+1. Tested the rampart trunk with the staged wss4j 1.5.6 with Clom's patch.
thanks, Nandana On Wed, Mar 11, 2009 at 6:59 AM, Nandana Mihindukulasooriya < nandana....@gmail.com> wrote: > Hi Clom, > I will test this first thing today morning and update the vote. > > thanks, > Nandana > > P.S. : Congratulations on getting WSS4J 1.5.6 out and getting WS Trust > stuff working. > > > On Wed, Mar 11, 2009 at 6:44 AM, Glen Daniels <g...@thoughtcraft.com>wrote: > >> Hey Dan, Colm, all: >> >> This makes sense, and you can consider my -1 withdrawn. >> . >> I would, however, like to see Nandana's +1 on this before it goes out. >> >> Thanks, >> --Glen >> >> Daniel Kulp wrote: >> > As Colm mentioned, there is a patch on the Jira already. (actually, >> Colm >> > could just commit it probably, but I suppose having someone look at it >> is a >> > good idea) >> > >> > Basically, this is a bug in Rampart. Rampart is suffering from the >> same >> > "blindly strip the first char" problem that wss4j did. If you put some >> > printlns in the rampart token store, with 1.5.5, you can see: >> > >> > add: 7EA37A075C8888C7BE12367220453773 >> > add: #sctId-1176318351 >> > get: #sctId-1176318351: org.apache.rahas.to...@364e50ee >> > get: 7EA37A075C8888C7BE12367220453773: org.apache.rahas.to...@420253af >> > Service invoked >> > get: sctId-1176318351: org.apache.rahas.to...@420253af >> > get: EA37A075C8888C7BE12367220453773: org.apache.rahas.to...@364e50ee >> > >> > The last line is the tell tale sign. That ID is NOT a valid token ID, >> but the >> > token store is finding a token for it. That's probably some sort of >> security >> > violation or something. Not sure how exploitable it is. What's >> worse, in >> > SOME cases, if you pass the VALID id in, the store doesn't find the >> token for >> > it. >> > >> > Actually, I would take the patch one furthur and update the >> > STSClient.findIdentifier method to check the unattached first instead of >> the >> > attached. With that, all the "add" calls would be with the full id and >> not >> > the wsu:Id. The lookups later would be a bit quicker then as well. >> > >> > >> > My recommendation would be to get wss4j 1.5.6 out and then follow it up >> with a >> > rampart release that fixes those issues. >> > >> > Dan >> > >> > >> > On Tue March 10 2009 4:53:23 pm Glen Daniels wrote: >> >> Hi Colm, all: >> >> >> >> -1 from me, unfortunately, since running the Rampart build with the new >> >> WSS4J produced a test failure. In particular the testWithPolicy() test >> >> in RampartTest (integration module) fails. >> >> >> >> DanK believes this might have to do with the way WSS4J has corrected >> its >> >> URL handling (it was previously truncating the 1st char of all urls >> >> assuming that they'd be of the form "#urn..."). >> >> >> >> Could someone from rampart-dev have a look at this? >> >> >> >> Thanks, >> >> --Glen >> >> >> >> P.S. A huge +1, by the way, to the congratulations on all the hard >> work >> >> and interop success! >> >> >> >> Colm O hEigeartaigh wrote: >> >>> To the Apache Web Services Community, >> >>> >> >>> This is a call for votes for the wss4j-1.5.6 release. >> >>> >> >>> The distribution can be found at the following URL: >> >>> >> >>> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/dist/<http://people.apache.org/%7Ecoheigea/stage/wss4j/1.5.6/dist/> >> >>> >> >>> You can also point maven at the following URL to pull down the 1.5.6 >> >>> release POM, source, and class JARs: >> >>> >> >>> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/maven/<http://people.apache.org/%7Ecoheigea/stage/wss4j/1.5.6/maven/> >> >>> >> >>> Additionally, the generated version of the web site can be found at >> >>> >> >>> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/site/<http://people.apache.org/%7Ecoheigea/stage/wss4j/1.5.6/site/> >> >>> >> >>> The list of bugs fixed in this release can be seen here: >> >>> >> >>> >> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=1231006 >> >>> 3&styleName=Html&version=12313623 >> >>> >> >>> This vote will stay open for at least 72 hours. >> >>> >> >>> Here is my (non-binding and advisory) +1. >> >>> >> >>> Thanks, >> >>> >> >>> Colm. >> >> --------------------------------------------------------------------- >> >> To unsubscribe, e-mail: wss4j-dev-unsubscr...@ws.apache.org >> >> For additional commands, e-mail: wss4j-dev-h...@ws.apache.org >> > >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: wss4j-dev-unsubscr...@ws.apache.org >> For additional commands, e-mail: wss4j-dev-h...@ws.apache.org >> >>
