Glen,

As Colm mentioned, there is a patch on the Jira already. (actually, Colm could just commit it probably, but I suppose having someone look at it is a good idea)

Basically, this is a bug in Rampart. Rampart is suffering from the same "blindly strip the first char" problem that wss4j did. If you put some printlns in the rampart token store, with 1.5.5, you can see:

add: 7EA37A075C8888C7BE12367220453773
add: #sctId-1176318351
get: #sctId-1176318351: org.apache.rahas.to...@364e50ee
get: 7EA37A075C8888C7BE12367220453773: org.apache.rahas.to...@420253af
Service invoked
get: sctId-1176318351: org.apache.rahas.to...@420253af
get: EA37A075C8888C7BE12367220453773: org.apache.rahas.to...@364e50ee

The last line is the telltale sign. That ID is NOT a valid token ID, but the token store is finding a token for it. That's probably some sort of security violation or something. Not sure how exploitable it is. What's worse, in SOME cases, if you pass the VALID id in, the store doesn't find the token for it.

Actually, I would take the patch one further and update the STSClient.findIdentifier method to check the unattached first instead of the attached. With that, all the "add" calls would be with the full id and not the wsu:Id. The lookups later would be a bit quicker then as well.

My recommendation would be to get wss4j 1.5.6 out and then follow it up with a rampart release that fixes those issues.

Dan

On Tue March 10 2009 4:53:23 pm Glen Daniels wrote:
> Hi Colm, all:
>
> -1 from me, unfortunately, since running the Rampart build with the new
> WSS4J produced a test failure. In particular the testWithPolicy() test
> in RampartTest (integration module) fails.
>
> DanK believes this might have to do with the way WSS4J has corrected its
> URL handling (it was previously truncating the 1st char of all urls
> assuming that they'd be of the form "#urn...").
>
> Could someone from rampart-dev have a look at this?
>
> Thanks,
> --Glen
>
> P.S. A huge +1, by the way, to the congratulations on all the hard work
> and interop success!
>
> Colm O hEigeartaigh wrote:
> > To the Apache Web Services Community,
> >
> > This is a call for votes for the wss4j-1.5.6 release.
> >
> > The distribution can be found at the following URL:
> >
> > http://people.apache.org/~coheigea/stage/wss4j/1.5.6/dist/
> >
> > You can also point maven at the following URL to pull down the 1.5.6
> > release POM, source, and class JARs:
> >
> > http://people.apache.org/~coheigea/stage/wss4j/1.5.6/maven/
> >
> > Additionally, the generated version of the web site can be found at
> >
> > http://people.apache.org/~coheigea/stage/wss4j/1.5.6/site/
> >
> > The list of bugs fixed in this release can be seen here:
> >
> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310063&styleName=Html&version=12313623
> >
> > This vote will stay open for at least 72 hours.
> >
> > Here is my (non-binding and advisory) +1.
> >
> > Thanks,
> >
> > Colm.

-- 
Daniel Kulp
dk...@apache.org
http://www.dankulp.com/blog
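
Added example, not part of the original message and not Rampart or WSS4J code: a simplified model of a token store keyed by identifier, showing how unconditionally dropping the first character reproduces both symptoms described above (a truncated ID resolves, a valid ID does not), next to a normalization that strips only a leading '#'. The class and method names are hypothetical, the two identifiers are the ones from the println output in the message, and the token values are constructed placeholders.

```java
import java.util.HashMap;
import java.util.Map;

public class TokenIdLookupDemo {
    // Before: assumes every reference has the form "#id" and drops char 0.
    static String blindStrip(String ref) {
        return ref.substring(1);
    }

    // After: only a same-document reference carries a '#' to remove.
    static String normalize(String ref) {
        if (ref == null || ref.isEmpty()) {
            throw new IllegalArgumentException("empty token reference");
        }
        return ref.charAt(0) == '#' ? ref.substring(1) : ref;
    }

    public static void main(String[] args) {
        // Identifier values taken from the println output in the message.
        String attachedRef = "#sctId-1176318351";
        String unattachedId = "7EA37A075C8888C7BE12367220453773";
        String truncatedId = unattachedId.substring(1); // not a valid token ID

        // Token values are constructed placeholders.
        Map<String, String> before = new HashMap<>();
        before.put(blindStrip(attachedRef), "token-A");
        before.put(blindStrip(unattachedId), "token-B"); // key loses its '7'

        Map<String, String> after = new HashMap<>();
        after.put(normalize(attachedRef), "token-A");
        after.put(normalize(unattachedId), "token-B");

        // Before: the truncated ID resolves and the valid ID does not.
        System.out.println("before, truncated id: " + before.get(truncatedId));
        System.out.println("before, valid id:     " + before.get(unattachedId));
        // After: only the exact ID resolves; both reference forms agree.
        System.out.println("after, truncated id:  " + after.get(truncatedId));
        System.out.println("after, valid id:      " + after.get(normalize(unattachedId)));
        System.out.println("after, '#' reference: " + after.get(normalize(attachedRef)));
    }
}
```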