Ruchith, looks ok to me. Can you apply and check in? Thanks.
Werner

> -----Original Message-----
> From: Ruchith Fernando [mailto:[EMAIL PROTECTED]
> Sent: Sunday, 4 June 2006 17:21
> To: Werner Dittmann
> Cc: [email protected]
> Subject: Re: Problems using both InflowSecurity and OutflowSecurity
>
> Hi Werner,
>
> Right now we do return a <wsse11:SignatureConfirmation> in response to
> those requests that don't contain a signature (which seems to be
> correct as per the spec). For example, this can be observed when the
> only action is "Encrypt". But WSHandler#checkSignatureConfirmation()
> at the client throws an error saying "got a SC element, but no stored
> SV".
>
> IMHO we should not throw an error in the above case. I fixed this in
> my sandbox and attached the patch for your review.
>
> Thanks,
> Ruchith
>
> On 5/24/06, Ruchith Fernando <[EMAIL PROTECTED]> wrote:
> > Hi Werner,
> >
> > Yep .. my bad !! thanks for correction ... the spec [1] clearly states
> > that we have to include one SignatureConfirmation element.
> >
> > 1428 If no <ds:Signature> elements are present in the original request
> > message, the responder
> > 1429 MUST include exactly one <wsse11:SignatureConfirmation> element.
> >
> > IMHO this allows for a case where there will be a
> > SignatureConfirmation element with no stored signature value at the
> > requester... therefore IMHO we should not throw an exception in such a
> > scenario.
> >
> > Thanks,
> > Ruchith
> >
> > [1] https://svn.apache.org/repos/asf/webservices/wss4j/trunk/specs/oasis-2005xx-wss-soap-message-security-1.1-CD.pdf
> >
> > On 5/23/06, Werner Dittmann <[EMAIL PROTECTED]> wrote:
> > > Hi,
> > >
> > > I haven't checked it yet - but according to the WSS specs
> > > sending of security confirmation is also required (AFAIK)
> > > in any case even if the request didn't contain a Signature
> > >
> > > I'll cross check it.
> > >
> > > Regards,
> > > Werner
> > >
> > > Ruchith Fernando wrote:
> > > > Hi,
> > > >
> > > > On 5/23/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > > >> Hi Ruchith,
> > > >>
> > > >> thanks again, this works. But isn't this a bug?
> > > >> Why does it include a SignatureConfirmation if there is no signature to
> > > >> confirm?
> > > >
> > > > Yep ... I agree that we should not return SignatureConfirmation when
> > > > there's no signature in the request... please file a JIRA bug here:
> > > > [1]
> > > >
> > > >> If this behaviour is correct, the default value of
> > > >> enableSignatureConfirmation should be "false", shouldn't it?
> > > >
> > > > +1 on making the default false... and I believe this will be fixed
> > > > when we support WS-SecurityPolicy (in WSS4J 2.0).
> > > >
> > > > Thanks,
> > > > Ruchith
> > > >
> > > > [1] http://issues.apache.org/jira/browse/WSS

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
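
The requester-side check discussed in this thread, as an added example that is not part of the original mails and is not WSS4J's code or the attached patch: it accepts the single empty `<wsse11:SignatureConfirmation>` that answers an unsigned request instead of raising an error. It is written in Python rather than against the WSS4J API; the function names and sample values are hypothetical, and it assumes the response signature covering the confirmation elements has already been verified.

```python
import xml.etree.ElementTree as ET

WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSSE11 = "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
SC_TAG = "{%s}SignatureConfirmation" % WSSE11


def check_signature_confirmation(security_xml, stored_values):
    """Check the SC elements of a response against the ds:SignatureValue
    strings the requester stored when sending (empty if request unsigned).
    Returns (ok, reason). Hypothetical helper, not the WSS4J method."""
    confirmations = ET.fromstring(security_xml).findall(SC_TAG)
    if not confirmations:
        return False, "no SignatureConfirmation in response"
    pending = ["".join(v.split()) for v in stored_values]
    if not pending:
        # Unsigned request (e.g. the only action was "Encrypt"): expect
        # exactly one SC element, and it must not carry a Value attribute.
        if len(confirmations) != 1:
            return False, "unsigned request needs exactly one SC element"
        if confirmations[0].get("Value") is not None:
            return False, "SC has a Value but no signature was sent"
        return True, "empty confirmation accepted"
    for sc in confirmations:
        value = "".join((sc.get("Value") or "").split())
        if value not in pending:
            return False, "SC does not match a stored signature value"
        pending.remove(value)
    if pending:
        return False, "a sent signature was not confirmed"
    return True, "all signatures confirmed"


def sample_header(values):
    """Constructed wsse:Security header; None yields an SC without Value."""
    scs = "".join(
        "<wsse11:SignatureConfirmation%s/>"
        % ("" if v is None else ' Value="%s"' % v) for v in values)
    return ('<wsse:Security xmlns:wsse="%s" xmlns:wsse11="%s">%s'
            "</wsse:Security>" % (WSSE, WSSE11, scs))


if __name__ == "__main__":
    sig = "c2lnLW9uZQ=="  # constructed value, not a real signature
    print(check_signature_confirmation(sample_header([None]), []))
    print(check_signature_confirmation(sample_header([sig]), []))
    print(check_signature_confirmation(sample_header([sig]), [sig]))
```

A confirmation that carries a Value the requester never sent is still rejected, so relaxing the empty case does not weaken the check for signed requests.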
