This change is fine, as far as CXF is concerned. (In fact, it will
allow us to remove a workaround for it.)
Could we get an Axis person to double check whether the fix is good
for Axis?
Thanks!
-Fred
On Feb 18, 2008, at 7:24 AM, Colm O hEigeartaigh (JIRA) wrote:
[ https://issues.apache.org/jira/browse/WSS-70?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh updated WSS-70:
-----------------------------------
Attachment: wss4j_actions.patch
WSHandler checkReceiverResults causes security problem
------------------------------------------------------
Key: WSS-70
URL: https://issues.apache.org/jira/browse/WSS-70
Project: WSS4J
Issue Type: Bug
Reporter: Gürkan Vural
Priority: Critical
Attachments: wss4j_actions.patch
In WSS4J 1.1.0 in WSDoAllReceiver there is a check of security actions
which also checks the size of actions. However this part is moved in
WSS4J 1.5 to WSHandler.java using checkReceiverResults function and
action size check is commented out. However the checking for loop is
controlled against the size of actions received in the SOAP message.
This causes a security problem when an empty security header is sent.
It omits the for loop and throws no exception!
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
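The flaw described in the issue, modelled as an added example (this is not WSS4J's code and not the attached patch). The class and method names are hypothetical, actions are represented as plain strings, and the sample lists are constructed.

```java
import java.util.List;

public class ReceiverActionCheck {

    // Flawed shape described in WSS-70: the loop is bounded by the number of
    // actions found in the message, so zero received actions means zero checks.
    static boolean checkLoopOnly(List<String> received, List<String> required) {
        for (int i = 0; i < received.size(); i++) {
            if (i >= required.size() || !received.get(i).equals(required.get(i))) {
                return false;
            }
        }
        // Reached without a single comparison when the security header is empty.
        return true;
    }

    // Hardened shape (one possible fix): compare the sizes before the loop,
    // so a message carrying fewer actions than required is rejected.
    static boolean checkWithSize(List<String> received, List<String> required) {
        if (received.size() != required.size()) {
            return false;
        }
        return checkLoopOnly(received, required);
    }

    public static void main(String[] args) {
        // Constructed configuration: the receiver requires both actions.
        List<String> required = List.of("Signature", "Encrypt");

        // Constructed inputs: what was actually processed from the message.
        List<String> emptyHeader = List.of();
        List<String> signatureOnly = List.of("Signature");
        List<String> complete = List.of("Signature", "Encrypt");

        for (List<String> received : List.of(emptyHeader, signatureOnly, complete)) {
            System.out.println("received=" + received
                    + " loopOnly=" + checkLoopOnly(received, required)
                    + " withSize=" + checkWithSize(received, required));
        }
    }
}
```

In this model the loop-only check also accepts a message that carries only a leading subset of the required actions, which is the same missing size comparison seen from another input.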