You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cxf.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2015/04/09 17:22:13 UTC

[jira] [Updated] (CXF-6343) EncryptedHeader not properly processed or generated

     [ https://issues.apache.org/jira/browse/CXF-6343?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh updated CXF-6343:
-------------------------------------
    Fix Version/s: 3.0.5
                   3.1.0

> EncryptedHeader not properly processed or generated
> ---------------------------------------------------
>
>                 Key: CXF-6343
>                 URL: https://issues.apache.org/jira/browse/CXF-6343
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 3.0.4
>            Reporter: Hugo Trippaers
>            Assignee: Colm O hEigeartaigh
>             Fix For: 3.1.0, 3.0.5
>
>
> We spend quite some time getting interoperability with .NET 4.5 to work. In the end we managed to track down the problem to EncryptedHeader. .NET wraps EncryptedData for headers in an EncryptedHeader. This can be properly understood and parsed by WSS4J, however CXF will return an error first telling the client that it doesn't understand the EncryptedHeader element.
> This can be fixed by adding the following QName("http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd", "EncryptedHeader") to the understood headers in the AbstractTokenInterceptor
> The return path has a problem as well, the EncryptedHeaders are not generated by WSS4J while they should be (if i understand the spec correctly). This seems to be due to a bug in AbstractBindingBuilder where the method getEncryptedParts the following snippet should have Header instead of Element for headers
>         List<WSEncryptionPart> signedParts = new ArrayList<WSEncryptionPart>();
>         if (parts != null) {
>             isBody = parts.isBody();
>             for (Header head : parts.getHeaders()) {
>                 WSEncryptionPart wep = new WSEncryptionPart(head.getName(),
>                                                             head.getNamespace(),
>                                                             "Element");
>                 signedParts.add(wep);
>             }
>             
>             Attachments attachments = parts.getAttachments();
>             if (attachments != null) {
>                 WSEncryptionPart wep = new WSEncryptionPart("cid:Attachments", "Element");
>                 signedParts.add(wep);
>             }
>         }
> I'm more than happy to provide a patch for this, but i'm looking for a second opinion on this analysis. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)