You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@cxf.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2011/09/16 12:33:08 UTC

[jira] [Resolved] (CXF-2924) WS-SP support does not enforce signature algorithm or digest algorithm on server side

     [ https://issues.apache.org/jira/browse/CXF-2924?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh resolved CXF-2924.
--------------------------------------

    Resolution: Fixed

> WS-SP support does not enforce signature algorithm or digest algorithm on server side
> -------------------------------------------------------------------------------------
>
>                 Key: CXF-2924
>                 URL: https://issues.apache.org/jira/browse/CXF-2924
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.2.10, 2.3
>            Reporter: David Valeri
>            Assignee: Colm O hEigeartaigh
>
> A WS-SP policy document that includes an algorithm suite assertion for a signature operation, such as the example below, does not trigger the enforcement of the algorithm suite in the inbound interceptors.
> {code:xml}
>     ...
>       <sp:AsymmetricBinding>
>         <wsp:Policy>
>           <sp:InitiatorToken>
>             <wsp:Policy>
>               <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
>                 <wsp:Policy>
>                   <sp:RequireIssuerSerialReference />
>                   <sp:WssX509V3Token10 />
>                 </wsp:Policy>
>               </sp:X509Token>
>             </wsp:Policy>
>           </sp:InitiatorToken>
>           <sp:RecipientToken>
>             <wsp:Policy>
>               <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
>                 <wsp:Policy>
>                   <sp:RequireIssuerSerialReference />
>                   <sp:WssX509V3Token10 />
>                 </wsp:Policy>
>               </sp:X509Token>
>             </wsp:Policy>
>           </sp:RecipientToken>
>           <sp:AlgorithmSuite>
>             <wsp:Policy>
>               <sp:Basic256Sha256 />
>             </wsp:Policy>
>           </sp:AlgorithmSuite>
>           <sp:Layout>
>             <wsp:Policy>
>               <sp:Strict />
>             </wsp:Policy>
>           </sp:Layout>
>         </wsp:Policy>
>       </sp:AsymmetricBinding>
>     ...
> {code}
> While the message could be inspected in order to extract this information, WSS4J already possesses the information.  Unfortunately, WSS4J does not report the information in the result data (1.5.8).  This issue is blocked on the addition of this information to the WSS4J results.  See WSS-236.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira