Posted to issues@cxf.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2015/06/24 17:52:04 UTC

[jira] [Commented] (CXF-6473) Double signatures while using AsymmetricBindingHandler

    [ https://issues.apache.org/jira/browse/CXF-6473?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14599615#comment-14599615 ] 

Colm O hEigeartaigh commented on CXF-6473:
------------------------------------------


I've fixed the problem with calling getSignedParts twice with EncryptBeforeSigning. The Timestamp will still be signed twice as per your WSDL as you are unnecessarily including a SignedElements policy pointing to the Timestamp. According to the spec, the Timestamp must be signed by the main Signature if it is included in the request. So there is no need to explicitly sign it as well.

Colm.

> Double signatures while using AsymmetricBindingHandler
> ------------------------------------------------------
>
>                 Key: CXF-6473
>                 URL: https://issues.apache.org/jira/browse/CXF-6473
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.7.13
>            Reporter: Jordy Onrust
>            Assignee: Colm O hEigeartaigh
>             Fix For: 3.0.6, 2.7.17, 3.1.2
>
>
> WSDL: http://pastebin.com/Xx82fmGX
> Response: http://pastebin.com/KbuMrfn4
> In the given response signatures appear double or even triple. 
> The getSignedParts method in AbstractBinding is called twice.
> The first call is done in the doEncryptBeforeSign method at line 262.
> Second call is done in the doSignature at line 506, called by doEncryptBeforeSign method at line 301.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
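
Added example (not part of the JIRA message or of CXF): a small check for the symptom described above, listing every element in a response that is covered by more than one ds:Reference, whether the references sit in one Signature or in several. The sample envelope and its wsu:Id values are constructed, digest and signature values are omitted, and the check assumes the Signature elements are not themselves encrypted.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]

# Constructed sample: the Timestamp is referenced by the main signature and
# again by a second signature, as a redundant SignedElements policy would cause.
SAMPLE = f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}"
    xmlns:wsu="{NS['wsu']}" xmlns:ds="{NS['ds']}">
  <soap:Header><wsse:Security>
    <wsu:Timestamp wsu:Id="TS-1"/>
    <ds:Signature><ds:SignedInfo>
      <ds:Reference URI="#TS-1"/>
      <ds:Reference URI="#Body-1"/>
    </ds:SignedInfo></ds:Signature>
    <ds:Signature><ds:SignedInfo>
      <ds:Reference URI="#TS-1"/>
    </ds:SignedInfo></ds:Signature>
  </wsse:Security></soap:Header>
  <soap:Body wsu:Id="Body-1"/>
</soap:Envelope>"""

def multiply_signed(envelope_xml):
    """Return {wsu:Id: (element local name, reference count)} for every
    element that more than one ds:Reference in the Security header points to."""
    root = ET.fromstring(envelope_xml)
    # Map each wsu:Id in the message to the local name of the element carrying it.
    names = {el.get(WSU_ID): el.tag.split("}")[-1]
             for el in root.iter() if el.get(WSU_ID)}
    path = ".//wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference"
    # Count same-document references ("#id") across all signatures.
    counts = Counter(ref.get("URI")[1:] for ref in root.iterfind(path, NS)
                     if ref.get("URI", "").startswith("#"))
    return {i: (names.get(i, "?"), n) for i, n in counts.items() if n > 1}

if __name__ == "__main__":
    for ident, (name, n) in multiply_signed(SAMPLE).items():
        print(f"{name} (wsu:Id={ident}) is referenced {n} times")
```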