Posted to commits@santuario.apache.org by "Colm O hEigeartaigh (Jira)" <ji...@apache.org> on 2020/04/14 07:37:00 UTC

[jira] [Resolved] (SANTUARIO-538) SignatureCreateReferenceURIResolverTest gives false positives

     [ https://issues.apache.org/jira/browse/SANTUARIO-538?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh resolved SANTUARIO-538.
-------------------------------------------
    Resolution: Fixed

> SignatureCreateReferenceURIResolverTest gives false positives
> -------------------------------------------------------------
>
>                 Key: SANTUARIO-538
>                 URL: https://issues.apache.org/jira/browse/SANTUARIO-538
>             Project: Santuario
>          Issue Type: Bug
>          Components: Java
>    Affects Versions: Java 2.1.5
>            Reporter: Peter De Maeyer
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>             Fix For: Java 2.2.0
>
>
> {{SignatureCreationReferenceURIResolverTest.testSignatureCreationWithExternal*}} gives false positives.
> The essence of these tests seems to be a {{SecurePart}} that has an external reference.
> These secure parts never match anything, in spite of the fact that they are required (by default).
> The reason they don't fail is because {{OutboundXMLSec.processOutMessage}} ignores them: because they have no {{getIdToSign()}}, no {{getName()}} and no {{isSecureEntireRequest()}}, they are never put ({{putAsMap}}) in the security context.
> You can just as well remove them from the tests, and the tests are still green.
> An example of a code snippet from {{SignatureCreationReferenceURIResolverTest}}:
> {code}
> File file = new File(BASEDIR + 
>                      "/src/test/resources/ie/baltimore/merlin-examples/merlin-xmlenc-five/plaintext.xml").getCanonicalFile();
> // Below securePart is ignored, nothing is verified, test is falsely green.
> securePart = new SecurePart(file.toURI().toString(),
>         new String[]{"http://www.w3.org/TR/2001/REC-xml-c14n-20010315"},
>         XMLSecurityConstants.NS_XMLDSIG_SHA1);
> properties.addSignaturePart(securePart);
> {code}
> If someone could explain to me what the intent of this feature is, I would be happy to fix them.
> I have the vague impression that they're tests for a feature that has not been implemented.
> I bumped into this in the context of SANTUARIO-532, where {{SignatureCreationReferenceURIResolverTest}} started failing on the requiredness once I no longer ignore the secure parts in {{OutboundXMLSec.processOutMessage}}.
