You are viewing a plain text version of this content. The canonical link for it is here.
Posted to wss4j-dev@ws.apache.org by Ruchith Fernando <ru...@gmail.com> on 2006/06/04 17:21:12 UTC

Re: Problems using both InflowSecurity and OutflowSecurity

Hi Werner,

Right now we do return a <wsse11:SignatureConfirmation> in response to
those requests that doesn't contain a signature (Which seems to be
correct as for the spec).  For example this can be observed when the
only action if "Encrypt". But WSHandler#checkSignatureConfirmation()
at the client throws an error saying "got a SC element, but no stored
SV".

IMHO we should not throw and error in the above case. I fixed this in
my sandbox and attached the patch for your review.

Thanks,
Ruchith

On 5/24/06, Ruchith Fernando <ru...@gmail.com> wrote:
> Hi Werner,
>
> Yep .. my bad !! thanks for correction ... the spec [1] clearly states
> that we have to include one SignatureConfirmation element.
>
> 1428 If no <ds:Signature> elements are present in the original request
> message, the responder
> 1429 MUST include exactly one <wsse11:SignatureConfirmation> element.
>
> IMHO this allows for a case where there will be a
> SignatureConfirmation element with no stored signature value at the
> requester... therefore IMHO we should not throw an exception in such a
> scenario.
>
> Thanks,
> Ruchith
>
> [1] https://svn.apache.org/repos/asf/webservices/wss4j/trunk/specs/oasis-2005xx-wss-soap-message-security-1.1-CD.pdf
>
> On 5/23/06, Werner Dittmann <We...@t-online.de> wrote:
> > Hi,
> >
> > I haven't checked it yet - but according to the WSS specs
> > sending of security confirmation is also required (AFAIK)
> > in any case even if the request didn't contain an Signature
> >
> > I'll cross check it.
> >
> > Regards,
> > Werner
> >
> > Ruchith Fernando wrote:
> > > Hi,
> > >
> > > On 5/23/06, mpollmeier@s-und-n.de <mp...@s-und-n.de> wrote:
> > >> Hi Ruchith,
> > >>
> > >> thanks again, this works. But isn't this a bug?
> > >> Why does it include a SignatureConfirmation if there is no signature to
> > >> confirm?
> > >
> > > Yep ... I agree that we should not return SignatureConfirmation when
> > > there's no signature in the request... please file a JIRA bug here:
> > > [1]
> > >
> > >> If this behaviour is correct, the default value of
> > >> enableSignatureConfirmation should be "false", shouldn't it?
> > >
> > > +1 on making the default false... and I believe this will be fixed
> > > when we support WS-SecurityPolicy (in WSS4J 2.0).
> > >
> > > Thanks,
> > > Ruchith
> > >
> > > [1] http://issues.apache.org/jira/browse/WSS
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
> > > For additional commands, e-mail: wss4j-dev-help@ws.apache.org
> > >
> > >
> >
> >
>