Posted to wss4j-dev@ws.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2008/10/16 16:45:44 UTC

[jira] Updated: (WSS-145) Problem in upgrading to xml-sec 1.4.2

     [ https://issues.apache.org/jira/browse/WSS-145?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh updated WSS-145:
------------------------------------

    Attachment: wss4j_wss145.patch


Werner, please have a look at the attached patch for this issue and let me know if this is acceptable to you. 

I followed the discussion on security-dev on this issue...it seemed to me that there wasn't a consensus on whether the bug was in WSS4J or xml-sec. In any case, a simple fix in WSS4J solves the problem, which essentially amounts to doing this whenever a KeyInfo object is created:

Element keyInfoElement = keyInfo.getElement();
keyInfoElement.setAttributeNS(WSConstants.XMLNS_NS, "xmlns:"
        + WSConstants.SIG_PREFIX, WSConstants.SIG_NS);

This way, the "ds" namespace gets set properly on the DOM element.

There are no backwards compatibility issues, as I've tested the changes with both xmlsec 1.4.0 and 1.4.2, and the tests all pass.




> Problem in upgrading to xml-sec 1.4.2
> -------------------------------------
>
>                 Key: WSS-145
>                 URL: https://issues.apache.org/jira/browse/WSS-145
>             Project: WSS4J
>          Issue Type: Improvement
>          Components: WSS4J Core
>    Affects Versions: 1.5.4
>            Reporter: Colm O hEigeartaigh
>            Assignee: Werner Dittmann
>             Fix For: 1.5.5
>
>         Attachments: wss4j_wss145.patch
>
>
> WSS4J 1.5.4 has a dependency on xml-sec 1.4.0. xml-sec 1.4.1 has a major c14n fix, but we ran into a critical problem with encryption, see:
> http://issues.apache.org/jira/browse/WSS-128
> Ideally we'd like to release WSS4J 1.5.5 with xml-sec 1.4.2. However, there's a problem with namespace prefixes when signing a request:
> http://www.nabble.com/Undeclared-namespace-prefix-"ds"-error-tt19668706.html#a19668706
> It's still not clear at this stage whether it's a problem in WSS4J or xml-sec, or why this problem doesn't appear when xml-sec 1.4.0 or 1.4.1 is used.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
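
The effect of the fix described in the message above, shown as an added example that is not part of the original thread or of wss4j_wss145.patch: a walk over a DOM tree that reports prefixed elements with no matching xmlns declaration attribute in scope, run before and after the setAttributeNS call. The constant values are assumed to match WSConstants, and the class name, helper methods and the constructed ex:Envelope / ds:KeyInfo tree are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

public class UndeclaredPrefixCheck {
    // Assumed to equal WSConstants.XMLNS_NS, SIG_NS and SIG_PREFIX.
    static final String XMLNS_NS = "http://www.w3.org/2000/xmlns/";
    static final String SIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    static final String SIG_PREFIX = "ds";

    // True only if an xmlns:<prefix> attribute on el or an ancestor binds prefix to uri.
    static boolean declared(Element el, String prefix, String uri) {
        for (Node n = el; n instanceof Element; n = n.getParentNode()) {
            Element e = (Element) n;
            if (e.hasAttributeNS(XMLNS_NS, prefix)) {
                return uri.equals(e.getAttributeNS(XMLNS_NS, prefix));
            }
        }
        return false;
    }

    // Collects prefixed elements that an attribute-driven serializer would emit undeclared.
    static void collect(Element e, List<String> out) {
        if (e.getPrefix() != null && !declared(e, e.getPrefix(), e.getNamespaceURI())) {
            out.add(e.getNodeName());
        }
        for (Node c = e.getFirstChild(); c != null; c = c.getNextSibling()) {
            if (c instanceof Element) collect((Element) c, out);
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().newDocument();
        // Constructed sample tree; keyInfoElement stands in for keyInfo.getElement().
        Element root = doc.createElementNS("urn:example:envelope", "ex:Envelope");
        root.setAttributeNS(XMLNS_NS, "xmlns:ex", "urn:example:envelope");
        doc.appendChild(root);
        Element keyInfoElement = doc.createElementNS(SIG_NS, SIG_PREFIX + ":KeyInfo");
        root.appendChild(keyInfoElement);
        keyInfoElement.appendChild(doc.createElementNS(SIG_NS, SIG_PREFIX + ":KeyName"));

        List<String> before = new ArrayList<>();
        collect(root, before);
        keyInfoElement.setAttributeNS(XMLNS_NS, "xmlns:" + SIG_PREFIX, SIG_NS); // the fix
        List<String> after = new ArrayList<>();
        collect(root, after);
        System.out.println("undeclared before fix: " + before + ", after fix: " + after);
    }
}
```

The check looks only at declaration attributes because createElementNS records the namespace on the node without adding an xmlns attribute, so code that copies attributes verbatim never sees a binding for "ds".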


Re: [jira] Updated: (WSS-145) Problem in upgrading to xml-sec 1.4.2

Posted by Werner Dittmann <We...@t-online.de>.
This works, sure.

There is some discussion at xml-sec if the decision to declare
some specific elements as "Signature" internal. I'll file a JIRA
to xml-sec against the modification, which may cause failures on other
xml-sec elements also, not only for KeyInfo.

But as a security measure we should use this patch for WSS4J.

Regards,
Werner


