Posted to c-dev@axis.apache.org by "Garrett Holmstrom (JIRA)" <ji...@apache.org> on 2011/04/09 02:18:05 UTC
[jira] [Created] (RAMPARTC-154) Body signature generation ignores data source request payloads
Body signature generation ignores data source request payloads
--------------------------------------------------------------
Key: RAMPARTC-154
URL: https://issues.apache.org/jira/browse/RAMPARTC-154
Project: Rampart/C
Issue Type: Bug
Components: OMXMLSecurity
Affects Versions: 1.3.0
Environment: Linux (all distributions)
Reporter: Garrett Holmstrom
Assignee: Malinda Kaushalye Kapuruge
In our web services implementation, we generate Axis2/C code with WSDL2C and use Rampart/C as a module. On the server and client side we require that all SOAP requests contain timestamps and signed request bodies. However, we found that enabling signature checking of <Body> elements in the policy:
<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body/>
</sp:SignedParts>
...results in all requests being rejected by the receiver due to signature verification failure. After investigation, we found that requests generated by the auto-generated Axis2/C code contained signatures over an empty <Body>, i.e., all its payload was ignored during element signing. On the other hand, when the request was received, the entire <Body> was checked against the signature. We determined that the problem is due to the fact that Rampart/C code ignores the payloads of requests with type AXIOM_DATA_SOURCE.
Attached is a patch that makes the checksum include the bodies of such requests when they are generated.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: c-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: c-dev-help@axis.apache.org
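As an added illustration (not code from the report, the attached patch or Rampart/C), the receiver-side check a defender can run on a captured envelope: recompute the digest of the Body Reference and, when it does not match, test whether the sender's DigestValue is the digest of an empty <Body> carrying the same attributes, which is exactly the symptom described above. Assumptions: SHA-1 digests, the standard library's C14N 2.0 (Python 3.8+) standing in for the Exclusive C14N Rampart/C applies, and a constructed envelope built by build_envelope with the hypothetical payload namespace urn:example:quotes.

```python
import base64
import copy
import hashlib
import xml.etree.ElementTree as ET

NS = {"soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
      "ex": "urn:example:quotes"}  # "ex" is a constructed payload namespace
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)
# Constructed payload standing in for a WSDL2C-generated request operation.
SAMPLE_PAYLOAD = '<ex:getQuote xmlns:ex="urn:example:quotes"><ex:symbol>IBM</ex:symbol></ex:getQuote>'

def c14n_sha1_b64(element):
    # Digest of one subtree as <ds:DigestValue> carries it (assumed: SHA-1, stdlib C14N 2.0).
    canon = ET.canonicalize(ET.tostring(element, encoding="unicode"))
    return base64.b64encode(hashlib.sha1(canon.encode()).digest()).decode()

def hollow_copy(body):
    # Same <Body> and attributes, no content: what the unpatched signer digested for a data source.
    hollow = copy.deepcopy(body)
    del hollow[:]        # drop all child elements
    hollow.text = None
    return hollow

def build_envelope(payload_xml, signer_sees_payload):
    # Constructed signed envelope; with signer_sees_payload=False the Reference digest is over an empty Body.
    body = ET.Element(f"{{{NS['soapenv']}}}Body", {f"{{{NS['wsu']}}}Id": "Body-1"})
    body.append(ET.fromstring(payload_xml))
    digest = c14n_sha1_b64(body if signer_sees_payload else hollow_copy(body))
    return (f'<soapenv:Envelope xmlns:soapenv="{NS["soapenv"]}"><soapenv:Header>'
            f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:SignedInfo><ds:Reference URI="#Body-1">'
            f'<ds:DigestValue>{digest}</ds:DigestValue></ds:Reference></ds:SignedInfo></ds:Signature>'
            f'</soapenv:Header>{ET.tostring(body, encoding="unicode")}</soapenv:Envelope>')

def diagnose(envelope_xml):
    # Receiver-side check: "ok", "signed-empty-body" (the symptom above), "digest-mismatch", "body-not-signed".
    root = ET.fromstring(envelope_xml)
    body = root.find("soapenv:Body", NS)
    uri = "#" + body.get(f"{{{NS['wsu']}}}Id", "")
    refs = [r for r in root.iter(f"{{{NS['ds']}}}Reference") if r.get("URI") == uri]
    if not refs:
        return "body-not-signed"
    claimed = refs[0].find("ds:DigestValue", NS).text.strip()
    if claimed == c14n_sha1_b64(body):
        return "ok"
    if claimed == c14n_sha1_b64(hollow_copy(body)):
        return "signed-empty-body"
    return "digest-mismatch"
```

A "signed-empty-body" result on a rejected request points at the sender's serialization rather than at tampering in transit, which is the distinction the report above had to establish by hand.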
[jira] [Updated] (RAMPARTC-154) Body signature generation ignores data source request payloads
Posted by "Garrett Holmstrom (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/RAMPARTC-154?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Garrett Holmstrom updated RAMPARTC-154:
---------------------------------------
Attachment: rampart-trunk-c14n.patch
Patch that includes payloads of type AXIOM_DATA_SOURCE in body signature calculations
> Labels: patch
> Attachments: rampart-trunk-c14n.patch