Posted to rampart-dev@ws.apache.org by Heiko Görig <h....@gmx.de> on 2009/01/15 20:28:33 UTC

Bugs in method UsernameToken.serialize(XMLStreamWriter writer)

Hi all,

I found 2 bugs in the method UsernameToken.serialize(XMLStreamWriter writer).

First one:

If the WssUsernameToken10 or WssUsernameToken11 assertion is present, the
policy element inside the UsernameToken assertion gets the
WS-SecurityPolicy 1.2 namespace and not the WS-Policy namespace.

Therefore the following code must be changed (see comments):

 

    if (isUseUTProfile10() || isUseUTProfile11()) {
        String pPrefix = writer.getPrefix(SPConstants.POLICY.getNamespaceURI());
        if (pPrefix == null) {
            pPrefix = SPConstants.POLICY.getPrefix(); // --> insert
            writer.setPrefix(SPConstants.POLICY.getPrefix(),
                    SPConstants.POLICY.getNamespaceURI());
        }

        // <wsp:Policy>
        writer.writeStartElement(pPrefix,
                SPConstants.POLICY.getLocalPart(),
                SPConstants.POLICY.getNamespaceURI()); // --> use "pPrefix" instead of "prefix" as first parameter

Second one:

The elements HashPassword and NoPassword are put inside the
WssUsernameToken10 or WssUsernameToken11 elements and not inside the Policy
element of the UsernameToken. Therefore they will not be loaded again by the
UsernameTokenBuilder after serialization. It is also inconsistent with the
WS-SecurityPolicy 1.2 specification. Therefore, the call
writer.writeEndElement() in line 163 must be moved to line 140.

Regards,

hg
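
The two fixes described in this message, as an added example that is not part of the original post and is not Rampart's code: a standalone StAX writer that puts the Policy element in the WS-Policy namespace and writes HashPassword as a direct child of that Policy element. The class name, the method signature and the literal "sp"/"wsp" prefixes are assumptions made for the illustration.

```java
import java.io.StringWriter;
import javax.xml.stream.XMLOutputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamWriter;

public class UsernameTokenPolicyDemo {
    // Namespace URIs of WS-SecurityPolicy 1.2 and WS-Policy (2004/09).
    static final String SP_NS = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";
    static final String WSP_NS = "http://schemas.xmlsoap.org/ws/2004/09/policy";

    // Hypothetical stand-in for UsernameToken.serialize(); uses only JDK StAX.
    static String serialize(boolean hashPassword, boolean utProfile11) throws XMLStreamException {
        StringWriter out = new StringWriter();
        XMLStreamWriter w = XMLOutputFactory.newInstance().createXMLStreamWriter(out);

        // <sp:UsernameToken>
        w.writeStartElement("sp", "UsernameToken", SP_NS);
        w.writeNamespace("sp", SP_NS);

        // First bug: resolve the prefix bound to the WS-Policy namespace and fall
        // back to "wsp"; the "sp" prefix must not be reused for the Policy element.
        String pPrefix = w.getPrefix(WSP_NS);
        if (pPrefix == null) {
            pPrefix = "wsp";
            w.setPrefix(pPrefix, WSP_NS);
        }
        // <wsp:Policy>
        w.writeStartElement(pPrefix, "Policy", WSP_NS);
        w.writeNamespace(pPrefix, WSP_NS);

        // Second bug: the profile assertion is written as an empty element, so
        // HashPassword is its sibling under wsp:Policy rather than its child.
        w.writeEmptyElement("sp", utProfile11 ? "WssUsernameToken11" : "WssUsernameToken10", SP_NS);
        if (hashPassword) {
            w.writeEmptyElement("sp", "HashPassword", SP_NS);
        }

        w.writeEndElement(); // </wsp:Policy>
        w.writeEndElement(); // </sp:UsernameToken>
        w.close();
        return out.toString();
    }

    public static void main(String[] args) throws XMLStreamException {
        System.out.println(serialize(true, false));
    }
}
```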