Posted to fx-dev@ws.apache.org by Ruchith Fernando <ru...@gmail.com> on 2006/10/01 11:26:06 UTC

Re: New security patch, and a comment on the RampartBasedSecurityManager

Hi Matt,

Thanks for pointing this out!

I checked in the implementation of checkProofOfPossession(), please have a look:

http://svn.apache.org/viewvc?view=rev&rev=451727
http://svn.apache.org/viewvc?view=rev&rev=451728

Thanks,
Ruchith

On 9/28/06, Matthew Lovett <ML...@uk.ibm.com> wrote:
> Hi all,
>
> I just attached a new patch to
> https://issues.apache.org/jira/browse/SANDESHA2-16, to implement the TODOs
> left behind from some refactoring.
>
> While putting that in I had a quick look at the rampart security manager,
> and I think that it is missing a bit of logic in the
> checkProofOfPossession() method. The purpose of that check is to ensure
> that the sender of 'this' message has possession of the token that was
> embedded in the create sequence message. See the public review draft of
> the WS-RM 1.1 spec for the justification for this - in short it is to
> prevent hijacking of the Sequence by another authorized user. If you have
> a no-op there then I expect that you have left this hole open, though I
> can't be 100% sure as I've not used rampart.
>
> Thanks
>
> Matt
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: sandesha-dev-unsubscribe@ws.apache.org
> For additional commands, e-mail: sandesha-dev-help@ws.apache.org
>
>


-- 
www.ruchith.org

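An added illustration of the check Matt describes, not Sandesha2's or Rampart's code and not the content of the commits linked above: the identifier of the token that secured the CreateSequence message is stored with the sequence, and every later message on that sequence must be secured by the same token, so a different user who is authorized to call the service but did not create the sequence is refused. The class name, the String token identifier and the sample values are assumptions.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Records which security token created each WS-RM sequence and refuses
 * later messages on that sequence that are secured by a different token.
 * The token identifier is assumed to be a String (for example a key
 * identifier) that the security layer has already extracted and verified.
 */
public final class SequenceTokenRegistry {

    // sequenceId -> identifier of the token that secured the CreateSequence
    private final Map<String, String> creatorToken = new HashMap<>();

    /** Call once when a CreateSequence is accepted. */
    public void registerSequence(String sequenceId, String tokenId) {
        if (sequenceId == null || tokenId == null) {
            throw new IllegalArgumentException("sequence id and token id are required");
        }
        if (creatorToken.putIfAbsent(sequenceId, tokenId) != null) {
            throw new IllegalStateException("sequence already registered: " + sequenceId);
        }
    }

    /**
     * Proof-of-possession check for a message on an existing sequence: the
     * message must be secured by the same token that created the sequence.
     * Unknown sequences and unsecured messages (null token) fail closed.
     */
    public boolean checkProofOfPossession(String sequenceId, String messageTokenId) {
        String expected = creatorToken.get(sequenceId);
        return expected != null && expected.equals(messageTokenId);
    }

    public static void main(String[] args) {
        SequenceTokenRegistry registry = new SequenceTokenRegistry();
        // Constructed sample: Alice's token secured the CreateSequence for seq-1.
        registry.registerSequence("urn:seq-1", "token-alice");

        // Alice's own message on seq-1: accepted.
        System.out.println("alice on seq-1: " + registry.checkProofOfPossession("urn:seq-1", "token-alice"));
        // Bob is authorized to use the service but did not create seq-1: rejected.
        System.out.println("bob on seq-1:   " + registry.checkProofOfPossession("urn:seq-1", "token-bob"));
        // No token at all, or an unknown sequence: rejected.
        System.out.println("no token:       " + registry.checkProofOfPossession("urn:seq-1", null));
        System.out.println("unknown seq:    " + registry.checkProofOfPossession("urn:seq-9", "token-alice"));
    }
}
```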