You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cxf.apache.org by "David Valeri (JIRA)" <ji...@apache.org> on 2010/01/29 17:00:35 UTC
[jira] Created: (CXF-2638) WS-SecurityPolicy SignedElements,
SignedParts, EncryptedParts, EncryptedElements, and
ContentEncryptedElements assertions incorrectly verified
WS-SecurityPolicy SignedElements, SignedParts, EncryptedParts, EncryptedElements, and ContentEncryptedElements assertions incorrectly verified
----------------------------------------------------------------------------------------------------------------------------------------------
Key: CXF-2638
URL: https://issues.apache.org/jira/browse/CXF-2638
Project: CXF
Issue Type: Bug
Components: WS-* Components
Affects Versions: 2.3
Reporter: David Valeri
When security configuration is provided via WS-SecurityPolicy, the PolicyBasedWSS4JInInterceptor enforces the SignedElements assertion incorrectly. If there is more than one match to the assertion XPath, the validation code does not correctly detect the unsigned matches so long as any one of the matches is signed. This logic does not accurately reflect the case in which multiple matches for the signature coverage XPath exist in the message and may provide a false sense of integrity in the message.
Per section 1.2 of the WS-Security spec:
The XPath expression "identifies the nodes to be integrity protected."
Based on this language, it seems as if all nodes matching the XPath expression must be integrity constrained.
Similar issues exist with the SignedParts, EncryptedParts, EncryptedElements, and ContentEncryptedElements assertions as well.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (CXF-2638) WS-SecurityPolicy SignedElements,
SignedParts, EncryptedParts, EncryptedElements, and
ContentEncryptedElements assertions incorrectly verified
Posted by "David Valeri (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CXF-2638?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
David Valeri updated CXF-2638:
------------------------------
Attachment: cxf-2638-fixed.patch
Attached patch with missing test files.
> WS-SecurityPolicy SignedElements, SignedParts, EncryptedParts, EncryptedElements, and ContentEncryptedElements assertions incorrectly verified
> ----------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: CXF-2638
> URL: https://issues.apache.org/jira/browse/CXF-2638
> Project: CXF
> Issue Type: Bug
> Components: WS-* Components
> Affects Versions: 2.3
> Reporter: David Valeri
> Assignee: Daniel Kulp
> Attachments: cxf-2638-fixed.patch, cxf-2638.patch
>
>
> When security configuration is provided via WS-SecurityPolicy, the PolicyBasedWSS4JInInterceptor enforces the SignedElements assertion incorrectly. If there is more than one match to the assertion XPath, the validation code does not correctly detect the unsigned matches so long as any one of the matches is signed. This logic does not accurately reflect the case in which multiple matches for the signature coverage XPath exist in the message and may provide a false sense of integrity in the message.
> Per section 1.2 of the WS-Security spec:
> The XPath expression "identifies the nodes to be integrity protected."
> Based on this language, it seems as if all nodes matching the XPath expression must be integrity constrained.
> Similar issues exist with the SignedParts, EncryptedParts, EncryptedElements, and ContentEncryptedElements assertions as well.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Assigned: (CXF-2638) WS-SecurityPolicy SignedElements,
SignedParts, EncryptedParts, EncryptedElements, and
ContentEncryptedElements assertions incorrectly verified
Posted by "Daniel Kulp (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CXF-2638?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Daniel Kulp reassigned CXF-2638:
--------------------------------
Assignee: Daniel Kulp
> WS-SecurityPolicy SignedElements, SignedParts, EncryptedParts, EncryptedElements, and ContentEncryptedElements assertions incorrectly verified
> ----------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: CXF-2638
> URL: https://issues.apache.org/jira/browse/CXF-2638
> Project: CXF
> Issue Type: Bug
> Components: WS-* Components
> Affects Versions: 2.3
> Reporter: David Valeri
> Assignee: Daniel Kulp
> Attachments: cxf-2638.patch
>
>
> When security configuration is provided via WS-SecurityPolicy, the PolicyBasedWSS4JInInterceptor enforces the SignedElements assertion incorrectly. If there is more than one match to the assertion XPath, the validation code does not correctly detect the unsigned matches so long as any one of the matches is signed. This logic does not accurately reflect the case in which multiple matches for the signature coverage XPath exist in the message and may provide a false sense of integrity in the message.
> Per section 1.2 of the WS-Security spec:
> The XPath expression "identifies the nodes to be integrity protected."
> Based on this language, it seems as if all nodes matching the XPath expression must be integrity constrained.
> Similar issues exist with the SignedParts, EncryptedParts, EncryptedElements, and ContentEncryptedElements assertions as well.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (CXF-2638) WS-SecurityPolicy SignedElements,
SignedParts, EncryptedParts, EncryptedElements, and
ContentEncryptedElements assertions incorrectly verified
Posted by "David Valeri (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CXF-2638?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
David Valeri updated CXF-2638:
------------------------------
Attachment: cxf-2638.patch
Attaching patch and test case. The coverage checking code is split into a utility class for use by an enhancement request I intend to submit in the near future.
> WS-SecurityPolicy SignedElements, SignedParts, EncryptedParts, EncryptedElements, and ContentEncryptedElements assertions incorrectly verified
> ----------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: CXF-2638
> URL: https://issues.apache.org/jira/browse/CXF-2638
> Project: CXF
> Issue Type: Bug
> Components: WS-* Components
> Affects Versions: 2.3
> Reporter: David Valeri
> Attachments: cxf-2638.patch
>
>
> When security configuration is provided via WS-SecurityPolicy, the PolicyBasedWSS4JInInterceptor enforces the SignedElements assertion incorrectly. If there is more than one match to the assertion XPath, the validation code does not correctly detect the unsigned matches so long as any one of the matches is signed. This logic does not accurately reflect the case in which multiple matches for the signature coverage XPath exist in the message and may provide a false sense of integrity in the message.
> Per section 1.2 of the WS-Security spec:
> The XPath expression "identifies the nodes to be integrity protected."
> Based on this language, it seems as if all nodes matching the XPath expression must be integrity constrained.
> Similar issues exist with the SignedParts, EncryptedParts, EncryptedElements, and ContentEncryptedElements assertions as well.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Resolved: (CXF-2638) WS-SecurityPolicy SignedElements,
SignedParts, EncryptedParts, EncryptedElements, and
ContentEncryptedElements assertions incorrectly verified
Posted by "Daniel Kulp (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CXF-2638?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Daniel Kulp resolved CXF-2638.
------------------------------
Resolution: Fixed
Fix Version/s: 2.2.7
Patch applied. Major thanks. This adds some much needed unit testing into the ws/security module.
> WS-SecurityPolicy SignedElements, SignedParts, EncryptedParts, EncryptedElements, and ContentEncryptedElements assertions incorrectly verified
> ----------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: CXF-2638
> URL: https://issues.apache.org/jira/browse/CXF-2638
> Project: CXF
> Issue Type: Bug
> Components: WS-* Components
> Affects Versions: 2.3
> Reporter: David Valeri
> Assignee: Daniel Kulp
> Fix For: 2.2.7
>
> Attachments: cxf-2638-fixed.patch, cxf-2638.patch
>
>
> When security configuration is provided via WS-SecurityPolicy, the PolicyBasedWSS4JInInterceptor enforces the SignedElements assertion incorrectly. If there is more than one match to the assertion XPath, the validation code does not correctly detect the unsigned matches so long as any one of the matches is signed. This logic does not accurately reflect the case in which multiple matches for the signature coverage XPath exist in the message and may provide a false sense of integrity in the message.
> Per section 1.2 of the WS-Security spec:
> The XPath expression "identifies the nodes to be integrity protected."
> Based on this language, it seems as if all nodes matching the XPath expression must be integrity constrained.
> Similar issues exist with the SignedParts, EncryptedParts, EncryptedElements, and ContentEncryptedElements assertions as well.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (CXF-2638) WS-SecurityPolicy SignedElements,
SignedParts, EncryptedParts, EncryptedElements, and
ContentEncryptedElements assertions incorrectly verified
Posted by "Daniel Kulp (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CXF-2638?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12828660#action_12828660 ]
Daniel Kulp commented on CXF-2638:
----------------------------------
There are a bunch of missing files in this patch which is causing the new tests to fail.
org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest_bus_context.xml
signed_missing_signed_body.xml
encrypted_missing_enc_header.xml
encrypted_body_element.xml
encrypted_missing_enc_body.xml
encrypted_body_content.xml
et.c.....
Can you recreate the patch making sure all the files are "added" first?
Thanks!
> WS-SecurityPolicy SignedElements, SignedParts, EncryptedParts, EncryptedElements, and ContentEncryptedElements assertions incorrectly verified
> ----------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: CXF-2638
> URL: https://issues.apache.org/jira/browse/CXF-2638
> Project: CXF
> Issue Type: Bug
> Components: WS-* Components
> Affects Versions: 2.3
> Reporter: David Valeri
> Assignee: Daniel Kulp
> Attachments: cxf-2638.patch
>
>
> When security configuration is provided via WS-SecurityPolicy, the PolicyBasedWSS4JInInterceptor enforces the SignedElements assertion incorrectly. If there is more than one match to the assertion XPath, the validation code does not correctly detect the unsigned matches so long as any one of the matches is signed. This logic does not accurately reflect the case in which multiple matches for the signature coverage XPath exist in the message and may provide a false sense of integrity in the message.
> Per section 1.2 of the WS-Security spec:
> The XPath expression "identifies the nodes to be integrity protected."
> Based on this language, it seems as if all nodes matching the XPath expression must be integrity constrained.
> Similar issues exist with the SignedParts, EncryptedParts, EncryptedElements, and ContentEncryptedElements assertions as well.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.