Posted to wss4j-dev@ws.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2008/10/02 13:09:44 UTC

[jira] Created: (WSS-145) Problem in upgrading to xml-sec 1.4.2

Problem in upgrading to xml-sec 1.4.2
-------------------------------------

                 Key: WSS-145
                 URL: https://issues.apache.org/jira/browse/WSS-145
             Project: WSS4J
          Issue Type: Improvement
          Components: WSS4J Core
    Affects Versions: 1.5.4
            Reporter: Colm O hEigeartaigh
            Assignee: Werner Dittmann
             Fix For: 1.5.5



WSS4J 1.5.4 has a dependency on xml-sec 1.4.0. xml-sec 1.4.1 has a major c14n fix, but we ran into a critical problem with encryption, see:

http://issues.apache.org/jira/browse/WSS-128

Ideally we'd like to release WSS4J 1.5.5 with xml-sec 1.4.2. However, there's a problem with namespace prefixes when signing a request:

http://www.nabble.com/Undeclared-namespace-prefix-"ds"-error-tt19668706.html#a19668706

It's still not clear at this stage whether it's a problem in WSS4J or xml-sec, or why this problem doesn't appear when xml-sec 1.4.0 or 1.4.1 is used.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org


RE: [jira] Created: (WSS-145) Problem in upgrading to xml-sec 1.4.2

Posted by "Dittmann, Werner (NSN - DE/Munich)" <we...@nsn.com>.
Colm,

I'm in contact with the guys from xmlsec to clarify this issue.
Some test cases indicate that it is a problem inside xmlsec-1.4.2;
further tests are ongoing.

Werner 



[jira] Resolved: (WSS-145) Problem in upgrading to xml-sec 1.4.2

Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WSS-145?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh resolved WSS-145.
-------------------------------------

    Resolution: Fixed



[jira] Assigned: (WSS-145) Problem in upgrading to xml-sec 1.4.2

Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WSS-145?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh reassigned WSS-145:
---------------------------------------

    Assignee: Colm O hEigeartaigh  (was: Werner Dittmann)



Re: [jira] Updated: (WSS-145) Problem in upgrading to xml-sec 1.4.2

Posted by Werner Dittmann <We...@t-online.de>.
This works, sure.

There is some discussion at xml-sec about the decision to declare
some specific elements as "Signature" internal. I'll file a JIRA
to xml-sec against the modification; it may cause failures on other
xml-sec elements also, not only for KeyInfo.

But as a security measure we should use this patch for WSS4J.

Regards,
Werner





[jira] Updated: (WSS-145) Problem in upgrading to xml-sec 1.4.2

Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WSS-145?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh updated WSS-145:
------------------------------------

    Attachment: wss4j_wss145.patch


Werner, please have a look at the attached patch for this issue and let me know if this is acceptable to you. 

I followed the discussion on security-dev on this issue...it seemed to me that there wasn't a consensus on whether the bug was in WSS4J or xml-sec. In any case, a simple fix in WSS4J solves the problem, which essentially amounts to doing this whenever a KeyInfo object is created:

Element keyInfoElement = keyInfo.getElement();
keyInfoElement.setAttributeNS(WSConstants.XMLNS_NS, "xmlns:"
        + WSConstants.SIG_PREFIX, WSConstants.SIG_NS);

This way, the "ds" namespace gets set properly on the DOM element.

There are no backwards compatibility issues, as I've tested the changes with both xmlsec 1.4.0 and 1.4.2, and the tests all pass.
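
The effect of the declaration quoted above, as an added example that is not part of the original message or of WSS4J: a JDK-only check that lists prefixed elements with no xmlns attribute in scope, run on a constructed ds:KeyInfo before and after the attribute is set. The class name, helper names and the literal namespace values (standing in for the WSConstants fields) are assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

public class KeyInfoNamespaceCheck {
    // Standard namespace URIs; these literals stand in for the WSConstants fields (assumption).
    static final String XMLNS_NS = "http://www.w3.org/2000/xmlns/";
    static final String SIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    static final String SIG_PREFIX = "ds";

    /** True if an xmlns:prefix attribute exists on el or on one of its ancestor elements. */
    static boolean hasDeclaration(Element el, String prefix) {
        for (Node n = el; n instanceof Element; n = n.getParentNode()) {
            if (((Element) n).hasAttributeNS(XMLNS_NS, prefix)) {
                return true;
            }
        }
        return false;
    }

    /** Collects prefixed elements under root whose prefix has no xmlns attribute in scope. */
    static List<String> undeclared(Element root) {
        List<String> out = new ArrayList<>();
        if (root.getPrefix() != null && !hasDeclaration(root, root.getPrefix())) {
            out.add(root.getNodeName());
        }
        for (Node c = root.getFirstChild(); c != null; c = c.getNextSibling()) {
            if (c instanceof Element) {
                out.addAll(undeclared((Element) c));
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().newDocument();

        // Constructed sample: a detached ds:KeyInfo built through the DOM API only.
        // createElementNS binds the namespace URI but adds no xmlns:ds attribute.
        Element keyInfo = doc.createElementNS(SIG_NS, SIG_PREFIX + ":KeyInfo");
        keyInfo.appendChild(doc.createElementNS(SIG_NS, SIG_PREFIX + ":KeyName"));
        System.out.println("before: " + undeclared(keyInfo));

        // The declaration from the message above, applied to the sample element.
        keyInfo.setAttributeNS(XMLNS_NS, "xmlns:" + SIG_PREFIX, SIG_NS);
        System.out.println("after:  " + undeclared(keyInfo));
    }
}
```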






[jira] Commented: (WSS-145) Problem in upgrading to xml-sec 1.4.2

Posted by "Dittmann, Werner (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WSS-145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12636346#action_12636346 ] 

Dittmann, Werner commented on WSS-145:
--------------------------------------

Colm,

I'm in contact with the guys from xmlsec to clarify this issue.
Some test cases indicate that it is a problem inside xmlsec-1.4.2;
further tests are ongoing.

Werner 



[jira] Commented: (WSS-145) Problem in upgrading to xml-sec 1.4.2

Posted by "Werner Dittmann (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WSS-145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12640268#action_12640268 ] 

Werner Dittmann commented on WSS-145:
-------------------------------------

This works, sure.

There is some discussion at xml-sec about the decision to declare
some specific elements as "Signature" internal. I'll file a JIRA
to xml-sec against the modification; it may cause failures on other
xml-sec elements also, not only for KeyInfo.

But as a security measure we should use this patch for WSS4J.

Regards,
Werner








[jira] Closed: (WSS-145) Problem in upgrading to xml-sec 1.4.2

Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WSS-145?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh closed WSS-145.
-----------------------------------

