You are viewing a plain text version of this content. The canonical link for it is here.

Posted to java-dev@axis.apache.org by "Samisa Abeysinghe (JIRA)" <ji...@apache.org> on 2010/12/21 14:38:01 UTC

[jira] Resolved: (RAMPART-238) Axis2: Rampart module is not checking the existence of signature value within wsse:security tag

     [ https://issues.apache.org/jira/browse/RAMPART-238?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Samisa Abeysinghe resolved RAMPART-238.
---------------------------------------

    Resolution: Invalid

WSDoAllReceiver is deprecated. Please use the policy based approach. 

> Axis2: Rampart module is not checking the existence of signature value within wsse:security tag
> -----------------------------------------------------------------------------------------------
>
>                 Key: RAMPART-238
>                 URL: https://issues.apache.org/jira/browse/RAMPART-238
>             Project: Rampart
>          Issue Type: Bug
>         Environment: Linux  2.6.9-78.0.1.ELsmp
>            Reporter: Peter Kim
>            Assignee: Nandana Mihindukulasooriya
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> Rampart module works well if correct signature value exist or incorrect signature value exit, but still allows the message go through even without any signature value defined. What seems to be missing is checking for whether signature value exist after getting back wsResult vector from wss4j processing header api call (WSDoAllReceiver.java).
> I have added the following lines to check for the existence.
> **********
>         boolean isSigned = false;
>         if (wsResult != null) {
>         	if ((doAction & WSConstants.SIGN) == WSConstants.SIGN) {
>             	log.info("WSDoAllReceiver: SOAP message MUST contain sinature values");
>             	for (int i = 0; i < wsResult.size(); i++){
>         		WSSecurityEngineResult secengine = (WSSecurityEngineResult) wsResult.elementAt(i);
>         			
>                 	log.info("WSDoAllReceiver: Find sig value : "+
>                 			secengine.get(secengine.TAG_SIGNATURE_VALUE));
>                 	Object tempstr = secengine.get(secengine.TAG_SIGNATURE_VALUE);
>                 	if (tempstr != null) {
>                 		isSigned = true;
>                 		break;
>                 	}
>                 }
>             	log.info("WSDoAllReceiver: contains signature : "+isSigned);
>             	if (!isSigned) {
>                     throw new AxisFault(
>                     "WSDoAllReceiver: Incoming message does not contain signature");
>             		
>             	}
>         	}
> **********
> Please review and rectify if necessary.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org