You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ws.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2014/07/15 16:10:06 UTC
[jira] [Updated] (WSS-505) WSSecurityUtil .storeElementInContext
throws ArrayIndexOutOfBoundsException
[ https://issues.apache.org/jira/browse/WSS-505?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh updated WSS-505:
------------------------------------
Fix Version/s: 1.6.17
> WSSecurityUtil .storeElementInContext throws ArrayIndexOutOfBoundsException
> ---------------------------------------------------------------------------
>
> Key: WSS-505
> URL: https://issues.apache.org/jira/browse/WSS-505
> Project: WSS4J
> Issue Type: Bug
> Components: WSS4J Core
> Affects Versions: 1.6.16
> Environment: Windows 7, Java 7
> Reporter: Bruno Campolo
> Assignee: Colm O hEigeartaigh
> Fix For: 1.6.17
>
>
> When calling an Apache CXF STS, a RSTR is sent along with a corresponding Signature element in the Security header. The XML Signature specification states that a Reference URI="" should be allowed, but WSS4J throws an ArrayIndexOutOfBoundsException in this case.
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
> <SignedInfo>
> <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
> <Reference URI="">
> <Transforms>
> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
> </Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
> <DigestValue>#### REMOVED ####</DigestValue>
> </Reference>
> </SignedInfo>
> <SignatureValue>#### REMOVED ####</SignatureValue>
> <KeyInfo>
> <wsse:SecurityTokenReference wsu:Id="STR-96B0809D81C151981114049297131153">
> <wsse:Reference URI="1058eb35-d9a6-4ff8-84ac-4f6d35ba3b3c"
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
> </wsse:SecurityTokenReference>
> </KeyInfo>
> </Signature>
> It appears that the code that fails is in org.apache.ws.security.util.SecurityUtil:
> public static void storeElementInContext(DOMCryptoContext context, String uri, Element element) {
> String id = uri;
> if (uri.charAt(0) == '#') { <---- Exception thrown here since uri = ""
> id = id.substring(1);
> }
>
--
This message was sent by Atlassian JIRA
(v6.2#6252)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org