You are viewing a plain text version of this content. The canonical link for it is here.
Posted to java-commits@axis.apache.org by ve...@apache.org on 2012/01/24 00:24:13 UTC

svn commit: r1235059 - /axis/axis2/java/rampart/trunk/modules/rampart-core/src/main/java/org/apache/rampart/util/Axis2Util.java

Author: veithen
Date: Mon Jan 23 23:24:13 2012
New Revision: 1235059

URL: http://svn.apache.org/viewvc?rev=1235059&view=rev
Log:
Fixed an issue in Rampart that occured because it was implicitly relying on a non-conformance of DOOM's DOM implementation.

The issue occurs if all of the following conditions are satisfied:
1. The service uses DOOM to create the response message.
2. The content of the response message is prepared using the DOM API and no provisions are made to ensure that the object model is well formed with respect to namespaces (i.e. that all namespace declarations are present).
3. The response message is signed or encrypted by WSS4J/Santuario.

In practice these conditions are only satisfied by Rampart's STS.

Modified:
    axis/axis2/java/rampart/trunk/modules/rampart-core/src/main/java/org/apache/rampart/util/Axis2Util.java

Modified: axis/axis2/java/rampart/trunk/modules/rampart-core/src/main/java/org/apache/rampart/util/Axis2Util.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/trunk/modules/rampart-core/src/main/java/org/apache/rampart/util/Axis2Util.java?rev=1235059&r1=1235058&r2=1235059&view=diff
==============================================================================
--- axis/axis2/java/rampart/trunk/modules/rampart-core/src/main/java/org/apache/rampart/util/Axis2Util.java (original)
+++ axis/axis2/java/rampart/trunk/modules/rampart-core/src/main/java/org/apache/rampart/util/Axis2Util.java Mon Jan 23 23:24:13 2012
@@ -36,6 +36,7 @@ import org.apache.axiom.soap.impl.builde
 import org.apache.rampart.handler.WSSHandlerConstants;
 import org.apache.ws.security.WSSecurityException;
 import org.apache.xml.security.utils.XMLUtils;
+import org.w3c.dom.DOMConfiguration;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 
@@ -100,6 +101,23 @@ public class Axis2Util {
                 if (element.getParentNode() != document) {
                     document.appendChild(element);
                 }
+                // If the Axiom implementation supports DOM, then it is possible/likely that the
+                // DOM API was used to create the object model (or parts of it). In this case, the
+                // object model is not necessarily well formed with respect to namespaces because
+                // DOM doesn't generate namespace declarations automatically. This is an issue
+                // because WSS4J/Santuario expects that all namespace declarations are present.
+                // If this is not the case, then signature values or encryptions will be incorrect.
+                // To avoid this, we normalize the document. Note that if we disable the other
+                // normalizations supported by DOM, this is generally not a heavy operation.
+                // In particular, the Axiom implementation is not required to expand the object
+                // model (including OMSourcedElements) because the Axiom builder is required to
+                // perform namespace repairing, so that no modifications to unexpanded parts of
+                // the message are required.
+                DOMConfiguration domConfig = document.getDomConfig();
+                domConfig.setParameter("split-cdata-sections", Boolean.FALSE);
+                domConfig.setParameter("well-formed", Boolean.FALSE);
+                domConfig.setParameter("namespaces", Boolean.TRUE);
+                document.normalizeDocument();
                 return document;
             }