You are viewing a plain text version of this content. The canonical link for it is here.
Posted to java-dev@axis.apache.org by "Nandana Mihindukulasooriya (JIRA)" <ji...@apache.org> on 2010/12/23 01:40:00 UTC
[jira] Resolved: (RAMPART-218) EncryptedElements assertion failed
validation in PolicyBasedResultsValidator
[ https://issues.apache.org/jira/browse/RAMPART-218?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Nandana Mihindukulasooriya resolved RAMPART-218.
------------------------------------------------
Resolution: Fixed
Fix Version/s: 1.5.1
This is fixed in the trunk. Added a test case with the attached policy to verify the fix.
> EncryptedElements assertion failed validation in PolicyBasedResultsValidator
> ----------------------------------------------------------------------------
>
> Key: RAMPART-218
> URL: https://issues.apache.org/jira/browse/RAMPART-218
> Project: Rampart
> Issue Type: Bug
> Components: rampart-core
> Reporter: Stefan Vladov
> Assignee: Nandana Mihindukulasooriya
> Fix For: 1.5.1
>
> Attachments: securityPolicy.xml
>
>
> I've encountered some problems using the EncryptedElements assertion:
> 1) Rampart is not executed when the EncryptedElements assertion is the only protection assertion in the message (no other encryption / signature / timestamp), since the RampartUtil#isSecHeaderReuired check fails. Essentially the execution does not get in the following block
> if (rpd.isEncryptBody() || rpd.getEncryptedParts().size() != 0 && rpd.getEncryptedElements().size() != 0 ) {
> return true;
> }
> and thus the method returns false. Shouldn't it be enough to have an EncryptedElements assertion to trigger rampart and why is it required to also have EncryptedParts ?
> 2) In the PolicyBasedResultsValidator#validateEncryptedParts when calling isRefIdPresent(encrRefs, encPart.getEncId()) the encId of the encrypted element has a "#" before the id (as if it ware a reference). Essentially after decrypting the element, the EncryptedKeyProcessor in WSS4J adds a wsu:Id attribute to that element with the "#" sign (EncryptedKeyProcessor#decryptDataRef in the end of the method it calls
> ((Element)node).setAttributeNS(WSConstants.WSU_NS, wsuPrefix + ":Id", dataRefURI);
> wsDataRef.setWsuId(dataRefURI.substring(1));
> where the dataRefURI is the encrypted element id with the "#" in front.
> ). Since the wsu:Id attribute contains the "#" character the method isRefIdPresent fails to find the element id in the list of references and the validation fails. I'm not sure whether this is a problem in wss4j or in rampart but a simple workaround would be to add the following lines in the validateEncryptedParts method:
> if (encPart.getEncId() == null) {
> throw new RampartException("encryptedPartMissing",
> new String[]{encPart.getNamespace()+":"+encPart.getName()});
> } else {
> String encId = encPart.getEncId();
> if (encId != null && encId.startsWith("#")) {
> encId = encId.substring(1);
> }
> if (!isRefIdPresent(encrRefs, encId)) {
> throw new RampartException("encryptedPartMissing",
> new String[]{encPart.getNamespace()+":"+encPart.getName()});
> }
> }
> instead of
> if (encPart.getEncId() == null) {
> throw new RampartException("encryptedPartMissing",
> new String[]{encPart.getNamespace()+":"+encPart.getName()});
> } else if (!isRefIdPresent(encrRefs, encPart.getEncId())) {
> throw new RampartException("encryptedPartMissing",
> new String[]{encPart.getNamespace()+":"+encPart.getName()});
> }
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org