You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ws.apache.org by Colm O hEigeartaigh <co...@progress.com> on 2009/03/10 18:41:13 UTC
[VOTE] release wss4j-1.5.6
To the Apache Web Services Community,
This is a call for votes for the wss4j-1.5.6 release.
The distribution can be found at the following URL:
http://people.apache.org/~coheigea/stage/wss4j/1.5.6/dist/
You can also point maven at the following URL to pull down the 1.5.6
release POM, source, and class JARs:
http://people.apache.org/~coheigea/stage/wss4j/1.5.6/maven/
Additionally, the generated version of the web site can be found at
http://people.apache.org/~coheigea/stage/wss4j/1.5.6/site/
The list of bugs fixed in this release can be seen here:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=1231006
3&styleName=Html&version=12313623
This vote will stay open for at least 72 hours.
Here is my (non-binding and advisory) +1.
Thanks,
Colm.
Re: [VOTE] release wss4j-1.5.6
Posted by Fred Dushin <fa...@apache.org>.
+1
On Mar 10, 2009, at 1:41 PM, Colm O hEigeartaigh wrote:
> To the Apache Web Services Community,
>
> This is a call for votes for the wss4j-1.5.6 release.
>
> The distribution can be found at the following URL:
>
> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/dist/
>
> You can also point maven at the following URL to pull down the 1.5.6
> release POM, source, and class JARs:
>
> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/maven/
>
> Additionally, the generated version of the web site can be found at
>
> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/site/
>
> The list of bugs fixed in this release can be seen here:
>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=1231006
> 3&styleName=Html&version=12313623
>
> This vote will stay open for at least 72 hours.
>
> Here is my (non-binding and advisory) +1.
>
> Thanks,
>
> Colm.
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
Re: [VOTE] release wss4j-1.5.6
Posted by Fred Dushin <fa...@apache.org>.
+1
On Mar 10, 2009, at 1:41 PM, Colm O hEigeartaigh wrote:
> To the Apache Web Services Community,
>
> This is a call for votes for the wss4j-1.5.6 release.
>
> The distribution can be found at the following URL:
>
> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/dist/
>
> You can also point maven at the following URL to pull down the 1.5.6
> release POM, source, and class JARs:
>
> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/maven/
>
> Additionally, the generated version of the web site can be found at
>
> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/site/
>
> The list of bugs fixed in this release can be seen here:
>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=1231006
> 3&styleName=Html&version=12313623
>
> This vote will stay open for at least 72 hours.
>
> Here is my (non-binding and advisory) +1.
>
> Thanks,
>
> Colm.
Fwd: [VOTE] release wss4j-1.5.6
Posted by Ruchith Fernando <ru...@gmail.com>.
fwd to wss4j-dev@
---------- Forwarded message ----------
From: Ruchith Fernando <ru...@gmail.com>
Date: Fri, Mar 13, 2009 at 12:07 AM
Subject: Re: [VOTE] release wss4j-1.5.6
To: general@ws.apache.org
+1
Thanks,
Ruchith
On Thu, Mar 12, 2009 at 9:56 AM, Glen Daniels <gl...@thoughtcraft.com> wrote:
>
> Nandana Mihindukulasooriya wrote:
>> +1. Tested the rampart trunk with the staged wss4j 1.5.6 with Clom's patch.
>
> Here's my +1. Thanks Nandana, and once again great job to the WSS4J team!
>
> --Glen
>
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
Re: [VOTE] release wss4j-1.5.6
Posted by Ruchith Fernando <ru...@gmail.com>.
+1
Thanks,
Ruchith
On Thu, Mar 12, 2009 at 9:56 AM, Glen Daniels <gl...@thoughtcraft.com> wrote:
>
> Nandana Mihindukulasooriya wrote:
>> +1. Tested the rampart trunk with the staged wss4j 1.5.6 with Clom's patch.
>
> Here's my +1. Thanks Nandana, and once again great job to the WSS4J team!
>
> --Glen
>
--
http://blog.ruchith.org
Re: [VOTE] release wss4j-1.5.6
Posted by Glen Daniels <gl...@thoughtcraft.com>.
Nandana Mihindukulasooriya wrote:
> +1. Tested the rampart trunk with the staged wss4j 1.5.6 with Clom's patch.
Here's my +1. Thanks Nandana, and once again great job to the WSS4J team!
--Glen
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
Re: [VOTE] release wss4j-1.5.6
Posted by Glen Daniels <gl...@thoughtcraft.com>.
Nandana Mihindukulasooriya wrote:
> +1. Tested the rampart trunk with the staged wss4j 1.5.6 with Clom's patch.
Here's my +1. Thanks Nandana, and once again great job to the WSS4J team!
--Glen
Re: [VOTE] release wss4j-1.5.6
Posted by Glen Daniels <gl...@thoughtcraft.com>.
Nandana Mihindukulasooriya wrote:
> +1. Tested the rampart trunk with the staged wss4j 1.5.6 with Clom's patch.
Here's my +1. Thanks Nandana, and once again great job to the WSS4J team!
--Glen
Re: [VOTE] release wss4j-1.5.6
Posted by Nandana Mihindukulasooriya <na...@gmail.com>.
+1. Tested the rampart trunk with the staged wss4j 1.5.6 with Clom's patch.
thanks,
Nandana
On Wed, Mar 11, 2009 at 6:59 AM, Nandana Mihindukulasooriya <
nandana.cse@gmail.com> wrote:
> Hi Clom,
> I will test this first thing today morning and update the vote.
>
> thanks,
> Nandana
>
> P.S. : Congratulations on getting WSS4J 1.5.6 out and getting WS Trust
> stuff working.
>
>
> On Wed, Mar 11, 2009 at 6:44 AM, Glen Daniels <gl...@thoughtcraft.com>wrote:
>
>> Hey Dan, Colm, all:
>>
>> This makes sense, and you can consider my -1 withdrawn.
>> .
>> I would, however, like to see Nandana's +1 on this before it goes out.
>>
>> Thanks,
>> --Glen
>>
>> Daniel Kulp wrote:
>> > As Colm mentioned, there is a patch on the Jira already. (actually,
>> Colm
>> > could just commit it probably, but I suppose having someone look at it
>> is a
>> > good idea)
>> >
>> > Basically, this is a bug in Rampart. Rampart is suffering from the
>> same
>> > "blindly strip the first char" problem that wss4j did. If you put some
>> > printlns in the rampart token store, with 1.5.5, you can see:
>> >
>> > add: 7EA37A075C8888C7BE12367220453773
>> > add: #sctId-1176318351
>> > get: #sctId-1176318351: org.apache.rahas.Token@364e50ee
>> > get: 7EA37A075C8888C7BE12367220453773: org.apache.rahas.Token@420253af
>> > Service invoked
>> > get: sctId-1176318351: org.apache.rahas.Token@420253af
>> > get: EA37A075C8888C7BE12367220453773: org.apache.rahas.Token@364e50ee
>> >
>> > The last line is the tell tale sign. That ID is NOT a valid token ID,
>> but the
>> > token store is finding a token for it. That's probably some sort of
>> security
>> > violation or something. Not sure how exploitable it is. What's
>> worse, in
>> > SOME cases, if you pass the VALID id in, the store doesn't find the
>> token for
>> > it.
>> >
>> > Actually, I would take the patch one furthur and update the
>> > STSClient.findIdentifier method to check the unattached first instead of
>> the
>> > attached. With that, all the "add" calls would be with the full id and
>> not
>> > the wsu:Id. The lookups later would be a bit quicker then as well.
>> >
>> >
>> > My recommendation would be to get wss4j 1.5.6 out and then follow it up
>> with a
>> > rampart release that fixes those issues.
>> >
>> > Dan
>> >
>> >
>> > On Tue March 10 2009 4:53:23 pm Glen Daniels wrote:
>> >> Hi Colm, all:
>> >>
>> >> -1 from me, unfortunately, since running the Rampart build with the new
>> >> WSS4J produced a test failure. In particular the testWithPolicy() test
>> >> in RampartTest (integration module) fails.
>> >>
>> >> DanK believes this might have to do with the way WSS4J has corrected
>> its
>> >> URL handling (it was previously truncating the 1st char of all urls
>> >> assuming that they'd be of the form "#urn...").
>> >>
>> >> Could someone from rampart-dev have a look at this?
>> >>
>> >> Thanks,
>> >> --Glen
>> >>
>> >> P.S. A huge +1, by the way, to the congratulations on all the hard
>> work
>> >> and interop success!
>> >>
>> >> Colm O hEigeartaigh wrote:
>> >>> To the Apache Web Services Community,
>> >>>
>> >>> This is a call for votes for the wss4j-1.5.6 release.
>> >>>
>> >>> The distribution can be found at the following URL:
>> >>>
>> >>> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/dist/<http://people.apache.org/%7Ecoheigea/stage/wss4j/1.5.6/dist/>
>> >>>
>> >>> You can also point maven at the following URL to pull down the 1.5.6
>> >>> release POM, source, and class JARs:
>> >>>
>> >>> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/maven/<http://people.apache.org/%7Ecoheigea/stage/wss4j/1.5.6/maven/>
>> >>>
>> >>> Additionally, the generated version of the web site can be found at
>> >>>
>> >>> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/site/<http://people.apache.org/%7Ecoheigea/stage/wss4j/1.5.6/site/>
>> >>>
>> >>> The list of bugs fixed in this release can be seen here:
>> >>>
>> >>>
>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=1231006
>> >>> 3&styleName=Html&version=12313623
>> >>>
>> >>> This vote will stay open for at least 72 hours.
>> >>>
>> >>> Here is my (non-binding and advisory) +1.
>> >>>
>> >>> Thanks,
>> >>>
>> >>> Colm.
>> >> ---------------------------------------------------------------------
>> >> To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
>> >> For additional commands, e-mail: wss4j-dev-help@ws.apache.org
>> >
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
>> For additional commands, e-mail: wss4j-dev-help@ws.apache.org
>>
>>
Re: [VOTE] release wss4j-1.5.6
Posted by Nandana Mihindukulasooriya <na...@gmail.com>.
+1. Tested the rampart trunk with the staged wss4j 1.5.6 with Clom's patch.
thanks,
Nandana
On Wed, Mar 11, 2009 at 6:59 AM, Nandana Mihindukulasooriya <
nandana.cse@gmail.com> wrote:
> Hi Clom,
> I will test this first thing today morning and update the vote.
>
> thanks,
> Nandana
>
> P.S. : Congratulations on getting WSS4J 1.5.6 out and getting WS Trust
> stuff working.
>
>
> On Wed, Mar 11, 2009 at 6:44 AM, Glen Daniels <gl...@thoughtcraft.com>wrote:
>
>> Hey Dan, Colm, all:
>>
>> This makes sense, and you can consider my -1 withdrawn.
>> .
>> I would, however, like to see Nandana's +1 on this before it goes out.
>>
>> Thanks,
>> --Glen
>>
>> Daniel Kulp wrote:
>> > As Colm mentioned, there is a patch on the Jira already. (actually,
>> Colm
>> > could just commit it probably, but I suppose having someone look at it
>> is a
>> > good idea)
>> >
>> > Basically, this is a bug in Rampart. Rampart is suffering from the
>> same
>> > "blindly strip the first char" problem that wss4j did. If you put some
>> > printlns in the rampart token store, with 1.5.5, you can see:
>> >
>> > add: 7EA37A075C8888C7BE12367220453773
>> > add: #sctId-1176318351
>> > get: #sctId-1176318351: org.apache.rahas.Token@364e50ee
>> > get: 7EA37A075C8888C7BE12367220453773: org.apache.rahas.Token@420253af
>> > Service invoked
>> > get: sctId-1176318351: org.apache.rahas.Token@420253af
>> > get: EA37A075C8888C7BE12367220453773: org.apache.rahas.Token@364e50ee
>> >
>> > The last line is the tell tale sign. That ID is NOT a valid token ID,
>> but the
>> > token store is finding a token for it. That's probably some sort of
>> security
>> > violation or something. Not sure how exploitable it is. What's
>> worse, in
>> > SOME cases, if you pass the VALID id in, the store doesn't find the
>> token for
>> > it.
>> >
>> > Actually, I would take the patch one furthur and update the
>> > STSClient.findIdentifier method to check the unattached first instead of
>> the
>> > attached. With that, all the "add" calls would be with the full id and
>> not
>> > the wsu:Id. The lookups later would be a bit quicker then as well.
>> >
>> >
>> > My recommendation would be to get wss4j 1.5.6 out and then follow it up
>> with a
>> > rampart release that fixes those issues.
>> >
>> > Dan
>> >
>> >
>> > On Tue March 10 2009 4:53:23 pm Glen Daniels wrote:
>> >> Hi Colm, all:
>> >>
>> >> -1 from me, unfortunately, since running the Rampart build with the new
>> >> WSS4J produced a test failure. In particular the testWithPolicy() test
>> >> in RampartTest (integration module) fails.
>> >>
>> >> DanK believes this might have to do with the way WSS4J has corrected
>> its
>> >> URL handling (it was previously truncating the 1st char of all urls
>> >> assuming that they'd be of the form "#urn...").
>> >>
>> >> Could someone from rampart-dev have a look at this?
>> >>
>> >> Thanks,
>> >> --Glen
>> >>
>> >> P.S. A huge +1, by the way, to the congratulations on all the hard
>> work
>> >> and interop success!
>> >>
>> >> Colm O hEigeartaigh wrote:
>> >>> To the Apache Web Services Community,
>> >>>
>> >>> This is a call for votes for the wss4j-1.5.6 release.
>> >>>
>> >>> The distribution can be found at the following URL:
>> >>>
>> >>> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/dist/<http://people.apache.org/%7Ecoheigea/stage/wss4j/1.5.6/dist/>
>> >>>
>> >>> You can also point maven at the following URL to pull down the 1.5.6
>> >>> release POM, source, and class JARs:
>> >>>
>> >>> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/maven/<http://people.apache.org/%7Ecoheigea/stage/wss4j/1.5.6/maven/>
>> >>>
>> >>> Additionally, the generated version of the web site can be found at
>> >>>
>> >>> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/site/<http://people.apache.org/%7Ecoheigea/stage/wss4j/1.5.6/site/>
>> >>>
>> >>> The list of bugs fixed in this release can be seen here:
>> >>>
>> >>>
>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=1231006
>> >>> 3&styleName=Html&version=12313623
>> >>>
>> >>> This vote will stay open for at least 72 hours.
>> >>>
>> >>> Here is my (non-binding and advisory) +1.
>> >>>
>> >>> Thanks,
>> >>>
>> >>> Colm.
>> >> ---------------------------------------------------------------------
>> >> To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
>> >> For additional commands, e-mail: wss4j-dev-help@ws.apache.org
>> >
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
>> For additional commands, e-mail: wss4j-dev-help@ws.apache.org
>>
>>
Re: [VOTE] release wss4j-1.5.6
Posted by Nandana Mihindukulasooriya <na...@gmail.com>.
+1. Tested the rampart trunk with the staged wss4j 1.5.6 with Clom's patch.
thanks,
Nandana
On Wed, Mar 11, 2009 at 6:59 AM, Nandana Mihindukulasooriya <
nandana.cse@gmail.com> wrote:
> Hi Clom,
> I will test this first thing today morning and update the vote.
>
> thanks,
> Nandana
>
> P.S. : Congratulations on getting WSS4J 1.5.6 out and getting WS Trust
> stuff working.
>
>
> On Wed, Mar 11, 2009 at 6:44 AM, Glen Daniels <gl...@thoughtcraft.com>wrote:
>
>> Hey Dan, Colm, all:
>>
>> This makes sense, and you can consider my -1 withdrawn.
>> .
>> I would, however, like to see Nandana's +1 on this before it goes out.
>>
>> Thanks,
>> --Glen
>>
>> Daniel Kulp wrote:
>> > As Colm mentioned, there is a patch on the Jira already. (actually,
>> Colm
>> > could just commit it probably, but I suppose having someone look at it
>> is a
>> > good idea)
>> >
>> > Basically, this is a bug in Rampart. Rampart is suffering from the
>> same
>> > "blindly strip the first char" problem that wss4j did. If you put some
>> > printlns in the rampart token store, with 1.5.5, you can see:
>> >
>> > add: 7EA37A075C8888C7BE12367220453773
>> > add: #sctId-1176318351
>> > get: #sctId-1176318351: org.apache.rahas.Token@364e50ee
>> > get: 7EA37A075C8888C7BE12367220453773: org.apache.rahas.Token@420253af
>> > Service invoked
>> > get: sctId-1176318351: org.apache.rahas.Token@420253af
>> > get: EA37A075C8888C7BE12367220453773: org.apache.rahas.Token@364e50ee
>> >
>> > The last line is the tell tale sign. That ID is NOT a valid token ID,
>> but the
>> > token store is finding a token for it. That's probably some sort of
>> security
>> > violation or something. Not sure how exploitable it is. What's
>> worse, in
>> > SOME cases, if you pass the VALID id in, the store doesn't find the
>> token for
>> > it.
>> >
>> > Actually, I would take the patch one furthur and update the
>> > STSClient.findIdentifier method to check the unattached first instead of
>> the
>> > attached. With that, all the "add" calls would be with the full id and
>> not
>> > the wsu:Id. The lookups later would be a bit quicker then as well.
>> >
>> >
>> > My recommendation would be to get wss4j 1.5.6 out and then follow it up
>> with a
>> > rampart release that fixes those issues.
>> >
>> > Dan
>> >
>> >
>> > On Tue March 10 2009 4:53:23 pm Glen Daniels wrote:
>> >> Hi Colm, all:
>> >>
>> >> -1 from me, unfortunately, since running the Rampart build with the new
>> >> WSS4J produced a test failure. In particular the testWithPolicy() test
>> >> in RampartTest (integration module) fails.
>> >>
>> >> DanK believes this might have to do with the way WSS4J has corrected
>> its
>> >> URL handling (it was previously truncating the 1st char of all urls
>> >> assuming that they'd be of the form "#urn...").
>> >>
>> >> Could someone from rampart-dev have a look at this?
>> >>
>> >> Thanks,
>> >> --Glen
>> >>
>> >> P.S. A huge +1, by the way, to the congratulations on all the hard
>> work
>> >> and interop success!
>> >>
>> >> Colm O hEigeartaigh wrote:
>> >>> To the Apache Web Services Community,
>> >>>
>> >>> This is a call for votes for the wss4j-1.5.6 release.
>> >>>
>> >>> The distribution can be found at the following URL:
>> >>>
>> >>> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/dist/<http://people.apache.org/%7Ecoheigea/stage/wss4j/1.5.6/dist/>
>> >>>
>> >>> You can also point maven at the following URL to pull down the 1.5.6
>> >>> release POM, source, and class JARs:
>> >>>
>> >>> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/maven/<http://people.apache.org/%7Ecoheigea/stage/wss4j/1.5.6/maven/>
>> >>>
>> >>> Additionally, the generated version of the web site can be found at
>> >>>
>> >>> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/site/<http://people.apache.org/%7Ecoheigea/stage/wss4j/1.5.6/site/>
>> >>>
>> >>> The list of bugs fixed in this release can be seen here:
>> >>>
>> >>>
>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=1231006
>> >>> 3&styleName=Html&version=12313623
>> >>>
>> >>> This vote will stay open for at least 72 hours.
>> >>>
>> >>> Here is my (non-binding and advisory) +1.
>> >>>
>> >>> Thanks,
>> >>>
>> >>> Colm.
>> >> ---------------------------------------------------------------------
>> >> To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
>> >> For additional commands, e-mail: wss4j-dev-help@ws.apache.org
>> >
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
>> For additional commands, e-mail: wss4j-dev-help@ws.apache.org
>>
>>
Re: [VOTE] release wss4j-1.5.6
Posted by Nandana Mihindukulasooriya <na...@gmail.com>.
Hi Clom,
I will test this first thing today morning and update the vote.
thanks,
Nandana
P.S. : Congratulations on getting WSS4J 1.5.6 out and getting WS Trust
stuff working.
On Wed, Mar 11, 2009 at 6:44 AM, Glen Daniels <gl...@thoughtcraft.com> wrote:
> Hey Dan, Colm, all:
>
> This makes sense, and you can consider my -1 withdrawn.
> .
> I would, however, like to see Nandana's +1 on this before it goes out.
>
> Thanks,
> --Glen
>
> Daniel Kulp wrote:
> > As Colm mentioned, there is a patch on the Jira already. (actually,
> Colm
> > could just commit it probably, but I suppose having someone look at it is
> a
> > good idea)
> >
> > Basically, this is a bug in Rampart. Rampart is suffering from the same
> > "blindly strip the first char" problem that wss4j did. If you put some
> > printlns in the rampart token store, with 1.5.5, you can see:
> >
> > add: 7EA37A075C8888C7BE12367220453773
> > add: #sctId-1176318351
> > get: #sctId-1176318351: org.apache.rahas.Token@364e50ee
> > get: 7EA37A075C8888C7BE12367220453773: org.apache.rahas.Token@420253af
> > Service invoked
> > get: sctId-1176318351: org.apache.rahas.Token@420253af
> > get: EA37A075C8888C7BE12367220453773: org.apache.rahas.Token@364e50ee
> >
> > The last line is the tell tale sign. That ID is NOT a valid token ID,
> but the
> > token store is finding a token for it. That's probably some sort of
> security
> > violation or something. Not sure how exploitable it is. What's worse,
> in
> > SOME cases, if you pass the VALID id in, the store doesn't find the token
> for
> > it.
> >
> > Actually, I would take the patch one furthur and update the
> > STSClient.findIdentifier method to check the unattached first instead of
> the
> > attached. With that, all the "add" calls would be with the full id and
> not
> > the wsu:Id. The lookups later would be a bit quicker then as well.
> >
> >
> > My recommendation would be to get wss4j 1.5.6 out and then follow it up
> with a
> > rampart release that fixes those issues.
> >
> > Dan
> >
> >
> > On Tue March 10 2009 4:53:23 pm Glen Daniels wrote:
> >> Hi Colm, all:
> >>
> >> -1 from me, unfortunately, since running the Rampart build with the new
> >> WSS4J produced a test failure. In particular the testWithPolicy() test
> >> in RampartTest (integration module) fails.
> >>
> >> DanK believes this might have to do with the way WSS4J has corrected its
> >> URL handling (it was previously truncating the 1st char of all urls
> >> assuming that they'd be of the form "#urn...").
> >>
> >> Could someone from rampart-dev have a look at this?
> >>
> >> Thanks,
> >> --Glen
> >>
> >> P.S. A huge +1, by the way, to the congratulations on all the hard work
> >> and interop success!
> >>
> >> Colm O hEigeartaigh wrote:
> >>> To the Apache Web Services Community,
> >>>
> >>> This is a call for votes for the wss4j-1.5.6 release.
> >>>
> >>> The distribution can be found at the following URL:
> >>>
> >>> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/dist/<http://people.apache.org/%7Ecoheigea/stage/wss4j/1.5.6/dist/>
> >>>
> >>> You can also point maven at the following URL to pull down the 1.5.6
> >>> release POM, source, and class JARs:
> >>>
> >>> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/maven/<http://people.apache.org/%7Ecoheigea/stage/wss4j/1.5.6/maven/>
> >>>
> >>> Additionally, the generated version of the web site can be found at
> >>>
> >>> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/site/<http://people.apache.org/%7Ecoheigea/stage/wss4j/1.5.6/site/>
> >>>
> >>> The list of bugs fixed in this release can be seen here:
> >>>
> >>>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=1231006
> >>> 3&styleName=Html&version=12313623
> >>>
> >>> This vote will stay open for at least 72 hours.
> >>>
> >>> Here is my (non-binding and advisory) +1.
> >>>
> >>> Thanks,
> >>>
> >>> Colm.
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
> >> For additional commands, e-mail: wss4j-dev-help@ws.apache.org
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
> For additional commands, e-mail: wss4j-dev-help@ws.apache.org
>
>
Re: [VOTE] release wss4j-1.5.6
Posted by Nandana Mihindukulasooriya <na...@gmail.com>.
Hi Clom,
I will test this first thing today morning and update the vote.
thanks,
Nandana
P.S. : Congratulations on getting WSS4J 1.5.6 out and getting WS Trust
stuff working.
On Wed, Mar 11, 2009 at 6:44 AM, Glen Daniels <gl...@thoughtcraft.com> wrote:
> Hey Dan, Colm, all:
>
> This makes sense, and you can consider my -1 withdrawn.
> .
> I would, however, like to see Nandana's +1 on this before it goes out.
>
> Thanks,
> --Glen
>
> Daniel Kulp wrote:
> > As Colm mentioned, there is a patch on the Jira already. (actually,
> Colm
> > could just commit it probably, but I suppose having someone look at it is
> a
> > good idea)
> >
> > Basically, this is a bug in Rampart. Rampart is suffering from the same
> > "blindly strip the first char" problem that wss4j did. If you put some
> > printlns in the rampart token store, with 1.5.5, you can see:
> >
> > add: 7EA37A075C8888C7BE12367220453773
> > add: #sctId-1176318351
> > get: #sctId-1176318351: org.apache.rahas.Token@364e50ee
> > get: 7EA37A075C8888C7BE12367220453773: org.apache.rahas.Token@420253af
> > Service invoked
> > get: sctId-1176318351: org.apache.rahas.Token@420253af
> > get: EA37A075C8888C7BE12367220453773: org.apache.rahas.Token@364e50ee
> >
> > The last line is the tell tale sign. That ID is NOT a valid token ID,
> but the
> > token store is finding a token for it. That's probably some sort of
> security
> > violation or something. Not sure how exploitable it is. What's worse,
> in
> > SOME cases, if you pass the VALID id in, the store doesn't find the token
> for
> > it.
> >
> > Actually, I would take the patch one furthur and update the
> > STSClient.findIdentifier method to check the unattached first instead of
> the
> > attached. With that, all the "add" calls would be with the full id and
> not
> > the wsu:Id. The lookups later would be a bit quicker then as well.
> >
> >
> > My recommendation would be to get wss4j 1.5.6 out and then follow it up
> with a
> > rampart release that fixes those issues.
> >
> > Dan
> >
> >
> > On Tue March 10 2009 4:53:23 pm Glen Daniels wrote:
> >> Hi Colm, all:
> >>
> >> -1 from me, unfortunately, since running the Rampart build with the new
> >> WSS4J produced a test failure. In particular the testWithPolicy() test
> >> in RampartTest (integration module) fails.
> >>
> >> DanK believes this might have to do with the way WSS4J has corrected its
> >> URL handling (it was previously truncating the 1st char of all urls
> >> assuming that they'd be of the form "#urn...").
> >>
> >> Could someone from rampart-dev have a look at this?
> >>
> >> Thanks,
> >> --Glen
> >>
> >> P.S. A huge +1, by the way, to the congratulations on all the hard work
> >> and interop success!
> >>
> >> Colm O hEigeartaigh wrote:
> >>> To the Apache Web Services Community,
> >>>
> >>> This is a call for votes for the wss4j-1.5.6 release.
> >>>
> >>> The distribution can be found at the following URL:
> >>>
> >>> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/dist/<http://people.apache.org/%7Ecoheigea/stage/wss4j/1.5.6/dist/>
> >>>
> >>> You can also point maven at the following URL to pull down the 1.5.6
> >>> release POM, source, and class JARs:
> >>>
> >>> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/maven/<http://people.apache.org/%7Ecoheigea/stage/wss4j/1.5.6/maven/>
> >>>
> >>> Additionally, the generated version of the web site can be found at
> >>>
> >>> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/site/<http://people.apache.org/%7Ecoheigea/stage/wss4j/1.5.6/site/>
> >>>
> >>> The list of bugs fixed in this release can be seen here:
> >>>
> >>>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=1231006
> >>> 3&styleName=Html&version=12313623
> >>>
> >>> This vote will stay open for at least 72 hours.
> >>>
> >>> Here is my (non-binding and advisory) +1.
> >>>
> >>> Thanks,
> >>>
> >>> Colm.
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
> >> For additional commands, e-mail: wss4j-dev-help@ws.apache.org
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
> For additional commands, e-mail: wss4j-dev-help@ws.apache.org
>
>
Re: [VOTE] release wss4j-1.5.6
Posted by Nandana Mihindukulasooriya <na...@gmail.com>.
Hi Clom,
I will test this first thing today morning and update the vote.
thanks,
Nandana
P.S. : Congratulations on getting WSS4J 1.5.6 out and getting WS Trust
stuff working.
On Wed, Mar 11, 2009 at 6:44 AM, Glen Daniels <gl...@thoughtcraft.com> wrote:
> Hey Dan, Colm, all:
>
> This makes sense, and you can consider my -1 withdrawn.
> .
> I would, however, like to see Nandana's +1 on this before it goes out.
>
> Thanks,
> --Glen
>
> Daniel Kulp wrote:
> > As Colm mentioned, there is a patch on the Jira already. (actually,
> Colm
> > could just commit it probably, but I suppose having someone look at it is
> a
> > good idea)
> >
> > Basically, this is a bug in Rampart. Rampart is suffering from the same
> > "blindly strip the first char" problem that wss4j did. If you put some
> > printlns in the rampart token store, with 1.5.5, you can see:
> >
> > add: 7EA37A075C8888C7BE12367220453773
> > add: #sctId-1176318351
> > get: #sctId-1176318351: org.apache.rahas.Token@364e50ee
> > get: 7EA37A075C8888C7BE12367220453773: org.apache.rahas.Token@420253af
> > Service invoked
> > get: sctId-1176318351: org.apache.rahas.Token@420253af
> > get: EA37A075C8888C7BE12367220453773: org.apache.rahas.Token@364e50ee
> >
> > The last line is the tell tale sign. That ID is NOT a valid token ID,
> but the
> > token store is finding a token for it. That's probably some sort of
> security
> > violation or something. Not sure how exploitable it is. What's worse,
> in
> > SOME cases, if you pass the VALID id in, the store doesn't find the token
> for
> > it.
> >
> > Actually, I would take the patch one furthur and update the
> > STSClient.findIdentifier method to check the unattached first instead of
> the
> > attached. With that, all the "add" calls would be with the full id and
> not
> > the wsu:Id. The lookups later would be a bit quicker then as well.
> >
> >
> > My recommendation would be to get wss4j 1.5.6 out and then follow it up
> with a
> > rampart release that fixes those issues.
> >
> > Dan
> >
> >
> > On Tue March 10 2009 4:53:23 pm Glen Daniels wrote:
> >> Hi Colm, all:
> >>
> >> -1 from me, unfortunately, since running the Rampart build with the new
> >> WSS4J produced a test failure. In particular the testWithPolicy() test
> >> in RampartTest (integration module) fails.
> >>
> >> DanK believes this might have to do with the way WSS4J has corrected its
> >> URL handling (it was previously truncating the 1st char of all urls
> >> assuming that they'd be of the form "#urn...").
> >>
> >> Could someone from rampart-dev have a look at this?
> >>
> >> Thanks,
> >> --Glen
> >>
> >> P.S. A huge +1, by the way, to the congratulations on all the hard work
> >> and interop success!
> >>
> >> Colm O hEigeartaigh wrote:
> >>> To the Apache Web Services Community,
> >>>
> >>> This is a call for votes for the wss4j-1.5.6 release.
> >>>
> >>> The distribution can be found at the following URL:
> >>>
> >>> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/dist/<http://people.apache.org/%7Ecoheigea/stage/wss4j/1.5.6/dist/>
> >>>
> >>> You can also point maven at the following URL to pull down the 1.5.6
> >>> release POM, source, and class JARs:
> >>>
> >>> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/maven/<http://people.apache.org/%7Ecoheigea/stage/wss4j/1.5.6/maven/>
> >>>
> >>> Additionally, the generated version of the web site can be found at
> >>>
> >>> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/site/<http://people.apache.org/%7Ecoheigea/stage/wss4j/1.5.6/site/>
> >>>
> >>> The list of bugs fixed in this release can be seen here:
> >>>
> >>>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=1231006
> >>> 3&styleName=Html&version=12313623
> >>>
> >>> This vote will stay open for at least 72 hours.
> >>>
> >>> Here is my (non-binding and advisory) +1.
> >>>
> >>> Thanks,
> >>>
> >>> Colm.
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
> >> For additional commands, e-mail: wss4j-dev-help@ws.apache.org
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
> For additional commands, e-mail: wss4j-dev-help@ws.apache.org
>
>
Re: [VOTE] release wss4j-1.5.6
Posted by Glen Daniels <gl...@thoughtcraft.com>.
Hey Dan, Colm, all:
This makes sense, and you can consider my -1 withdrawn.
I would, however, like to see Nandana's +1 on this before it goes out.
Thanks,
--Glen
Daniel Kulp wrote:
> As Colm mentioned, there is a patch on the Jira already. (actually, Colm
> could just commit it probably, but I suppose having someone look at it is a
> good idea)
>
> Basically, this is a bug in Rampart. Rampart is suffering from the same
> "blindly strip the first char" problem that wss4j did. If you put some
> printlns in the rampart token store, with 1.5.5, you can see:
>
> add: 7EA37A075C8888C7BE12367220453773
> add: #sctId-1176318351
> get: #sctId-1176318351: org.apache.rahas.Token@364e50ee
> get: 7EA37A075C8888C7BE12367220453773: org.apache.rahas.Token@420253af
> Service invoked
> get: sctId-1176318351: org.apache.rahas.Token@420253af
> get: EA37A075C8888C7BE12367220453773: org.apache.rahas.Token@364e50ee
>
> The last line is the tell tale sign. That ID is NOT a valid token ID, but the
> token store is finding a token for it. That's probably some sort of security
> violation or something. Not sure how exploitable it is. What's worse, in
> SOME cases, if you pass the VALID id in, the store doesn't find the token for
> it.
>
> Actually, I would take the patch one furthur and update the
> STSClient.findIdentifier method to check the unattached first instead of the
> attached. With that, all the "add" calls would be with the full id and not
> the wsu:Id. The lookups later would be a bit quicker then as well.
>
>
> My recommendation would be to get wss4j 1.5.6 out and then follow it up with a
> rampart release that fixes those issues.
>
> Dan
>
>
> On Tue March 10 2009 4:53:23 pm Glen Daniels wrote:
>> Hi Colm, all:
>>
>> -1 from me, unfortunately, since running the Rampart build with the new
>> WSS4J produced a test failure. In particular the testWithPolicy() test
>> in RampartTest (integration module) fails.
>>
>> DanK believes this might have to do with the way WSS4J has corrected its
>> URL handling (it was previously truncating the 1st char of all urls
>> assuming that they'd be of the form "#urn...").
>>
>> Could someone from rampart-dev have a look at this?
>>
>> Thanks,
>> --Glen
>>
>> P.S. A huge +1, by the way, to the congratulations on all the hard work
>> and interop success!
>>
>> Colm O hEigeartaigh wrote:
>>> To the Apache Web Services Community,
>>>
>>> This is a call for votes for the wss4j-1.5.6 release.
>>>
>>> The distribution can be found at the following URL:
>>>
>>> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/dist/
>>>
>>> You can also point maven at the following URL to pull down the 1.5.6
>>> release POM, source, and class JARs:
>>>
>>> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/maven/
>>>
>>> Additionally, the generated version of the web site can be found at
>>>
>>> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/site/
>>>
>>> The list of bugs fixed in this release can be seen here:
>>>
>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=1231006
>>> 3&styleName=Html&version=12313623
>>>
>>> This vote will stay open for at least 72 hours.
>>>
>>> Here is my (non-binding and advisory) +1.
>>>
>>> Thanks,
>>>
>>> Colm.
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
>> For additional commands, e-mail: wss4j-dev-help@ws.apache.org
>
Re: [VOTE] release wss4j-1.5.6
Posted by Glen Daniels <gl...@thoughtcraft.com>.
Hey Dan, Colm, all:
This makes sense, and you can consider my -1 withdrawn.
I would, however, like to see Nandana's +1 on this before it goes out.
Thanks,
--Glen
Daniel Kulp wrote:
> As Colm mentioned, there is a patch on the Jira already. (actually, Colm
> could just commit it probably, but I suppose having someone look at it is a
> good idea)
>
> Basically, this is a bug in Rampart. Rampart is suffering from the same
> "blindly strip the first char" problem that wss4j did. If you put some
> printlns in the rampart token store, with 1.5.5, you can see:
>
> add: 7EA37A075C8888C7BE12367220453773
> add: #sctId-1176318351
> get: #sctId-1176318351: org.apache.rahas.Token@364e50ee
> get: 7EA37A075C8888C7BE12367220453773: org.apache.rahas.Token@420253af
> Service invoked
> get: sctId-1176318351: org.apache.rahas.Token@420253af
> get: EA37A075C8888C7BE12367220453773: org.apache.rahas.Token@364e50ee
>
> The last line is the tell tale sign. That ID is NOT a valid token ID, but the
> token store is finding a token for it. That's probably some sort of security
> violation or something. Not sure how exploitable it is. What's worse, in
> SOME cases, if you pass the VALID id in, the store doesn't find the token for
> it.
>
> Actually, I would take the patch one furthur and update the
> STSClient.findIdentifier method to check the unattached first instead of the
> attached. With that, all the "add" calls would be with the full id and not
> the wsu:Id. The lookups later would be a bit quicker then as well.
>
>
> My recommendation would be to get wss4j 1.5.6 out and then follow it up with a
> rampart release that fixes those issues.
>
> Dan
>
>
> On Tue March 10 2009 4:53:23 pm Glen Daniels wrote:
>> Hi Colm, all:
>>
>> -1 from me, unfortunately, since running the Rampart build with the new
>> WSS4J produced a test failure. In particular the testWithPolicy() test
>> in RampartTest (integration module) fails.
>>
>> DanK believes this might have to do with the way WSS4J has corrected its
>> URL handling (it was previously truncating the 1st char of all urls
>> assuming that they'd be of the form "#urn...").
>>
>> Could someone from rampart-dev have a look at this?
>>
>> Thanks,
>> --Glen
>>
>> P.S. A huge +1, by the way, to the congratulations on all the hard work
>> and interop success!
>>
>> Colm O hEigeartaigh wrote:
>>> To the Apache Web Services Community,
>>>
>>> This is a call for votes for the wss4j-1.5.6 release.
>>>
>>> The distribution can be found at the following URL:
>>>
>>> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/dist/
>>>
>>> You can also point maven at the following URL to pull down the 1.5.6
>>> release POM, source, and class JARs:
>>>
>>> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/maven/
>>>
>>> Additionally, the generated version of the web site can be found at
>>>
>>> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/site/
>>>
>>> The list of bugs fixed in this release can be seen here:
>>>
>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=1231006
>>> 3&styleName=Html&version=12313623
>>>
>>> This vote will stay open for at least 72 hours.
>>>
>>> Here is my (non-binding and advisory) +1.
>>>
>>> Thanks,
>>>
>>> Colm.
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
>> For additional commands, e-mail: wss4j-dev-help@ws.apache.org
>
Re: [VOTE] release wss4j-1.5.6
Posted by Glen Daniels <gl...@thoughtcraft.com>.
Hey Dan, Colm, all:
This makes sense, and you can consider my -1 withdrawn.
I would, however, like to see Nandana's +1 on this before it goes out.
Thanks,
--Glen
Daniel Kulp wrote:
> As Colm mentioned, there is a patch on the Jira already. (actually, Colm
> could just commit it probably, but I suppose having someone look at it is a
> good idea)
>
> Basically, this is a bug in Rampart. Rampart is suffering from the same
> "blindly strip the first char" problem that wss4j did. If you put some
> printlns in the rampart token store, with 1.5.5, you can see:
>
> add: 7EA37A075C8888C7BE12367220453773
> add: #sctId-1176318351
> get: #sctId-1176318351: org.apache.rahas.Token@364e50ee
> get: 7EA37A075C8888C7BE12367220453773: org.apache.rahas.Token@420253af
> Service invoked
> get: sctId-1176318351: org.apache.rahas.Token@420253af
> get: EA37A075C8888C7BE12367220453773: org.apache.rahas.Token@364e50ee
>
> The last line is the tell tale sign. That ID is NOT a valid token ID, but the
> token store is finding a token for it. That's probably some sort of security
> violation or something. Not sure how exploitable it is. What's worse, in
> SOME cases, if you pass the VALID id in, the store doesn't find the token for
> it.
>
> Actually, I would take the patch one furthur and update the
> STSClient.findIdentifier method to check the unattached first instead of the
> attached. With that, all the "add" calls would be with the full id and not
> the wsu:Id. The lookups later would be a bit quicker then as well.
>
>
> My recommendation would be to get wss4j 1.5.6 out and then follow it up with a
> rampart release that fixes those issues.
>
> Dan
>
>
> On Tue March 10 2009 4:53:23 pm Glen Daniels wrote:
>> Hi Colm, all:
>>
>> -1 from me, unfortunately, since running the Rampart build with the new
>> WSS4J produced a test failure. In particular the testWithPolicy() test
>> in RampartTest (integration module) fails.
>>
>> DanK believes this might have to do with the way WSS4J has corrected its
>> URL handling (it was previously truncating the 1st char of all urls
>> assuming that they'd be of the form "#urn...").
>>
>> Could someone from rampart-dev have a look at this?
>>
>> Thanks,
>> --Glen
>>
>> P.S. A huge +1, by the way, to the congratulations on all the hard work
>> and interop success!
>>
>> Colm O hEigeartaigh wrote:
>>> To the Apache Web Services Community,
>>>
>>> This is a call for votes for the wss4j-1.5.6 release.
>>>
>>> The distribution can be found at the following URL:
>>>
>>> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/dist/
>>>
>>> You can also point maven at the following URL to pull down the 1.5.6
>>> release POM, source, and class JARs:
>>>
>>> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/maven/
>>>
>>> Additionally, the generated version of the web site can be found at
>>>
>>> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/site/
>>>
>>> The list of bugs fixed in this release can be seen here:
>>>
>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=1231006
>>> 3&styleName=Html&version=12313623
>>>
>>> This vote will stay open for at least 72 hours.
>>>
>>> Here is my (non-binding and advisory) +1.
>>>
>>> Thanks,
>>>
>>> Colm.
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
>> For additional commands, e-mail: wss4j-dev-help@ws.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
Re: [VOTE] release wss4j-1.5.6
Posted by Daniel Kulp <dk...@apache.org>.
Glen,
As Colm mentioned, there is a patch on the Jira already. (actually, Colm
could just commit it probably, but I suppose having someone look at it is a
good idea)
Basically, this is a bug in Rampart. Rampart is suffering from the same
"blindly strip the first char" problem that wss4j did. If you put some
printlns in the rampart token store, with 1.5.5, you can see:
add: 7EA37A075C8888C7BE12367220453773
add: #sctId-1176318351
get: #sctId-1176318351: org.apache.rahas.Token@364e50ee
get: 7EA37A075C8888C7BE12367220453773: org.apache.rahas.Token@420253af
Service invoked
get: sctId-1176318351: org.apache.rahas.Token@420253af
get: EA37A075C8888C7BE12367220453773: org.apache.rahas.Token@364e50ee
The last line is the tell tale sign. That ID is NOT a valid token ID, but the
token store is finding a token for it. That's probably some sort of security
violation or something. Not sure how exploitable it is. What's worse, in
SOME cases, if you pass the VALID id in, the store doesn't find the token for
it.
Actually, I would take the patch one furthur and update the
STSClient.findIdentifier method to check the unattached first instead of the
attached. With that, all the "add" calls would be with the full id and not
the wsu:Id. The lookups later would be a bit quicker then as well.
My recommendation would be to get wss4j 1.5.6 out and then follow it up with a
rampart release that fixes those issues.
Dan
On Tue March 10 2009 4:53:23 pm Glen Daniels wrote:
> Hi Colm, all:
>
> -1 from me, unfortunately, since running the Rampart build with the new
> WSS4J produced a test failure. In particular the testWithPolicy() test
> in RampartTest (integration module) fails.
>
> DanK believes this might have to do with the way WSS4J has corrected its
> URL handling (it was previously truncating the 1st char of all urls
> assuming that they'd be of the form "#urn...").
>
> Could someone from rampart-dev have a look at this?
>
> Thanks,
> --Glen
>
> P.S. A huge +1, by the way, to the congratulations on all the hard work
> and interop success!
>
> Colm O hEigeartaigh wrote:
> > To the Apache Web Services Community,
> >
> > This is a call for votes for the wss4j-1.5.6 release.
> >
> > The distribution can be found at the following URL:
> >
> > http://people.apache.org/~coheigea/stage/wss4j/1.5.6/dist/
> >
> > You can also point maven at the following URL to pull down the 1.5.6
> > release POM, source, and class JARs:
> >
> > http://people.apache.org/~coheigea/stage/wss4j/1.5.6/maven/
> >
> > Additionally, the generated version of the web site can be found at
> >
> > http://people.apache.org/~coheigea/stage/wss4j/1.5.6/site/
> >
> > The list of bugs fixed in this release can be seen here:
> >
> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=1231006
> > 3&styleName=Html&version=12313623
> >
> > This vote will stay open for at least 72 hours.
> >
> > Here is my (non-binding and advisory) +1.
> >
> > Thanks,
> >
> > Colm.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
> For additional commands, e-mail: wss4j-dev-help@ws.apache.org
--
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog
Re: [VOTE] release wss4j-1.5.6
Posted by Daniel Kulp <dk...@apache.org>.
Glen,
As Colm mentioned, there is a patch on the Jira already. (actually, Colm
could just commit it probably, but I suppose having someone look at it is a
good idea)
Basically, this is a bug in Rampart. Rampart is suffering from the same
"blindly strip the first char" problem that wss4j did. If you put some
printlns in the rampart token store, with 1.5.5, you can see:
add: 7EA37A075C8888C7BE12367220453773
add: #sctId-1176318351
get: #sctId-1176318351: org.apache.rahas.Token@364e50ee
get: 7EA37A075C8888C7BE12367220453773: org.apache.rahas.Token@420253af
Service invoked
get: sctId-1176318351: org.apache.rahas.Token@420253af
get: EA37A075C8888C7BE12367220453773: org.apache.rahas.Token@364e50ee
The last line is the tell tale sign. That ID is NOT a valid token ID, but the
token store is finding a token for it. That's probably some sort of security
violation or something. Not sure how exploitable it is. What's worse, in
SOME cases, if you pass the VALID id in, the store doesn't find the token for
it.
Actually, I would take the patch one furthur and update the
STSClient.findIdentifier method to check the unattached first instead of the
attached. With that, all the "add" calls would be with the full id and not
the wsu:Id. The lookups later would be a bit quicker then as well.
My recommendation would be to get wss4j 1.5.6 out and then follow it up with a
rampart release that fixes those issues.
Dan
On Tue March 10 2009 4:53:23 pm Glen Daniels wrote:
> Hi Colm, all:
>
> -1 from me, unfortunately, since running the Rampart build with the new
> WSS4J produced a test failure. In particular the testWithPolicy() test
> in RampartTest (integration module) fails.
>
> DanK believes this might have to do with the way WSS4J has corrected its
> URL handling (it was previously truncating the 1st char of all urls
> assuming that they'd be of the form "#urn...").
>
> Could someone from rampart-dev have a look at this?
>
> Thanks,
> --Glen
>
> P.S. A huge +1, by the way, to the congratulations on all the hard work
> and interop success!
>
> Colm O hEigeartaigh wrote:
> > To the Apache Web Services Community,
> >
> > This is a call for votes for the wss4j-1.5.6 release.
> >
> > The distribution can be found at the following URL:
> >
> > http://people.apache.org/~coheigea/stage/wss4j/1.5.6/dist/
> >
> > You can also point maven at the following URL to pull down the 1.5.6
> > release POM, source, and class JARs:
> >
> > http://people.apache.org/~coheigea/stage/wss4j/1.5.6/maven/
> >
> > Additionally, the generated version of the web site can be found at
> >
> > http://people.apache.org/~coheigea/stage/wss4j/1.5.6/site/
> >
> > The list of bugs fixed in this release can be seen here:
> >
> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=1231006
> > 3&styleName=Html&version=12313623
> >
> > This vote will stay open for at least 72 hours.
> >
> > Here is my (non-binding and advisory) +1.
> >
> > Thanks,
> >
> > Colm.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
> For additional commands, e-mail: wss4j-dev-help@ws.apache.org
--
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
Re: [VOTE] release wss4j-1.5.6
Posted by Daniel Kulp <dk...@apache.org>.
Glen,
As Colm mentioned, there is a patch on the Jira already. (actually, Colm
could just commit it probably, but I suppose having someone look at it is a
good idea)
Basically, this is a bug in Rampart. Rampart is suffering from the same
"blindly strip the first char" problem that wss4j did. If you put some
printlns in the rampart token store, with 1.5.5, you can see:
add: 7EA37A075C8888C7BE12367220453773
add: #sctId-1176318351
get: #sctId-1176318351: org.apache.rahas.Token@364e50ee
get: 7EA37A075C8888C7BE12367220453773: org.apache.rahas.Token@420253af
Service invoked
get: sctId-1176318351: org.apache.rahas.Token@420253af
get: EA37A075C8888C7BE12367220453773: org.apache.rahas.Token@364e50ee
The last line is the tell tale sign. That ID is NOT a valid token ID, but the
token store is finding a token for it. That's probably some sort of security
violation or something. Not sure how exploitable it is. What's worse, in
SOME cases, if you pass the VALID id in, the store doesn't find the token for
it.
Actually, I would take the patch one furthur and update the
STSClient.findIdentifier method to check the unattached first instead of the
attached. With that, all the "add" calls would be with the full id and not
the wsu:Id. The lookups later would be a bit quicker then as well.
My recommendation would be to get wss4j 1.5.6 out and then follow it up with a
rampart release that fixes those issues.
Dan
On Tue March 10 2009 4:53:23 pm Glen Daniels wrote:
> Hi Colm, all:
>
> -1 from me, unfortunately, since running the Rampart build with the new
> WSS4J produced a test failure. In particular the testWithPolicy() test
> in RampartTest (integration module) fails.
>
> DanK believes this might have to do with the way WSS4J has corrected its
> URL handling (it was previously truncating the 1st char of all urls
> assuming that they'd be of the form "#urn...").
>
> Could someone from rampart-dev have a look at this?
>
> Thanks,
> --Glen
>
> P.S. A huge +1, by the way, to the congratulations on all the hard work
> and interop success!
>
> Colm O hEigeartaigh wrote:
> > To the Apache Web Services Community,
> >
> > This is a call for votes for the wss4j-1.5.6 release.
> >
> > The distribution can be found at the following URL:
> >
> > http://people.apache.org/~coheigea/stage/wss4j/1.5.6/dist/
> >
> > You can also point maven at the following URL to pull down the 1.5.6
> > release POM, source, and class JARs:
> >
> > http://people.apache.org/~coheigea/stage/wss4j/1.5.6/maven/
> >
> > Additionally, the generated version of the web site can be found at
> >
> > http://people.apache.org/~coheigea/stage/wss4j/1.5.6/site/
> >
> > The list of bugs fixed in this release can be seen here:
> >
> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=1231006
> > 3&styleName=Html&version=12313623
> >
> > This vote will stay open for at least 72 hours.
> >
> > Here is my (non-binding and advisory) +1.
> >
> > Thanks,
> >
> > Colm.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
> For additional commands, e-mail: wss4j-dev-help@ws.apache.org
--
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog
RE: [VOTE] release wss4j-1.5.6
Posted by Colm O hEigeartaigh <co...@progress.com>.
Hi Glen,
I've already tested WSS4J 1.5.6 with Rampart, and submitted a patch to
rampart-dev earlier today for that URI issue. See:
https://issues.apache.org/jira/browse/RAMPART-219
Colm.
-----Original Message-----
From: Glen Daniels [mailto:glen@thoughtcraft.com]
Sent: 10 March 2009 20:53
To: general@ws.apache.org
Cc: wss4j-dev@ws.apache.org; rampart-dev@ws.apache.org
Subject: Re: [VOTE] release wss4j-1.5.6
Hi Colm, all:
-1 from me, unfortunately, since running the Rampart build with the new
WSS4J produced a test failure. In particular the testWithPolicy() test
in RampartTest (integration module) fails.
DanK believes this might have to do with the way WSS4J has corrected its
URL handling (it was previously truncating the 1st char of all urls
assuming that they'd be of the form "#urn...").
Could someone from rampart-dev have a look at this?
Thanks,
--Glen
P.S. A huge +1, by the way, to the congratulations on all the hard work
and interop success!
Colm O hEigeartaigh wrote:
> To the Apache Web Services Community,
>
> This is a call for votes for the wss4j-1.5.6 release.
>
> The distribution can be found at the following URL:
>
> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/dist/
>
> You can also point maven at the following URL to pull down the 1.5.6
> release POM, source, and class JARs:
>
> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/maven/
>
> Additionally, the generated version of the web site can be found at
>
> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/site/
>
> The list of bugs fixed in this release can be seen here:
>
>
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=1231006
> 3&styleName=Html&version=12313623
>
> This vote will stay open for at least 72 hours.
>
> Here is my (non-binding and advisory) +1.
>
> Thanks,
>
> Colm.
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
RE: [VOTE] release wss4j-1.5.6
Posted by Colm O hEigeartaigh <co...@progress.com>.
Hi Glen,
I've already tested WSS4J 1.5.6 with Rampart, and submitted a patch to
rampart-dev earlier today for that URI issue. See:
https://issues.apache.org/jira/browse/RAMPART-219
Colm.
-----Original Message-----
From: Glen Daniels [mailto:glen@thoughtcraft.com]
Sent: 10 March 2009 20:53
To: general@ws.apache.org
Cc: wss4j-dev@ws.apache.org; rampart-dev@ws.apache.org
Subject: Re: [VOTE] release wss4j-1.5.6
Hi Colm, all:
-1 from me, unfortunately, since running the Rampart build with the new
WSS4J produced a test failure. In particular the testWithPolicy() test
in RampartTest (integration module) fails.
DanK believes this might have to do with the way WSS4J has corrected its
URL handling (it was previously truncating the 1st char of all urls
assuming that they'd be of the form "#urn...").
Could someone from rampart-dev have a look at this?
Thanks,
--Glen
P.S. A huge +1, by the way, to the congratulations on all the hard work
and interop success!
Colm O hEigeartaigh wrote:
> To the Apache Web Services Community,
>
> This is a call for votes for the wss4j-1.5.6 release.
>
> The distribution can be found at the following URL:
>
> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/dist/
>
> You can also point maven at the following URL to pull down the 1.5.6
> release POM, source, and class JARs:
>
> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/maven/
>
> Additionally, the generated version of the web site can be found at
>
> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/site/
>
> The list of bugs fixed in this release can be seen here:
>
>
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=1231006
> 3&styleName=Html&version=12313623
>
> This vote will stay open for at least 72 hours.
>
> Here is my (non-binding and advisory) +1.
>
> Thanks,
>
> Colm.
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
RE: [VOTE] release wss4j-1.5.6
Posted by Colm O hEigeartaigh <co...@progress.com>.
Hi Glen,
I've already tested WSS4J 1.5.6 with Rampart, and submitted a patch to
rampart-dev earlier today for that URI issue. See:
https://issues.apache.org/jira/browse/RAMPART-219
Colm.
-----Original Message-----
From: Glen Daniels [mailto:glen@thoughtcraft.com]
Sent: 10 March 2009 20:53
To: general@ws.apache.org
Cc: wss4j-dev@ws.apache.org; rampart-dev@ws.apache.org
Subject: Re: [VOTE] release wss4j-1.5.6
Hi Colm, all:
-1 from me, unfortunately, since running the Rampart build with the new
WSS4J produced a test failure. In particular the testWithPolicy() test
in RampartTest (integration module) fails.
DanK believes this might have to do with the way WSS4J has corrected its
URL handling (it was previously truncating the 1st char of all urls
assuming that they'd be of the form "#urn...").
Could someone from rampart-dev have a look at this?
Thanks,
--Glen
P.S. A huge +1, by the way, to the congratulations on all the hard work
and interop success!
Colm O hEigeartaigh wrote:
> To the Apache Web Services Community,
>
> This is a call for votes for the wss4j-1.5.6 release.
>
> The distribution can be found at the following URL:
>
> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/dist/
>
> You can also point maven at the following URL to pull down the 1.5.6
> release POM, source, and class JARs:
>
> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/maven/
>
> Additionally, the generated version of the web site can be found at
>
> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/site/
>
> The list of bugs fixed in this release can be seen here:
>
>
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=1231006
> 3&styleName=Html&version=12313623
>
> This vote will stay open for at least 72 hours.
>
> Here is my (non-binding and advisory) +1.
>
> Thanks,
>
> Colm.
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
Re: [VOTE] release wss4j-1.5.6
Posted by Glen Daniels <gl...@thoughtcraft.com>.
Hi Colm, all:
-1 from me, unfortunately, since running the Rampart build with the new
WSS4J produced a test failure. In particular the testWithPolicy() test
in RampartTest (integration module) fails.
DanK believes this might have to do with the way WSS4J has corrected its
URL handling (it was previously truncating the 1st char of all urls
assuming that they'd be of the form "#urn...").
Could someone from rampart-dev have a look at this?
Thanks,
--Glen
P.S. A huge +1, by the way, to the congratulations on all the hard work
and interop success!
Colm O hEigeartaigh wrote:
> To the Apache Web Services Community,
>
> This is a call for votes for the wss4j-1.5.6 release.
>
> The distribution can be found at the following URL:
>
> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/dist/
>
> You can also point maven at the following URL to pull down the 1.5.6
> release POM, source, and class JARs:
>
> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/maven/
>
> Additionally, the generated version of the web site can be found at
>
> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/site/
>
> The list of bugs fixed in this release can be seen here:
>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=1231006
> 3&styleName=Html&version=12313623
>
> This vote will stay open for at least 72 hours.
>
> Here is my (non-binding and advisory) +1.
>
> Thanks,
>
> Colm.
Re: [VOTE] release wss4j-1.5.6
Posted by Daniel Kulp <dk...@apache.org>.
+1 non-binding
On a general note: this is the first version of wss4j that provides all the
functionality required to get the MS InteropPlugFest ws-trust10 stuff
completely working. With some changes to Rampart (mostly around the
RSAKeyValue stuff), it would be possible to get those scenarios passing for
Axis2/Rampart. So, from my perspective, this is a pretty big deal and
deserves a big "nice job" to everyone involved with wss4j.
Dan
On Tue March 10 2009 1:41:13 pm Colm O hEigeartaigh wrote:
> To the Apache Web Services Community,
>
> This is a call for votes for the wss4j-1.5.6 release.
>
> The distribution can be found at the following URL:
>
> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/dist/
>
> You can also point maven at the following URL to pull down the 1.5.6
> release POM, source, and class JARs:
>
> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/maven/
>
> Additionally, the generated version of the web site can be found at
>
> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/site/
>
> The list of bugs fixed in this release can be seen here:
>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=1231006
> 3&styleName=Html&version=12313623
>
> This vote will stay open for at least 72 hours.
>
> Here is my (non-binding and advisory) +1.
>
> Thanks,
>
> Colm.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
> For additional commands, e-mail: wss4j-dev-help@ws.apache.org
--
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
Re: [VOTE] release wss4j-1.5.6
Posted by Glen Daniels <gl...@thoughtcraft.com>.
Hi Colm, all:
-1 from me, unfortunately, since running the Rampart build with the new
WSS4J produced a test failure. In particular the testWithPolicy() test
in RampartTest (integration module) fails.
DanK believes this might have to do with the way WSS4J has corrected its
URL handling (it was previously truncating the 1st char of all urls
assuming that they'd be of the form "#urn...").
Could someone from rampart-dev have a look at this?
Thanks,
--Glen
P.S. A huge +1, by the way, to the congratulations on all the hard work
and interop success!
Colm O hEigeartaigh wrote:
> To the Apache Web Services Community,
>
> This is a call for votes for the wss4j-1.5.6 release.
>
> The distribution can be found at the following URL:
>
> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/dist/
>
> You can also point maven at the following URL to pull down the 1.5.6
> release POM, source, and class JARs:
>
> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/maven/
>
> Additionally, the generated version of the web site can be found at
>
> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/site/
>
> The list of bugs fixed in this release can be seen here:
>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=1231006
> 3&styleName=Html&version=12313623
>
> This vote will stay open for at least 72 hours.
>
> Here is my (non-binding and advisory) +1.
>
> Thanks,
>
> Colm.
Re: [VOTE] release wss4j-1.5.6
Posted by Glen Daniels <gl...@thoughtcraft.com>.
Hi Colm, all:
-1 from me, unfortunately, since running the Rampart build with the new
WSS4J produced a test failure. In particular the testWithPolicy() test
in RampartTest (integration module) fails.
DanK believes this might have to do with the way WSS4J has corrected its
URL handling (it was previously truncating the 1st char of all urls
assuming that they'd be of the form "#urn...").
Could someone from rampart-dev have a look at this?
Thanks,
--Glen
P.S. A huge +1, by the way, to the congratulations on all the hard work
and interop success!
Colm O hEigeartaigh wrote:
> To the Apache Web Services Community,
>
> This is a call for votes for the wss4j-1.5.6 release.
>
> The distribution can be found at the following URL:
>
> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/dist/
>
> You can also point maven at the following URL to pull down the 1.5.6
> release POM, source, and class JARs:
>
> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/maven/
>
> Additionally, the generated version of the web site can be found at
>
> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/site/
>
> The list of bugs fixed in this release can be seen here:
>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=1231006
> 3&styleName=Html&version=12313623
>
> This vote will stay open for at least 72 hours.
>
> Here is my (non-binding and advisory) +1.
>
> Thanks,
>
> Colm.
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
[PASSED] (was [VOTE] release wss4j-1.5.6)
Posted by Colm O hEigeartaigh <co...@progress.com>.
We have the following results:
4 binding +1's from the Apache WS PMC
2 non-binding +1's.
No other votes were cast.
I am therefore pleased to announce that the vote has passed!
Colm.
-----Original Message-----
From: Colm O hEigeartaigh [mailto:coheigea@progress.com]
Sent: 10 March 2009 17:41
To: wss4j-dev@ws.apache.org
Cc: general@ws.apache.org
Subject: [VOTE] release wss4j-1.5.6
To the Apache Web Services Community,
This is a call for votes for the wss4j-1.5.6 release.
The distribution can be found at the following URL:
http://people.apache.org/~coheigea/stage/wss4j/1.5.6/dist/
You can also point maven at the following URL to pull down the 1.5.6
release POM, source, and class JARs:
http://people.apache.org/~coheigea/stage/wss4j/1.5.6/maven/
Additionally, the generated version of the web site can be found at
http://people.apache.org/~coheigea/stage/wss4j/1.5.6/site/
The list of bugs fixed in this release can be seen here:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=1231006
3&styleName=Html&version=12313623
This vote will stay open for at least 72 hours.
Here is my (non-binding and advisory) +1.
Thanks,
Colm.
[PASSED] (was [VOTE] release wss4j-1.5.6)
Posted by Colm O hEigeartaigh <co...@progress.com>.
We have the following results:
4 binding +1's from the Apache WS PMC
2 non-binding +1's.
No other votes were cast.
I am therefore pleased to announce that the vote has passed!
Colm.
-----Original Message-----
From: Colm O hEigeartaigh [mailto:coheigea@progress.com]
Sent: 10 March 2009 17:41
To: wss4j-dev@ws.apache.org
Cc: general@ws.apache.org
Subject: [VOTE] release wss4j-1.5.6
To the Apache Web Services Community,
This is a call for votes for the wss4j-1.5.6 release.
The distribution can be found at the following URL:
http://people.apache.org/~coheigea/stage/wss4j/1.5.6/dist/
You can also point maven at the following URL to pull down the 1.5.6
release POM, source, and class JARs:
http://people.apache.org/~coheigea/stage/wss4j/1.5.6/maven/
Additionally, the generated version of the web site can be found at
http://people.apache.org/~coheigea/stage/wss4j/1.5.6/site/
The list of bugs fixed in this release can be seen here:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=1231006
3&styleName=Html&version=12313623
This vote will stay open for at least 72 hours.
Here is my (non-binding and advisory) +1.
Thanks,
Colm.
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org