Posted to wss4j-dev@ws.apache.org by "David Valeri (JIRA)" <ji...@apache.org> on 2010/01/15 21:50:54 UTC
[jira] Created: (WSS-222) SignatureProcessor does not provide
correct signature coverage results with STR Dereference Transform
SignatureProcessor does not provide correct signature coverage results with STR Dereference Transform
-----------------------------------------------------------------------------------------------------
Key: WSS-222
URL: https://issues.apache.org/jira/browse/WSS-222
Project: WSS4J
Issue Type: Bug
Components: WSS4J Core
Affects Versions: 1.5.8, 1.5.9
Reporter: David Valeri
Assignee: Ruchith Udayanga Fernando
SignatureProcessor does not report correct info when STR Dereference Transform is used. The implementation does not follow the dereference pointer to the security token and reports that the signed content is the SecurityTokenReference itself and not the referenced token. The URI in the signature part is dereferenced with no regard to the transform used in the signature part.
This issue makes it difficult to validate signature coverage over something like an embedded SAML assertion when that assertion is also used as the key material for the signature and is referenced and signed through a SecurityTokenReference.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
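The reporting gap described in this issue, as an added example (not WSS4J code and not the attached patch.txt): a coverage check that resolves each ds:Reference by URI alone reports the SecurityTokenReference, while one that honours the STR Dereference Transform reports the referenced token. The function names and the stripped-down sample message are constructed for illustration; only same-document wsu:Id and SAML 1.1 AssertionID lookups are handled.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
STR_TRANSFORM = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform"

# Constructed sample message: digests, signature value and token body omitted.
SAMPLE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:ds="%s" xmlns:wsse="%s" xmlns:wsu="%s"
 xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
 <soap:Header><wsse:Security>
  <saml:Assertion AssertionID="_a1"/>
  <wsse:SecurityTokenReference wsu:Id="STR-1"><wsse:KeyIdentifier>_a1</wsse:KeyIdentifier></wsse:SecurityTokenReference>
  <ds:Signature><ds:SignedInfo>
   <ds:Reference URI="#Body-1"/>
   <ds:Reference URI="#STR-1"><ds:Transforms><ds:Transform Algorithm="%s"/></ds:Transforms></ds:Reference>
  </ds:SignedInfo></ds:Signature>
 </wsse:Security></soap:Header>
 <soap:Body wsu:Id="Body-1"/>
</soap:Envelope>""" % (DS, WSSE, WSU, STR_TRANSFORM)

def by_id(root, frag):
    """Element whose wsu:Id or SAML 1.1 AssertionID matches the fragment, else None."""
    ident = (frag or "").lstrip("#")
    for el in root.iter():
        if ident and ident in (el.get("{%s}Id" % WSU), el.get("AssertionID")):
            return el
    return None

def covered(xml_text, honor_str_transform):
    """Local names of the elements each ds:Reference is reported to cover."""
    root, names = ET.fromstring(xml_text), []
    for ref in root.iter("{%s}Reference" % DS):
        target = by_id(root, ref.get("URI"))
        algs = [t.get("Algorithm") for t in ref.iter("{%s}Transform" % DS)]
        if honor_str_transform and STR_TRANSFORM in algs:
            if target is None or target.tag != "{%s}SecurityTokenReference" % WSSE:
                raise ValueError("STR-Transform on something that is not an STR")
            # Follow the STR pointer: direct wsse:Reference URI or a KeyIdentifier value.
            direct = target.find("{%s}Reference" % WSSE)
            key = target.find("{%s}KeyIdentifier" % WSSE)
            frag = direct.get("URI") if direct is not None else (key.text if key is not None else None)
            target = by_id(root, (frag or "").strip())
        if target is None:  # fail closed: an unresolved reference covers nothing
            raise ValueError("unresolved reference %r" % ref.get("URI"))
        names.append(target.tag.rsplit("}", 1)[-1])
    return names
```

A policy that requires the SAML assertion to be signed passes only against the second result; against the first it sees a signed SecurityTokenReference and no signed Assertion.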
[jira] Updated: (WSS-222) SignatureProcessor does not provide
correct signature coverage results with STR Dereference Transform
Posted by "David Valeri (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WSS-222?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
David Valeri updated WSS-222:
-----------------------------
Attachment: patch.txt
Attached test case and patch.
> SignatureProcessor does not provide correct signature coverage results with STR Dereference Transform
> -----------------------------------------------------------------------------------------------------
>
> Key: WSS-222
> URL: https://issues.apache.org/jira/browse/WSS-222
> Project: WSS4J
> Issue Type: Bug
> Components: WSS4J Core
> Affects Versions: 1.5.8, 1.5.9
> Reporter: David Valeri
> Assignee: Ruchith Udayanga Fernando
> Attachments: patch.txt
>
>
> SignatureProcessor does not report correct info when STR Dereference Transform is used. The implementation does not follow the dereference pointer to the security token and reports that the signed content is the SecurityTokenReference itself and not the referenced token. The URI in the signature part is dereferenced with no regard to the transform used in the signature part.
> This issue makes it difficult to validate signature coverage over something like an embedded SAML assertion when that assertion is also used as the key material for the signature and is referenced and signed through a SecurityTokenReference.
[jira] Commented: (WSS-222) SignatureProcessor does not provide
correct signature coverage results with STR Dereference Transform
Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WSS-222?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12868235#action_12868235 ]
Colm O hEigeartaigh commented on WSS-222:
-----------------------------------------
Merge log for 1_5_x-fixes branch:
Log:
[WS-222] - Applied patch for "SignatureProcessor does not provide correct signature coverage results with STR Dereference Transform".
- Many thanks David for the patch and test-case.
Added:
webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/transform/STRTransformUtil.java (with props)
Modified:
webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/SignatureProcessor.java
webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/transform/STRTransform.java
webservices/wss4j/branches/1_5_x-fixes/test/log4j.properties
webservices/wss4j/branches/1_5_x-fixes/test/wssec/TestWSSecuritySignatureParts.java
Colm.
> SignatureProcessor does not provide correct signature coverage results with STR Dereference Transform
> -----------------------------------------------------------------------------------------------------
>
> Key: WSS-222
> URL: https://issues.apache.org/jira/browse/WSS-222
> Project: WSS4J
> Issue Type: Bug
> Components: WSS4J Core
> Affects Versions: 1.5.8
> Reporter: David Valeri
> Assignee: Colm O hEigeartaigh
> Fix For: 1.5.9, 1.6
>
> Attachments: patch.txt
>
>
> SignatureProcessor does not report correct info when STR Dereference Transform is used. The implementation does not follow the dereference pointer to the security token and reports that the signed content is the SecurityTokenReference itself and not the referenced token. The URI in the signature part is dereferenced with no regard to the transform used in the signature part.
> This issue makes it difficult to validate signature coverage over something like an embedded SAML assertion when that assertion is also used as the key material for the signature and is referenced and signed through a SecurityTokenReference.
[jira] Assigned: (WSS-222) SignatureProcessor does not provide
correct signature coverage results with STR Dereference Transform
Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WSS-222?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh reassigned WSS-222:
---------------------------------------
Assignee: Colm O hEigeartaigh (was: Ruchith Udayanga Fernando)
[jira] Closed: (WSS-222) SignatureProcessor does not provide
correct signature coverage results with STR Dereference Transform
Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WSS-222?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh closed WSS-222.
-----------------------------------
[jira] Resolved: (WSS-222) SignatureProcessor does not provide
correct signature coverage results with STR Dereference Transform
Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WSS-222?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh resolved WSS-222.
-------------------------------------
Resolution: Fixed
[jira] Updated: (WSS-222) SignatureProcessor does not provide
correct signature coverage results with STR Dereference Transform
Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WSS-222?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh updated WSS-222:
------------------------------------
Fix Version/s: 1.5.9, 1.6
Affects Version/s: (was: 1.5.9)