Posted to fx-dev@ws.apache.org by ji...@apache.org on 2004/05/14 17:23:56 UTC

[jira] Closed: (WSFX-7) UsernameToken should be prepended to the security header

Message:

   The following issue has been closed.

---------------------------------------------------------------------
View the issue:
  http://issues.apache.org/jira/browse/WSFX-7

Here is an overview of the issue:
---------------------------------------------------------------------
        Key: WSFX-7
    Summary: UsernameToken should be prepended to the security header
       Type: Bug

     Status: Closed
   Priority: Minor
 Resolution: FIXED

    Project: WSFX
 Components: 
             WSS4J

   Assignee: 
   Reporter: Christof Soehngen

    Created: Fri, 14 May 2004 3:29 AM
    Updated: Fri, 14 May 2004 8:22 AM
Environment: CVS snapshot from 2004/14/05

Description:
When told to do the following actions, WSS4J throws a fault on the receiver side:
    <parameter name="action" value="Signature UsernameToken Encrypt"/>
The fault is:
    WSDoAllReceiver: security processing failed (actions mismatch)

The reason for this error is the following:
Normally (i.e. for signature and encryption), the security header elements are created according to the order given in the action parameter. The elements are prepended to the existing elements in the header.
The receiver processes those elements and prepends them to the result vector, thus restoring the original order as described in the action parameter of the sender. The actions of the result vector are then compared to the actions given in the action parameter of the receiver. This is where the above-mentioned fault is thrown.

The problem is the creation of the UsernameToken. It is not prepended but instead appended after the existing headers (this does not cause any trouble if the UsernameToken is the first action).
Furthermore, the WSSE spec says, new header elements SHOULD be prepended to existing elements to reduce forward dependency.

I suggest the following patch to WSSAddUsernameToken.java: Replace the line
    WSSecurityUtil.appendChildElement(doc, securityHeader, ut.getElement());
with
    WSSecurityUtil.prependChildElement(doc, securityHeader, ut.getElement(), true);


---------------------------------------------------------------------
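The ordering problem described in the report can be reproduced with a small model. This is an added example, not WSS4J code: the function names are hypothetical, and each header element is represented only by the name of the action that created it.

```python
from collections import deque


def build_header(actions, username_token_prepended):
    """Sender side: return the security header children, top to bottom."""
    header = deque()
    for action in actions:
        if action == "UsernameToken" and not username_token_prepended:
            # Behaviour described in the report: the token is appended
            # after the elements already present in the header.
            header.append(action)
        else:
            # Signature and encryption elements (and the token, with the
            # suggested patch) are prepended to the existing elements.
            header.appendleft(action)
    return list(header)


def receive(header):
    """Receiver side: process elements top to bottom, prepending each
    result to the result vector."""
    results = deque()
    for element in header:
        results.appendleft(element)
    return list(results)


def actions_match(sender_actions, receiver_actions, username_token_prepended):
    """Model of the final comparison that raises 'actions mismatch'."""
    header = build_header(sender_actions, username_token_prepended)
    return receive(header) == list(receiver_actions)


if __name__ == "__main__":
    actions = ["Signature", "UsernameToken", "Encrypt"]
    for prepended in (False, True):
        header = build_header(actions, prepended)
        print("prepend token:", prepended)
        print("  header (top to bottom):", header)
        print("  receiver result vector:", receive(header))
        print("  actions match:", actions_match(actions, actions, prepended))
```
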