You are viewing a plain text version of this content. The canonical link for it is here.
Posted to java-dev@axis.apache.org by "Peter Kim (JIRA)" <ji...@apache.org> on 2009/05/19 01:42:45 UTC
[jira] Created: (AXIS2-4352) Axis2: Rampart module is not checking
the existence of signature value within wsse:security tag
Axis2: Rampart module is not checking the existence of signature value within wsse:security tag
-----------------------------------------------------------------------------------------------
Key: AXIS2-4352
URL: https://issues.apache.org/jira/browse/AXIS2-4352
Project: Axis 2.0 (Axis2)
Issue Type: Bug
Environment: Linux 2.6.9-78.0.1.ELsmp
Reporter: Peter Kim
Rampart module works well if correct signature value exist or incorrect signature value exit, but still allows the message go through even without any signature value defined. What seems to be missing is checking for whether signature value exist after getting back wsResult vector from wss4j processing header api call (WSDoAllReceiver.java).
I have added the following lines to check for the existence.
**********
boolean isSigned = false;
if (wsResult != null) {
if ((doAction & WSConstants.SIGN) == WSConstants.SIGN) {
log.info("WSDoAllReceiver: SOAP message MUST contain sinature values");
for (int i = 0; i < wsResult.size(); i++){
WSSecurityEngineResult secengine = (WSSecurityEngineResult) wsResult.elementAt(i);
log.info("WSDoAllReceiver: Find sig value : "+
secengine.get(secengine.TAG_SIGNATURE_VALUE));
Object tempstr = secengine.get(secengine.TAG_SIGNATURE_VALUE);
if (tempstr != null) {
isSigned = true;
break;
}
}
log.info("WSDoAllReceiver: contains signature : "+isSigned);
if (!isSigned) {
throw new AxisFault(
"WSDoAllReceiver: Incoming message does not contain signature");
}
}
**********
Please review and rectify if necessary.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Assigned: (AXIS2-4352) Axis2: Rampart module is not checking
the existence of signature value within wsse:security tag
Posted by "Deepal Jayasinghe (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/AXIS2-4352?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Deepal Jayasinghe reassigned AXIS2-4352:
----------------------------------------
Assignee: Nandana Mihindukulasooriya
> Axis2: Rampart module is not checking the existence of signature value within wsse:security tag
> -----------------------------------------------------------------------------------------------
>
> Key: AXIS2-4352
> URL: https://issues.apache.org/jira/browse/AXIS2-4352
> Project: Axis 2.0 (Axis2)
> Issue Type: Bug
> Environment: Linux 2.6.9-78.0.1.ELsmp
> Reporter: Peter Kim
> Assignee: Nandana Mihindukulasooriya
> Original Estimate: 24h
> Remaining Estimate: 24h
>
> Rampart module works well if correct signature value exist or incorrect signature value exit, but still allows the message go through even without any signature value defined. What seems to be missing is checking for whether signature value exist after getting back wsResult vector from wss4j processing header api call (WSDoAllReceiver.java).
> I have added the following lines to check for the existence.
> **********
> boolean isSigned = false;
> if (wsResult != null) {
> if ((doAction & WSConstants.SIGN) == WSConstants.SIGN) {
> log.info("WSDoAllReceiver: SOAP message MUST contain sinature values");
> for (int i = 0; i < wsResult.size(); i++){
> WSSecurityEngineResult secengine = (WSSecurityEngineResult) wsResult.elementAt(i);
>
> log.info("WSDoAllReceiver: Find sig value : "+
> secengine.get(secengine.TAG_SIGNATURE_VALUE));
> Object tempstr = secengine.get(secengine.TAG_SIGNATURE_VALUE);
> if (tempstr != null) {
> isSigned = true;
> break;
> }
> }
> log.info("WSDoAllReceiver: contains signature : "+isSigned);
> if (!isSigned) {
> throw new AxisFault(
> "WSDoAllReceiver: Incoming message does not contain signature");
>
> }
> }
> **********
> Please review and rectify if necessary.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.