Posted to issues@cxf.apache.org by "Alexey Ilyin (JIRA)" <ji...@apache.org> on 2010/03/15 10:17:27 UTC

[jira] Created: (CXF-2714) SupportingToken UsernameToken is always encrypted

SupportingToken UsernameToken is always encrypted
-------------------------------------------------

                 Key: CXF-2714
                 URL: https://issues.apache.org/jira/browse/CXF-2714
             Project: CXF
          Issue Type: Bug
          Components: WS-* Components
    Affects Versions: 2.2.6
            Reporter: Alexey Ilyin


If no encryption is specified in the policy file and UsernameToken is used as supporting token, then this token is always encrypted. 
org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.handleSupportingTokens(SupportingToken, boolean , Map<Token, WSSecBase>) does not check if UsernameToken is an encrypted token and unconditionally adds it to the encryptedTokensIdList. 

This can be easily fixed by modifying line 428 (as per src release 1.4) from 

    encryptedTokensIdList.add(utBuilder.getId());

to

    if (suppTokens.isEncryptedToken()) {
        encryptedTokensIdList.add(utBuilder.getId());
    }

One more concern, about the comment in the file:

    //WebLogic and WCF always encrypt these
    //See:  http://e-docs.bea.com/wls/docs103/webserv_intro/interop.html

Currently WebLogic doesn't encrypt the UsernameToken, and we got an interoperability issue between CXF and WebLogic.

The same bug is already registered for RAMPART (RAMPART-225).

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Commented: (CXF-2714) SupportingToken UsernameToken is always encrypted

Posted by "Daniel Kulp (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-2714?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12854774#action_12854774 ] 

Daniel Kulp commented on CXF-2714:
----------------------------------


If that change is made, we lose interoperability with .NET. I've verified this by running the interop tests with that change and the tests fail. Interoperability with .NET is likely more important than with WebLogic so I'm going to keep the default as is. However, I'm going to add a config property that can be set to turn this off.

    //WebLogic and WCF always encrypt UsernameTokens whenever possible
    //See:  http://e-docs.bea.com/wls/docs103/webserv_intro/interop.html
    //By default, we will encrypt as well for interop reasons.  However, this
    //setting can be set to false to turn that off. 
    public static final String ALWAYS_ENCRYPT_UT = "ws-security.username-token.always.encrypted";
    


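An added example, not part of the thread or of CXF's own code: one way a client could switch off the default described in the comment above, assuming the property is supplied through the JAX-WS request context (the map returned by `BindingProvider.getRequestContext()`). The class and method names are hypothetical, the endpoint URLs are constructed, and the https check is this example's own assumption: once the UsernameToken is no longer encrypted at message level, it should only travel over TLS.

```java
import java.net.URI;
import java.util.HashMap;
import java.util.Map;

public final class UsernameTokenEncryptionSwitch {
    // Property name as quoted in the comment above.
    static final String ALWAYS_ENCRYPT_UT = "ws-security.username-token.always.encrypted";
    // String value of the standard JAX-WS constant BindingProvider.ENDPOINT_ADDRESS_PROPERTY.
    static final String ENDPOINT_ADDRESS = "javax.xml.ws.service.endpoint.address";

    /**
     * Sets the property to "false" in a request context so that the
     * UsernameToken is no longer encrypted unconditionally.
     * Assumption of this example: a non-https endpoint is refused, because
     * the token would otherwise cross the wire with no protection at all.
     */
    static void disableForcedEncryption(Map<String, Object> requestContext) {
        Object address = requestContext.get(ENDPOINT_ADDRESS);
        if (address == null) {
            throw new IllegalStateException("endpoint address is not set");
        }
        String scheme = URI.create(address.toString()).getScheme();
        if (!"https".equalsIgnoreCase(scheme)) {
            throw new IllegalStateException(
                "refusing to send an unencrypted UsernameToken to " + address);
        }
        requestContext.put(ALWAYS_ENCRYPT_UT, "false");
    }

    public static void main(String[] args) {
        // Constructed request contexts standing in for
        // ((BindingProvider) port).getRequestContext().
        Map<String, Object> overTls = new HashMap<>();
        overTls.put(ENDPOINT_ADDRESS, "https://weblogic.example.test/OrderService");
        disableForcedEncryption(overTls);
        System.out.println(ALWAYS_ENCRYPT_UT + " = " + overTls.get(ALWAYS_ENCRYPT_UT));

        Map<String, Object> overHttp = new HashMap<>();
        overHttp.put(ENDPOINT_ADDRESS, "http://weblogic.example.test/OrderService");
        try {
            disableForcedEncryption(overHttp);
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```
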

[jira] Assigned: (CXF-2714) SupportingToken UsernameToken is always encrypted

Posted by "Daniel Kulp (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-2714?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Kulp reassigned CXF-2714:
--------------------------------

    Assignee: Daniel Kulp



[jira] Resolved: (CXF-2714) SupportingToken UsernameToken is always encrypted

Posted by "Daniel Kulp (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-2714?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Kulp resolved CXF-2714.
------------------------------

       Resolution: Fixed
    Fix Version/s: 2.2.8
