Posted to commits@ws.apache.org by co...@apache.org on 2013/10/03 18:56:56 UTC
svn commit: r1528933 - in /webservices/wss4j/trunk:
ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/
ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/
ws-security-stax/src/main/java/org/apache/wss4j/stax/
Author: coheigea
Date: Thu Oct 3 16:56:55 2013
New Revision: 1528933
URL: http://svn.apache.org/r1528933
Log:
Relax the signature username requirement for symmetric (HMAC) signatures + leave SOAPAction spoofing detection to the SOAP stack
Modified:
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java
webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/VulnerabliltyVectorsTest.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/WSSec.java
Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java?rev=1528933&r1=1528932&r2=1528933&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java Thu Oct 3 16:56:55 2013
@@ -573,12 +573,7 @@ public class PolicyEnforcer implements S
if (WSSecurityEventConstants.Operation.equals(securityEvent.getSecurityEventType())) {
operationSecurityEventOccured = true;
final OperationSecurityEvent operationSecurityEvent = (OperationSecurityEvent) securityEvent;
- if (effectivePolicy != null) {
- //soap-action spoofing detection
- if (!effectivePolicy.getOperationName().equals(operationSecurityEvent.getOperation().getLocalPart())) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY, new WSSPolicyException("SOAPAction (" + effectivePolicy.getOperationName() + ") does not match with the current Operation: " + operationSecurityEvent.getOperation()));
- }
- } else {
+ if (effectivePolicy == null) {
effectivePolicy = findPolicyBySOAPOperationName(operationPolicies, operationSecurityEvent.getOperation().getLocalPart());
if (effectivePolicy == null) {
//no policy to the operation given
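Review bot: With the mismatch check gone, an effectivePolicy that was already selected before the Operation event is now applied without ever being compared against the operation actually being invoked, so the policy layer itself no longer rejects the SOAPAction-spoofing case the removed test covered. That is acceptable only if every SOAP stack that embeds this enforcer performs the check, which this code cannot verify; the new `if (effectivePolicy == null)` branch should say so explicitly so a future integrator does not assume the enforcer still does it: `// No SOAPAction/operation consistency check here: the SOAP stack is expected to reject a SOAPAction that does not belong to the invoked operation.`. It would also help to log at debug level when a pre-selected policy's operation name differs from `operationSecurityEvent.getOperation().getLocalPart()`, so a bypass attempt leaves a trace even though it is not rejected here. The enclosing method starts and ends outside this hunk.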
Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/VulnerabliltyVectorsTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/VulnerabliltyVectorsTest.java?rev=1528933&r1=1528932&r2=1528933&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/VulnerabliltyVectorsTest.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/VulnerabliltyVectorsTest.java Thu Oct 3 16:56:55 2013
@@ -48,8 +48,9 @@ public class VulnerabliltyVectorsTest ex
/**
* Tests what happens when an soapAction from an other operation is provided.
* Can the policy framework be bypassed?
+ * @Ignoring as SOAP Action spoofing detection should be left to the SOAP stack
*/
- @Test
+ @Test(enabled=false)
public void testSOAPActionSpoofing() throws Exception {
WSSSecurityProperties outSecurityProperties = new WSSSecurityProperties();
outSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
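Review bot: Disabling testSOAPActionSpoofing with `@Test(enabled=false)` leaves the vulnerability-vector suite with no assertion about what the policy layer now does for a mismatched SOAPAction, so a later regression in either direction would go unnoticed. Rather than leaving it switched off, consider re-enabling it with the expectation inverted to pin the new contract (the enforcer applies the pre-selected policy and the mismatch is the SOAP stack's responsibility), or at least keep it disabled with a Javadoc note that is a real tag rather than `@Ignoring`, which Javadoc will not recognise: `Disabled: SOAPAction spoofing detection is left to the SOAP stack (see PolicyEnforcer).`. The body of testSOAPActionSpoofing continues past the end of this hunk.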
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/WSSec.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/WSSec.java?rev=1528933&r1=1528932&r2=1528933&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/WSSec.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/WSSec.java Thu Oct 3 16:56:55 2013
@@ -115,7 +115,8 @@ public class WSSec {
&& securityProperties.getSignatureCrypto() == null) {
throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "signatureKeyStoreNotSet");
}
- if (securityProperties.getSignatureUser() == null) {
+ if (securityProperties.getSignatureUser() == null
+ && !WSSConstants.NS_XMLDSIG_HMACSHA1.equals(securityProperties.getSignatureAlgorithm())) {
throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "noSignatureUser");
}
if (securityProperties.getCallbackHandler() == null
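Review bot: The relaxation is keyed on an exact string match against `WSSConstants.NS_XMLDSIG_HMACSHA1`, so any other symmetric (HMAC) signature algorithm URI would still fail with "noSignatureUser" even though it presumably does not need a keystore alias either, while a null signatureAlgorithm (the default) correctly keeps the requirement. If other HMAC URIs are defined in WSSConstants, a small predicate such as `isSymmetricSignatureAlgorithm(String uri)` would be more maintainable than the literal comparison; that is inferred from this hunk alone and worth confirming against the constants class. The new condition also deserves a why-comment, since the reason a user may be absent is not obvious from the code: `// A symmetric (HMAC) signature does not resolve a keystore alias, so no signature user is required.`. The validation method this sits in starts before and ends after this hunk.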