Posted to java-dev@axis.apache.org by Ruchith Fernando <ru...@gmail.com> on 2007/07/11 10:29:55 UTC

Re: [rampart] PolicyBasedResultsValidator

Yes ... this certainly can be improved to check whether we actually
received the parts that we expected or not!

Thanks,
Ruchith

On 6/28/07, Angel Todorov <at...@gmail.com> wrote:
> Hi all,
>
> I've found this piece of code in the
> RampartPolicyBasedResultsValidator.java:
>
>         int refCount = 0;
>
>         refCount += encryptedParts.size();
>
>         if(encrRefs.size() != refCount) {
>             throw new RampartException("invalidNumberOfEncryptedParts",
>                     new String[]{Integer.toString(refCount)});
>         }
>
>
> How can you be sure that if the number is the same, the parts themselves
> aren't different? This can lead to a big security compromise IMO, maybe I
> am mistaken -:)
>
> Regards,
> Angel
>


-- 
www.ruchith.org
www.wso2.org
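
The concern raised in this thread, shown as an added example that is not part of the original messages and is not Rampart's code: a count-only comparison accepts a message whose encrypted parts differ from the ones the policy requires, while a membership check reports the missing part. The class name, method names and the string form used to identify parts are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;

// Illustration only: hypothetical names, not Rampart's API.
public class EncryptedPartsCheck {

    // Count-only comparison, mirroring the check quoted in the thread.
    static boolean countOnly(Set<String> expected, List<String> encrRefs) {
        return encrRefs.size() == expected.size();
    }

    // Stricter check: every part the policy requires must be among the
    // references that were actually encrypted. Returns the parts that are missing.
    static Set<String> missingParts(Set<String> expected, List<String> encrRefs) {
        Set<String> missing = new TreeSet<>(expected);
        missing.removeAll(new HashSet<>(encrRefs));
        return missing;
    }

    public static void main(String[] args) {
        // Constructed sample data: parts identified as "{namespace}localName".
        Set<String> expected = new HashSet<>(Arrays.asList(
                "{http://schemas.xmlsoap.org/soap/envelope/}Body",
                "{urn:example}AccountNumber"));

        // Same number of references, but one required part was swapped
        // for a different element.
        List<String> received = Arrays.asList(
                "{http://schemas.xmlsoap.org/soap/envelope/}Body",
                "{urn:example}Comment");

        System.out.println("count-only check passes: " + countOnly(expected, received));
        System.out.println("missing required parts:  " + missingParts(expected, received));

        if (!missingParts(expected, received).isEmpty()) {
            System.out.println("reject: a required part was not encrypted");
        }
    }
}
```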
