Posted to fx-dev@ws.apache.org by Chris Harris <ch...@thunderhead.com> on 2006/07/03 16:03:57 UTC

actions number mismatch

I have just discovered that if a client message does not have the action
Encrypt but the server does, then wss4j 1.5.0 still allows the message
into the system. Older versions of wss4j forced the message to have the
same number of actions on both the client and the server.

Looking at the wss4j code it looks as if the cause of the problem is
in WSHandler.java:

    protected boolean checkReceiverResults(Vector wsResult, Vector actions) {
        int resultActions = wsResult.size();
        int size = actions.size();

        // if (size != resultActions) {
        // throw new AxisFault(
        // "WSDoAllReceiver: security processing failed (actions number mismatch)");
        // }

        int ai = 0;
        for (int i = 0; i < resultActions; i++) {
            int act = ((WSSecurityEngineResult) wsResult.get(i)).getAction();
            if (act == WSConstants.SC) {
                continue;
            }
            if (ai >= size || ((Integer) actions.get(ai++)).intValue() != act) {
                return false;
            }
        }
        return true;
    }

This code checks that the size of actions is not greater than the
size of wsResult. However, it does not take into account the fact that in
some situations it should be an error if the size of actions is less than
the size of wsResult.

We have fixed this in our code by overriding checkReceiverResults
and then cloning the wsResult. Using the clone of wsResult, we removed
the action for SC, then checked that the size of the cloned wsResult is
equal to the size of the actions, and then finally checked that the
actions are in the same order.

Regards,

Chris
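
The check quoted above next to the stricter comparison described in the message, as an added example that is not code from the post or from wss4j. Action codes are modelled as plain ints with constructed values, and the class and method names are hypothetical.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class ActionCheckDemo {
    // Constructed stand-ins for the WSConstants action codes; the numeric
    // values are assumptions chosen only for this demo.
    static final int SIGN = 1, ENCR = 2, SC = 3;

    // Same logic as the checkReceiverResults quoted in the message, on ints.
    static boolean lenientCheck(List<Integer> results, List<Integer> actions) {
        int ai = 0;
        for (int act : results) {
            if (act == SC) {
                continue; // SC results are skipped, as in the quoted code
            }
            if (ai >= actions.size() || actions.get(ai++) != act) {
                return false;
            }
        }
        return true; // configured actions left unmatched are never noticed
    }

    // Fix described in the message: copy the results, drop SC entries,
    // require equal sizes, then require the same order.
    static boolean strictCheck(List<Integer> results, List<Integer> actions) {
        List<Integer> performed = new ArrayList<>(results);
        performed.removeIf(act -> act == SC);
        if (performed.size() != actions.size()) {
            return false;
        }
        return performed.equals(actions);
    }

    static void report(String label, List<Integer> results, List<Integer> actions) {
        System.out.println(label + ": lenient=" + lenientCheck(results, actions)
                + " strict=" + strictCheck(results, actions));
    }

    public static void main(String[] args) {
        // Constructed scenario: the server is configured for Signature + Encrypt.
        List<Integer> configured = Arrays.asList(SIGN, ENCR);
        report("signed and encrypted", Arrays.asList(SIGN, ENCR), configured);
        report("with SC result", Arrays.asList(SIGN, SC, ENCR), configured);
        report("Encrypt missing", Arrays.asList(SIGN), configured);
    }
}
```

Only the "Encrypt missing" case differs between the two checks: the loop in the quoted method runs out of results before reaching the configured Encrypt action and returns true.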