Posted to rampart-dev@ws.apache.org by "Uwe Kylau (JIRA)" <ji...@apache.org> on 2007/04/21 11:40:15 UTC

[jira] Updated: (RAMPART-32) Processing of <Issuer> and <RequestSecurityTokenTemplate> in class org.apache.ws.secpolicy.builders.IssuedTokenBuilder is wrong.

     [ https://issues.apache.org/jira/browse/RAMPART-32?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Uwe Kylau updated RAMPART-32:
-----------------------------

    Description: 

There is a bug in method build(...) of class org.apache.ws.secpolicy.builders.IssuedTokenBuilder,
which processes the <IssuedToken> assertion.

Instead of fetching the <RequestSecurityTokenTemplate> and calling issuedToken.setRstTemplate(...),
the <Issuer> element is fetched again and issuedToken.setIssuerEpr(...) is called a second time.

extract of the incorrect code:

    public Assertion build(OMElement element, AssertionBuilderFactory factory)
            throws IllegalArgumentException {
        IssuedToken issuedToken = new IssuedToken();

        // Extract Issuer
        OMElement issuerElem = element.getFirstChildWithName(Constants.ISSUER);
        if (issuerElem != null && issuerElem.getFirstElement() != null) {
            issuedToken.setIssuerEpr(issuerElem.getFirstElement());
        }

        // Extract RSTTemplate
        OMElement rstTmplElem = element.getFirstChildWithName(Constants.ISSUER);
        if (rstTmplElem != null) {
            issuedToken.setIssuerEpr(rstTmplElem);
        }

        ...
    }

As can be seen, getFirstChildWithName(Constants.ISSUER) is called twice, as well as setIssuerEpr(...).

As a result, the <RequestSecurityTokenTemplate> element will not be included in the policy of the deployed service.
A client must obtain it locally (e.g. from a file) and cannot extract it from the response of a metadata exchange.
Moreover, the complete <Issuer> element will be stored, rather than just the endpoint reference that it contains.
This affects serialization of the element (<IssuedToken><Issuer><Issuer>...</Issuer></Issuer></IssuedToken>).

Thx in advance for fixing this issue.

Best regards,
Uwe Kylau

  was:

There is a bug in method build(...) of class org.apache.ws.secpolicy.builders.IssuedTokenBuilder,
which processes the <IssuedToken> assertion.

Instead of fetching the <RequestSecurityTokenTemplate> and calling issuedToken.setRstTemplate(...),
the <Issuer> element is fetched again and issuedToken.setIssuerEpr(...) is called a second time.

extract of the incorrect code:

    public Assertion build(OMElement element, AssertionBuilderFactory factory)
            throws IllegalArgumentException {
        IssuedToken issuedToken = new IssuedToken();

        // Extract Issuer
        OMElement issuerElem = element.getFirstChildWithName(Constants.ISSUER);
        if (issuerElem != null && issuerElem.getFirstElement() != null) {
            issuedToken.setIssuerEpr(issuerElem.getFirstElement());
        }

        // Extract RSTTemplate
        OMElement rstTmplElem = element.getFirstChildWithName(Constants.ISSUER);
        if (rstTmplElem != null) {
            issuedToken.setIssuerEpr(rstTmplElem);
        }

        ...
    }

As can be seen, getFirstChildWithName(Constants.ISSUER) is called twice, as well as setIssuerEpr(...).

As a result, the <RequestSecurityTokenTemplate> element will not be included in the policy of the deployed service.
A client must obtain it locally (e.g. from a file) and cannot extract it from the response of a metadata exchange.


Thx in advance for fixing this issue.

Best regards,
Uwe Kylau


forgot the second effect of the bug

> Processing of <Issuer> and <RequestSecurityTokenTemplate> in class org.apache.ws.secpolicy.builders.IssuedTokenBuilder is wrong.
> --------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: RAMPART-32
>                 URL: https://issues.apache.org/jira/browse/RAMPART-32
>             Project: Rampart
>          Issue Type: Bug
>          Components: rampart-policy
>    Affects Versions: 1.1
>            Reporter: Uwe Kylau
>
> There is a bug in method build(...) of class org.apache.ws.secpolicy.builders.IssuedTokenBuilder,
> which processes the <IssuedToken> assertion.
> Instead of fetching the <RequestSecurityTokenTemplate> and calling issuedToken.setRstTemplate(...),
> the <Issuer> element is fetched again and issuedToken.setIssuerEpr(...) is called a second time.
> extract of the incorrect code:
>     public Assertion build(OMElement element, AssertionBuilderFactory factory)
>             throws IllegalArgumentException {
>         IssuedToken issuedToken = new IssuedToken();
>         // Extract Issuer
>         OMElement issuerElem = element.getFirstChildWithName(Constants.ISSUER);
>         if (issuerElem != null && issuerElem.getFirstElement() != null) {
>             issuedToken.setIssuerEpr(issuerElem.getFirstElement());
>         }
>         // Extract RSTTemplate
>         OMElement rstTmplElem = element.getFirstChildWithName(Constants.ISSUER);
>         if (rstTmplElem != null) {
>             issuedToken.setIssuerEpr(rstTmplElem);
>         }
>         ...
>     }
> As can be seen, getFirstChildWithName(Constants.ISSUER) is called twice, as well as setIssuerEpr(...).
> As a result, the <RequestSecurityTokenTemplate> element will not be included in the policy of the deployed service.
> A client must obtain it locally (e.g. from a file) and cannot extract it from the response of a metadata exchange.
> Moreover, the complete <Issuer> element will be stored, rather than just the endpoint reference that it contains.
> This affects serialization of the element (<IssuedToken><Issuer><Issuer>...</Issuer></Issuer></IssuedToken>).
> Thx in advance for fixing this issue.
> Best regards,
> Uwe Kylau
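
Added example, not part of the original report and not Rampart code: a JDK-only reproduction of the two effects described above (the template is dropped, and the whole <Issuer> element is stored where its endpoint reference belongs), run against a constructed <IssuedToken> policy. Model, child(), build() and shape() are hypothetical names, and the namespace URIs and sample address are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

// Added illustration (JDK DOM only, not Rampart code). Model is a hypothetical
// stand-in for IssuedToken; POLICY is constructed sample input.
public class IssuedTokenParseCheck {
    static final String SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";
    static final String POLICY = "<sp:IssuedToken xmlns:sp='" + SP + "'>"
        + "<sp:Issuer><a:Address xmlns:a='http://www.w3.org/2005/08/addressing'>"
        + "http://sts.example/issue</a:Address></sp:Issuer>"
        + "<sp:RequestSecurityTokenTemplate><x:TokenType xmlns:x='urn:example'>"
        + "urn:example:token</x:TokenType></sp:RequestSecurityTokenTemplate></sp:IssuedToken>";
    static class Model { Element issuerEpr, rstTemplate; }

    // First direct child element in namespace ns with the given local name (null matches any).
    static Element child(Element parent, String ns, String local) {
        for (Node n = parent.getFirstChild(); n != null; n = n.getNextSibling())
            if (n instanceof Element && (ns == null || ns.equals(n.getNamespaceURI()))
                    && (local == null || local.equals(n.getLocalName())))
                return (Element) n;
        return null;
    }

    static Model build(Element tok, boolean buggy) {
        Model m = new Model();
        Element issuer = child(tok, SP, "Issuer");
        if (issuer != null) m.issuerEpr = child(issuer, null, null); // EPR inside <Issuer>
        Element second = child(tok, SP, buggy ? "Issuer" : "RequestSecurityTokenTemplate");
        if (second != null && buggy) m.issuerEpr = second;    // reported: whole <Issuer> replaces the EPR
        if (second != null && !buggy) m.rstTemplate = second; // intended: template is kept
        return m;
    }

    // Nesting a serializer would emit: <IssuedToken><Issuer>{issuerEpr}</Issuer>{rstTemplate}</IssuedToken>
    static String shape(Model m) {
        return "IssuedToken/Issuer/" + (m.issuerEpr == null ? "-" : m.issuerEpr.getLocalName())
            + (m.rstTemplate == null ? " ; template missing" : " ; " + m.rstTemplate.getLocalName());
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        Element tok = f.newDocumentBuilder().parse(
            new ByteArrayInputStream(POLICY.getBytes(StandardCharsets.UTF_8))).getDocumentElement();
        System.out.println("buggy: " + shape(build(tok, true)));
        System.out.println("fixed: " + shape(build(tok, false)));
    }
}
```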
