You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ws.apache.org by "Roland Mueller (JIRA)" <ji...@apache.org> on 2014/06/18 14:00:56 UTC

[jira] [Created] (WSS-504) False warning "No Subject DN Certificate Constraints were defined. This could be a security issue"

Roland Mueller created WSS-504:
----------------------------------

             Summary: False warning "No Subject DN Certificate Constraints were defined. This could be a security issue"
                 Key: WSS-504
                 URL: https://issues.apache.org/jira/browse/WSS-504
             Project: WSS4J
          Issue Type: Bug
          Components: WSS4J Core
    Affects Versions: 1.6.15, 1.6.12
            Reporter: Roland Mueller
            Assignee: Colm O hEigeartaigh


Since an upgrade to WSS 1.6.12 my log files are flooded by WARNings of the SignatureTrustValidator class "No Subject DN Certificate Constraints were defined. This could be a security issue".
The certificate in my request is contained in the keystore and according to the SIG_SUBJECT_CERT_CONSTRAINTS explanation in the WSHandlerConstants class "These constraints are not used when the certificate is contained in the keystore (direct trust)."
The commit https://fisheye6.atlassian.com/changelog/wss4j?cs=1511796 introduced the behavior change, now also calling the SignatureTrustValidator.matches(...) constraints validation function where it previously did not, and according to above description, should not.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org