You are viewing a plain text version of this content. The canonical link for it is here.
Posted to java-dev@axis.apache.org by "Thilina Buddhika (JIRA)" <ji...@apache.org> on 2010/12/22 08:00:05 UTC

[jira] Updated: (RAMPART-277) Rampart ignores token inclusion settings when using the asymmetric security binding

     [ https://issues.apache.org/jira/browse/RAMPART-277?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Thilina Buddhika updated RAMPART-277:
-------------------------------------

    Attachment: RAMPART-277.patch

Hi Dave,

I found some conflicts when applying this patch to current trunk. So I manually merged the changes and recreated the patch(RAMPART-277) out of your patch.

I verified the patch and it solves the aforementioned issue.

Thanks,
Thilina

> Rampart ignores token inclusion settings when using the asymmetric security binding
> -----------------------------------------------------------------------------------
>
>                 Key: RAMPART-277
>                 URL: https://issues.apache.org/jira/browse/RAMPART-277
>             Project: Rampart
>          Issue Type: Bug
>          Components: rampart-core
>    Affects Versions: 1.5
>            Reporter: Dave Bryant
>            Assignee: Ruchith Udayanga Fernando
>            Priority: Minor
>         Attachments: RAMPART-277.patch, tokenReference.patch
>
>
> Consider the abbhreviated policy below.  It defines x509 tokens for the initiator and recipient: the initiator's token must be included in all messages from the initiator to the recepient, and the recipient's token must not be included at all.
> {code:xml}
> <wsp:Policy wsu:Id="servicePolicy">
>   <sp:AsymmetricBinding>
>     <sp:InitiatorToken>
>       <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
>     </sp:InitiatorToken>
>     <sp:RecipientToken>
>       <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never"/>
>     </sp:RecipientToken>
> </wsp:Policy>
> {code}
> When Rampart is used as both the client and server for a web service using this policy, the client's certificate is correctly included as a binary security token in the request.  However, the response message from the server to the client also includes this as a binary security token when reference which token was used to encrypt the encrypted symmetric key.  This is incorrect as the token was marked as only to be included in messages from the initiator to the recipient.
> The problem is that the asymmetric security binding uses RampartUtil.setKeyIdentifierType() to determine what type of key references should be used.  As present it will always include a binary security token unless the token inclusion parameter is set to never - i.e. it does not take into account whether we are the initiator or not, and so doesn't handle the alwaysToInitiator and alwaysToRecipient inclusion modes.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org