Posted to issues@cxf.apache.org by "Alessio Soldano (JIRA)" <ji...@apache.org> on 2013/02/07 15:13:13 UTC

[jira] [Commented] (CXF-4789) EndorsingSupportingTokens do not respect ProtectTokens assertion from paired binding policy

    [ https://issues.apache.org/jira/browse/CXF-4789?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13573518#comment-13573518 ] 

Alessio Soldano commented on CXF-4789:
--------------------------------------

In order to fix this issue, the WSS-421 fix needs to be included. Moreover, the following patch is also required to allow validating the incoming message on the server side:

{code}
Index: src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
===================================================================
--- src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java	(revision 1442960)
+++ src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java	(working copy)
@@ -539,7 +539,7 @@
                 CastUtils.cast((List<?>)signedResult.get(
                     WSSecurityEngineResult.TAG_DATA_REF_URIS
                 ));
-            if (sl != null && sl.size() == 1) {
+            if (sl != null && sl.size() >= 1) {
                 for (WSDataRef dataRef : sl) {
                     QName signedQName = dataRef.getName();
                     if (WSSecurityEngine.SIGNATURE.equals(signedQName)
{code}
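
Review bot: The relaxed guard `sl.size() >= 1` on the changed line no longer adds anything to the `for (WSDataRef dataRef : sl)` loop that follows, since an empty list would simply skip the loop body; unless an else branch outside the visible context depends on it, `sl != null` (or an explicit `!sl.isEmpty()`) states the intent more clearly. More importantly, the check used to accept only a signature with exactly one data reference and now accepts any number of them, so the rest of the loop (cut off after the `WSSecurityEngine.SIGNATURE.equals(signedQName)` test) should be confirmed to require that the main signature is actually among the references and not to pass or fail on whichever reference happens to come first. A validator test with an endorsing signature that references both the first signature and the endorsing token, plus a negative test where the first signature is missing from a multi-reference list, would pin this behaviour down.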
                
> EndorsingSupportingTokens do not respect ProtectTokens assertion from paired binding policy 
> --------------------------------------------------------------------------------------------
>
>                 Key: CXF-4789
>                 URL: https://issues.apache.org/jira/browse/CXF-4789
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.4.8
>            Reporter: Alessio Soldano
>
> I have a WSDL containing both a SymmetricBinding and an EndorsingSupportingTokens policy. The binding one specifies the ProtectTokens assertion. As a consequence, as per WS-SecurityPolicy 1.2 Section 8.9, the signature for the endorsing supporting token should sign both the first signature and the endorsing token, while it seems the latter is currently not covered.
