Posted to issues@cxf.apache.org by "Alessio Soldano (JIRA)" <ji...@apache.org> on 2013/02/07 15:13:13 UTC
[jira] [Commented] (CXF-4789) EndorsingSupportingTokens do not
respect ProtectTokens assertion from paired binding policy
[ https://issues.apache.org/jira/browse/CXF-4789?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13573518#comment-13573518 ]
Alessio Soldano commented on CXF-4789:
--------------------------------------
In order to fix this issue, the WSS-421 fix needs to be included. Moreover, the following patch is also required to allow validating the incoming message on the server side:
{code}
Index: src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
===================================================================
--- src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java (revision 1442960)
+++ src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java (working copy)
@@ -539,7 +539,7 @@
CastUtils.cast((List<?>)signedResult.get(
WSSecurityEngineResult.TAG_DATA_REF_URIS
));
- if (sl != null && sl.size() == 1) {
+ if (sl != null && sl.size() >= 1) {
for (WSDataRef dataRef : sl) {
QName signedQName = dataRef.getName();
if (WSSecurityEngine.SIGNATURE.equals(signedQName)
{code}
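Review bot: The relaxed guard in the changed `if` (`sl.size() >= 1`) now admits an endorsing signature with any number of data references, but the visible loop body only compares each `dataRef.getName()` against `WSSecurityEngine.SIGNATURE`, so it is not clear from this hunk that a multi-reference signature is accepted only when the main signature is actually among the references. Please confirm the loop does not treat extra, unrelated references as sufficient, and consider a test with a SymmetricBinding plus ProtectTokens plus EndorsingSupportingTokens message whose endorsing signature covers both the first signature and the endorsing token. As a style point, the `for` loop is already a no-op on an empty list, so `sl != null` alone, or `sl != null && !sl.isEmpty()`, states the intent more plainly than `>= 1`.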
> EndorsingSupportingTokens do not respect ProtectTokens assertion from paired binding policy
> --------------------------------------------------------------------------------------------
>
> Key: CXF-4789
> URL: https://issues.apache.org/jira/browse/CXF-4789
> Project: CXF
> Issue Type: Bug
> Components: WS-* Components
> Affects Versions: 2.4.8
> Reporter: Alessio Soldano
>
> I have a WSDL containing both a SymmetricBinding and an EndorsingSupportingTokens policy. The binding one specifies the ProtectTokens assertion. As a consequence, as per WS-SecurityPolicy 1.2 Section 8.9, the signature for the endorsing supporting token should sign both the first signature and the endorsing token, while it seems the latter is currently not covered.