Posted to java-dev@axis.apache.org by Angel Todorov <at...@gmail.com> on 2007/06/28 13:54:12 UTC

[rampart] PolicyBasedResultsValidator

Hi all,

I've found this piece of code in RampartPolicyBasedResultsValidator.java:

  int refCount = 0;
  refCount += encryptedParts.size();

  if(encrRefs.size() != refCount) {
      throw new RampartException("invalidNumberOfEncryptedParts",
              new String[]{Integer.toString(refCount)});
  }


How can you be sure that if the number is the same, the parts themselves
aren't different? This can lead to a big security compromise IMO, maybe I
am mistaken -:)

Regards,
Angel

Re: [rampart] PolicyBasedResultsValidator

Posted by Ruchith Fernando <ru...@gmail.com>.
Yes ... this certainly can be improved to check whether we actually
received the parts that we expected or not!

Thanks,
Ruchith

On 6/28/07, Angel Todorov <at...@gmail.com> wrote:
> Hi all,
>
> I've found this piece of code in the
> RampartPolicyBasedResultsValidator.java:
>
>   int refCount = 0;
>
>         refCount += encryptedParts.size();
>
>         if(encrRefs.size() != refCount) {
>             throw new
> RampartException("invalidNumberOfEncryptedParts",
>                     new String[]{Integer.toString(refCount)});
>         }
>
>
> How can you be sure that if the number is the same, the parts themselves
> aren't different? This can lead to a big security compromise IMO , maybe I
> am mistaken -:)
>
> Regards,
> Angel
>


-- 
www.ruchith.org
www.wso2.org
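
The gap both messages point at, shown as an added example (this is not Rampart's or
WSS4J's code): the count-only check from the thread next to a check that looks for
each part the policy requires. RequiredPart, EncryptedRef and the namespace
http://example.com/ns are stand-ins for the policy model and for the decrypted-element
references the validator receives; the matching rule (namespace plus optional local
name, as in a WS-SecurityPolicy sp:Header) is an assumption about how such parts are
compared, not a description of Rampart's implementation.

```java
import java.util.ArrayList;
import java.util.List;
import javax.xml.namespace.QName;

// Added example, not Rampart's code. Class names are stand-ins for the policy's
// EncryptedParts (RequiredPart) and for the list of elements WSS4J reports as
// decrypted (EncryptedRef), which the thread calls encrRefs.
public class EncryptedPartsCheck {

    static final String SOAP11_NS = "http://schemas.xmlsoap.org/soap/envelope/";
    static final QName BODY = new QName(SOAP11_NS, "Body");

    /** An element actually found encrypted in the received message. */
    static final class EncryptedRef {
        final QName element;
        EncryptedRef(QName element) { this.element = element; }
    }

    /** A part the policy says must be encrypted: namespace plus optional local name
     *  (a null name means "any header in that namespace", like sp:Header without Name). */
    static final class RequiredPart {
        final String namespace;
        final String name;
        RequiredPart(String namespace, String name) { this.namespace = namespace; this.name = name; }
        boolean matches(QName element) {
            return namespace.equals(element.getNamespaceURI())
                && (name == null || name.equals(element.getLocalPart()));
        }
        public String toString() { return "{" + namespace + "}" + (name == null ? "*" : name); }
    }

    /** The check as quoted in the thread: only the two sizes are compared. */
    static boolean countOnlyCheck(List<RequiredPart> encryptedParts, List<EncryptedRef> encrRefs) {
        int refCount = 0;
        refCount += encryptedParts.size();
        return encrRefs.size() == refCount;
    }

    /** Stricter check: every required part must be matched by some encrypted reference. */
    static List<RequiredPart> missingParts(List<RequiredPart> encryptedParts, List<EncryptedRef> encrRefs) {
        List<RequiredPart> missing = new ArrayList<RequiredPart>();
        for (RequiredPart part : encryptedParts) {
            boolean found = false;
            for (EncryptedRef ref : encrRefs) {
                if (part.matches(ref.element)) { found = true; break; }
            }
            if (!found) missing.add(part);
        }
        return missing;
    }

    static boolean partMatchingCheck(List<RequiredPart> encryptedParts, List<EncryptedRef> encrRefs) {
        return missingParts(encryptedParts, encrRefs).isEmpty();
    }

    public static void main(String[] args) {
        // Constructed policy: the Body and a hypothetical CreditCard header must be encrypted.
        List<RequiredPart> expected = new ArrayList<RequiredPart>();
        expected.add(new RequiredPart(SOAP11_NS, "Body"));
        expected.add(new RequiredPart("http://example.com/ns", "CreditCard"));

        // Constructed message: two elements are encrypted, but the wrong header is one of them,
        // so the CreditCard header travels in the clear while the count still matches.
        List<EncryptedRef> received = new ArrayList<EncryptedRef>();
        received.add(new EncryptedRef(BODY));
        received.add(new EncryptedRef(new QName("http://example.com/ns", "Timestamp")));

        System.out.println("count-only check passes:    " + countOnlyCheck(expected, received));   // true
        System.out.println("part-matching check passes: " + partMatchingCheck(expected, received)); // false
        System.out.println("missing parts:              " + missingParts(expected, received));
    }
}
```

The count-only check still catches a message with too few or too many encrypted
elements, but it accepts any substitution that keeps the count the same; the
part-matching check reports exactly which required part was not encrypted, which is
also the more useful thing to put in the RampartException message.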

---------------------------------------------------------------------
To unsubscribe, e-mail: axis-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: axis-dev-help@ws.apache.org