Posted to java-dev@axis.apache.org by Angel Todorov <at...@gmail.com> on 2007/06/28 13:54:12 UTC
[rampart] PolicyBasedResultsValidator
Hi all,
I've found this piece of code in RampartPolicyBasedResultsValidator.java:

    int refCount = 0;
    refCount += encryptedParts.size();
    if (encrRefs.size() != refCount) {
        throw new RampartException("invalidNumberOfEncryptedParts",
                new String[]{Integer.toString(refCount)});
    }
How can you be sure that if the number is the same, the parts themselves
aren't different? This can lead to a big security compromise IMO, maybe I
am mistaken -:)
Regards,
Angel
Re: [rampart] PolicyBasedResultsValidator
Posted by Ruchith Fernando <ru...@gmail.com>.
Yes ... this certainly can be improved to check whether we actually
received the parts that we expected or not!
Thanks,
Ruchith
On 6/28/07, Angel Todorov <at...@gmail.com> wrote:
> Hi all,
>
> I've found this piece of code in the
> RampartPolicyBasedResultsValidator.java:
>
> int refCount = 0;
>
> refCount += encryptedParts.size();
>
> if(encrRefs.size() != refCount) {
> throw new
> RampartException("invalidNumberOfEncryptedParts",
> new String[]{Integer.toString(refCount)});
> }
>
>
> How can you be sure that if the number is the same, the parts themselves
> aren't different? This can lead to a big security compromise IMO , maybe I
> am mistaken -:)
>
> Regards,
> Angel
>
--
www.ruchith.org
www.wso2.org
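The identity-based check the thread calls for, as an added example that is not Rampart's or WSS4J's own code: PartRef, countOnly and missingParts are hypothetical stand-ins, and the sample parts are constructed.

```java
import java.util.*;

// Added example, not Rampart/WSS4J code. PartRef stands in for the
// (namespace, local name, modifier) that identifies a policy-required
// encrypted part; the real Rampart/WSS4J classes differ.
public final class EncryptedPartsCheck {

    record PartRef(String namespace, String localName, String modifier) {}

    // Weak check: mirrors the count-only comparison quoted in the thread.
    static boolean countOnly(Set<PartRef> expected, Set<PartRef> received) {
        return expected.size() == received.size();
    }

    // Stronger check: every part the policy requires must appear among the
    // references that were actually decrypted, matched by identity, not count.
    static List<PartRef> missingParts(Set<PartRef> expected, Set<PartRef> received) {
        List<PartRef> missing = new ArrayList<>();
        for (PartRef p : expected) {
            if (!received.contains(p)) missing.add(p);
        }
        return missing;
    }

    public static void main(String[] args) {
        String soap = "http://schemas.xmlsoap.org/soap/envelope/";
        String wsse = "http://docs.oasis-open.org/wss/2004/01/"
                + "oasis-200401-wss-wssecurity-secext-1.0.xsd";
        // Constructed sample: policy requires Body content and the UsernameToken element encrypted.
        Set<PartRef> expected = Set.of(
                new PartRef(soap, "Body", "Content"),
                new PartRef(wsse, "UsernameToken", "Element"));
        // Constructed sample: two references arrived, but one is not a part the policy named.
        Set<PartRef> received = Set.of(
                new PartRef(soap, "Body", "Content"),
                new PartRef("urn:example:constructed", "Other", "Element"));

        System.out.println("count-only check passes: " + countOnly(expected, received));
        List<PartRef> missing = missingParts(expected, received);
        if (!missing.isEmpty()) {
            // In the validator this is where a RampartException would be thrown.
            System.out.println("identity check fails, missing: " + missing);
        }
    }
}
```

The count-only check accepts this message while the identity check rejects it, which is exactly the gap the thread points out.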