RAMPART : Incoming policy validation of Bulk Encryption Algorithms.
-------------------------------------------------------------------
Key: AXIS2-2018
URL: https://issues.apache.org/jira/browse/AXIS2-2018
Project: Apache Axis 2.0 (Axis2)
Issue Type: Bug
Components: modules
Reporter: Hans G Knudsen
Hi!
Rampart does not seem to validate the bulk encryption algorithm on an incoming
message against the algorithm specified in the policy.
e.g.
when <sp:Basic256/> / <sp:Basic256Rsa15/> is specified - check that received
algorithm url is http://www.w3.org/2001/04/xmlenc#aes256-cbc
- same for 128 + 192 bit aes..
when <sp:TripleDes> -> http://www.w3.org/2001/04/xmlenc#tripledes-cbc
Would it conform to WS-standards to make these checks/validations ??
The needed information from the received messages is not collected by WSS4J /
WSSecurityEngineResult, and the original encrypted parts have been
decrypted/replaced when reaching PolicyBasedResultsValidator, so a few changes
would be needed...
Should I add a "Collect Encryption algs for Encrypted Parts" on WSS4J issue :
https://issues.apache.org/jira/browse/WSS-57 ??
/hans
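
The check proposed in the report, sketched as an added example (this is not Rampart or WSS4J code). The class name, method name and sample message are constructed for illustration; the suite-to-URI table follows the WS-SecurityPolicy algorithm suite definitions and covers the Rsa15 variants of every suite, not only the ones named above. It reads the still-encrypted message, since the report notes the encrypted parts are replaced during decryption.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class BulkEncAlgCheck {                       // hypothetical class name
    static final String XENC = "http://www.w3.org/2001/04/xmlenc#";

    // WS-SecurityPolicy algorithm suite -> required bulk (data) encryption URI
    static final Map<String, String> SUITE_TO_ENC = Map.of(
        "Basic256", XENC + "aes256-cbc", "Basic256Rsa15", XENC + "aes256-cbc",
        "Basic192", XENC + "aes192-cbc", "Basic192Rsa15", XENC + "aes192-cbc",
        "Basic128", XENC + "aes128-cbc", "Basic128Rsa15", XENC + "aes128-cbc",
        "TripleDes", XENC + "tripledes-cbc", "TripleDesRsa15", XENC + "tripledes-cbc");

    // One entry per xenc:EncryptedData whose algorithm is missing or not the suite's.
    static List<String> violations(Document doc, String suite) {
        String expected = SUITE_TO_ENC.get(suite);
        if (expected == null) throw new IllegalArgumentException("unknown suite " + suite);
        List<String> bad = new ArrayList<>();
        NodeList parts = doc.getElementsByTagNameNS(XENC, "EncryptedData");
        for (int i = 0; i < parts.getLength(); i++) {
            Element data = (Element) parts.item(i);
            String alg = null;
            // Direct children only: a nested EncryptedKey has its own key-transport method.
            for (Node n = data.getFirstChild(); n != null; n = n.getNextSibling()) {
                if (n instanceof Element && XENC.equals(n.getNamespaceURI())
                        && "EncryptionMethod".equals(n.getLocalName())) {
                    alg = ((Element) n).getAttribute("Algorithm");
                }
            }
            if (!expected.equals(alg)) bad.add(data.getAttribute("Id") + ": " + alg);
        }
        return bad;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: one AES-256 part and one 3DES part, not yet decrypted.
        String part = "<xenc:EncryptedData Id='%s'>"
            + "<xenc:EncryptionMethod Algorithm='%s'/></xenc:EncryptedData>";
        String xml = "<body xmlns:xenc='" + XENC + "'>"
            + String.format(part, "ED-1", XENC + "aes256-cbc")
            + String.format(part, "ED-2", XENC + "tripledes-cbc") + "</body>";
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder().parse(
            new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        System.out.println(violations(doc, "Basic256"));
    }
}
```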