Axis2: Rampart module is not checking the existence of signature value within wsse:security tag
-----------------------------------------------------------------------------------------------
Key: AXIS2-4352
URL: https://issues.apache.org/jira/browse/AXIS2-4352
Project: Axis 2.0 (Axis2)
Issue Type: Bug
Environment: Linux 2.6.9-78.0.1.ELsmp
Reporter: Peter Kim
Rampart module works well if a correct signature value exists or an incorrect
signature value exists, but still allows the message to go through even without any
signature value defined. What seems to be missing is a check for whether a
signature value exists after getting back the wsResult vector from the wss4j processing
header API call (WSDoAllReceiver.java).
I have added the following lines to check for the existence.
**********
boolean isSigned = false;
if (wsResult != null) {
    // Only enforce when the configured actions include SIGN.
    if ((doAction & WSConstants.SIGN) == WSConstants.SIGN) {
        log.info("WSDoAllReceiver: SOAP message MUST contain signature values");
        // Look for a signature value in any of the WSS4J processing results.
        for (int i = 0; i < wsResult.size(); i++) {
            WSSecurityEngineResult secengine =
                    (WSSecurityEngineResult) wsResult.elementAt(i);
            Object tempstr = secengine.get(WSSecurityEngineResult.TAG_SIGNATURE_VALUE);
            log.info("WSDoAllReceiver: Find sig value : " + tempstr);
            if (tempstr != null) {
                isSigned = true;
                break;
            }
        }
        log.info("WSDoAllReceiver: contains signature : " + isSigned);
        if (!isSigned) {
            // Reject the message: a signature is required but none was found.
            throw new AxisFault(
                    "WSDoAllReceiver: Incoming message does not contain signature");
        }
    }
}
**********
Please review and rectify if necessary.