Body signature generation ignores data source request payloads
--------------------------------------------------------------
Key: RAMPARTC-154
URL: https://issues.apache.org/jira/browse/RAMPARTC-154
Project: Rampart/C
Issue Type: Bug
Components: OMXMLSecurity
Affects Versions: 1.3.0
Environment: Linux (all distributions)
Reporter: Garrett Holmstrom
Assignee: Malinda Kaushalye Kapuruge
In our web services implementation, we generate Axis/2c code with WSDL2C and
use rampart/c as a module. On the server and client side we require that all
SOAP requests contain timestamps and signed request bodies. However, we found
that enabling signature checking of <Body> elements in the policy:
<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
<sp:Body/>
</sp:SignedParts>
...results in all requests being rejected by the receiver due to signature
verification failure. After investigation, we found that requests generated by
the auto-generated Axis/2C code contained signatures over an empty <Body>, i.e.
all its payload was ignored during element signing. On the other hand, when the
request was received, the entire <Body> was checked against the signature. We
determined that the problem is due to the fact that rampart/c code ignores the
payloads of requests with type AXIOM_DATA_SOURCE.
Attached is a patch that makes the checksum include the bodies of such requests
when they are generated.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
