[ 
https://issues.apache.org/jira/browse/RAMPARTC-154?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Garrett Holmstrom updated RAMPARTC-154:
---------------------------------------

    Attachment: rampart-trunk-c14n.patch

Patch that includes payloads of type AXIOM_DATA_SOURCE in body signature 
calculations

> Body signature generation ignores data source request payloads
> --------------------------------------------------------------
>
>                 Key: RAMPARTC-154
>                 URL: https://issues.apache.org/jira/browse/RAMPARTC-154
>             Project: Rampart/C
>          Issue Type: Bug
>          Components: OMXMLSecurity
>    Affects Versions: 1.3.0
>         Environment: Linux (all distributions)
>            Reporter: Garrett Holmstrom
>            Assignee: Malinda Kaushalye Kapuruge
>              Labels: patch
>         Attachments: rampart-trunk-c14n.patch
>
>
> In our web services implementation, we generate Axis/2c code with WSDL2C and 
> use rampart/c as a module. On the server and client side we require that all 
> SOAP requests contain timestamps and signed request bodies. However, we found 
> that enabling signature checking of <Body> elements in the policy:
> <sp:SignedParts 
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <sp:Body/>
> </sp:SignedParts>
>  
> ...results in all requests being rejected by the receiver due to signature 
> verification failure. After investigation, we found that requests generated 
> by the auto-generated Axis/2C code contained signatures over an empty <Body>, 
> i.e. all its payload was ignored during element signing. On the other hand, 
> when the request was received, the entire <Body> was checked against the 
> signature. We determined that the problem is due to the fact that rampart/c 
> code ignores the payloads of requests with type AXIOM_DATA_SOURCE.
> Attached is a patch that makes the checksum include the bodies of such 
> requests when they are generated.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
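
A minimal model of the mismatch described in the report, added here as an illustration; it is not code from Rampart/C or from the attached patch. The node kinds, `serialize`, `sender_digest` and the FNV-1a digest are hypothetical stand-ins for the real tree and digest algorithm, and the sample Body is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical node kinds: a model of the idea, not Axiom's own types. */
typedef enum { NODE_ELEMENT, NODE_TEXT, NODE_DATA_SOURCE } node_kind;
typedef struct node {
    node_kind kind;
    const char *value;         /* element name, text, or pre-serialized XML */
    const struct node *child;  /* first child (elements only) */
    const struct node *next;   /* next sibling */
} node;
/* Serialize a subtree. With skip_ds set, data source payloads are dropped,
 * which is the signing-side behaviour the report describes. */
static void serialize(const node *n, int skip_ds, char *buf, size_t cap) {
    for (; n != NULL; n = n->next) {
        size_t len = strlen(buf);
        if (n->kind == NODE_ELEMENT) {
            snprintf(buf + len, cap - len, "<%s>", n->value);
            serialize(n->child, skip_ds, buf, cap);
            len = strlen(buf);
            snprintf(buf + len, cap - len, "</%s>", n->value);
        } else if (n->kind == NODE_TEXT || !skip_ds) {
            snprintf(buf + len, cap - len, "%s", n->value);
        }
    }
}
/* FNV-1a over a string: a stand-in for the real digest algorithm. */
uint32_t digest(const char *s) {
    uint32_t h = 2166136261u;
    for (; *s != '\0'; s++) { h ^= (unsigned char)*s; h *= 16777619u; }
    return h;
}
/* Digest of the Body as the sender computes it from its in-memory tree. */
uint32_t sender_digest(const node *body, int skip_ds) {
    char buf[256] = "";
    serialize(body, skip_ds, buf, sizeof buf);
    return digest(buf);
}
/* Constructed sample: a Body whose only payload is a data source node. */
static const node sample_payload = { NODE_DATA_SOURCE, "<ns:Ping>hi</ns:Ping>", NULL, NULL };
static const node sample_body = { NODE_ELEMENT, "Body", &sample_payload, NULL };
static const char sample_wire[] = "<Body><ns:Ping>hi</ns:Ping></Body>"; /* bytes received */

int main(void) {
    uint32_t seen = digest(sample_wire);  /* receiver digests the whole Body */
    printf("skip payload: %s\n", sender_digest(&sample_body, 1) == seen ? "verifies" : "rejected");
    printf("with payload: %s\n", sender_digest(&sample_body, 0) == seen ? "verifies" : "rejected");
    return 0;
}
```

When the sender skips the payload, its digest equals the digest of an empty `<Body></Body>`, so the signature neither matches what the receiver sees nor covers the content it is supposed to protect.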
