X509TokenValidator uses signature-crypto-provider instead of
encryption-crypto-provider
---------------------------------------------------------------------------------------
Key: CXF-4028
URL: https://issues.apache.org/jira/browse/CXF-4028
Project: CXF
Issue Type: Bug
Components: Core
Affects Versions: 2.5
Reporter: Jan Bernhardt
I found a bug in X509TokenValidator class.
There are two crypto handler which can be configured:
<entry key="ws-security.signature.crypto" value-ref="..."/>
<entry key="ws-security.encryption.crypto" value-ref="..."/>
ws-security.signature.crypto is for my own signature, when sending messages,
and to decrypt messages, which have been send to me. (here is my private key)
ws-security.encryption.crypto is for encrypting messages before sending and
validating of signatures in received messages. (here are all my trusted public
keys/CAs)
In X509TokenValidator the signature crypto provider is used to validate a
received message signature. But instead the encryption provider should be used!
See line 101 in X509TokenValidator.java:
Crypto sigCrypto = stsProperties.getSignatureCrypto();
There might be other sections which needs to be updated as well...
Best regards
Jan
See post on the mailinglist regarding this topic also:
http://cxf.547215.n5.nabble.com/X509TokenValidator-td5139681.html
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
