[
https://issues.apache.org/jira/browse/RAMPART-415?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Detelin Yordanov updated RAMPART-415:
-------------------------------------
Attachment: rampart_ut_nopasswd.patch
Unfortunately you are right, Rampart trunk also suffers from this problem, but
since there is no test with username token without password, there are no
failures in the nightly build.
I'm attaching a patch with such test and corresponding fix - the fix is to
check if UsernameToken assertion with no password requirement is present as a
supporting token and configure wss4j to allow it. Unfortunately this is a
global configuration in wss4j and cannot be applied to individual username
tokens, but considering that so far wss4j always allows such tokens, I think we
are fine now to allow them if at least one such token is present.
> Upgrade Rampart to use latest wss4j 1.6.16
> ------------------------------------------
>
> Key: RAMPART-415
> URL: https://issues.apache.org/jira/browse/RAMPART-415
> Project: Rampart
> Issue Type: Improvement
> Affects Versions: 1.6.2
> Reporter: Detelin Yordanov
> Assignee: Andreas Veithen
> Fix For: 1.7.0, 1.6.3
>
> Attachments: rampart16_wss4j.patch, rampart_bcprov.patch,
> rampart_ut_nopasswd.patch, rampart_wss4j.patch
>
>
> Rampart uses an outdated wss4j 1.6.4 version, while wss4j 1.6.16 was released
> just recently. I think it is important for Rampart to use latest stable
> wss4j, additionally my team is willing to contribute some Rampart extensions
> which require wss4j 1.6.16. I tested Rampart trunk with wss4j 1.6.16 and
> noticed two failing tests:
> - org.apache.rampart.RampartTest.testWithPolicy, scenario 7
> - org.apache.rahas.impl.util.CommonUtilTest.testGetDecryptedBytes
> The first issue is caused by a change in wss4j to add an "id" to the
> "Reference List" security processing results even when the value is an empty
> literal. I discussed the issue on wss4j mailing list and a fix for this will
> be available in next wss4j 1.6.17 version, see:
> http://mail-archives.apache.org/mod_mbox/ws-dev/201407.mbox/%3ccaeu2frpx1envbytejnyblnc1w1zb9ssjxskgh7m0adszamr...@mail.gmail.com%3E
> Meanwhile, I proposed a temporary fix in Rampart that skips results with
> empty Ids (attached).
> The second issue is triggered by a change in xmlsec 1.5.2 which adds cloning
> of KeyInfo elements, however the root cause seems to be a change is how Rahas
> TestUtil constructs a SOAP envelope:
> [Avoid direct references to Axiom implementation
> classes|http://svn.apache.org/viewvc/axis/axis2/java/rampart/trunk/modules/rampart-trust/src/test/java/org/apache/rahas/test/util/TestUtil.java?r1=1298295&r2=1299913]
> I have raised this issue on Axis2 dev list:
> http://mail-archives.apache.org/mod_mbox/axis-java-dev/201407.mbox/%3CCAEu2FROZusGJr%3DtzSRXe88hXYpV%3DzAyrNE-vwDYpi0tZG9Vy4Q%40mail.gmail.com%3E
> I will update this issue once a solution is found. I can help with further
> issues if such are found. Please note that all Rampart tests pass
> successfully with wss4j 1.6.16 after applying the provided Rampart wss4j
> workaround and reverting the Rampart Axiom-related changes done in revision
> [1299913|http://svn.apache.org/viewvc?view=revision&revision=1299913].
--
This message was sent by Atlassian JIRA
(v6.2#6252)
---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscr...@axis.apache.org
For additional commands, e-mail: java-dev-h...@axis.apache.org
