[jira] Closed: (RAMPART-32) Processing of and in class org.apache.ws.secpolicy.builders.IssuedTokenBuilder is wrong.

Mon, 17 Dec 2007 21:43:05 -0800 

     [ 
https://issues.apache.org/jira/browse/RAMPART-32?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Uwe Kylau closed RAMPART-32.
----------------------------


Should work fine now.

> Processing of <Issuer> and <RequestSecurityTokenTemplate> in class 
> org.apache.ws.secpolicy.builders.IssuedTokenBuilder is wrong.
> --------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: RAMPART-32
>                 URL: https://issues.apache.org/jira/browse/RAMPART-32
>             Project: Rampart
>          Issue Type: Bug
>          Components: rampart-policy
>    Affects Versions: 1.1
>            Reporter: Uwe Kylau
>             Fix For: 1.3
>
>
> There is a bug in method build(...) of class 
> org.apache.ws.secpolicy.builders.IssuedTokenBuilder,
> which processes the <IssuedToken> assertion.
> Instead of fetching the <RequestSecurityTokenTemplate> and calling 
> issuedToken.setRstTemplate(...),
> the <Issuer> element is fetched again and issuedToken.setIssuerEpr(...) is 
> called a second time.
> extract of the incorrect code:
>     public Assertion build(OMElement element, AssertionBuilderFactory factory)
>             throws IllegalArgumentException {
>         IssuedToken issuedToken = new IssuedToken();
>         // Extract Issuer
>         OMElement issuerElem = 
> element.getFirstChildWithName(Constants.ISSUER);
>         if (issuerElem != null && issuerElem.getFirstElement() != null) {
>             issuedToken.setIssuerEpr(issuerElem.getFirstElement());
>         }
>         // Extract RSTTemplate
>         OMElement rstTmplElem = 
> element.getFirstChildWithName(Constants.ISSUER);
>         if (rstTmplElem != null) {
>             issuedToken.setIssuerEpr(rstTmplElem);
>         }
>         ...
>     }
> As can be seen, getFirstChildWithName(Constants.ISSUER) is called twice, as 
> well as setIssuerEpr(...).
> In result, the <RequestSecurityTokenTemplate> element will not be included in 
> the policy of the deployed service.
> A client must must obtain it locally (e.g. from a file) and cannot extract it 
> from the response of a metadata exchange.
> Moreover, the complete <Issuer> element will be stored, rather than just the 
> endpoint reference that it contains.
> This affects serialization of the element 
> (<IssuedToken><Issuer><Issuer>...</Issuer></Issuer></IssuedToken>).
> Thx in advance for fixing this issue.
> Best regards,
> Uwe Kylau

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

Reply via email to