WS-Security rampart uses wrong token in service response
--------------------------------------------------------
Key: RAMPART-189
URL: https://issues.apache.org/jira/browse/RAMPART-189
Project: Rampart
Issue Type: Bug
Components: rampart-core, rampart-policy
Affects Versions: 1.4
Reporter: Gary Snider
Assignee: Ruchith Udayanga Fernando
Priority: Critical
In Rampart 1.4:

AsymmetricBindingBuilder.doSignBeforeEncrypt line 457:

    Token encrToken = rpd.getRecipientToken();

The problem is that if this is recipient mode (i.e. service side) then the
encryption token should be the initiator's token.

It looks like it's handled correctly in the signature portion. The same check
should be made for encrypting.

AsymmetricBindingBuilder.doSignature lines 566-570: This block of code checks
for the direction and uses the policy token assertion correctly:

    if(rmd.isInitiator()) {
        sigToken = rpd.getInitiatorToken();
    } else {
        sigToken = rpd.getRecipientToken();
    }
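
Added example, not part of the original report and not Rampart code: a stand-alone model of why the encryption token has to follow the message direction in an asymmetric binding. The Token enum, the method names and the sample plaintext are hypothetical, and it assumes each policy token resolves to that party's own RSA key pair.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import javax.crypto.Cipher;

// Added illustration with stand-in types; none of these are Rampart classes.
public class TokenDirectionDemo {
    enum Token { INITIATOR, RECIPIENT }

    // Same direction check as the doSignature block quoted in the report.
    static Token signatureToken(boolean isInitiator) {
        return isInitiator ? Token.INITIATOR : Token.RECIPIENT;
    }

    // Behaviour the report describes: the recipient token regardless of direction.
    static Token encryptionTokenAsReported(boolean isInitiator) { return Token.RECIPIENT; }

    // Direction-aware choice: each side encrypts to the other party's token.
    static Token encryptionTokenDirectionAware(boolean isInitiator) {
        return isInitiator ? Token.RECIPIENT : Token.INITIATOR;
    }

    // The service encrypts under the chosen token's public key; the client
    // (initiator) then tries to decrypt with the only private key it holds.
    static boolean clientCanReadResponse(Token encToken, KeyPair initiator, KeyPair recipient)
            throws GeneralSecurityException {
        KeyPair target = (encToken == Token.INITIATOR) ? initiator : recipient;
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.ENCRYPT_MODE, target.getPublic());
        byte[] wrapped = rsa.doFinal("constructed session key".getBytes(StandardCharsets.UTF_8));
        try {
            rsa.init(Cipher.DECRYPT_MODE, initiator.getPrivate());
            rsa.doFinal(wrapped);
            return true;
        } catch (GeneralSecurityException wrongKey) {
            return false; // wrapped for a key pair the client does not own
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair initiator = gen.generateKeyPair(), recipient = gen.generateKeyPair();
        boolean isInitiator = false; // service side, building the response
        Token reported = encryptionTokenAsReported(isInitiator);
        Token aware = encryptionTokenDirectionAware(isInitiator);
        System.out.println("signature token: " + signatureToken(isInitiator));
        System.out.println(reported + " readable: " + clientCanReadResponse(reported, initiator, recipient));
        System.out.println(aware + " readable: " + clientCanReadResponse(aware, initiator, recipient));
    }
}
```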