Hi Colm,

I will test this first thing today morning and update the vote.

thanks,
Nandana

P.S.: Congratulations on getting WSS4J 1.5.6 out and getting WS Trust stuff working.

On Wed, Mar 11, 2009 at 6:44 AM, Glen Daniels <g...@thoughtcraft.com> wrote:

> Hey Dan, Colm, all:
>
> This makes sense, and you can consider my -1 withdrawn.
>
> I would, however, like to see Nandana's +1 on this before it goes out.
>
> Thanks,
> --Glen
>
> Daniel Kulp wrote:
> > As Colm mentioned, there is a patch on the Jira already. (actually, Colm
> > could just commit it probably, but I suppose having someone look at it is a
> > good idea)
> >
> > Basically, this is a bug in Rampart. Rampart is suffering from the same
> > "blindly strip the first char" problem that wss4j did. If you put some
> > printlns in the rampart token store, with 1.5.5, you can see:
> >
> > add: 7EA37A075C8888C7BE12367220453773
> > add: #sctId-1176318351
> > get: #sctId-1176318351: org.apache.rahas.to...@364e50ee
> > get: 7EA37A075C8888C7BE12367220453773: org.apache.rahas.to...@420253af
> > Service invoked
> > get: sctId-1176318351: org.apache.rahas.to...@420253af
> > get: EA37A075C8888C7BE12367220453773: org.apache.rahas.to...@364e50ee
> >
> > The last line is the telltale sign. That ID is NOT a valid token ID, but the
> > token store is finding a token for it. That's probably some sort of security
> > violation or something. Not sure how exploitable it is. What's worse, in
> > SOME cases, if you pass the VALID id in, the store doesn't find the token for
> > it.
> >
> > Actually, I would take the patch one further and update the
> > STSClient.findIdentifier method to check the unattached first instead of the
> > attached. With that, all the "add" calls would be with the full id and not
> > the wsu:Id. The lookups later would be a bit quicker then as well.
> >
> > My recommendation would be to get wss4j 1.5.6 out and then follow it up with a
> > rampart release that fixes those issues.
> >
> > Dan
> >
> > On Tue March 10 2009 4:53:23 pm Glen Daniels wrote:
> >> Hi Colm, all:
> >>
> >> -1 from me, unfortunately, since running the Rampart build with the new
> >> WSS4J produced a test failure. In particular the testWithPolicy() test
> >> in RampartTest (integration module) fails.
> >>
> >> DanK believes this might have to do with the way WSS4J has corrected its
> >> URL handling (it was previously truncating the 1st char of all urls
> >> assuming that they'd be of the form "#urn...").
> >>
> >> Could someone from rampart-dev have a look at this?
> >>
> >> Thanks,
> >> --Glen
> >>
> >> P.S. A huge +1, by the way, to the congratulations on all the hard work
> >> and interop success!
> >>
> >> Colm O hEigeartaigh wrote:
> >>> To the Apache Web Services Community,
> >>>
> >>> This is a call for votes for the wss4j-1.5.6 release.
> >>>
> >>> The distribution can be found at the following URL:
> >>>
> >>> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/dist/
> >>>
> >>> You can also point maven at the following URL to pull down the 1.5.6
> >>> release POM, source, and class JARs:
> >>>
> >>> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/maven/
> >>>
> >>> Additionally, the generated version of the web site can be found at
> >>>
> >>> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/site/
> >>>
> >>> The list of bugs fixed in this release can be seen here:
> >>>
> >>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310063&styleName=Html&version=12313623
> >>>
> >>> This vote will stay open for at least 72 hours.
> >>>
> >>> Here is my (non-binding and advisory) +1.
> >>>
> >>> Thanks,
> >>>
> >>> Colm.
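
The "blindly strip the first char" problem described in the quoted message, as an added Java example that is not Rampart or WSS4J code and was not posted by anyone in this thread: a hypothetical token store whose normalizer drops the first character unconditionally, next to one that removes a leading `#` only when it is present. Class, method and token names are assumptions; the two sample IDs reuse the shapes from the log above.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.function.UnaryOperator;

// Added illustration: hypothetical names throughout, not Rampart or WSS4J code.
public class TokenIdLookupDemo {
    // Flawed: assumes every reference looks like "#id" and drops the first character.
    static String stripBlindly(String ref) {
        return ref.substring(1);
    }

    // Corrected: remove the fragment marker only when it is actually there.
    static String stripFragment(String ref) {
        return ref.startsWith("#") ? ref.substring(1) : ref;
    }

    // Minimal token store that applies one normalizer on both add and get.
    static final class Store {
        private final Map<String, String> tokens = new HashMap<>();
        private final UnaryOperator<String> normalize;
        Store(UnaryOperator<String> normalize) { this.normalize = normalize; }
        void add(String ref, String token) { tokens.put(normalize.apply(ref), token); }
        String get(String ref) { return tokens.get(normalize.apply(ref)); }
    }

    public static void main(String[] args) {
        String bareId = "7EA37A075C8888C7BE12367220453773"; // ID shape without '#'
        String fragmentRef = "#sctId-1176318351";            // ID shape with '#'
        // Constructed ID that was never issued: differs from bareId in its first character.
        String neverIssued = "0" + bareId.substring(1);

        Store flawed = new Store(TokenIdLookupDemo::stripBlindly);
        Store fixed = new Store(TokenIdLookupDemo::stripFragment);
        for (Store s : new Store[] { flawed, fixed }) {
            s.add(bareId, "token-A");
            s.add(fragmentRef, "token-B");
        }
        // The flawed store keys on characters 2..n only, so an unissued ID can resolve.
        System.out.println("flawed get(neverIssued) = " + flawed.get(neverIssued));
        // The corrected store keys on the full ID, so only an exact match resolves.
        System.out.println("fixed  get(neverIssued) = " + fixed.get(neverIssued));
        // With the fix, a reference resolves with or without its '#' marker.
        System.out.println("fixed  get(#ref)        = " + fixed.get(fragmentRef));
        System.out.println("fixed  get(ref)         = " + fixed.get(fragmentRef.substring(1)));
    }
}
```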