PolicyBasedResultsValidator fails on ContentEncryptedElements and EncryptedElements
-----------------------------------------------------------------------------------

                 Key: RAMPART-264
                 URL: https://issues.apache.org/jira/browse/RAMPART-264
             Project: Rampart
          Issue Type: Bug
          Components: rampart-core
    Affects Versions: 1.4
         Environment: tomcat6
axis2 1.4
            Reporter: Christian Connert
            Assignee: Ruchith Udayanga Fernando


The validation of ContentEncryptedElements or EncryptedElements fails:

Caused by: org.apache.rampart.RampartException: Missing encryption result for id : http://test.at/:name
        at org.apache.rampart.PolicyBasedResultsValidator.validateEncryptedParts(PolicyBasedResultsValidator.java:448)
        at org.apache.rampart.PolicyBasedResultsValidator.validate(PolicyBasedResultsValidator.java:144)
        at org.apache.rampart.RampartEngine.process(RampartEngine.java:204)
        at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
        ... 21 more

This error is caused by lines 447 - 448 of the PolicyBasedResultsValidator class.
The problem is that decrypted elements have no encryption Id attribute, so the 
check if(encPart.getEncId() == null) evaluates to true, resulting in the 
RampartException shown above.

From my point of view the error lies within the validation process. The 
behavior that no Id attributes are present in a decrypted element is intended by 
the WS-SecurityPolicy specification.

I would suggest two fixes:

1.) (Quick and Dirty):

Extend PolicyBasedResultsValidator and override validateEncryptedParts 
(almost the same as in the base class):

import java.util.ArrayList;
import java.util.Vector;

import javax.xml.namespace.QName;

import org.apache.rampart.PolicyBasedResultsValidator;
import org.apache.rampart.RampartException;
import org.apache.rampart.RampartMessageData;
import org.apache.rampart.ValidatorData;
import org.apache.rampart.policy.RampartPolicyData;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSEncryptionPart;

// The class name is a placeholder; it is the value to configure as ramp:policyValidatorCbClass.
public class ElementAwarePolicyBasedResultsValidator extends PolicyBasedResultsValidator {

    protected void validateEncryptedParts(ValidatorData data,
            Vector encryptedParts, Vector results) throws RampartException {
        RampartMessageData rmd = data.getRampartMessageData();

        // Ids and QNames of everything that was actually decrypted in this message
        ArrayList encrRefs = getEncryptedReferences(results);

        RampartPolicyData rpd = rmd.getPolicyData();

        // Check for encrypted body
        if (rpd.isEncryptBody()) {
            if (!isRefIdPresent(encrRefs, data.getBodyEncrDataId())) {
                throw new RampartException("encryptedPartMissing",
                        new String[]{data.getBodyEncrDataId()});
            }
        }

        for (int i = 0; i < encryptedParts.size(); i++) {
            WSEncryptionPart encPart = (WSEncryptionPart) encryptedParts.get(i);

            // This is the encrypted Body and we already checked the encrypted body
            if (encPart.getType() == WSConstants.PART_TYPE_BODY) {
                continue;
            }

            // Signature and header parts are matched by QName
            if ((WSConstants.SIG_LN.equals(encPart.getName())
                    && WSConstants.SIG_NS.equals(encPart.getNamespace()))
                    || encPart.getType() == WSConstants.PART_TYPE_HEADER) {
                if (!isRefIdPresent(encrRefs,
                        new QName(encPart.getNamespace(), encPart.getName()))) {
                    throw new RampartException("encryptedPartMissing",
                            new String[]{encPart.getNamespace() + ":" + encPart.getName()});
                }
                continue;
            }

            if (encPart.getEncId() == null) {
                // !!! this block is added !!!
                // Decrypted elements carry no Id attribute, so fall back to QName
                // matching instead of failing outright as the base class does.
                if (!isRefIdPresent(encrRefs,
                        new QName(encPart.getNamespace(), encPart.getName()))) {
                    throw new RampartException("encryptedPartMissing",
                            new String[]{encPart.getNamespace() + ":" + encPart.getName()});
                }
            } else if (!isRefIdPresent(encrRefs, encPart.getEncId())) {
                throw new RampartException("encryptedPartMissing",
                        new String[]{encPart.getNamespace() + ":" + encPart.getName()});
            }
        }
    }

    // isRefIdPresent(ArrayList refList, QName qname) and
    // isRefIdPresent(ArrayList refList, String id) are private in
    // PolicyBasedResultsValidator and must be copied into this class unchanged.
}

One also needs to copy the private methods isRefIdPresent(ArrayList refList, 
QName qname) and isRefIdPresent(ArrayList refList, String id) from the 
PolicyBasedResultsValidator class.

Then the Rampart config can be adapted to use the new 
PolicyValidatorCallbackHandler (ramp:policyValidatorCbClass).
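How the two pieces fit together in a services.xml policy: the EncryptedElements assertion that drives validateEncryptedParts down the failing path, next to the RampartConfig entry that plugs in the overriding subclass. This is an added example, not part of the original report; the XPath, the ns prefix, the class and callback names and the keystore settings are assumptions, and per RAMPART-218 the assertion has to sit beside the usual binding and token assertions to be processed at all.

```xml
<!-- Added example (not from the report). Fragment of a services.xml wsp:Policy;
     XPath, "ns" prefix, class names and keystore values are placeholders. -->
<wsp:Policy wsu:Id="EncryptNameElement"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
    xmlns:ramp="http://ws.apache.org/rampart/policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <!-- sp:AsymmetricBinding / token assertions omitted; RAMPART-218 means
           EncryptedElements must not be the only assertion in the policy -->

      <!-- The element whose validation fails with
           "Missing encryption result for id : http://test.at/:name" -->
      <sp:EncryptedElements xmlns:ns="http://test.at/">
        <sp:XPath>//ns:name</sp:XPath>
      </sp:EncryptedElements>

      <ramp:RampartConfig>
        <ramp:user>service</ramp:user>
        <ramp:passwordCallbackClass>org.example.PWCBHandler</ramp:passwordCallbackClass>

        <!-- Workaround 1: the subclass that overrides validateEncryptedParts -->
        <ramp:policyValidatorCbClass>org.example.ElementAwarePolicyBasedResultsValidator</ramp:policyValidatorCbClass>

        <ramp:encryptionCrypto>
          <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">changeit</ramp:property>
          </ramp:crypto>
        </ramp:encryptionCrypto>
      </ramp:RampartConfig>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
```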

2.) (Clean but more work)

From my point of view the WSEncryptionPart should be of type 
WSConstants.PART_TYPE_ELEMENT. This must be set within the methods 
getContentEncryptedElements and getPartsAndElements. Those methods iterate 
over the XPaths of the corresponding ContentEncryptedElements or 
EncryptedElements. They create new WSEncryptionParts but don't set any type. 
If the type were set correctly, then one could check for this type within 
the PolicyBasedResultsValidator (line 437) as follows: 

            if ((WSConstants.SIG_LN.equals(encPart.getName())
                    && WSConstants.SIG_NS.equals(encPart.getNamespace()))
                    || encPart.getType() == WSConstants.PART_TYPE_HEADER
                    || encPart.getType() == WSConstants.PART_TYPE_ELEMENT) {
                // Element parts are matched by QName, like signature and header parts
                if (!isRefIdPresent(encrRefs,
                        new QName(encPart.getNamespace(), encPart.getName()))) {
                    throw new RampartException("encryptedPartMissing",
                            new String[]{encPart.getNamespace() + ":" + encPart.getName()});
                }
                continue;
            }

Hopefully this helps to locate and fix the bug.

Note:
As in RAMPART-218 (http://issues.apache.org/jira/browse/RAMPART-218), the policy 
isn't processed if ContentEncryptedElements or EncryptedElements are the only 
assertions.
