Rampart ignores token inclusion settings when using the asymmetric security 
binding
-----------------------------------------------------------------------------------

                 Key: RAMPART-277
                 URL: https://issues.apache.org/jira/browse/RAMPART-277
             Project: Rampart
          Issue Type: Bug
          Components: rampart-core
    Affects Versions: 1.5
            Reporter: Dave Bryant
            Assignee: Ruchith Udayanga Fernando
            Priority: Minor
         Attachments: tokenReference.patch

Consider the abbreviated policy below.  It defines X.509 tokens for the 
initiator and recipient: the initiator's token must be included in all messages 
from the initiator to the recipient, and the recipient's token must not be 
included at all.

{code:xml}
<wsp:Policy wsu:Id="servicePolicy">
  <sp:AsymmetricBinding>
    <sp:InitiatorToken>
      <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
    </sp:InitiatorToken>
    <sp:RecipientToken>
      <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never"/>
    </sp:RecipientToken>
  </sp:AsymmetricBinding>
</wsp:Policy>
{code}

When Rampart is used as both the client and server for a web service using this 
policy, the client's certificate is correctly included as a binary security 
token in the request.  However, the response message from the server to the 
client also includes the client's certificate as a binary security token when 
referencing the token that was used to encrypt the symmetric key.  This is 
incorrect, as the token was marked to be included only in messages from the 
initiator to the recipient.

The problem is that the asymmetric security binding uses 
RampartUtil.setKeyIdentifierType() to determine what type of key reference 
should be used.  At present it always includes a binary security token 
unless the token inclusion mode is Never, i.e. it does not take into account 
whether we are the initiator or not, and so does not handle the 
AlwaysToInitiator and AlwaysToRecipient inclusion modes correctly.
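As an added illustration (not Rampart's code), the following models the decision the issue describes: the reported direction-blind rule beside a direction-aware one, applied to the initiator's token in both the request and the response. The policy sample is the one above with namespace declarations added; the function and reference-type names are hypothetical.

```python
import xml.etree.ElementTree as ET

SP_NS = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
INCLUDE = SP_NS + "/IncludeToken/"
NEVER, ALWAYS = INCLUDE + "Never", INCLUDE + "Always"
ALWAYS_TO_RECIPIENT = INCLUDE + "AlwaysToRecipient"
ALWAYS_TO_INITIATOR = INCLUDE + "AlwaysToInitiator"

BST = "BinarySecurityToken"      # certificate embedded in the message
EXTERNAL = "ExternalReference"   # certificate referenced (e.g. issuer/serial), not embedded

# Constructed sample: the policy from the issue, with namespace declarations added.
POLICY = f"""<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:sp="{SP_NS}">
  <sp:AsymmetricBinding>
    <sp:InitiatorToken><sp:X509Token sp:IncludeToken="{ALWAYS_TO_RECIPIENT}"/></sp:InitiatorToken>
    <sp:RecipientToken><sp:X509Token sp:IncludeToken="{NEVER}"/></sp:RecipientToken>
  </sp:AsymmetricBinding>
</wsp:Policy>"""

def inclusion_modes(policy_xml):
    """Read the IncludeToken mode of the initiator and recipient X509 tokens."""
    root = ET.fromstring(policy_xml)
    ns = {"sp": SP_NS}
    return {
        role: root.find(f".//sp:{role}Token/sp:X509Token", ns).get(f"{{{SP_NS}}}IncludeToken")
        for role in ("Initiator", "Recipient")
    }

def current_reference(mode):
    """Behaviour reported in the issue: only Never suppresses the embedded token."""
    return EXTERNAL if mode == NEVER else BST

def direction_aware_reference(mode, we_are_initiator):
    """Embed the token only when the mode covers the direction we are sending in."""
    if mode == NEVER:
        return EXTERNAL
    if mode == ALWAYS:
        return BST
    if mode == ALWAYS_TO_RECIPIENT:
        return BST if we_are_initiator else EXTERNAL
    if mode == ALWAYS_TO_INITIATOR:
        return EXTERNAL if we_are_initiator else BST
    raise ValueError(f"unsupported IncludeToken mode: {mode}")

def exchange(policy_xml, decide):
    """How the initiator's token is referenced in the request (sent by the
    initiator) and in the response (sent by the recipient)."""
    mode = inclusion_modes(policy_xml)["Initiator"]
    return {"request": decide(mode, True), "response": decide(mode, False)}

if __name__ == "__main__":
    print("reported:", exchange(POLICY, lambda m, init: current_reference(m)))
    print("fixed:   ", exchange(POLICY, direction_aware_reference))
```

With the reported rule the response still embeds the client's certificate; the direction-aware rule falls back to an external reference there.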

-- 
This message is automatically generated by JIRA.