Hi Matt, Thanks for pointing this out!
I checked in the implementation of checkProofOfPossession(), please have a look: http://svn.apache.org/viewvc?view=rev&rev=451727 http://svn.apache.org/viewvc?view=rev&rev=451728 Thanks, Ruchith On 9/28/06, Matthew Lovett <[EMAIL PROTECTED]> wrote:
Hi all, I just attached a new patch to https://issues.apache.org/jira/browse/SANDESHA2-16, to implement the TODOs left behind from some refactoring. While putting that in I had a quick look at the rampart security manager, and I think that it is missing a bit of logic in the checkProofOfPossession() method. The purpose if that check is to ensure that the sender of 'this' message has possession of the token that was embedded in the create sequence message. See the public review draft of the WS-RM 1.1 spec for the justification for this - in short it is to prevent hijacking of the Sequence by another authorized user. If you have a no-op there then I expect that you have left this hole open, though I can't be 100% sure as I've not used rampart. Thanks Matt --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
-- www.ruchith.org --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
