Hi,
On Tue, Jun 19, 2012 at 1:34 PM, Colm O hEigeartaigh <[email protected]> wrote:
> It works with any element in the SOAP Envelope. Basically, WSS4J validates
> the signature and each of the references, by searching for the reference
> element in the SOAP Envelope corresponding to the Id of the Reference. It
> then stores the Reference Element, as well as an XPath corresponding to the
> location of the Element in the SOAP Envelope. Downstream code can then
> extract the list of signed elements and compare the location to the
> location that was "expected".
>
>
Yep, that's a good solution: get the XPath out of the WSDataRef and compare it with
the actual position in the tree.
I see a possible DoS, isn't it? One can forge fake XMLs with valid signatures
wrapped, then send them to the service provider. Instead of rejecting the fake
message, it validates the signature, performs the XPath query, and then checks
the error.
But I think this can be avoided by a priori framework agreements on the exact
content of the structure.
Thanks again,
Massi
--
Massimiliano Masi
http://www.mascanc.net/~max
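The location check discussed in this thread, written out as an added example (it is not WSS4J code and does not use the WSDataRef API): each Reference URI is resolved to the element carrying that wsu:Id, a positional XPath to that element is computed, and the path is compared with the location the service expects. The two envelopes, the element names Security and Wrapper, the Id value body-1 and the expected path are all constructed for the example; signature verification itself is left out, so only the placement check is shown.

```python
"""Positional check of signed SOAP elements (added example, not WSS4J code).

Mirrors the idea from the thread: resolve a ds:Reference to the element with
the matching Id, record an XPath to it, and compare that XPath with where the
service expects the signed element to be. Verification of the signature value
is out of scope here.
"""
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")

# Constructed envelopes (not taken from the thread). The ds:Signature element
# is replaced by an empty <Security/> placeholder since only placement matters.
GENUINE = """<soap:Envelope xmlns:soap="%s" xmlns:wsu="%s">
  <soap:Header>
    <Security/>
  </soap:Header>
  <soap:Body wsu:Id="body-1"><Order>42</Order></soap:Body>
</soap:Envelope>""" % (SOAP, WSU)

# The element carrying the signed Id has been relocated under the Header and
# a Body without that Id sits where the application would read it.
RELOCATED = """<soap:Envelope xmlns:soap="%s" xmlns:wsu="%s">
  <soap:Header>
    <Security/>
    <Wrapper><soap:Body wsu:Id="body-1"><Order>42</Order></soap:Body></Wrapper>
  </soap:Header>
  <soap:Body><Order>9999</Order></soap:Body>
</soap:Envelope>""" % (SOAP, WSU)

# Where this (hypothetical) service expects the signed Body to live.
EXPECTED_BODY = "/{%s}Envelope/{%s}Body[1]" % (SOAP, SOAP)


def positional_xpath(root, target):
    """Build a positional XPath from root to target using Clark notation
    ({namespace}local), so an element with the same local name in another
    namespace still yields a different path. ElementTree keeps no parent
    pointers, so the tree is walked top-down until target is reached."""
    def walk(elem, path):
        if elem is target:
            return path
        seen = {}
        for child in elem:
            seen[child.tag] = seen.get(child.tag, 0) + 1
            found = walk(child, "%s/%s[%d]" % (path, child.tag, seen[child.tag]))
            if found is not None:
                return found
        return None
    return walk(root, "/" + root.tag)


def elements_with_id(root, ref_id):
    """All elements whose wsu:Id equals the Reference URI without its '#'."""
    return [e for e in root.iter() if e.get("{%s}Id" % WSU) == ref_id]


def check_signed_locations(envelope_xml, reference_uris, expected_paths):
    """Return a list of problems; an empty list means every referenced element
    is unique and sits at one of the expected locations."""
    root = ET.fromstring(envelope_xml)
    problems = []
    for uri in reference_uris:
        ref_id = uri[1:] if uri.startswith("#") else uri
        matches = elements_with_id(root, ref_id)
        if len(matches) != 1:
            # Zero or duplicate Ids: the reference cannot be resolved safely.
            problems.append("%s: %d elements carry this Id" % (uri, len(matches)))
            continue
        actual = positional_xpath(root, matches[0])
        if actual not in expected_paths:
            problems.append("%s: signed element found at %s, expected one of %s"
                            % (uri, actual, sorted(expected_paths)))
    return problems


if __name__ == "__main__":
    for name, doc in (("genuine", GENUINE), ("relocated", RELOCATED)):
        result = check_signed_locations(doc, ["#body-1"], {EXPECTED_BODY})
        print(name, result or "ok")
```

Because the Id lookup and the path computation are cheap compared with canonicalisation and signature verification, a service that fixes the expected structure up front can run this placement check first and reject a message whose signed elements are in the wrong place before spending CPU on verifying its signature; that ordering is a choice made in this example, not a description of what WSS4J does.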