I have just discovered that if a client message does not have the action Encrypt but the server does, then wss4j 1.5.0 still allows the message into the system. Older versions of wss4j forced the message to have the same number of actions on both the client and the server.

Looking at the wss4j code, it looks as if the cause of the problem is in WSHandler.java:

    protected boolean checkReceiverResults(Vector wsResult, Vector actions) {
        int resultActions = wsResult.size();
        int size = actions.size();

        // if (size != resultActions) {
        //     throw new AxisFault(
        //         "WSDoAllReceiver: security processing failed (actions number mismatch)");
        // }

        int ai = 0;
        for (int i = 0; i < resultActions; i++) {
            int act = ((WSSecurityEngineResult) wsResult.get(i)).getAction();
            if (act == WSConstants.SC) {
                continue;
            }
            if (ai >= size || ((Integer) actions.get(ai++)).intValue() != act) {
                return false;
            }
        }
        return true;
    }

This code checks that the size of actions is not greater than the size of wsResult. However, it does not take into account the fact that in some situations it should be an error if the size of actions is less than the size of wsResult. We have fixed this in our code by overriding checkReceiverResults and then cloning the wsResult. Using the clone of wsResult we removed the action for SC, then checked that the size of the cloned wsResult is equal to the size of the actions, and then finally checked that the actions are in the same order.

Regards,
Chris
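The quoted check and the fix described above, side by side, as an added stand-alone example (this is neither Chris's code nor wss4j's): action codes are plain ints with placeholder values rather than WSConstants, and the results are a List<Integer> of action codes rather than a Vector of WSSecurityEngineResult. checkReceiverResultsOriginal reproduces the loop quoted from WSHandler.java; checkReceiverResultsStrict implements the procedure the message describes (clone the results, drop SC, require equal size, then require the same order). main runs the scenario from the message: a server configured for Signature and Encrypt receiving a message that carries only a Signature result plus a SignatureConfirmation result.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Stand-alone model of the receiver-side action check.
 * Action codes are placeholder ints, not wss4j's WSConstants values.
 */
public class ReceiverActionCheck {

    // Placeholder action codes (assumed for this example, not the real WSConstants).
    static final int SIGN = 1;
    static final int ENCR = 2;
    static final int TS = 3;
    // SignatureConfirmation is produced by the engine and is never a configured action.
    static final int SC = 99;

    /** The 1.5.0 behaviour quoted from WSHandler.java: results are matched position by
     *  position, but nothing checks that every configured action was actually consumed. */
    static boolean checkReceiverResultsOriginal(List<Integer> wsResult, List<Integer> actions) {
        int ai = 0;
        for (int act : wsResult) {
            if (act == SC) {
                continue;
            }
            if (ai >= actions.size() || actions.get(ai++) != act) {
                return false;
            }
        }
        return true;
    }

    /** The fix described in the message: work on a clone, drop SC, require equal size,
     *  then require the same order. */
    static boolean checkReceiverResultsStrict(List<Integer> wsResult, List<Integer> actions) {
        List<Integer> results = new ArrayList<>(wsResult);  // clone, leave the original untouched
        results.removeIf(act -> act == SC);                 // SC is never a configured action
        if (results.size() != actions.size()) {
            return false;                                    // a configured action is missing (or extra)
        }
        for (int i = 0; i < results.size(); i++) {
            if (!results.get(i).equals(actions.get(i))) {
                return false;                                // same actions, wrong order
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Server side is configured for "Signature Encrypt".
        List<Integer> configured = Arrays.asList(SIGN, ENCR);

        // Constructed incoming message: the client signed but did not encrypt;
        // the engine also reports a SignatureConfirmation result.
        List<Integer> signedOnly = Arrays.asList(SC, SIGN);
        System.out.println("signed-only message, original check: "
                + checkReceiverResultsOriginal(signedOnly, configured));
        System.out.println("signed-only message, strict check:   "
                + checkReceiverResultsStrict(signedOnly, configured));

        // Constructed message that carries both configured actions in order.
        List<Integer> signedAndEncrypted = Arrays.asList(SC, SIGN, ENCR);
        System.out.println("full message, strict check:          "
                + checkReceiverResultsStrict(signedAndEncrypted, configured));
    }
}
```

The original loop only returns false when a result has no matching configured action at its position; once the results run out it returns true regardless of how many configured actions remain unmatched, which is why a signed-but-unencrypted message passes a "Signature Encrypt" receiver. Comparing the SC-stripped result count against the configured action count before the order check is what closes that gap; the order check alone cannot, because it never sees the actions that were never performed.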
