[ 
https://issues.apache.org/jira/browse/WSS-70?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12519709
 ] 

Gürkan Vural commented on WSS-70:
---------------------------------

6 months have passed since I mentioned that issue. You can also test this issue 
by sending security headers with no action. No security headers will throw an 
exception. But security headers with no action will be enough. It is 
surprising that nobody noticed this issue except you.

> WSHandler checkReceiverResults causes security problem
> ------------------------------------------------------
>
>                 Key: WSS-70
>                 URL: https://issues.apache.org/jira/browse/WSS-70
>             Project: WSS4J
>          Issue Type: Bug
>            Reporter: Gürkan Vural
>            Assignee: Davanum Srinivas
>            Priority: Critical
>
> In WSS4J 1.1.0 in WSDoAllReceiver there is a check of security actions
> which also checks the size of actions. However, this part is moved in
> WSS4J 1.5 to WSHandler.java using the checkReceiverResults function and
> the action size check is commented out. However, the checking for loop is
> controlled against the size of actions received in the SOAP message. This
> causes a security problem when an empty security header is sent. It omits
> the for loop and throws no exception!

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
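
The check pattern described in the issue, next to a form that also compares the number of matched actions, as an added example that is not WSS4J code and not part of the original message. The class, method names and action codes are hypothetical and the logic is a simplified model of the behaviour the report describes.

```java
import java.util.List;

// Simplified model of the receiver-side check described in WSS-70.
// Action codes and method names are hypothetical, not WSS4J's API.
public class ReceiverCheckDemo {
    static final int SIGNATURE = 1; // constructed action codes
    static final int ENCRYPT = 2;

    // Pattern from the report: the loop is bounded by the actions found in
    // the message, and the final size comparison is missing.
    static boolean checkLoose(List<Integer> received, List<Integer> required) {
        int ai = 0;
        for (int i = 0; i < received.size(); i++) {
            if (ai >= required.size() || !required.get(ai++).equals(received.get(i))) {
                return false;
            }
        }
        return true; // an empty 'received' list never enters the loop
    }

    // Hardened form: every required action must have been matched.
    static boolean checkStrict(List<Integer> received, List<Integer> required) {
        int ai = 0;
        for (Integer act : received) {
            if (ai >= required.size() || !required.get(ai++).equals(act)) {
                return false;
            }
        }
        return ai == required.size();
    }

    public static void main(String[] args) {
        List<Integer> required = List.of(SIGNATURE, ENCRYPT);
        List<List<Integer>> cases = List.of(
            List.of(SIGNATURE, ENCRYPT), // compliant message
            List.of(SIGNATURE),          // one required action missing
            List.<Integer>of());         // security header with no actions
        for (List<Integer> received : cases) {
            System.out.printf("received=%s loose=%b strict=%b%n",
                received, checkLoose(received, required), checkStrict(received, required));
        }
    }
}
```

The same cases make a useful regression test for any receiver configuration: a message whose security header carries fewer actions than the policy requires, including none at all, must be rejected.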

