[ 
https://issues.apache.org/jira/browse/WSS-70?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12569318#action_12569318
 ] 

Fred Dushin commented on WSS-70:
--------------------------------

"This is not issue if there is no security sent in the header because an 
exception will be thrown before this method gets called."

Unfortunately, this is an issue if an /empty/ security header is sent.  The 
issue is that specified policies are not being enforced.

We are implementing a similar workaround in CXF 
(https://issues.apache.org/jira/browse/CXF-1433), until a fix for this is made. 
 (Yes, I supposedly have karma, so I should be able to fix it

> WSHandler checkReceiverResults causes security problem
> ------------------------------------------------------
>
>                 Key: WSS-70
>                 URL: https://issues.apache.org/jira/browse/WSS-70
>             Project: WSS4J
>          Issue Type: Bug
>            Reporter: Gürkan Vural
>            Priority: Critical
>
> In WSS4J 1.1.0 in WSDoAllReceiver there is a check of security actions
> which also checks the size of actions. However this part is moved in
> WSS4J 1.5 to WSHandler.java using checkReceiverResults function and
> action size check is commented out. However the checking for loop is
> controlled against the size of actions received in the SOAP message. This
> causes a security problem when an empty security header is sent. It omits
> the for loop and throws no exception!

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
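
A simplified model of the check described in the report above, added here as an example; it is not WSS4J or CXF source, and the class, method and action names are hypothetical. It contrasts a loop bounded only by the actions received with a version that also confirms every required action was matched.

```java
import java.util.List;

// Simplified model of the check described in WSS-70; not WSS4J source.
// Class, method and action names are hypothetical.
public class ReceiverCheckDemo {

    // Pattern from the report: the loop is bounded by what the message
    // contained, and the final size comparison is missing.
    static boolean checkLoopOnReceived(List<String> received, List<String> required) {
        int ai = 0;
        for (String action : received) {
            if (ai >= required.size() || !required.get(ai++).equals(action)) {
                return false;
            }
        }
        return true; // an empty 'received' list reaches this line
    }

    // Hardened form: every required action must have been matched.
    static boolean checkAllRequired(List<String> received, List<String> required) {
        int ai = 0;
        for (String action : received) {
            if (ai >= required.size() || !required.get(ai++).equals(action)) {
                return false;
            }
        }
        return ai == required.size();
    }

    public static void main(String[] args) {
        // Constructed policy and constructed inputs.
        List<String> policy = List.of("Timestamp", "Signature");
        List<List<String>> cases = List.of(
            List.<String>of(),                  // empty security header
            List.of("Timestamp"),               // only part of the policy
            List.of("Timestamp", "Signature")); // compliant message
        for (List<String> received : cases) {
            System.out.printf("received=%s loopOnly=%b hardened=%b%n",
                received,
                checkLoopOnReceived(received, policy),
                checkAllRequired(received, policy));
        }
    }
}
```

The two methods differ only in the final return, which is where the size comparison the report mentions would sit.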

