This works, sure.

There is some discussion at xml-sec about the decision to declare
some specific elements as "Signature" internal. I'll file a JIRA
with xml-sec, as the modification may cause failures on other
xml-sec elements also, not only for KeyInfo.

But as a security measure we should use this patch for WSS4J.

Regards,
Werner



Colm O hEigeartaigh (JIRA) wrote:
     [ https://issues.apache.org/jira/browse/WSS-145?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh updated WSS-145:
------------------------------------

    Attachment: wss4j_wss145.patch


Werner, please have a look at the attached patch for this issue and let me know if this is acceptable to you.
I followed the discussion on security-dev on this issue...it seemed to me that 
there wasn't a consensus on whether the bug was in WSS4J or xml-sec. In any 
case, a simple fix in WSS4J solves the problem, which essentially amounts to 
doing this whenever a KeyInfo object is created:

// Declare the "ds" prefix on the KeyInfo element itself, so the DOM subtree
// carries its own namespace declaration when xml-sec canonicalizes it.
Element keyInfoElement = keyInfo.getElement();
keyInfoElement.setAttributeNS(WSConstants.XMLNS_NS, "xmlns:"
        + WSConstants.SIG_PREFIX, WSConstants.SIG_NS);

This way, the "ds" namespace gets set properly on the DOM element.

There are no backwards compatibility issues, as I've tested the changes with 
both xmlsec 1.4.0 and 1.4.2, and the tests all pass.




Problem in upgrading to xml-sec 1.4.2
-------------------------------------

                Key: WSS-145
                URL: https://issues.apache.org/jira/browse/WSS-145
            Project: WSS4J
         Issue Type: Improvement
         Components: WSS4J Core
   Affects Versions: 1.5.4
           Reporter: Colm O hEigeartaigh
           Assignee: Werner Dittmann
            Fix For: 1.5.5

        Attachments: wss4j_wss145.patch


WSS4J 1.5.4 has a dependency on xml-sec 1.4.0. xml-sec 1.4.1 has a major c14n 
fix, but we ran into a critical problem with encryption, see:
http://issues.apache.org/jira/browse/WSS-128
Ideally we'd like to release WSS4J 1.5.5 with xml-sec 1.4.2. However, there's a 
problem with namespace prefixes when signing a request:
http://www.nabble.com/Undeclared-namespace-prefix-"ds"-error-tt19668706.html#a19668706
It's still not clear at this stage whether it's a problem in WSS4J or xml-sec, 
or why this problem doesn't appear when xml-sec 1.4.0 or 1.4.1 is used.
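The fix Colm describes above, shown as an added example rather than WSS4J or xml-sec code: Python's xml.dom.minidom exposes the same DOM Level 2 calls (createElementNS, setAttributeNS) and, like a canonicalizer, does not add namespace declarations on its own, so it reproduces the undeclared "ds" prefix and shows the effect of the patch's setAttributeNS() step. The constant names mirror WSConstants; the KeyName value is constructed.

```python
# Added example (not WSS4J code): reproduce the "undeclared namespace prefix ds"
# symptom with Python's DOM, then apply the patch's setAttributeNS() fix.
import xml.dom.minidom as minidom
import xml.etree.ElementTree as ET

SIG_NS = "http://www.w3.org/2000/09/xmldsig#"   # mirrors WSConstants.SIG_NS
SIG_PREFIX = "ds"                                # mirrors WSConstants.SIG_PREFIX
XMLNS_NS = "http://www.w3.org/2000/xmlns/"       # mirrors WSConstants.XMLNS_NS


def build_key_info(declare_prefix: bool) -> str:
    """Create a ds:KeyInfo element the way a DOM-based library does and
    return its serialized form.  With declare_prefix=False the element has a
    namespace URI in the DOM but no xmlns:ds attribute (the WSS-145 state);
    minidom serializes it as-is, with the prefix left undeclared."""
    doc = minidom.Document()
    key_info = doc.createElementNS(SIG_NS, f"{SIG_PREFIX}:KeyInfo")
    if declare_prefix:
        # The patch's fix: declare the prefix explicitly on the element.
        key_info.setAttributeNS(XMLNS_NS, f"xmlns:{SIG_PREFIX}", SIG_NS)
    key_name = doc.createElementNS(SIG_NS, f"{SIG_PREFIX}:KeyName")
    key_name.appendChild(doc.createTextNode("constructed-key-name"))
    key_info.appendChild(key_name)
    doc.appendChild(key_info)
    return key_info.toxml()


def prefix_is_declared(xml_text: str) -> bool:
    """Re-parse with a namespace-aware parser: an unbound prefix is rejected,
    which is the same condition a canonicalizer trips over."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return False
    return root.tag == f"{{{SIG_NS}}}KeyInfo"


if __name__ == "__main__":
    for declared in (False, True):
        xml_text = build_key_info(declared)
        print(f"declared={declared}: {xml_text}")
        print("  parses with namespaces:", prefix_is_declared(xml_text))
```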


