Order of security actions may result in validation failing
----------------------------------------------------------
Key: WSS-197
URL: https://issues.apache.org/jira/browse/WSS-197
Project: WSS4J
Issue Type: Bug
Components: WSS4J Handlers
Affects Versions: 1.5.7
Environment: Tomcat (5.5, 6.0), Spring WS Security 1.5.7
Reporter: Dave Ortman
Assignee: Ruchith Udayanga Fernando
I have found that the order of security actions is particularly relevant when
they are processed. That is, the XSD which defines the security header seems
to imply no necessary order. However, swapping the order of two elements (in
this case, UsernameToken and Signature) will result in a failure.
I have attached a sample application with a working service and a client that
calls that service. It works as expected. It is using Spring Web Security
1.5.7. It is set up to use both a Signature and a UsernameToken.
The problem occurred when a client was calling a service and sending a message
in which the UsernameToken element was put *after* the BinarySecurityToken
element. I tracked the problem down to the
org.apache.ws.security.handler.WSHandler.checkReceiverResults(Vector wsResult,
Vector actions) method. This class is being extended by Spring in the
Wss4jHandler class - but the checkReceiverResults simply calls
super.checkReceiverResults().
This method assumes that the actions and the results are in the same order.
However, by altering the order of these elements (either on the client or on
the server), this assumption becomes incorrect. What I am not clear on is
whether the issue is with the underlying Apache class, or with the Spring
class. When checkReceiverResults() is called, should the results and the
actions be in the same order?
    protected boolean checkReceiverResults(Vector wsResult, Vector actions) {
        int resultActions = wsResult.size();
        int size = actions.size();
        int ai = 0;
        for (int i = 0; i < resultActions; i++) {
            final Integer actInt = (Integer) ((WSSecurityEngineResult) wsResult
                    .get(i)).get(WSSecurityEngineResult.TAG_ACTION);
            int act = actInt.intValue();
            // SignatureConfirmation and BinarySecurityToken results are not configured actions
            if (act == WSConstants.SC || act == WSConstants.BST) {
                continue;
            }
            // assumes the next non-skipped result matches the next configured action, in order
            if (ai >= size || ((Integer) actions.get(ai++)).intValue() != act) {
                return false;
            }
        }
        return true;
    }
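The order dependence described in the report, shown side by side with an order-tolerant check, as an added stand-alone example that is not WSS4J's or Spring's own code. The action codes are constructed placeholders rather than the real WSConstants values, and results are modelled as plain integers instead of WSSecurityEngineResult objects; the order-tolerant variant still rejects a missing or unrequested action, which is the property a receiver must keep when it stops caring about header order.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class ReceiverResultCheck {
    // Constructed stand-ins for WSConstants action codes (placeholder values)
    static final int UT = 1, SIGN = 2, ENCR = 4, SC = 64, BST = 128;

    // Mirrors the order-dependent logic quoted in the issue: after skipping SC and
    // BST results, the remaining results must appear in exactly the configured order.
    static boolean checkInOrder(List<Integer> results, List<Integer> actions) {
        int ai = 0;
        for (int act : results) {
            if (act == SC || act == BST) continue;
            if (ai >= actions.size() || actions.get(ai++) != act) return false;
        }
        return true;
    }

    // Order-tolerant alternative: every performed action must match one still
    // unmatched configured action (rejecting extras and duplicates), and every
    // configured action must have been performed (rejecting omissions).
    static boolean checkAnyOrder(List<Integer> results, List<Integer> actions) {
        List<Integer> remaining = new ArrayList<>(actions);
        for (int act : results) {
            if (act == SC || act == BST) continue;
            if (!remaining.remove(Integer.valueOf(act))) return false;
        }
        return remaining.isEmpty();
    }

    public static void main(String[] args) {
        List<Integer> configured = Arrays.asList(UT, SIGN);
        // Constructed result sequences in header order
        List<Integer> utFirst = Arrays.asList(UT, BST, SIGN);        // UsernameToken before BST
        List<Integer> utLast = Arrays.asList(BST, SIGN, UT);         // UsernameToken after BST
        List<Integer> noUt = Arrays.asList(BST, SIGN);               // UsernameToken omitted
        List<Integer> extraEnc = Arrays.asList(BST, SIGN, UT, ENCR); // unrequested action added

        System.out.println("in-order,  UT first: " + checkInOrder(utFirst, configured));
        System.out.println("in-order,  UT last:  " + checkInOrder(utLast, configured));
        System.out.println("any-order, UT last:  " + checkAnyOrder(utLast, configured));
        System.out.println("any-order, no UT:    " + checkAnyOrder(noUt, configured));
        System.out.println("any-order, extra:    " + checkAnyOrder(extraEnc, configured));
    }
}
```

Only the second line changes between the two checks for the reordered header; the missing-token and extra-action cases are rejected by both, so relaxing order does not relax what the receiver requires.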
--
This message is automatically generated by JIRA.