[
https://issues.apache.org/jira/browse/WSS-197?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Colm O hEigeartaigh closed WSS-197.
-----------------------------------
> Order of security actions may result in validation failing
> ----------------------------------------------------------
>
> Key: WSS-197
> URL: https://issues.apache.org/jira/browse/WSS-197
> Project: WSS4J
> Issue Type: Bug
> Components: WSS4J Handlers
> Affects Versions: 1.5.7
> Environment: Tomcat (5.5, 6.0), Spring WS Security 1.5.7
> Reporter: Dave Ortman
> Assignee: Colm O hEigeartaigh
> Attachments: book-wss.zip
>
>
> I have found that the order of security actions is particularly relevant when
> they are processed. That is, the XSD which defines the security header seems
> to imply no necessary order. However, swapping the order of two elements (in
> this case, UsernameToken and Signature) will result in the a failure.
> I have attached a sample application with a working service and a client that
> calls that service. It works as expected. It is using Spring Web Security
> 1.5.7. It is setup to use both a Signature and a UsernameToken.
> The problem occurred when a client was calling a service and sending a
> message in which the UsernameToken element was put *after* the
> BinarySecurityToken element. I tracked the problem down to the
> org.apache.ws.security.handler.WSHandler.checkReceiverResults(Vector
> wsResult, Vector actions) method. This class is being extended by Spring in
> the Wss4jHandler class - but the checkReceiverResults simply calls
> super.checkReceiverResults().
> This method assumes that the actions and the results are in the same order.
> However, by altering the order of these elements (either on the client or on
> the server), this assumption becomes incorrect. What I am not clear on is
> whether the issue is with the underlying Apache class, or with the Spring
> class. When checkReceiverResults() is called, should the results and the
> actions be in the same order?
> protected boolean checkReceiverResults(Vector wsResult, Vector actions) {
> int resultActions = wsResult.size();
> int size = actions.size();
> int ai = 0;
> for (int i = 0; i < resultActions; i++) {
> final Integer actInt = (Integer) ((WSSecurityEngineResult)
> wsResult
> .get(i)).get(WSSecurityEngineResult.TAG_ACTION);
> int act = actInt.intValue();
> if (act == WSConstants.SC || act == WSConstants.BST) {
> continue;
> }
> if (ai >= size || ((Integer) actions.get(ai++)).intValue() !=
> act) {
> return false;
> }
> }
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
