[jira] Commented: (WSS-222) SignatureProcessor does not provide correct signature coverage results with STR Dereference Transform

Mon, 17 May 2010 07:28:09 -0700 

    [ 
https://issues.apache.org/jira/browse/WSS-222?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12868235#action_12868235
 ] 

Colm O hEigeartaigh commented on WSS-222:
-----------------------------------------


Merge log for 1_5_x-fixes branch:

Log:
[WS-222] - Applied patch for "SignatureProcessor does not provide correct 
signature coverage results with STR Dereference Transform".
 - Many thanks David for the patch and test-case.

Added:
    
webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/transform/STRTransformUtil.java
   (with props)
Modified:
    
webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/SignatureProcessor.java
    
webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/transform/STRTransform.java
    webservices/wss4j/branches/1_5_x-fixes/test/log4j.properties
    
webservices/wss4j/branches/1_5_x-fixes/test/wssec/TestWSSecuritySignatureParts.java

Colm.

> SignatureProcessor does not provide correct signature coverage results with 
> STR Dereference Transform
> -----------------------------------------------------------------------------------------------------
>
>                 Key: WSS-222
>                 URL: https://issues.apache.org/jira/browse/WSS-222
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 1.5.8
>            Reporter: David Valeri
>            Assignee: Colm O hEigeartaigh
>             Fix For: 1.5.9, 1.6
>
>         Attachments: patch.txt
>
>
> SignatureProcessor does not report correct info when STR Dereference 
> Transform is used.  The implementation does not follow the dereference 
> pointer to the security token and reports that the signed content is the 
> SecurityTokenReference itself and not the referenced token.  The URI in the 
> signature part is dereferenced with no regard to the transform used in the 
> signature part.
> This issue makes it difficult to validate signature coverage over something 
> like an embedded SAML assertion when that assertion is also used as the key 
> material for the signature and is referenced and signed through a 
> SecurityTokenReference.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to