axis-java-dev mailing list archives

From "Ruchith Fernando" <ruchith.ferna...@gmail.com>
Subject Re: [rampart] PolicyBasedResultsValidator
Date Wed, 11 Jul 2007 08:29:55 GMT
Yes ... this certainly can be improved to check whether we actually
received the parts that we expected or not!

Thanks,
Ruchith

On 6/28/07, Angel Todorov <attodorov@gmail.com> wrote:
> Hi all,
>
> I've found this piece of code in the
> RampartPolicyBasedResultsValidator.java:
>
>         int refCount = 0;
>
>         refCount += encryptedParts.size();
>
>         if(encrRefs.size() != refCount) {
>             throw new RampartException("invalidNumberOfEncryptedParts",
>                     new String[]{Integer.toString(refCount)});
>         }
>
>
> How can you be sure that if the number is the same, the parts themselves
> aren't different? This can lead to a big security compromise IMO, maybe I
> am mistaken -:)
>
> Regards,
> Angel
>


-- 
www.ruchith.org
www.wso2.org
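
An added example, not part of the original thread and not Rampart's own code: it puts a count-only comparison like the one quoted above next to a check that each expected part is actually among the encrypted ones. The class and method names, the QName representation of parts, and the sample namespaces and element names are assumptions made for illustration.

```java
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.xml.namespace.QName;

public class EncryptedPartsCheck {

    // Count-only comparison: same shape as the check quoted in the thread.
    static boolean countOnly(List<QName> expected, List<QName> encrypted) {
        return encrypted.size() == expected.size();
    }

    // Identity comparison: returns every expected part that is not
    // among the parts the message actually encrypted.
    static Set<QName> missingParts(List<QName> expected, List<QName> encrypted) {
        Set<QName> missing = new LinkedHashSet<>(expected);
        missing.removeAll(new HashSet<>(encrypted));
        return missing;
    }

    public static void main(String[] args) {
        String soap = "http://schemas.xmlsoap.org/soap/envelope/";
        String app = "http://example.org/app"; // constructed namespace

        // Constructed policy: the Body and one header must be encrypted.
        List<QName> expected = List.of(
                new QName(soap, "Body"), new QName(app, "AccountId"));

        // Constructed message: two encrypted parts, one is not the expected header.
        List<QName> encrypted = List.of(
                new QName(soap, "Body"), new QName(app, "Comment"));

        // The sizes match, so the count-only check lets the message through.
        System.out.println("count-only accepts: " + countOnly(expected, encrypted));

        // The identity check names the part that arrived unencrypted.
        Set<QName> missing = missingParts(expected, encrypted);
        if (!missing.isEmpty()) {
            System.out.println("reject, expected part not encrypted: " + missing);
        }
    }
}
```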
