axis-java-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Samisa Abeysinghe (JIRA)" <j...@apache.org>
Subject [jira] Updated: (RAMPART-264) PolicyBasedResultsValidator fails on ContentEncryptedElements and EncryptedElements
Date Wed, 22 Dec 2010 11:06:10 GMT

     [ https://issues.apache.org/jira/browse/RAMPART-264?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Samisa Abeysinghe updated RAMPART-264:
--------------------------------------

    Assignee:     (was: Ruchith Udayanga Fernando)

> PolicyBasedResultsValidator fails on ContentEncryptedElements and EncryptedElements
> -----------------------------------------------------------------------------------
>
>                 Key: RAMPART-264
>                 URL: https://issues.apache.org/jira/browse/RAMPART-264
>             Project: Rampart
>          Issue Type: Bug
>          Components: rampart-core
>    Affects Versions: 1.4
>         Environment: tomcat6
> axis2 1.4
>            Reporter: Christian Connert
>         Attachments: message.xml, testPolicy.xml
>
>
> The validation of ContentEncryptedElements or EncryptedElements fails:
> Caused by: org.apache.rampart.RampartException: Missing encryption result for id : http://test.at/:name
> 	at org.apache.rampart.PolicyBasedResultsValidator.validateEncryptedParts(PolicyBasedResultsValidator.java:448)
> 	at org.apache.rampart.PolicyBasedResultsValidator.validate(PolicyBasedResultsValidator.java:144)
> 	at org.apache.rampart.RampartEngine.process(RampartEngine.java:204)
> 	at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
> 	... 21 more
> This error is caused by line number 447 - 448 of the PolicyBasedResultsValidator class.
> The problem is, that decrypted elements have no encryption id attribute and thus the
check if(encPart.getEncId() == null) evaluates to true resulting in the given RampartException.
> From my point of view the error lies within the Validation process. The behavior that
no id attributes are present in decrypted elment is intended by the WS-SecurityPolicy specification.
> I would suggest two fixes:
> 1.) (Quick and Dirty) :
> Extend the PolicyBasedResultsValidator and override the validateEncryptedParts (almost
the same as in base class):
> protected void validateEncryptedParts(ValidatorData data,
> 			Vector encryptedParts, Vector results) throws RampartException {
>         RampartMessageData rmd = data.getRampartMessageData();
>         
>         ArrayList encrRefs = getEncryptedReferences(results);
>         
>         RampartPolicyData rpd = rmd.getPolicyData();
>         
>         //Check for encrypted body
>         if(rpd.isEncryptBody()) {
>             
>             if( !isRefIdPresent(encrRefs, data.getBodyEncrDataId())){
>                 throw new RampartException("encryptedPartMissing", 
>                         new String[]{data.getBodyEncrDataId()});
>             }
>         }
>         for (int i = 0 ; i < encryptedParts.size() ; i++) {
>             
>             WSEncryptionPart encPart = (WSEncryptionPart)encryptedParts.get(i);
>             
>             //This is the encrypted Body and we already checked encrypted body
>             if (encPart.getType() == WSConstants.PART_TYPE_BODY) {
>                 continue;
>             }
>             
>             if ((WSConstants.SIG_LN.equals(encPart.getName()) &&
>                     WSConstants.SIG_NS.equals(encPart.getNamespace()))
>                    || encPart.getType() == WSConstants.PART_TYPE_HEADER ) {
>                 if (!isRefIdPresent(encrRefs, new QName(encPart.getNamespace(),encPart.getName())))
{
>                     throw new RampartException("encryptedPartMissing", 
>                             new String[]{encPart.getNamespace()+":"+encPart.getName()});

>                 }
>                 continue;
>             }
>             
>             if (encPart.getEncId() == null) {
>                // !!! this line is added !!!
>             	if(!isRefIdPresent(encrRefs, new QName(encPart.getNamespace(),encPart.getName())))
>                 	throw new RampartException("encryptedPartMissing", 
>                 			new String[]{encPart.getNamespace()+":"+encPart.getName()});
>             } else if (!isRefIdPresent(encrRefs, encPart.getEncId())) {
>                 throw new RampartException("encryptedPartMissing", 
>                         new String[]{encPart.getNamespace()+":"+encPart.getName()});
               
>             }
>             
>         }
> 	}
> one also needs to copy the private methods isRefIdPresent(ArrayList refList , QName qname)
and isRefIdPresent(ArrayList refList , String id) from the PolicyBasedResultsValdator class.
> Then the Rampart Config can be adapted to use the new PolicyValidatorCallbackHandler
(ramp:policyValidatorCbClass).
> 2.) (Clean but more work)
> From my point of view the WSEncryptionPart should be of type WSConstant.PART_TYPE_ELEMENT.
This must be set within the methods getContentEncryptedElements and getPartsAndElements. Those
methods iterate over the XPaths of the corresponding ContentEncryptedElements or EncryptedElements.
They create new WSEncryptionParts but don't set any type. If the type would be set correctly,
then one could check fo this type within the PolicyBasedResultsValdator (Line 437) as followed:

>   if ((WSConstants.SIG_LN.equals(encPart.getName()) &&
>                     WSConstants.SIG_NS.equals(encPart.getNamespace()))
>                    || encPart.getType() == WSConstants.PART_TYPE_HEADER
>                    || encPart.getType() == WSConstants.PART_TYPE_ELEMENT ) {
>                 if (!isRefIdPresent(encrRefs, new QName(encPart.getNamespace(),encPart.getName())))
{
> Hopefully this helps to locate and fix the bug.
> Note:
> As in (http://issues.apache.org/jira/browse/RAMPART-218) the policy isn't processed,
if ContentEncryptedElements or EncryptedElements are the only assertions.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org


Mime
View raw message