axis-java-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "S.Uthaiyashankar (JIRA)" <j...@apache.org>
Subject [jira] Resolved: (RAMPART-277) Rampart ignores token inclusion settings when using the asymmetric security binding
Date Wed, 22 Dec 2010 07:10:00 GMT

     [ https://issues.apache.org/jira/browse/RAMPART-277?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

S.Uthaiyashankar resolved RAMPART-277.
--------------------------------------

       Resolution: Fixed
    Fix Version/s: NextVersion

Applied the patch in revision 1051777.

Thank you Dave and Thilina for the patch. 

> Rampart ignores token inclusion settings when using the asymmetric security binding
> -----------------------------------------------------------------------------------
>
>                 Key: RAMPART-277
>                 URL: https://issues.apache.org/jira/browse/RAMPART-277
>             Project: Rampart
>          Issue Type: Bug
>          Components: rampart-core
>    Affects Versions: 1.5
>            Reporter: Dave Bryant
>            Assignee: S.Uthaiyashankar
>            Priority: Minor
>             Fix For: NextVersion
>
>         Attachments: RAMPART-277.patch, tokenReference.patch
>
>
> Consider the abbhreviated policy below.  It defines x509 tokens for the initiator and
recipient: the initiator's token must be included in all messages from the initiator to the
recepient, and the recipient's token must not be included at all.
> {code:xml}
> <wsp:Policy wsu:Id="servicePolicy">
>   <sp:AsymmetricBinding>
>     <sp:InitiatorToken>
>       <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
>     </sp:InitiatorToken>
>     <sp:RecipientToken>
>       <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never"/>
>     </sp:RecipientToken>
> </wsp:Policy>
> {code}
> When Rampart is used as both the client and server for a web service using this policy,
the client's certificate is correctly included as a binary security token in the request.
 However, the response message from the server to the client also includes this as a binary
security token when reference which token was used to encrypt the encrypted symmetric key.
 This is incorrect as the token was marked as only to be included in messages from the initiator
to the recipient.
> The problem is that the asymmetric security binding uses RampartUtil.setKeyIdentifierType()
to determine what type of key references should be used.  As present it will always include
a binary security token unless the token inclusion parameter is set to never - i.e. it does
not take into account whether we are the initiator or not, and so doesn't handle the alwaysToInitiator
and alwaysToRecipient inclusion modes.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org


Mime
View raw message