axis-java-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Thilina Buddhika (JIRA)" <>
Subject [jira] Resolved: (RAMPART-183) Rampart not correctly enforcing Signature validity if other security elements exist (ie - Timestamp)
Date Sat, 26 Feb 2011 14:08:00 GMT


Thilina Buddhika resolved RAMPART-183.

       Resolution: Fixed
    Fix Version/s: 1.6.0

This has already been fixed, most probably with WSS4J 1.5.4 release as Colm mentioned.

I verified it in the latest trunk using the basic sample04.

> Rampart not correctly enforcing Signature validity if other security elements exist (ie
- Timestamp)
> ----------------------------------------------------------------------------------------------------
>                 Key: RAMPART-183
>                 URL:
>             Project: Rampart
>          Issue Type: Bug
>          Components: rampart-core
>    Affects Versions: 1.3
>         Environment: IBM Rational Application Developer, Websphere 6.0 runtime on Windows
XP, Unix
>            Reporter: Wally Dennis
>            Assignee: Thilina Buddhika
>             Fix For: 1.6.0
> It appears as though Rampart/WSS4J is not enforcing the <InflowSecurity> settings
that I have in my services.xml file.  Here are the settings as I have them configured:
> <parameter name="InflowSecurity">
>     <action>
>         <items>Timestamp Signature</items>
>         <signaturePropFile>config/base/</signaturePropFile>
>     </action>
> </parameter>
> I discovered this issue during my testing - my test client is sending in a SOAP request
that contains a Timestamp but not a Signature.  This results in the creation of the <wsse:Security>
element in the SOAP header that contains only the <wsu:Timestamp> child as shown here:
> <wsse:Security xmlns:wsse=""
> <wsu:Timestamp xmlns:wsu=""
> <wsu:Created>2008-07-08T13:49:08.433Z</wsu:Created>
> <wsu:Expires>2008-07-08T13:54:08.433Z</wsu:Expires>
> </wsu:Timestamp>
> </wsse:Security>
> In Rampart's WSDoAllReciever class, I can see were it is decoding the actions configured,
but these actions are not then passed into the WSSecurityEngine to indicate which items should
be validated.  Therefore, the WSSecurityEngine and subsequent classes simply use the elements
in the <wsse:Security> header to determine what to validate.  This results in the timestamp
being validated correctly, but it does not throw an error due to the lack of the <ds:Signature>
> One additional thing - in debugging through this, I do see where the enableSignatureConfirmation
variable in WSSConfig is set to true, so this may be an issue with WSS4J.  If I need to submit
this report under WSS4J I will.
> Thanks.

This message is automatically generated by JIRA.
For more information on JIRA, see:


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message