axis-java-dev mailing list archives

From "Thilina Buddhika (JIRA)" <j...@apache.org>
Subject [jira] Resolved: (RAMPART-264) PolicyBasedResultsValidator fails on ContentEncryptedElements and EncryptedElements
Date Fri, 25 Feb 2011 13:15:38 GMT

     [ https://issues.apache.org/jira/browse/RAMPART-264?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Thilina Buddhika resolved RAMPART-264.
--------------------------------------

       Resolution: Fixed
    Fix Version/s: 1.6.0

This has already been fixed in the trunk. Verified using a policy similar to the policy provided
by Christian.

> PolicyBasedResultsValidator fails on ContentEncryptedElements and EncryptedElements
> -----------------------------------------------------------------------------------
>
>                 Key: RAMPART-264
>                 URL: https://issues.apache.org/jira/browse/RAMPART-264
>             Project: Rampart
>          Issue Type: Bug
>          Components: rampart-core
>    Affects Versions: 1.4
>         Environment: tomcat6
> axis2 1.4
>            Reporter: Christian Connert
>            Assignee: Thilina Buddhika
>             Fix For: 1.6.0
>
>         Attachments: message.xml, testPolicy.xml
>
>
> The validation of ContentEncryptedElements or EncryptedElements fails:
> Caused by: org.apache.rampart.RampartException: Missing encryption result for id : http://test.at/:name
> 	at org.apache.rampart.PolicyBasedResultsValidator.validateEncryptedParts(PolicyBasedResultsValidator.java:448)
> 	at org.apache.rampart.PolicyBasedResultsValidator.validate(PolicyBasedResultsValidator.java:144)
> 	at org.apache.rampart.RampartEngine.process(RampartEngine.java:204)
> 	at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
> 	... 21 more
> This error is caused by lines 447-448 of the PolicyBasedResultsValidator class.
> The problem is that decrypted elements have no encryption id attribute, and thus the check if(encPart.getEncId() == null) evaluates to true, resulting in the given RampartException.
> From my point of view the error lies within the validation process. The behavior that no id attributes are present in decrypted elements is intended by the WS-SecurityPolicy specification.
> I would suggest two fixes:
> 1.) (Quick and Dirty) :
> Extend the PolicyBasedResultsValidator and override the validateEncryptedParts (almost the same as in the base class):
> protected void validateEncryptedParts(ValidatorData data,
>         Vector encryptedParts, Vector results) throws RampartException {
>     RampartMessageData rmd = data.getRampartMessageData();
>
>     ArrayList encrRefs = getEncryptedReferences(results);
>
>     RampartPolicyData rpd = rmd.getPolicyData();
>
>     //Check for encrypted body
>     if (rpd.isEncryptBody()) {
>         if (!isRefIdPresent(encrRefs, data.getBodyEncrDataId())) {
>             throw new RampartException("encryptedPartMissing",
>                     new String[]{data.getBodyEncrDataId()});
>         }
>     }
>     for (int i = 0; i < encryptedParts.size(); i++) {
>         WSEncryptionPart encPart = (WSEncryptionPart) encryptedParts.get(i);
>
>         //This is the encrypted Body and we already checked encrypted body
>         if (encPart.getType() == WSConstants.PART_TYPE_BODY) {
>             continue;
>         }
>
>         if ((WSConstants.SIG_LN.equals(encPart.getName()) &&
>                 WSConstants.SIG_NS.equals(encPart.getNamespace()))
>                 || encPart.getType() == WSConstants.PART_TYPE_HEADER) {
>             if (!isRefIdPresent(encrRefs, new QName(encPart.getNamespace(), encPart.getName()))) {
>                 throw new RampartException("encryptedPartMissing",
>                         new String[]{encPart.getNamespace() + ":" + encPart.getName()});
>             }
>             continue;
>         }
>
>         if (encPart.getEncId() == null) {
>             // !!! this check is added !!!
>             if (!isRefIdPresent(encrRefs, new QName(encPart.getNamespace(), encPart.getName()))) {
>                 throw new RampartException("encryptedPartMissing",
>                         new String[]{encPart.getNamespace() + ":" + encPart.getName()});
>             }
>         } else if (!isRefIdPresent(encrRefs, encPart.getEncId())) {
>             throw new RampartException("encryptedPartMissing",
>                     new String[]{encPart.getNamespace() + ":" + encPart.getName()});
>         }
>     }
> }
> One also needs to copy the private methods isRefIdPresent(ArrayList refList, QName qname) and isRefIdPresent(ArrayList refList, String id) from the PolicyBasedResultsValidator class.
> Then the Rampart Config can be adapted to use the new PolicyValidatorCallbackHandler (ramp:policyValidatorCbClass).
> 2.) (Clean but more work)
> From my point of view the WSEncryptionPart should be of type WSConstants.PART_TYPE_ELEMENT. This must be set within the methods getContentEncryptedElements and getPartsAndElements. Those methods iterate over the XPaths of the corresponding ContentEncryptedElements or EncryptedElements. They create new WSEncryptionParts but don't set any type. If the type were set correctly, then one could check for this type within the PolicyBasedResultsValidator (line 437) as follows:

> if ((WSConstants.SIG_LN.equals(encPart.getName()) &&
>         WSConstants.SIG_NS.equals(encPart.getNamespace()))
>         || encPart.getType() == WSConstants.PART_TYPE_HEADER
>         || encPart.getType() == WSConstants.PART_TYPE_ELEMENT) {
>     if (!isRefIdPresent(encrRefs, new QName(encPart.getNamespace(), encPart.getName()))) {
> Hopefully this helps to locate and fix the bug.
> Note:
> As in (http://issues.apache.org/jira/browse/RAMPART-218), the policy isn't processed if ContentEncryptedElements or EncryptedElements are the only assertions.
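As an added illustration (not Rampart's or WSS4J's own code), a stand-alone Java model of the two lookups the report describes: a part that carries an encryption id is matched by id, while a decrypted ContentEncryptedElements/EncryptedElements part, which has no id, is matched by its QName. The stand-in types EncPart and EncRefs and the method names are simplifications assumed here; the sample part {http://test.at/}name mirrors the id in the reported exception.

```java
import java.util.*;

public class EncryptedPartsCheck {
    // Minimal stand-in for WSEncryptionPart (assumed here; not the WSS4J class).
    static final class EncPart {
        final String ns, name, encId;   // encId is null for decrypted element parts
        EncPart(String ns, String name, String encId) { this.ns = ns; this.name = name; this.encId = encId; }
    }
    // Encrypted references recovered from the security results: wsu ids and element QNames.
    static final class EncRefs {
        final Set<String> ids = new HashSet<>();
        final Set<String> qnames = new HashSet<>();
        EncRefs addId(String id) { ids.add(id); return this; }
        EncRefs addQName(String ns, String name) { qnames.add("{" + ns + "}" + name); return this; }
    }
    // Behaviour reported in the issue: a part without an encryption id is rejected outright.
    static void validateOriginal(List<EncPart> parts, EncRefs refs) {
        for (EncPart p : parts) {
            if (p.encId == null) {
                throw new IllegalStateException("Missing encryption result for id : " + p.ns + ":" + p.name);
            }
            if (!refs.ids.contains(p.encId)) throw new IllegalStateException("encryptedPartMissing " + p.encId);
        }
    }
    // Suggested behaviour: fall back to a QName lookup when the part has no encryption id,
    // so a decrypted element is accepted only if the results actually contain it.
    static void validateFixed(List<EncPart> parts, EncRefs refs) {
        for (EncPart p : parts) {
            boolean present = p.encId == null
                    ? refs.qnames.contains("{" + p.ns + "}" + p.name)
                    : refs.ids.contains(p.encId);
            if (!present) throw new IllegalStateException("encryptedPartMissing " + p.ns + ":" + p.name);
        }
    }
    public static void main(String[] args) {
        // Constructed sample: one EncryptedElements part for {http://test.at/}name with no enc id,
        // and security results that list the decrypted element under that QName.
        List<EncPart> parts = List.of(new EncPart("http://test.at/", "name", null));
        EncRefs refs = new EncRefs().addQName("http://test.at/", "name");
        try { validateOriginal(parts, refs); System.out.println("original: ok"); }
        catch (IllegalStateException e) { System.out.println("original: " + e.getMessage()); }
        validateFixed(parts, refs);
        System.out.println("fixed: ok");
        // A message whose results lack the required element must still be rejected.
        try { validateFixed(parts, new EncRefs()); }
        catch (IllegalStateException e) { System.out.println("fixed, element missing: " + e.getMessage()); }
    }
}
```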
