axis-java-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Detelin Yordanov (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (RAMPART-415) Upgrade Rampart to use latest wss4j 1.6.16
Date Wed, 16 Jul 2014 11:20:05 GMT

     [ https://issues.apache.org/jira/browse/RAMPART-415?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Detelin Yordanov updated RAMPART-415:
-------------------------------------

    Attachment: rampart_ut_nopasswd.patch

Unfortunately you are right, Rampart trunk also suffers from this problem, but since there
is no test with username token without password, there are no failures in the nightly build.
I'm attaching a patch with such test and corresponding fix - the fix is to check if UsernameToken
assertion with no password requirement is present as a supporting token and configure wss4j
to allow it. Unfortunately this is a global configuration in wss4j and cannot be applied to
individual username tokens, but considering that so far wss4j always allows such tokens, I
think we are fine now to allow them if at least one such token is present.

> Upgrade Rampart to use latest wss4j 1.6.16
> ------------------------------------------
>
>                 Key: RAMPART-415
>                 URL: https://issues.apache.org/jira/browse/RAMPART-415
>             Project: Rampart
>          Issue Type: Improvement
>    Affects Versions: 1.6.2
>            Reporter: Detelin Yordanov
>            Assignee: Andreas Veithen
>             Fix For: 1.7.0, 1.6.3
>
>         Attachments: rampart16_wss4j.patch, rampart_bcprov.patch, rampart_ut_nopasswd.patch,
rampart_wss4j.patch
>
>
> Rampart uses an outdated wss4j 1.6.4 version, while wss4j 1.6.16 was released just recently.
I think it is important for Rampart to use latest stable wss4j, additionally my team is willing
to contribute some Rampart extensions which require wss4j 1.6.16. I tested Rampart trunk with
wss4j 1.6.16 and noticed two failing tests:
> - org.apache.rampart.RampartTest.testWithPolicy, scenario 7
> - org.apache.rahas.impl.util.CommonUtilTest.testGetDecryptedBytes
> The first issue is caused by a change in wss4j to add an "id" to the "Reference List"
security processing results even when the value is an empty literal. I discussed the issue
on wss4j mailing list and a fix for this will be available in next wss4j 1.6.17 version, see:
> http://mail-archives.apache.org/mod_mbox/ws-dev/201407.mbox/%3CCAEu2FRPX1ENvbytEJnybLnc1W1zB9SsjXskgH7M0AdSzaMRxyA@mail.gmail.com%3E
> Meanwhile, I proposed a temporary fix in Rampart that skips results with empty Ids (attached).
> The second issue is triggered by a change in xmlsec 1.5.2 which adds cloning of KeyInfo
elements, however the root cause seems to be a change is how Rahas TestUtil constructs a SOAP
envelope:
> [Avoid direct references to Axiom implementation classes|http://svn.apache.org/viewvc/axis/axis2/java/rampart/trunk/modules/rampart-trust/src/test/java/org/apache/rahas/test/util/TestUtil.java?r1=1298295&r2=1299913]
> I have raised this issue on Axis2 dev list:
> http://mail-archives.apache.org/mod_mbox/axis-java-dev/201407.mbox/%3CCAEu2FROZusGJr%3DtzSRXe88hXYpV%3DzAyrNE-vwDYpi0tZG9Vy4Q%40mail.gmail.com%3E
> I will update this issue once a solution is found. I can help with further issues if
such are found. Please note that all Rampart tests pass successfully with wss4j 1.6.16 after
applying the provided Rampart wss4j workaround and reverting the Rampart Axiom-related changes
done in revision [1299913|http://svn.apache.org/viewvc?view=revision&revision=1299913].



--
This message was sent by Atlassian JIRA
(v6.2#6252)

---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org


Mime
View raw message