cxf-issues mailing list archives

From "David Valeri (JIRA)" <j...@apache.org>
Subject [jira] Updated: (CXF-2638) WS-SecurityPolicy SignedElements, SignedParts, EncryptedParts, EncryptedElements, and ContentEncryptedElements assertions incorrectly verified
Date Tue, 02 Feb 2010 16:52:19 GMT

     [ https://issues.apache.org/jira/browse/CXF-2638?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David Valeri updated CXF-2638:
------------------------------

    Attachment: cxf-2638-fixed.patch

Attached patch with missing test files.

> WS-SecurityPolicy SignedElements, SignedParts, EncryptedParts, EncryptedElements, and ContentEncryptedElements assertions incorrectly verified
> ----------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CXF-2638
>                 URL: https://issues.apache.org/jira/browse/CXF-2638
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.3
>            Reporter: David Valeri
>            Assignee: Daniel Kulp
>         Attachments: cxf-2638-fixed.patch, cxf-2638.patch
>
>
> When security configuration is provided via WS-SecurityPolicy, the PolicyBasedWSS4JInInterceptor
> enforces the SignedElements assertion incorrectly. If there is more than one match to the
> assertion XPath, the validation code does not correctly detect the unsigned matches so long
> as any one of the matches is signed. This logic does not accurately reflect the case in which
> multiple matches for the signature coverage XPath exist in the message and may provide a false
> sense of integrity in the message.
> Per section 1.2 of the WS-Security spec:
> The XPath expression "identifies the nodes to be integrity protected."
> Based on this language, it seems as if all nodes matching the XPath expression must be
> integrity constrained.
> Similar issues exist with the SignedParts, EncryptedParts, EncryptedElements, and ContentEncryptedElements
> assertions as well.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
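
The any-versus-all coverage check described in the quoted issue, as an added Java example that is not part of the original message or of the attached CXF patch. The class name, the constructed message, the `//Item` XPath and the `signed` set (standing in for the wsu:Id values referenced by an already verified signature) are all assumptions made for illustration.

```java
import java.io.StringReader;
import java.util.Set;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class SignedElementsCoverage {
    static final String WSU =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    // Constructed message: two elements match the policy XPath, only id-1 is signed.
    static final String MESSAGE = "<Body xmlns:wsu='" + WSU + "'>"
        + "<Item wsu:Id='id-1'>covered by the signature</Item>"
        + "<Item wsu:Id='id-2'>not covered</Item>"
        + "</Body>";

    static String id(Node n) { return ((Element) n).getAttributeNS(WSU, "Id"); }

    // Logic described in the issue: accepts as soon as any one match is signed.
    static boolean anyMatchSigned(NodeList matches, Set<String> signed) {
        for (int i = 0; i < matches.getLength(); i++) {
            if (signed.contains(id(matches.item(i)))) return true;
        }
        return false;
    }

    // Reading argued for in the issue: every node matching the XPath must be signed
    // (zero matches pass vacuously in this example).
    static boolean allMatchesSigned(NodeList matches, Set<String> signed) {
        for (int i = 0; i < matches.getLength(); i++) {
            if (!signed.contains(id(matches.item(i)))) return false;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(MESSAGE)));
        NodeList matches = (NodeList) XPathFactory.newInstance().newXPath()
            .evaluate("//Item", doc, XPathConstants.NODESET);
        Set<String> signed = Set.of("id-1"); // assumed result of signature verification
        System.out.println("any-match check accepts: " + anyMatchSigned(matches, signed));
        System.out.println("all-matches check accepts: " + allMatchesSigned(matches, signed));
    }
}
```

Comparing wsu:Id strings keeps the example short; a real check should compare the matched nodes themselves against the nodes the signature actually covered, since Id values can be duplicated in a message.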

