cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "David Valeri (JIRA)" <j...@apache.org>
Subject [jira] Updated: (CXF-2655) WS-SP token protection security binding property not correctly applied to X509 token in outbound interceptors
Date Mon, 08 Feb 2010 19:05:28 GMT

     [ https://issues.apache.org/jira/browse/CXF-2655?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

David Valeri updated CXF-2655:
------------------------------

    Attachment: cxf-2655-test.patch

Attaching test case.  As this test case update depends on changes to the test case that were
also made to support CXF-2654, only tests in "testProtectTokenAssertion" should be considered
relevant for this issue.

> WS-SP token protection security binding property not correctly applied to X509 token
in outbound interceptors
> -------------------------------------------------------------------------------------------------------------
>
>                 Key: CXF-2655
>                 URL: https://issues.apache.org/jira/browse/CXF-2655
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.3
>            Reporter: David Valeri
>         Attachments: cxf-2655-test.patch
>
>
> When a ProtectTokens assertion is used in an asymetric binding with X509 token, CXF does
not sign the BST included in the message.  It is likely that CXF also does not sign the proper
parts if an issuer serial or key identifier is used instead.
> The direct reference case is triggered by an issue in AsymetricBindingHandler lines 386-392.
 One cannot prepend the BST and then get its ID because WSS4J removes this info after the
BST is prepended.
> Changing the order of operations is one approach while working with the WSS4J signature
builder's capabilities to sign the "Token" based on the mechanism by which the token is referenced
may be a better approach.
> Test case is pending.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message