Message-ID: <195269330.28831265128940596.JavaMail.jira@brutus.apache.org>
Date: Tue, 2 Feb 2010 16:42:20 +0000 (UTC)
From: "Daniel Kulp (JIRA)"
To: issues@cxf.apache.org
Reply-To: dev@cxf.apache.org
Subject: [jira] Commented: (CXF-2638) WS-SecurityPolicy SignedElements, SignedParts, EncryptedParts, EncryptedElements, and ContentEncryptedElements assertions incorrectly verified
In-Reply-To: <988883972.130491264780835188.JavaMail.jira@brutus.apache.org>

[ 
https://issues.apache.org/jira/browse/CXF-2638?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12828660#action_12828660 ]

Daniel Kulp commented on CXF-2638:
----------------------------------

There are a bunch of missing files in this patch which is causing the new tests to fail.

org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest_bus_context.xml
signed_missing_signed_body.xml
encrypted_missing_enc_header.xml
encrypted_body_element.xml
encrypted_missing_enc_body.xml
encrypted_body_content.xml
etc.

Can you recreate the patch making sure all the files are "added" first?

Thanks!

> WS-SecurityPolicy SignedElements, SignedParts, EncryptedParts, EncryptedElements, and ContentEncryptedElements assertions incorrectly verified
> ----------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CXF-2638
>                 URL: https://issues.apache.org/jira/browse/CXF-2638
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.3
>            Reporter: David Valeri
>            Assignee: Daniel Kulp
>         Attachments: cxf-2638.patch
>
>
> When security configuration is provided via WS-SecurityPolicy, the PolicyBasedWSS4JInInterceptor enforces the SignedElements assertion incorrectly. If there is more than one match to the assertion XPath, the validation code does not correctly detect the unsigned matches so long as any one of the matches is signed. This logic does not accurately reflect the case in which multiple matches for the signature coverage XPath exist in the message and may provide a false sense of integrity in the message.
> Per section 1.2 of the WS-Security spec:
> The XPath expression "identifies the nodes to be integrity protected."
> Based on this language, it seems as if all nodes matching the XPath expression must be integrity constrained.
> Similar issues exist with the SignedParts, EncryptedParts, EncryptedElements, and ContentEncryptedElements assertions as well.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
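
The any-versus-all distinction described in the quoted report, as an added example that is not CXF's code and not the attached patch. The class, method names and message are constructed for illustration, and the `signedIds` set is an assumed stand-in for the `wsu:Id` values that verified signature references cover.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Set;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class SignedElementsCoverage { // hypothetical class, not part of CXF
    static final String WSU =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";

    // Constructed message: two elements match the XPath, only the first has a signed wsu:Id.
    static final String MSG = "<Envelope xmlns:wsu='" + WSU + "'><Body>"
        + "<Item wsu:Id='id-1'>100</Item>"
        + "<Item>999</Item>"
        + "</Body></Envelope>";

    static NodeList matches(String xml, String xpath) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Object doc = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return (NodeList) XPathFactory.newInstance().newXPath()
            .evaluate(xpath, doc, XPathConstants.NODESET);
    }

    // An element counts as signed only if its wsu:Id is in the assumed set of signed Ids.
    static boolean isSigned(Element e, Set<String> signedIds) {
        return signedIds.contains(e.getAttributeNS(WSU, "Id"));
    }

    // Behaviour described in the report: a single signed match satisfies the assertion.
    static boolean anyMatchSigned(NodeList n, Set<String> ids) {
        for (int i = 0; i < n.getLength(); i++)
            if (isSigned((Element) n.item(i), ids)) return true;
        return false;
    }

    // Reading proposed in the report: every node matching the XPath must be signed.
    static boolean allMatchesSigned(NodeList n, Set<String> ids) {
        for (int i = 0; i < n.getLength(); i++)
            if (!isSigned((Element) n.item(i), ids)) return false;
        return true;
    }

    public static void main(String[] args) throws Exception {
        NodeList n = matches(MSG, "//*[local-name()='Item']");
        Set<String> signedIds = Set.of("id-1"); // assumed output of signature verification
        System.out.println("any-match check accepts message: " + anyMatchSigned(n, signedIds));
        System.out.println("all-match check accepts message: " + allMatchesSigned(n, signedIds));
    }
}
```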