cxf-issues mailing list archives

From "Daniel Kulp (JIRA)" <j...@apache.org>
Subject [jira] Resolved: (CXF-2714) SupportingToken UsernameToken is always encrypted
Date Thu, 08 Apr 2010 02:52:39 GMT

     [ https://issues.apache.org/jira/browse/CXF-2714?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Kulp resolved CXF-2714.
------------------------------

       Resolution: Fixed
    Fix Version/s: 2.2.8

> SupportingToken UsernameToken is always encrypted
> -------------------------------------------------
>
>                 Key: CXF-2714
>                 URL: https://issues.apache.org/jira/browse/CXF-2714
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.2.6
>            Reporter: Alexey Ilyin
>            Assignee: Daniel Kulp
>             Fix For: 2.2.8
>
>
> If no encryption is specified in the policy file and UsernameToken is used as a supporting token, then this token is always encrypted.
> org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.handleSupportingTokens(SupportingToken, boolean, Map<Token, WSSecBase>) does not check if UsernameToken is an encrypted token and unconditionally adds it to the encryptedTokensIdList.
> This can be easily fixed by modifying line 428 (as per src release 1.4) from
>                     encryptedTokensIdList.add(utBuilder.getId());
> to
>
>                     if (suppTokens.isEncryptedToken()) {
>                         encryptedTokensIdList.add(utBuilder.getId());
>                     }
> One more concern is about a comment in the file:
>                     //WebLogic and WCF always encrypt these
>                     //See:  http://e-docs.bea.com/wls/docs103/webserv_intro/interop.html
> Currently WebLogic doesn't encrypt UsernameToken and we got an interoperability issue between CXF and WebLogic.
> The same bug is already registered for RAMPART (RAMPART-225).

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
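
Added example, not part of the original message and not CXF code: a policy-side check that lists each supporting UsernameToken in a WS-SecurityPolicy document and whether the policy itself asks for encryption, then compares the reported always-encrypt behaviour with the guarded one. The sample policy, the function names, and the assumption that isEncryptedToken() corresponds to the *Encrypted*SupportingTokens assertions are illustrative.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy (not from the CXF issue): one plain supporting
# UsernameToken and one that the policy explicitly asks to encrypt.
SAMPLE_POLICY = """\
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
            xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <sp:SupportingTokens>
    <wsp:Policy><sp:UsernameToken/></wsp:Policy>
  </sp:SupportingTokens>
  <sp:SignedEncryptedSupportingTokens>
    <wsp:Policy><sp:UsernameToken/></wsp:Policy>
  </sp:SignedEncryptedSupportingTokens>
</wsp:Policy>
"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def username_token_plan(policy_xml):
    """Return (assertion, policy_wants_encryption) per supporting UsernameToken."""
    plan = []
    for elem in ET.fromstring(policy_xml).iter():
        name = local(elem.tag)
        if not name.endswith("SupportingTokens"):
            continue
        # Assumption: only the *Encrypted*SupportingTokens assertions request
        # encryption, which is what the proposed isEncryptedToken() guard tests.
        wants_encryption = "Encrypted" in name
        for child in elem.iter():
            if local(child.tag) == "UsernameToken":
                plan.append((name, wants_encryption))
    return plan

def mismatches(policy_xml, always_encrypt):
    """Assertions whose UsernameToken treatment differs from the policy.

    always_encrypt=True models the reported behaviour (every supporting
    UsernameToken goes on the encrypted list); False models the guarded one.
    """
    return [name for name, wanted in username_token_plan(policy_xml)
            if (always_encrypt or wanted) != wanted]

if __name__ == "__main__":
    print("reported behaviour:", mismatches(SAMPLE_POLICY, always_encrypt=True))
    print("guarded behaviour: ", mismatches(SAMPLE_POLICY, always_encrypt=False))
```

A non-empty result marks the assertions where the message on the wire would not match what the peer's policy expects, which is the interoperability symptom the report describes.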

