ws-wss4j-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dave Ortman (JIRA)" <>
Subject [jira] Created: (WSS-197) Order of security actions may result in validation failing
Date Mon, 08 Jun 2009 18:46:07 GMT
Order of security actions may result in validation failing

                 Key: WSS-197
             Project: WSS4J
          Issue Type: Bug
          Components: WSS4J Handlers
    Affects Versions: 1.5.7
         Environment: Tomcat (5.5, 6.0), Spring WS Security 1.5.7
            Reporter: Dave Ortman
            Assignee: Ruchith Udayanga Fernando

I have found that the order of security actions is particularly relevant when they are processed.
 That is, the XSD which defines the security header seems to imply no necessary order.  However,
swapping the order of two elements (in this case, UsernameToken and Signature) will result
in the a failure.

I have attached a sample application with a working service and a client that calls that service.
 It works as expected.  It is using Spring Web Security 1.5.7.  It is setup to use both a
Signature and a UsernameToken.

The problem occurred when a client was calling a service and sending a message in which the
UsernameToken element was put *after* the BinarySecurityToken element.  I tracked the problem
down to the wsResult,
Vector actions) method.  This class is being extended by Spring in the Wss4jHandler class
- but the checkReceiverResults simply calls super.checkReceiverResults().

This method assumes that the actions and the results are in the same order.  However, by altering
the order of these elements (either on the client or on the server), this assumption becomes
incorrect.  What I am not clear on is whether the issue is with the underlying Apache class,
or with the Spring class.  When checkReceiverResults() is called, should the results and the
actions be in the same order?

    protected boolean checkReceiverResults(Vector wsResult, Vector actions) {
        int resultActions = wsResult.size();
        int size = actions.size();

        int ai = 0;
        for (int i = 0; i < resultActions; i++) {
            final Integer actInt = (Integer) ((WSSecurityEngineResult) wsResult
            int act = actInt.intValue();
            if (act == WSConstants.SC || act == WSConstants.BST) {
            if (ai >= size || ((Integer) actions.get(ai++)).intValue() != act) {
                return false;

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message