ws-wss4j-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Colm O hEigeartaigh (JIRA)" <j...@apache.org>
Subject [jira] Closed: (WSS-197) Order of security actions may result in validation failing
Date Tue, 09 Jun 2009 09:43:08 GMT

     [ https://issues.apache.org/jira/browse/WSS-197?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Colm O hEigeartaigh closed WSS-197.
-----------------------------------


> Order of security actions may result in validation failing
> ----------------------------------------------------------
>
>                 Key: WSS-197
>                 URL: https://issues.apache.org/jira/browse/WSS-197
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Handlers
>    Affects Versions: 1.5.7
>         Environment: Tomcat (5.5, 6.0), Spring WS Security 1.5.7
>            Reporter: Dave Ortman
>            Assignee: Colm O hEigeartaigh
>         Attachments: book-wss.zip
>
>
> I have found that the order of security actions is particularly relevant when they are
processed.  That is, the XSD which defines the security header seems to imply no necessary
order.  However, swapping the order of two elements (in this case, UsernameToken and Signature)
will result in the a failure.
> I have attached a sample application with a working service and a client that calls that
service.  It works as expected.  It is using Spring Web Security 1.5.7.  It is setup to use
both a Signature and a UsernameToken.
> The problem occurred when a client was calling a service and sending a message in which
the UsernameToken element was put *after* the BinarySecurityToken element.  I tracked the
problem down to the org.apache.ws.security.handler.WSHandler.checkReceiverResults(Vector wsResult,
Vector actions) method.  This class is being extended by Spring in the Wss4jHandler class
- but the checkReceiverResults simply calls super.checkReceiverResults().
> This method assumes that the actions and the results are in the same order.  However,
by altering the order of these elements (either on the client or on the server), this assumption
becomes incorrect.  What I am not clear on is whether the issue is with the underlying Apache
class, or with the Spring class.  When checkReceiverResults() is called, should the results
and the actions be in the same order?
>     protected boolean checkReceiverResults(Vector wsResult, Vector actions) {
>         int resultActions = wsResult.size();
>         int size = actions.size();
>         int ai = 0;
>         for (int i = 0; i < resultActions; i++) {
>             final Integer actInt = (Integer) ((WSSecurityEngineResult) wsResult
>                     .get(i)).get(WSSecurityEngineResult.TAG_ACTION);
>             int act = actInt.intValue();
>             if (act == WSConstants.SC || act == WSConstants.BST) {
>                 continue;
>             }
>             if (ai >= size || ((Integer) actions.get(ai++)).intValue() != act) {
>                 return false;
>             }
>         }

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org


Mime
View raw message