ws-wss4j-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dave Ortman (JIRA)" <>
Subject [jira] Updated: (WSS-197) Order of security actions may result in validation failing
Date Mon, 08 Jun 2009 18:54:07 GMT


Dave Ortman updated WSS-197:


Within this sample, there is a client process which is performing two actions on outgoing
messages : an x509 signature and a UsernameToken.  This is being driven by the following Spring

	<bean id="securityInterceptor"
		<property name="securementActions" value="Signature" />
		<property name="securementUsername" value="dortman" />
		<property name="securementPassword" value="password" />
		<property name="securementSignatureCrypto">
				<property name="keyStorePassword" value="password" />
				<property name="keyStoreLocation" value="classpath:dortman.jks" />
		<property name="securementSignatureKeyIdentifier" value="DirectReference" />

	<bean id="wss4jWithCorrectUsernameAndPassword"
		<property name="securementActions" value="UsernameToken" />
		<property name="securementUsername" value="Ernie" />
		<property name="securementPassword" value="Bert" />

On the server, the following configuration is verifying these same actions:

	<bean id="wsDigCerSecurityInterceptor"
		<property name="validationActions" value="Signature UsernameToken" />
		<property name="validationSignatureCrypto">
				<property name="keyStorePassword" value="password" />
				<property name="keyStoreLocation" value="classpath:dortman.jks" />
		<property name="validationCallbackHandler">
				<property name="users">
						<prop key="Ernie">Bert</prop>

This works fine.  The problem comes when I alter the order of the actions to:
<property name="validationActions" value="UsernameToken Signature" />

This leads to the following error, issued from Spring:

Exception in thread "main" Security
processing failed (actions mismatch)

Spring is relying on the WSHandler class; here is the order of operations (Spring WS 1.5.7
and WSS4J 1.5.7):
	Wss4jHandler(WSHandler).checkReceiverResults(Vector, Vector) line: 280	
	Wss4jHandler.checkReceiverResults(Vector, Vector) line: 64	
	Wss4jSecurityInterceptor.validateMessage(SoapMessage, MessageContext) line: 508	
	Wss4jSecurityInterceptor(AbstractWsSecurityInterceptor).handleRequest(MessageContext, Object)
line: 101	
	SoapMessageDispatcher(MessageDispatcher).dispatch(MessageContext) line: 213	
	SoapMessageDispatcher(MessageDispatcher).receive(MessageContext) line: 168

Spring is passing in two vectors (results and actions), but the order of them do not match.
 If I manually reorder them, the validation succeeds.

This problem was noticed when an external process was calling a service, and was appending
a UsernameToken element at the end of the security header.

I see that the latest version of the method takes two lists instead of two vectors; but the
logic appears the same.  Again, I am under the assumption that order should not be relevant
in this method, but I am not entirely sure that is the case.


> Order of security actions may result in validation failing
> ----------------------------------------------------------
>                 Key: WSS-197
>                 URL:
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Handlers
>    Affects Versions: 1.5.7
>         Environment: Tomcat (5.5, 6.0), Spring WS Security 1.5.7
>            Reporter: Dave Ortman
>            Assignee: Ruchith Udayanga Fernando
>         Attachments:
> I have found that the order of security actions is particularly relevant when they are
processed.  That is, the XSD which defines the security header seems to imply no necessary
order.  However, swapping the order of two elements (in this case, UsernameToken and Signature)
will result in the a failure.
> I have attached a sample application with a working service and a client that calls that
service.  It works as expected.  It is using Spring Web Security 1.5.7.  It is setup to use
both a Signature and a UsernameToken.
> The problem occurred when a client was calling a service and sending a message in which
the UsernameToken element was put *after* the BinarySecurityToken element.  I tracked the
problem down to the wsResult,
Vector actions) method.  This class is being extended by Spring in the Wss4jHandler class
- but the checkReceiverResults simply calls super.checkReceiverResults().
> This method assumes that the actions and the results are in the same order.  However,
by altering the order of these elements (either on the client or on the server), this assumption
becomes incorrect.  What I am not clear on is whether the issue is with the underlying Apache
class, or with the Spring class.  When checkReceiverResults() is called, should the results
and the actions be in the same order?
>     protected boolean checkReceiverResults(Vector wsResult, Vector actions) {
>         int resultActions = wsResult.size();
>         int size = actions.size();
>         int ai = 0;
>         for (int i = 0; i < resultActions; i++) {
>             final Integer actInt = (Integer) ((WSSecurityEngineResult) wsResult
>                     .get(i)).get(WSSecurityEngineResult.TAG_ACTION);
>             int act = actInt.intValue();
>             if (act == WSConstants.SC || act == WSConstants.BST) {
>                 continue;
>             }
>             if (ai >= size || ((Integer) actions.get(ai++)).intValue() != act) {
>                 return false;
>             }
>         }

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message