From: "Dave Ortman (JIRA)"
To: wss4j-dev@ws.apache.org
Date: Tue, 9 Jun 2009 08:59:07 -0700 (PDT)
Subject: [jira] Commented: (WSS-197) Order of security actions may result in validation failing
Message-ID: <64619633.1244563147816.JavaMail.jira@brutus>
In-Reply-To: <1913000088.1244486767378.JavaMail.jira@brutus>
Mailing-List: contact wss4j-dev-help@ws.apache.org; run by ezmlm

[ https://issues.apache.org/jira/browse/WSS-197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12717721#action_12717721 ]

Dave Ortman commented on WSS-197:
---------------------------------

Ah, thanks Colm. My apologies - I looked, and for some reason I completely overlooked the fact that it had already been addressed.

> Order of security actions may result in validation failing
> ----------------------------------------------------------
>
>                 Key: WSS-197
>                 URL: https://issues.apache.org/jira/browse/WSS-197
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Handlers
>    Affects Versions: 1.5.7
>         Environment: Tomcat (5.5, 6.0), Spring WS Security 1.5.7
>            Reporter: Dave Ortman
>            Assignee: Colm O hEigeartaigh
>         Attachments: book-wss.zip
>
>
> I have found that the order of security actions is particularly relevant when they are processed. That is, the XSD which defines the security header seems to imply no necessary order. However, swapping the order of two elements (in this case, UsernameToken and Signature) will result in a failure.
>
> I have attached a sample application with a working service and a client that calls that service. It works as expected. It is using Spring Web Security 1.5.7. It is set up to use both a Signature and a UsernameToken.
>
> The problem occurred when a client was calling a service and sending a message in which the UsernameToken element was put *after* the BinarySecurityToken element. I tracked the problem down to the org.apache.ws.security.handler.WSHandler.checkReceiverResults(Vector wsResult, Vector actions) method. This class is being extended by Spring in the Wss4jHandler class - but the checkReceiverResults simply calls super.checkReceiverResults().
>
> This method assumes that the actions and the results are in the same order. However, by altering the order of these elements (either on the client or on the server), this assumption becomes incorrect. What I am not clear on is whether the issue is with the underlying Apache class, or with the Spring class. When checkReceiverResults() is called, should the results and the actions be in the same order?
> protected boolean checkReceiverResults(Vector wsResult, Vector actions) {
>     int resultActions = wsResult.size();
>     int size = actions.size();
>     int ai = 0;
>     for (int i = 0; i < resultActions; i++) {
>         final Integer actInt = (Integer) ((WSSecurityEngineResult) wsResult
>             .get(i)).get(WSSecurityEngineResult.TAG_ACTION);
>         int act = actInt.intValue();
>         if (act == WSConstants.SC || act == WSConstants.BST) {
>             continue;
>         }
>         if (ai >= size || ((Integer) actions.get(ai++)).intValue() != act) {
>             return false;
>         }
>     }

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
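The positional comparison in the quoted loop, reproduced beside an order-insensitive alternative, as an added example. This is not WSS4J code and not the fix the project applied; the action codes UT, SIGN, SC and BST are stand-in integers chosen for the illustration rather than WSConstants values, the "all configured actions consumed" check after the loop is part of this example (the quoted snippet is cut off before the method's tail), and the result lists stand in for the TAG_ACTION values that the engine records in header order.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/**
 * Added example (not WSS4J code) of the ordering assumption reported in
 * WSS-197: a receiver configured with actions [UT, SIGN] rejects a header
 * whose UsernameToken follows the BinarySecurityToken/Signature if the
 * check compares positions. The multiset comparison accepts any order but
 * still rejects missing or unexpected actions.
 */
public class ActionOrderCheck {
    // Stand-in action codes for this example; NOT the values in WSConstants.
    static final int UT   = 1; // UsernameToken
    static final int SIGN = 2; // Signature
    static final int SC   = 3; // SignatureConfirmation (skipped by the check)
    static final int BST  = 4; // BinarySecurityToken   (skipped by the check)

    /** Positional comparison, the same logic as the quoted WSHandler loop. */
    static boolean orderSensitive(List<Integer> results, List<Integer> actions) {
        int ai = 0;
        for (int act : results) {
            if (act == SC || act == BST) continue;          // not configured actions
            if (ai >= actions.size() || actions.get(ai++) != act) return false;
        }
        return ai == actions.size();                        // every configured action seen
    }

    /** Multiset comparison: same actions in any order, nothing extra, nothing missing. */
    static boolean orderInsensitive(List<Integer> results, List<Integer> actions) {
        Map<Integer, Integer> expected = new HashMap<>();
        for (int a : actions) expected.merge(a, 1, Integer::sum);
        for (int act : results) {
            if (act == SC || act == BST) continue;
            Integer n = expected.get(act);
            if (n == null) return false;                    // action not configured: reject
            if (n == 1) expected.remove(act); else expected.put(act, n - 1);
        }
        return expected.isEmpty();                          // a configured action was never seen: reject
    }

    public static void main(String[] args) {
        List<Integer> configured = Arrays.asList(UT, SIGN);

        // Constructed header orders, as the engine would record them in document order.
        List<Integer> utFirst  = Arrays.asList(UT, BST, SIGN);   // the working client
        List<Integer> utLast   = Arrays.asList(BST, SIGN, UT);   // UsernameToken after the BST
        List<Integer> noUt     = Arrays.asList(BST, SIGN);       // UsernameToken missing
        List<Integer> twoSigns = Arrays.asList(UT, SIGN, SIGN);  // unexpected extra action

        System.out.println("UT first : positional=" + orderSensitive(utFirst, configured)
                + " multiset=" + orderInsensitive(utFirst, configured));   // true / true
        System.out.println("UT last  : positional=" + orderSensitive(utLast, configured)
                + " multiset=" + orderInsensitive(utLast, configured));    // false / true
        System.out.println("no UT    : positional=" + orderSensitive(noUt, configured)
                + " multiset=" + orderInsensitive(noUt, configured));      // false / false
        System.out.println("two SIGN : positional=" + orderSensitive(twoSigns, configured)
                + " multiset=" + orderInsensitive(twoSigns, configured));  // false / false
    }
}
```

The point of the second variant is that relaxing the order must not relax anything else: a header that omits the Signature, or carries an action the receiver did not configure, is still rejected. Whether the actions compared here are sufficient is a separate question; a handler must also check what the Signature actually covers, which this comparison of action codes does not do.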