
Key: SF-247
Type: Bug
Status: Closed
Resolution: Fixed
Priority: Major
Assignee: Unassigned
Reporter: David Valeri
Votes: 0
Watchers: 0
FUSE Services Framework

WS-SecurityPolicy SignedElements, SignedParts, EncryptedParts, EncryptedElements, and ContentEncryptedElements assertions incorrectly verified

Created: 27/Jan/10 06:35 PM   Updated: 08/Apr/10 03:14 PM
Component/s: None
Affects Version/s: 2.2.2.2-fuse, 2.3.0.0-fuse
Fix Version/s: 2.2.6-fuse-01-00

File Attachments: 1. SF-247-test.patch (9 kB)


External Issue URL: https://issues.apache.org/jira/browse/CXF-2638


Description
When security configuration is provided via WS-SecurityPolicy, the PolicyBasedWSS4JInInterceptor enforces the SignedElements assertion incorrectly. If there is more than one match to the assertion XPath, the validation code does not correctly detect the unsigned matches so long as any one of the matches is signed. This logic does not accurately reflect the case in which multiple matches for the signature coverage XPath exist in the message and may provide a false sense of integrity in the message.

Per section 1.2 of the WS-Security spec:
The XPath expression "identifies the nodes to be integrity protected."

Based on this language, it seems as if all nodes matching the XPath expression must be integrity constrained.

Similar issues exist with the SignedParts, EncryptedParts, EncryptedElements, and ContentEncryptedElements assertions as well.
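
The difference between the reported behaviour and the strict reading, as an added Python sketch (not CXF or WSS4J code, and not taken from the attached patch). It assumes signature values were already verified, models coverage only by matching `wsu:Id` against `ds:Reference` URIs, and uses ElementTree's XPath subset; the message, the `ord` namespace and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ord": "urn:example:orders",  # constructed application namespace
}
WSU_ID = "{%s}Id" % NS["wsu"]

# Constructed, simplified message: two elements match the coverage XPath,
# but the signature references only "item-1".
MESSAGE = """<soap:Envelope {decls}>
  <soap:Header><ds:Signature><ds:SignedInfo>
    <ds:Reference URI="#item-1"/>
  </ds:SignedInfo></ds:Signature></soap:Header>
  <soap:Body>
    <ord:Item wsu:Id="item-1">signed</ord:Item>
    <ord:Item wsu:Id="item-2">not signed</ord:Item>
  </soap:Body>
</soap:Envelope>""".format(
    decls=" ".join('xmlns:%s="%s"' % kv for kv in NS.items()))
ROOT = ET.fromstring(MESSAGE)

def signed_ids(root):
    """Ids named by same-document ds:Reference URIs ("#id")."""
    uris = (r.get("URI", "") for r in root.iterfind(".//ds:Reference", NS))
    return {u[1:] for u in uris if u.startswith("#")}

def unsigned_matches(root, path):
    """Elements matching `path` with no wsu:Id, or an Id no reference covers."""
    covered = signed_ids(root)
    return [e for e in root.iterfind(path, NS) if e.get(WSU_ID) not in covered]

def any_match_signed(root, path):
    """Behaviour reported in the issue: one signed match satisfies the assertion."""
    covered = signed_ids(root)
    return any(e.get(WSU_ID) in covered for e in root.iterfind(path, NS))

def all_matches_signed(root, path):
    """Strict reading: holds only if no match is unsigned (true for zero matches)."""
    return not unsigned_matches(root, path)

if __name__ == "__main__":
    path = ".//ord:Item"
    print("any-match check passes:", any_match_signed(ROOT, path))
    print("all-match check passes:", all_matches_signed(ROOT, path))
    print("unsigned:", [e.get(WSU_ID) for e in unsigned_matches(ROOT, path)])
```
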



Comments
David Valeri added a comment - 27/Jan/10 06:41 PM
Attached test case. I have some code that resolves the issue, but it is outside of the PolicyBasedWSS4JInInterceptor at this time. I should be able to provide the code as well as the refactored PolicyBasedWSS4JInInterceptor that leverages this code by the end of the week.

David Valeri added a comment - 29/Jan/10 04:04 PM
Additional assertions were discovered to be defective during test case creation and validation. The updated patch and test case are available at Apache: https://issues.apache.org/jira/browse/CXF-2638

Ulhas Bhole added a comment - 08/Apr/10 03:13 PM
Fixed