[CXF-2638] WS-SecurityPolicy SignedElements, SignedParts, EncryptedParts, EncryptedElements, and ContentEncryptedElements assertions incorrectly verified - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 2.3
Fix Version/s: 2.2.7
Component/s: WS-* Components
Labels:
None

Estimated Complexity:
Unknown

Description

When security configuration is provided via WS-SecurityPolicy, the PolicyBasedWSS4JInInterceptor enforces the SignedElements assertion incorrectly. If there is more than one match to the assertion XPath, the validation code does not correctly detect the unsigned matches so long as any one of the matches is signed. This logic does not accurately reflect the case in which multiple matches for the signature coverage XPath exist in the message and may provide a false sense of integrity in the message.

Per section 1.2 of the WS-Security spec:
The XPath expression "identifies the nodes to be integrity protected."

Based on this language, it seems as if all nodes matching the XPath expression must be integrity constrained.

Similar issues exist with the SignedParts, EncryptedParts, EncryptedElements, and ContentEncryptedElements assertions as well.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

cxf-2638-fixed.patch
02/Feb/10 16:50
85 kB
David Valeri
cxf-2638.patch
29/Jan/10 16:02
71 kB
David Valeri

Issue Links

blocks

CXF-2639 Expose Cryptographic coverage checking code from PolicyBasedWSS4JInInterceptor in a non-WS-Policy based interceptor

Closed

Activity

People

Assignee:: Daniel Kulp

Reporter:: David Valeri

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 29/Jan/10 16:00

Updated:: 23/Mar/10 02:59

Resolved:: 02/Feb/10 17:50