Uploaded image for project: 'CXF'
  1. CXF
  2. CXF-2638

WS-SecurityPolicy SignedElements, SignedParts, EncryptedParts, EncryptedElements, and ContentEncryptedElements assertions incorrectly verified

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 2.3
    • 2.2.7
    • WS-* Components
    • None
    • Unknown

    Description

      When security configuration is provided via WS-SecurityPolicy, the PolicyBasedWSS4JInInterceptor enforces the SignedElements assertion incorrectly. If there is more than one match to the assertion XPath, the validation code does not correctly detect the unsigned matches so long as any one of the matches is signed. This logic does not accurately reflect the case in which multiple matches for the signature coverage XPath exist in the message and may provide a false sense of integrity in the message.

      Per section 1.2 of the WS-Security spec:
      The XPath expression "identifies the nodes to be integrity protected."

      Based on this language, it seems as if all nodes matching the XPath expression must be integrity constrained.

      Similar issues exist with the SignedParts, EncryptedParts, EncryptedElements, and ContentEncryptedElements assertions as well.

      Attachments

        1. cxf-2638-fixed.patch
          85 kB
          David Valeri
        2. cxf-2638.patch
          71 kB
          David Valeri

        Issue Links

          Activity

            People

              dkulp Daniel Kulp
              davaleri David Valeri
              Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: