CXF-2714: SupportingToken UsernameToken is always encrypted

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.2.6
    • Fix Version/s: 2.2.8
    • Component/s: WS-* Components
    • Labels:
      None

      Description

      If no encryption is specified in the policy file and a UsernameToken is used as a supporting token, then this token is always encrypted.
      org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.handleSupportingTokens(SupportingToken, boolean, Map<Token, WSSecBase>) does not check whether the UsernameToken is an encrypted token and unconditionally adds it to the encryptedTokensIdList.

      This can be easily fixed by modifying line 428 (as per src release 1.4) from

      encryptedTokensIdList.add(utBuilder.getId());

      to

      if (suppTokens.isEncryptedToken()) {
          encryptedTokensIdList.add(utBuilder.getId());
      }

      One more concern is about the comment in the file:
      //WebLogic and WCF always encrypt these
      //See: http://e-docs.bea.com/wls/docs103/webserv_intro/interop.html
      Currently WebLogic doesn't encrypt the UsernameToken, and we got an interoperability issue between CXF and WebLogic.

      The same bug is already registered for RAMPART (RAMPART-225).
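
A way to check a captured message against the policy for the mismatch reported above, as an added example that is not part of the report or of CXF. The sample policy and messages are constructed, the helper names are hypothetical, and only the supporting-token assertion name is considered (EncryptedParts/EncryptedElements are ignored).

```python
import xml.etree.ElementTree as ET  # use a hardened parser (e.g. defusedxml) for untrusted XML
SP_NS = {"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702",  # WS-SecurityPolicy 1.2
         "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"}       # WS-SecurityPolicy 1.1
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
XENC = "http://www.w3.org/2001/04/xmlenc#"

def split(tag):  # '{ns}local' -> (ns, local)
    return tuple(tag[1:].split("}", 1)) if tag.startswith("{") else ("", tag)

def policy_requires_encrypted_ut(policy_xml):
    """True/False for a UsernameToken supporting token, None if the policy has none."""
    result = None
    for el in ET.fromstring(policy_xml).iter():
        ns, local = split(el.tag)
        if ns in SP_NS and local.endswith("SupportingTokens"):
            if any(split(d.tag) == (ns, "UsernameToken") for d in el.iter()):
                # Only the *Encrypted*SupportingTokens variants ask for encryption.
                result = bool(result) or "Encrypted" in local
    return result

def message_ut_state(soap_xml):
    """'cleartext', 'encrypted' (heuristic) or 'absent' for the wsse:Security header."""
    sec = ET.fromstring(soap_xml).find(f".//{{{WSSE}}}Security")
    if sec is not None and sec.find(f"{{{WSSE}}}UsernameToken") is not None:
        return "cleartext"
    # Assumption: an EncryptedData child of the header is the replaced token;
    # this cannot be confirmed without the decryption key.
    enc = sec is not None and sec.find(f"{{{XENC}}}EncryptedData") is not None
    return "encrypted" if enc else "absent"

def check(policy_xml, soap_xml):
    want, got = policy_requires_encrypted_ut(policy_xml), message_ut_state(soap_xml)
    if want is None or got == "absent":
        return "no-token"
    if got == "encrypted" and not want:
        return "over-encrypted"   # the behaviour reported in this issue
    if got == "cleartext" and want:
        return "under-protected"  # policy asks for encryption, token sent in clear
    return "ok"

# Constructed samples (not taken from the issue).
POLICY = ('<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" '
          'xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">'
          '<sp:SupportingTokens><wsp:Policy><sp:UsernameToken/></wsp:Policy></sp:SupportingTokens></wsp:Policy>')
ENV = ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
       f'xmlns:wsse="{WSSE}" xmlns:xenc="{XENC}"><s:Header><wsse:Security>'
       '%s</wsse:Security></s:Header><s:Body/></s:Envelope>')
MSG_ENCRYPTED = ENV % '<xenc:EncryptedData Id="ED-1"/>'
MSG_CLEAR = ENV % '<wsse:UsernameToken><wsse:Username>alice</wsse:Username></wsse:UsernameToken>'
```

With the sample policy, check(POLICY, MSG_ENCRYPTED) reports "over-encrypted" and check(POLICY, MSG_CLEAR) reports "ok".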

            People

            • Assignee: dkulp Daniel Kulp
            • Reporter: ilavloki Alexey Ilyin
