Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Fixed
-
2.5
-
None
-
Moderate
Description
I found a bug in X509TokenValidator class.
There are two crypto handler which can be configured:
<entry key="ws-security.signature.crypto" value-ref="..."/>
<entry key="ws-security.encryption.crypto" value-ref="..."/>
ws-security.signature.crypto is for my own signature, when sending messages, and to decrypt messages, which have been send to me. (here is my private key)
ws-security.encryption.crypto is for encrypting messages before sending and validating of signatures in received messages. (here are all my trusted public keys/CAs)
In X509TokenValidator the signature crypto provider is used to validate a received message signature. But instead the encryption provider should be used! See line 101 in X509TokenValidator.java:
Crypto sigCrypto = stsProperties.getSignatureCrypto();
There might be other sections which needs to be updated as well...
Best regards
Jan
See post on the mailinglist regarding this topic also:
http://cxf.547215.n5.nabble.com/X509TokenValidator-td5139681.html