
EndorsingSupportingTokens do not respect ProtectTokens assertion from paired binding policy

    Details

    • Estimated Complexity:
      Unknown

      Description

      I have a WSDL containing both a SymmetricBinding and an EndorsingSupportingTokens policy. The binding one specifies the ProtectTokens assertion. As a consequence, as per WS-SecurityPolicy 1.2 Section 8.9, the signature for the endorsing supporting token should sign both the first signature and the endorsing token, while it seems the latter is currently not covered.
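To make the Section 8.9 requirement concrete, here is a small standalone model of the check a policy validator has to perform on the endorsing signature. It is an added example written for this page, not CXF or WSS4J code: it uses only `javax.xml.namespace.QName` and represents the signed references as a list of element names, which is what the validator's `WSDataRef.getName()` loop iterates over; the namespace constants are the standard XML-DSig and WSSE ones and are assumed here rather than taken from the issue.

```java
import javax.xml.namespace.QName;
import java.util.Arrays;
import java.util.List;

/** Models the ProtectTokens check for an endorsing signature (added example, not CXF code). */
public class EndorsingProtectTokensCheck {
    // Standard namespaces, assumed for this example; not quoted from the issue page.
    static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final QName SIGNATURE = new QName(DSIG_NS, "Signature");
    static final QName BST = new QName(WSSE_NS, "BinarySecurityToken");

    /**
     * @param signedRefs    element names covered by the endorsing signature
     * @param token         the endorsing token element that produced the signature
     * @param protectTokens whether the paired binding asserts sp:ProtectTokens
     * @return true when the endorsing signature satisfies the policy
     */
    static boolean endorsingSignatureIsValid(List<QName> signedRefs, QName token,
                                             boolean protectTokens) {
        if (signedRefs == null || signedRefs.isEmpty()) {
            return false;
        }
        boolean coversPrimarySignature = signedRefs.contains(SIGNATURE);
        if (!protectTokens) {
            // Without ProtectTokens the endorsing signature only has to cover the
            // primary signature; a single reference is the expected shape.
            return coversPrimarySignature;
        }
        // WS-SecurityPolicy 1.2 Section 8.9: with ProtectTokens the endorsing
        // signature must cover both the primary signature and its own token, so
        // a reference list of exactly one entry can never be valid here.
        return coversPrimarySignature && signedRefs.contains(token);
    }

    public static void main(String[] args) {
        // Constructed inputs: the reference lists an endorsing signature might carry.
        List<QName> onlySignature = Arrays.asList(SIGNATURE);
        List<QName> signatureAndToken = Arrays.asList(SIGNATURE, BST);

        System.out.println(endorsingSignatureIsValid(onlySignature, BST, false));
        System.out.println(endorsingSignatureIsValid(onlySignature, BST, true));
        System.out.println(endorsingSignatureIsValid(signatureAndToken, BST, true));
    }
}
```

The second call is the case the issue describes: the endorsing signature covers the primary signature only, so under ProtectTokens it must be rejected even though its reference list is non-empty.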


          Activity

          asoldano Alessio Soldano added a comment -

          In order to fix this issue, the WSS-421 fix needs to be included. Moreover, the following patch is also required to allow validating the incoming message on the server side:

          Index: src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
          ===================================================================
          --- src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java	(revision 1442960)
          +++ src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java	(working copy)
          @@ -539,7 +539,7 @@
                           CastUtils.cast((List<?>)signedResult.get(
                               WSSecurityEngineResult.TAG_DATA_REF_URIS
                           ));
          -            if (sl != null && sl.size() == 1) {
          +            if (sl != null && sl.size() >= 1) {
                           for (WSDataRef dataRef : sl) {
                               QName signedQName = dataRef.getName();
                               if (WSSecurityEngine.SIGNATURE.equals(signedQName)
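Review bot: relaxing `sl.size() == 1` to `sl.size() >= 1` lets the endorsing signature carry more than one reference, but the loop that follows still only looks for a `WSSecurityEngine.SIGNATURE` entry among the `WSDataRef`s, so a multi-reference signature that covers the primary Signature plus some unrelated element and never the endorsing token itself would still pass. Since the point of this change is the ProtectTokens case, the validator should additionally require that one of the `dataRef.getName()` values is the endorsing token's element and fail when it is absent. Minor: `sl.size() >= 1` reads more clearly as `!sl.isEmpty()`.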
          
          asoldano Alessio Soldano added a comment -

          Assigning to Colm for later moving WSS4J dependency to 1.6.10.


            People

            • Assignee:
              coheigea Colm O hEigeartaigh
              Reporter:
              asoldano Alessio Soldano
