Rampart / RAMPART-189

WS-Security rampart uses wrong token in service response


Details

    • Bug
    • Status: Resolved
    • Critical
    • Resolution: Fixed
    • 1.4
    • 1.5
    • None

    Description

      In rampart 1.4:

      AsymmetricBindingBuilder.doSignBeforeEncrypt line 457:
      Token encrToken = rpd.getRecipientToken();
      The problem is that if this is recipient mode (i.e. service side) then the encryption token should be the initiator's token.

      It looks like it's handled correctly in the signature portion. The same check should be made for encrypting.
      AsymmetricBindingBuilder.doSignature lines 566-570: This block of code checks for the direction and uses the policy token assertion correctly:

          if (rmd.isInitiator()) {
              sigToken = rpd.getInitiatorToken();
          } else {
              sigToken = rpd.getRecipientToken();
          }
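The effect of the token choice described in the report, as an added example that is not Rampart code and not the project's fix: a service wraps a response session key with the token picked by each selection rule, and the client tries to unwrap it with the initiator's private key. `Policy`, `Role` and the method names are hypothetical stand-ins, RSA-OAEP key wrapping stands in for the WS-Security encrypted key, and Java 16+ is assumed for `record`.

```java
import javax.crypto.Cipher;
import java.security.*;

// Added illustration: Policy and Role are stand-ins, not Rampart classes.
public class EncryptionTokenDirection {
    enum Role { INITIATOR, RECIPIENT }

    // Stand-in for the InitiatorToken / RecipientToken pair of an asymmetric binding.
    record Policy(KeyPair initiatorToken, KeyPair recipientToken) {}

    // Behaviour reported in the issue: the recipient token regardless of direction.
    static KeyPair reportedEncryptionToken(Policy p, Role sender) {
        return p.recipientToken();
    }

    // Direction-aware choice: the sender encrypts to the peer's token.
    static KeyPair directionAwareEncryptionToken(Policy p, Role sender) {
        return sender == Role.INITIATOR ? p.recipientToken() : p.initiatorToken();
    }

    static Cipher oaep(int mode, Key key) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        c.init(mode, key);
        return c;
    }

    // True when the holder of privateKey can unwrap the encrypted session key.
    static boolean canDecrypt(PrivateKey privateKey, byte[] wrapped) {
        try {
            oaep(Cipher.DECRYPT_MODE, privateKey).doFinal(wrapped);
            return true;
        } catch (GeneralSecurityException e) {
            return false; // wrong key: the OAEP padding check fails
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        Policy policy = new Policy(gen.generateKeyPair(), gen.generateKeyPair());
        byte[] sessionKey = new byte[32]; // constructed sample key material (all zeros)
        PrivateKey clientKey = policy.initiatorToken().getPrivate();

        // The service (Role.RECIPIENT) wraps the session key of its response.
        KeyPair reported = reportedEncryptionToken(policy, Role.RECIPIENT);
        KeyPair aware = directionAwareEncryptionToken(policy, Role.RECIPIENT);
        byte[] a = oaep(Cipher.ENCRYPT_MODE, reported.getPublic()).doFinal(sessionKey);
        byte[] b = oaep(Cipher.ENCRYPT_MODE, aware.getPublic()).doFinal(sessionKey);
        System.out.println("reported selection, client can decrypt: " + canDecrypt(clientKey, a));
        System.out.println("direction-aware selection, client can decrypt: " + canDecrypt(clientKey, b));
    }
}
```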

          People

            nandana.cse Nandana Mihindukulasooriya
            gsnider Gary Snider