Details
- Bug
- Status: Resolved
- Critical
- Resolution: Fixed
- 1.4
- None
Description
In Rampart 1.4:
AsymmetricBindingBuilder.doSignBeforeEncrypt line 457:
    Token encrToken = rpd.getRecipientToken();
The problem is that if this is recipient mode (i.e. service side) then the encryption token should be the initiator's token.
It looks like it's handled correctly in the signature portion. The same check should be made for encrypting.
AsymmetricBindingBuilder.doSignature lines 566-570: This block of code checks for the direction and uses the policy token assertion correctly:
    if(rmd.isInitiator()) {
        sigToken = rpd.getInitiatorToken();
    } else