Details
- Bug
- Status: Resolved
- Major
- Resolution: Fixed
- 1.4
- None
Description
If no encryption is specified in the policy file and UsernameToken is used as a supporting token, then this token is always encrypted. org.apache.rampart.builder.BindingBuilder.handleSupportingTokens(RampartMessageData, SupportingToken) does not check if UsernameToken is an encrypted token and unconditionally adds it to the encryptedTokensIdList.
This can be easily fixed by modifying line 383 (as per src release 1.4) from
encryptedTokensIdList.add(utBuilder.getId());
to
if (suppTokens.isEncryptedToken()) {
    encryptedTokensIdList.add(utBuilder.getId());
}
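A regression check for the behaviour described in this report, as an added example that is not part of the original issue or of Rampart's code: it inspects an outgoing SOAP message and reports whether the UsernameToken went out in cleartext or encrypted, so the result can be compared with what the policy asked for. The function names and both sample envelopes are constructed, and the check assumes an encrypted token appears as an `xenc:EncryptedData` child of `wsse:Security`.

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
XENC = "http://www.w3.org/2001/04/xmlenc#"
SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"


def username_token_state(envelope_xml):
    """Return 'cleartext', 'encrypted' or 'absent' for the wsse:Security header.

    Meant for messages captured from your own test client. 'encrypted' is a
    heuristic: any EncryptedData directly under Security counts (assumption).
    """
    root = ET.fromstring(envelope_xml)
    security = next(root.iter(f"{{{WSSE}}}Security"), None)
    if security is None:
        return "absent"
    if security.find(f"{{{WSSE}}}UsernameToken") is not None:
        return "cleartext"
    if security.find(f"{{{XENC}}}EncryptedData") is not None:
        return "encrypted"
    return "absent"


def matches_policy(envelope_xml, policy_encrypts_token):
    """True when the token's state on the wire is what the policy requested."""
    expected = "encrypted" if policy_encrypts_token else "cleartext"
    return username_token_state(envelope_xml) == expected


def _envelope(security_children):
    # Constructed SOAP 1.1 envelope used only as sample input.
    return (f'<s:Envelope xmlns:s="{SOAP11}" xmlns:wsse="{WSSE}" xmlns:xenc="{XENC}">'
            f'<s:Header><wsse:Security>{security_children}</wsse:Security></s:Header>'
            '<s:Body/></s:Envelope>')


# Constructed samples: a plain supporting token, and the same header after encryption.
CLEARTEXT_MSG = _envelope(
    '<wsse:UsernameToken><wsse:Username>alice</wsse:Username>'
    '<wsse:Password>constructed-sample</wsse:Password></wsse:UsernameToken>')
ENCRYPTED_MSG = _envelope(
    '<xenc:EncryptedKey/>'
    f'<xenc:EncryptedData Type="{XENC}Element"><xenc:CipherData>'
    '<xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue>'
    '</xenc:CipherData></xenc:EncryptedData>')

if __name__ == "__main__":
    for name, msg in (("cleartext sample", CLEARTEXT_MSG), ("encrypted sample", ENCRYPTED_MSG)):
        print(name, "->", username_token_state(msg),
              "| ok for policy without encryption:", matches_policy(msg, False))
```

With a policy that specifies no encryption, the symptom in this report corresponds to `matches_policy(message, False)` returning `False` for the message the client sends.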