Rampart / RAMPART-264

PolicyBasedResultsValidator fails on ContentEncryptedElements and EncryptedElements


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.4
    • Fix Version/s: 1.6.0
    • Component/s: rampart-core
    • Labels: None
    • Environment: tomcat6, axis2 1.4

    Description

      The validation of ContentEncryptedElements or EncryptedElements fails:

      Caused by: org.apache.rampart.RampartException: Missing encryption result for id : http://test.at/:name
      at org.apache.rampart.PolicyBasedResultsValidator.validateEncryptedParts(PolicyBasedResultsValidator.java:448)
      at org.apache.rampart.PolicyBasedResultsValidator.validate(PolicyBasedResultsValidator.java:144)
      at org.apache.rampart.RampartEngine.process(RampartEngine.java:204)
      at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
      ... 21 more

      This error is caused by lines 447 - 448 of the PolicyBasedResultsValidator class.
      The problem is that decrypted elements have no encryption id attribute, and thus the check if(encPart.getEncId() == null) evaluates to true, resulting in the given RampartException.

      From my point of view the error lies within the validation process. The behavior that no id attributes are present in decrypted elements is intended by the WS-SecurityPolicy specification.

      I would suggest two fixes:

      1.) (Quick and Dirty):

      Extend the PolicyBasedResultsValidator and override the validateEncryptedParts (almost the same as in base class):

      import java.util.ArrayList;
      import java.util.Vector;

      import javax.xml.namespace.QName;

      import org.apache.rampart.PolicyBasedResultsValidator;
      import org.apache.rampart.RampartException;
      import org.apache.rampart.RampartMessageData;
      import org.apache.rampart.ValidatorData;
      import org.apache.rampart.policy.RampartPolicyData;
      import org.apache.ws.security.WSConstants;
      import org.apache.ws.security.WSEncryptionPart;

      // Class name chosen for illustration only; any name works as long as it is
      // the one referenced from ramp:policyValidatorCbClass.
      public class ElementAwareResultsValidator extends PolicyBasedResultsValidator {

          protected void validateEncryptedParts(ValidatorData data,
                  Vector encryptedParts, Vector results) throws RampartException {
              RampartMessageData rmd = data.getRampartMessageData();
              ArrayList encrRefs = getEncryptedReferences(results);
              RampartPolicyData rpd = rmd.getPolicyData();

              // Check for encrypted body
              if (rpd.isEncryptBody()) {
                  if (!isRefIdPresent(encrRefs, data.getBodyEncrDataId())) {
                      throw new RampartException("encryptedPartMissing",
                              new String[] { data.getBodyEncrDataId() });
                  }
              }

              for (int i = 0; i < encryptedParts.size(); i++) {
                  WSEncryptionPart encPart = (WSEncryptionPart) encryptedParts.get(i);

                  // This is the encrypted Body and we already checked encrypted body
                  if (encPart.getType() == WSConstants.PART_TYPE_BODY) {
                      continue;
                  }

                  // Signature element or a header part: look the reference up by QName
                  if ((WSConstants.SIG_LN.equals(encPart.getName()) &&
                          WSConstants.SIG_NS.equals(encPart.getNamespace())) ||
                          encPart.getType() == WSConstants.PART_TYPE_HEADER) {
                      if (!isRefIdPresent(encrRefs, new QName(encPart.getNamespace(), encPart.getName()))) {
                          throw new RampartException("encryptedPartMissing",
                                  new String[] { encPart.getNamespace() + ":" + encPart.getName() });
                      }
                      continue;
                  }

                  if (encPart.getEncId() == null) {
                      // !!! this line is added !!!
                      // Decrypted elements carry no encryption id, so fall back to a QName lookup
                      // instead of throwing unconditionally as the base class does.
                      if (!isRefIdPresent(encrRefs, new QName(encPart.getNamespace(), encPart.getName()))) {
                          throw new RampartException("encryptedPartMissing",
                                  new String[] { encPart.getNamespace() + ":" + encPart.getName() });
                      }
                  } else if (!isRefIdPresent(encrRefs, encPart.getEncId())) {
                      throw new RampartException("encryptedPartMissing",
                              new String[] { encPart.getNamespace() + ":" + encPart.getName() });
                  }
              }
          }

          // isRefIdPresent(ArrayList, QName) and isRefIdPresent(ArrayList, String) are private
          // in PolicyBasedResultsValidator and must be copied into this class (see below).
      }

      One also needs to copy the private methods isRefIdPresent(ArrayList refList, QName qname) and isRefIdPresent(ArrayList refList, String id) from the PolicyBasedResultsValidator class.

      Then the Rampart Config can be adapted to use the new PolicyValidatorCallbackHandler (ramp:policyValidatorCbClass).
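As an added illustration (constructed here, not taken from the issue's attachments or the Rampart project), this policy excerpt encrypts the element named in the stack trace (local name name, namespace http://test.at/) and wires a validator subclass in through ramp:policyValidatorCbClass; the class name at.test.ElementAwareResultsValidator and the element binding are assumptions.

```xml
<!-- Constructed example: excerpt of a services.xml policy. The binding, token
     and other assertions of the real policy are omitted; per the note on
     RAMPART-218 below, EncryptedElements must not be the only assertion. -->
<wsp:Policy wsu:Id="EncryptNameElement"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
    xmlns:ramp="http://ws.apache.org/rampart/policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <!-- binding, tokens, Wss10/Wss11 etc. go here -->

      <!-- Element whose validation fails with
           "Missing encryption result for id : http://test.at/:name".
           The prefix t is resolved from this in-scope declaration. -->
      <sp:EncryptedElements>
        <sp:XPath xmlns:t="http://test.at/">//t:name</sp:XPath>
      </sp:EncryptedElements>

      <ramp:RampartConfig>
        <!-- Assumed class name: the subclass overriding validateEncryptedParts -->
        <ramp:policyValidatorCbClass>at.test.ElementAwareResultsValidator</ramp:policyValidatorCbClass>
        <!-- user, passwordCallbackClass and crypto settings as in the existing setup -->
      </ramp:RampartConfig>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
```

The subclass must be on the service classpath; without the override, Rampart's stock validator throws the RampartException quoted in the description as soon as the decrypted t:name element is checked.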

      2.) (Clean but more work)
      From my point of view the WSEncryptionPart should be of type WSConstants.PART_TYPE_ELEMENT. This must be set within the methods getContentEncryptedElements and getPartsAndElements. Those methods iterate over the XPaths of the corresponding ContentEncryptedElements or EncryptedElements. They create new WSEncryptionParts but don't set any type. If the type were set correctly, then one could check for this type within the PolicyBasedResultsValidator (line 437) as follows:

      if ((WSConstants.SIG_LN.equals(encPart.getName()) &&
              WSConstants.SIG_NS.equals(encPart.getNamespace())) ||
              encPart.getType() == WSConstants.PART_TYPE_HEADER ||
              encPart.getType() == WSConstants.PART_TYPE_ELEMENT) {
          // Elements, like headers, are matched by QName since decrypted elements have no id
          if (!isRefIdPresent(encrRefs, new QName(encPart.getNamespace(), encPart.getName()))) {
              throw new RampartException("encryptedPartMissing",
                      new String[] { encPart.getNamespace() + ":" + encPart.getName() });
          }
          continue;
      }

      Hopefully this helps to locate and fix the bug.

      Note:
      As in (http://issues.apache.org/jira/browse/RAMPART-218) the policy isn't processed, if ContentEncryptedElements or EncryptedElements are the only assertions.

      Attachments

        1. message.xml (6 kB, Christian Connert)
        2. testPolicy.xml (3 kB, Christian Connert)

      People

        Assignee: thilinamb Thilina Mahesh Buddhika
        Reporter: mellowsnow Christian Connert