
Invalid serialization for UsernameToken with WS-SecurityPolicy 1.2


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 1.6.2
    • Fix Version/s: None
    • Component/s: rampart-policy
    • Environment: Java SDK 1.6.0_27
      Windows XP Pro SP3
      Axis2 1.6.2
      Neethi 3.0.2
      Rampart 1.6.2

    Description

      The following policy is not correctly handled by Rampart policy:

      Input policy
      <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
      <wsp:Policy>
      <sp:HashPassword/>
      <sp:WssUsernameToken11/>
      </wsp:Policy>
      </sp:UsernameToken>

      After serialization:
      <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
      <wsp:Policy>
      <sp:WssUsernameToken11>
      <sp:HashPassword/>
      </sp:WssUsernameToken11>
      </wsp:Policy>
      </sp:UsernameToken>

      This is due to the following code in the serialize method of the UsernameToken class in package org.apache.ws.secpolicy.model:

      if (isUseUTProfile10()) {
          // <sp:WssUsernameToken10 />
          writeStartElement(writer, prefix, SPConstants.USERNAME_TOKEN10, namespaceURI);
      } else {
          // <sp:WssUsernameToken11 />
          writeStartElement(writer, prefix, SPConstants.USERNAME_TOKEN11, namespaceURI);
      }

      if (version == SPConstants.SP_V12) {
          if (isNoPassword()) {
              writeEmptyElement(writer, prefix, SPConstants.NO_PASSWORD, namespaceURI);
          } else if (isHashPassword()) {
              writeEmptyElement(writer, prefix, SPConstants.HASH_PASSWORD, namespaceURI);
          }

          if (isDerivedKeys()) {
              writeEmptyElement(writer, prefix, SPConstants.REQUIRE_DERIVED_KEYS, namespaceURI);
          } else if (isExplicitDerivedKeys()) {
              writeEmptyElement(writer, prefix, SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS, namespaceURI);
          } else if (isImpliedDerivedKeys()) {
              writeEmptyElement(writer, prefix, SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS, namespaceURI);
          }
      }
      writer.writeEndElement();

      There are several issues:

      • Ordering of elements doesn't respect the WS-SecurityPolicy 1.2 specs [1]
      • WssUsernameToken10 and WssUsernameToken11 aren't parents of other assertions
      • Use of assertions WssUsernameToken10 or WssUsernameToken11 is not mandatory

      The code should be corrected to:

      if (version == SPConstants.SP_V12) {
          if (isNoPassword()) {
              writeEmptyElement(writer, prefix, SPConstants.NO_PASSWORD, namespaceURI);
          } else if (isHashPassword()) {
              writeEmptyElement(writer, prefix, SPConstants.HASH_PASSWORD, namespaceURI);
          }

          if (isDerivedKeys()) {
              writeEmptyElement(writer, prefix, SPConstants.REQUIRE_DERIVED_KEYS, namespaceURI);
          } else if (isExplicitDerivedKeys()) {
              writeEmptyElement(writer, prefix, SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS, namespaceURI);
          } else if (isImpliedDerivedKeys()) {
              writeEmptyElement(writer, prefix, SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS, namespaceURI);
          }
      }

      if (isUseUTProfile10()) {
          // <sp:WssUsernameToken10 />
          writeEmptyElement(writer, prefix, SPConstants.USERNAME_TOKEN10, namespaceURI);
      } else if (isUseUTProfile11()) {
          // <sp:WssUsernameToken11 />
          writeEmptyElement(writer, prefix, SPConstants.USERNAME_TOKEN11, namespaceURI);
      }

      [1] http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc161826535 (Section 5.4.1)


          People

            Assignee: ruchith Ruchith B. Gunaratne
            Reporter: yguerro Yoann Guerro
            Votes: 0
            Watchers: 3


              Time Tracking

                Original Estimate: 1h
                Remaining Estimate: 1h
                Time Spent: Not Specified