Rampart / RAMPART-384

Invalid serialization for UsernameToken with WS-SecurityPolicy 1.2


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 1.6.2
    • Fix Version/s: None
    • Component/s: rampart-policy
    • Environment:
      Java SDK 1.6.0_27
      Windows XP Pro SP3
      Axis2 1.6.2
      Neethi 3.0.2
      Rampart 1.6.2

      Description

      The following policy is not correctly handled by Rampart policy:

      Input policy
      <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
      <wsp:Policy>
      <sp:HashPassword/>
      <sp:WssUsernameToken11/>
      </wsp:Policy>
      </sp:UsernameToken>

      After serialization:
      <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
      <wsp:Policy>
      <sp:WssUsernameToken11>
      <sp:HashPassword/>
      </sp:WssUsernameToken11>
      </wsp:Policy>
      </sp:UsernameToken>

      This is due to the following code in the serialize method of the UsernameToken class in package org.apache.ws.secpolicy.model:

      if (isUseUTProfile10()) {
          // <sp:WssUsernameToken10 />
          writeStartElement(writer, prefix, SPConstants.USERNAME_TOKEN10, namespaceURI);
      } else {
          // <sp:WssUsernameToken11 />
          writeStartElement(writer, prefix, SPConstants.USERNAME_TOKEN11, namespaceURI);
      }

      if (version == SPConstants.SP_V12) {
          if (isNoPassword()) {
              writeEmptyElement(writer, prefix, SPConstants.NO_PASSWORD, namespaceURI);
          } else if (isHashPassword()) {
              writeEmptyElement(writer, prefix, SPConstants.HASH_PASSWORD, namespaceURI);
          }

          if (isDerivedKeys()) {
              writeEmptyElement(writer, prefix, SPConstants.REQUIRE_DERIVED_KEYS, namespaceURI);
          } else if (isExplicitDerivedKeys()) {
              writeEmptyElement(writer, prefix, SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS, namespaceURI);
          } else if (isImpliedDerivedKeys()) {
              writeEmptyElement(writer, prefix, SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS, namespaceURI);
          }
      }
      // closes the <sp:WssUsernameToken10 /> or <sp:WssUsernameToken11 /> opened above,
      // so the password and derived-key assertions end up nested inside it
      writer.writeEndElement();

      There are several issues:

      • Ordering of elements doesn't respect the WS-SecurityPolicy 1.2 specs [1]
      • WssUsernameToken10 and WssUsernameToken11 aren't parents of other assertions
      • Use of assertions WssUsernameToken10 or WssUsernameToken11 is not mandatory

      The code should be corrected to:

      if (version == SPConstants.SP_V12) {
          if (isNoPassword()) {
              writeEmptyElement(writer, prefix, SPConstants.NO_PASSWORD, namespaceURI);
          } else if (isHashPassword()) {
              writeEmptyElement(writer, prefix, SPConstants.HASH_PASSWORD, namespaceURI);
          }

          if (isDerivedKeys()) {
              writeEmptyElement(writer, prefix, SPConstants.REQUIRE_DERIVED_KEYS, namespaceURI);
          } else if (isExplicitDerivedKeys()) {
              writeEmptyElement(writer, prefix, SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS, namespaceURI);
          } else if (isImpliedDerivedKeys()) {
              writeEmptyElement(writer, prefix, SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS, namespaceURI);
          }
      }

      if (isUseUTProfile10()) {
          // <sp:WssUsernameToken10 />
          writeEmptyElement(writer, prefix, SPConstants.USERNAME_TOKEN10, namespaceURI);
      } else if (isUseUTProfile11()) {
          // <sp:WssUsernameToken11 />
          writeEmptyElement(writer, prefix, SPConstants.USERNAME_TOKEN11, namespaceURI);
      }

      [1] http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc161826535 (Section 5.4.1)
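      As an added check, not part of this report or of Rampart's own code: a small Python validator that parses a serialized sp:UsernameToken assertion and flags the three defects described above (an assertion nested inside WssUsernameToken10/11, a group of alternatives appearing twice, and groups out of the order the spec's syntax in Section 5.4.1 lists). The sample documents are constructed from the two snippets in the report; the xmlns declarations are added by the example because the snippets omit them, and the validator accepts both the WS-Policy 1.5 and the 2004/09 wsp namespace.

```python
import xml.etree.ElementTree as ET

# WS-SecurityPolicy 1.2 namespace (the prefix of the IncludeToken URI in the
# report) and the two WS-Policy namespaces (1.5 and the older 2004/09 one) a
# Rampart-era policy may use for wsp:Policy.
SP_NS = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSP_NS = {"http://www.w3.org/ns/ws-policy",
          "http://schemas.xmlsoap.org/ws/2004/09/policy"}

# Nested assertion groups of sp:UsernameToken in the order the spec's syntax
# (Section 5.4.1) lists them and the corrected serialize() emits them. Each
# group is optional, appears at most once, and its members are alternatives.
GROUPS = [
    ("password", {"NoPassword", "HashPassword"}),
    ("derived-keys", {"RequireDerivedKeys", "RequireExplicitDerivedKeys",
                      "RequireImpliedDerivedKeys"}),
    ("token-profile", {"WssUsernameToken10", "WssUsernameToken11"}),
]
GROUP_OF = {name: group for group, members in GROUPS for name in members}
ORDER = {group: i for i, (group, _) in enumerate(GROUPS)}


def split_tag(tag):
    """Split ElementTree's '{namespace}local' tag form into (namespace, local)."""
    if tag.startswith("{"):
        namespace, _, local = tag[1:].partition("}")
        return namespace, local
    return "", tag


def check_username_token(xml_text):
    """Return the list of findings for one serialized sp:UsernameToken.

    An empty list means the nested policy has the WS-SecurityPolicy 1.2 layout:
    every assertion is an empty, direct child of wsp:Policy, each group occurs
    at most once, and the groups appear in spec order.
    """
    root = ET.fromstring(xml_text)
    if split_tag(root.tag) != (SP_NS, "UsernameToken"):
        return [f"root is {root.tag}, expected sp:UsernameToken"]

    policies = [c for c in root
                if split_tag(c.tag)[0] in WSP_NS and split_tag(c.tag)[1] == "Policy"]
    if len(policies) != 1:
        return [f"expected exactly one wsp:Policy child, found {len(policies)}"]

    findings = []
    seen = []  # groups encountered so far, in document order
    for child in policies[0]:
        namespace, name = split_tag(child.tag)
        if namespace != SP_NS or name not in GROUP_OF:
            findings.append(f"unexpected child {child.tag}")
            continue
        # All of these assertions are empty elements; WssUsernameToken10/11
        # wrapping the password assertion is exactly the bug in the report.
        for nested in child:
            findings.append(f"{name} must not contain {split_tag(nested.tag)[1]}")
        group = GROUP_OF[name]
        if group in seen:
            findings.append(f"more than one {group} assertion ({name})")
        elif seen and ORDER[group] < ORDER[seen[-1]]:
            findings.append(f"{name} appears after {seen[-1]} assertion, out of spec order")
        seen.append(group)
    return findings


def _username_token(policy_children):
    """Wrap constructed wsp:Policy children in the sp:UsernameToken from the report."""
    return (f'<sp:UsernameToken xmlns:sp="{SP_NS}" xmlns:wsp="http://www.w3.org/ns/ws-policy" '
            f'sp:IncludeToken="{SP_NS}/IncludeToken/AlwaysToRecipient">'
            f"<wsp:Policy>{policy_children}</wsp:Policy></sp:UsernameToken>")


# Constructed samples: the input policy and the Rampart 1.6.2 output from the
# report (namespace declarations added), plus an out-of-order sibling variant.
INPUT_POLICY = _username_token("<sp:HashPassword/><sp:WssUsernameToken11/>")
RAMPART_162_OUTPUT = _username_token(
    "<sp:WssUsernameToken11><sp:HashPassword/></sp:WssUsernameToken11>")
OUT_OF_ORDER = _username_token("<sp:WssUsernameToken11/><sp:HashPassword/>")

if __name__ == "__main__":
    for label, sample in [("input", INPUT_POLICY),
                          ("rampart 1.6.2 output", RAMPART_162_OUTPUT),
                          ("out of order", OUT_OF_ORDER)]:
        print(label, "->", check_username_token(sample) or "OK")
```

      Running the validator over the output of a policy round trip (parse, serialize, parse again) is a cheap regression check for this class of bug: the input policy passes, the 1.6.2 output is flagged for the nested HashPassword, and the sibling-but-reordered variant is flagged for order only.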

      People

      • Assignee: Ruchith Udayanga Fernando (ruchith)
      • Reporter: Yoann Guerro (yguerro)

      Time Tracking

      • Original Estimate: 1h
      • Remaining Estimate: 1h
      • Time Spent: Not Specified