Details
- Type: Bug
- Status: Resolved
- Priority: Critical
- Resolution: Fixed
- 1.6.2
- None
- Environment: Java SDK 1.6.0_27, Windows XP Pro SP3, Axis2 1.6.2, Neethi 3.0.2, Rampart 1.6.2
Description
The following policy is not correctly handled by Rampart's policy module:
Input policy
<sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
    <wsp:Policy>
        <sp:HashPassword/>
        <sp:WssUsernameToken11/>
    </wsp:Policy>
</sp:UsernameToken>
After serialization:
<sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
    <wsp:Policy>
        <sp:WssUsernameToken11>
            <sp:HashPassword/>
        </sp:WssUsernameToken11>
    </wsp:Policy>
</sp:UsernameToken>
This is due to the following code in the serialize method of the UsernameToken class in package org.apache.ws.secpolicy.model:
if (isUseUTProfile10()) {
    // <sp:WssUsernameToken10 />
    writeStartElement(writer, prefix, SPConstants.USERNAME_TOKEN10, namespaceURI);
} else {
    // <sp:WssUsernameToken11 />
    writeStartElement(writer, prefix, SPConstants.USERNAME_TOKEN11, namespaceURI);
}
if (version == SPConstants.SP_V12) {
    if (isNoPassword()) {
        writeEmptyElement(writer, prefix, SPConstants.NO_PASSWORD, namespaceURI);
    } else if (isHashPassword()) {
        writeEmptyElement(writer, prefix, SPConstants.HASH_PASSWORD, namespaceURI);
    }
    if (isDerivedKeys()) {
        writeEmptyElement(writer, prefix, SPConstants.REQUIRE_DERIVED_KEYS, namespaceURI);
    } else if (isExplicitDerivedKeys()) {
        writeEmptyElement(writer, prefix, SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS, namespaceURI);
    } else if (isImpliedDerivedKeys()) {
        writeEmptyElement(writer, prefix, SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS, namespaceURI);
    }
}
writer.writeEndElement();
There are several issues:
- The ordering of the nested elements does not follow the WS-SecurityPolicy 1.2 specification [1], which lists the password assertions first, then the derived-key assertions, then the WSS profile assertions.
- WssUsernameToken10 and WssUsernameToken11 are empty sibling assertions, not parents of the other assertions; opening them with writeStartElement and closing them only at the end of the method nests every later assertion inside them.
- The WssUsernameToken10 and WssUsernameToken11 assertions are optional, so the unconditional else branch wrongly emits WssUsernameToken11 whenever profile 1.0 is not selected.
The code should be corrected to:
if (version == SPConstants.SP_V12) {
    if (isNoPassword()) {
        writeEmptyElement(writer, prefix, SPConstants.NO_PASSWORD, namespaceURI);
    } else if (isHashPassword()) {
        writeEmptyElement(writer, prefix, SPConstants.HASH_PASSWORD, namespaceURI);
    }
    if (isDerivedKeys()) {
        writeEmptyElement(writer, prefix, SPConstants.REQUIRE_DERIVED_KEYS, namespaceURI);
    } else if (isExplicitDerivedKeys()) {
        writeEmptyElement(writer, prefix, SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS, namespaceURI);
    } else if (isImpliedDerivedKeys()) {
        writeEmptyElement(writer, prefix, SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS, namespaceURI);
    }
}
if (isUseUTProfile10()) {
    // <sp:WssUsernameToken10 />
    writeEmptyElement(writer, prefix, SPConstants.USERNAME_TOKEN10, namespaceURI);
} else if (isUseUTProfile11()) {
    // <sp:WssUsernameToken11 />
    writeEmptyElement(writer, prefix, SPConstants.USERNAME_TOKEN11, namespaceURI);
}
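A small lint for the three issues listed above, added here as an example and not code from the Rampart project or this report: it checks that the nested policy of an sp:UsernameToken contains only empty assertions, at most one per group, in the order given in section 5.4.1 of the specification. The two sample documents are constructed from the fragments above; the wrapper's wsp namespace URI (WS-Policy 1.5) is an assumption, and the lint matches wsp:Policy by local name so it does not depend on it.

```python
import xml.etree.ElementTree as ET

SP_NS = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
# Assumed namespace for the wsp: prefix in the constructed samples (WS-Policy 1.5);
# the lint matches wsp:Policy by local name, so the older WS-Policy URI works too.
WSP_NS = "http://www.w3.org/ns/ws-policy"
INCLUDE = SP_NS + "/IncludeToken/AlwaysToRecipient"

# Nested assertions of sp:UsernameToken in the order WS-SecurityPolicy 1.2
# section 5.4.1 lists them: password handling, derived keys, WSS profile.
GROUP = {"NoPassword": 0, "HashPassword": 0,
         "RequireDerivedKeys": 1, "RequireImpliedDerivedKeys": 1, "RequireExplicitDerivedKeys": 1,
         "WssUsernameToken10": 2, "WssUsernameToken11": 2}

def local_name(tag):
    return tag.rsplit("}", 1)[-1]

def lint_username_token(xml_text):
    """Return findings for the sp:UsernameToken in xml_text; [] means it is well formed."""
    root = ET.fromstring(xml_text)
    token = root if local_name(root.tag) == "UsernameToken" else root.find(".//{%s}UsernameToken" % SP_NS)
    if token is None:
        return ["no sp:UsernameToken assertion found"]
    policies = [c for c in token if local_name(c.tag) == "Policy"]
    if len(policies) != 1:
        return ["expected exactly one nested wsp:Policy, found %d" % len(policies)]
    findings, seen, last = [], set(), -1
    for child in policies[0]:
        name = local_name(child.tag)
        if child.tag != "{%s}%s" % (SP_NS, name) or name not in GROUP:
            findings.append("unknown nested assertion " + name)
            continue
        if len(child):  # every assertion here is an empty element; none wraps the others
            findings.append("%s must be empty, contains %s" % (name, [local_name(g.tag) for g in child]))
        if GROUP[name] in seen:
            findings.append("conflicting assertion " + name + " (one per group allowed)")
        if GROUP[name] < last:
            findings.append(name + " out of order: expected password, derived keys, WSS profile")
        seen.add(GROUP[name]); last = max(last, GROUP[name])
    return findings

def username_token_doc(nested):
    """Constructed sample: wrap nested assertion markup in the report's sp:UsernameToken."""
    return ('<wsp:Policy xmlns:sp="%s" xmlns:wsp="%s"><sp:UsernameToken sp:IncludeToken="%s">'
            '<wsp:Policy>%s</wsp:Policy></sp:UsernameToken></wsp:Policy>' % (SP_NS, WSP_NS, INCLUDE, nested))

# The input policy from the report, and what Rampart 1.6.2 serializes it to.
INPUT_POLICY = username_token_doc("<sp:HashPassword/><sp:WssUsernameToken11/>")
SERIALIZED_BY_RAMPART = username_token_doc("<sp:WssUsernameToken11><sp:HashPassword/></sp:WssUsernameToken11>")
```

lint_username_token(INPUT_POLICY) returns no findings, while lint_username_token(SERIALIZED_BY_RAMPART) reports that WssUsernameToken11 wraps HashPassword; the same function flags a swapped order or both NoPassword and HashPassword present.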
[1] http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc161826535 (Section 5.4.1)