Santuario / SANTUARIO-538

SignatureCreateReferenceURIResolverTest gives false positives


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: Java 2.1.5
    • Fix Version/s: Java 2.2.0
    • Component/s: Java
    • Labels: None

    Description

      SignatureCreationReferenceURIResolverTest.testSignatureCreationWithExternal* gives false positives.
      The essence of these tests seems to be a SecurePart that has an external reference.
      These secure parts never match anything, in spite of the fact that they are required (by default).
      The reason they don't fail is because OutboundXMLSec.processOutMessage ignores them: because they have no getIdToSign(), no getName() and no isSecureEntireRequest(), they are never put (putAsMap) in the security context.
      You can just as well remove them from the tests, and the tests are still green.

      An example of a code snippet from SignatureCreationReferenceURIResolverTest:

      File file = new File(BASEDIR + 
                           "/src/test/resources/ie/baltimore/merlin-examples/merlin-xmlenc-five/plaintext.xml").getCanonicalFile();
      // Below securePart is ignored, nothing is verified, test is falsely green.
      securePart = new SecurePart(file.toURI().toString(),
              new String[]{"http://www.w3.org/TR/2001/REC-xml-c14n-20010315"},
              XMLSecurityConstants.NS_XMLDSIG_SHA1);
      properties.addSignaturePart(securePart);
      

      If someone could explain to me what the intent of this feature is, I would be happy to fix them.
      I have the vague impression that they're tests for a feature that has not been implemented.

      I bumped into this in the context of SANTUARIO-532, where SignatureCreationReferenceURIResolverTest started failing on the requiredness once I no longer ignore the secure parts in OutboundXMLSec.processOutMessage.
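
A simplified model of the behaviour the report describes, added here as an illustration; it is not Santuario code and not the reporter's, and every class and method name in it is hypothetical. It shows why a required part that is never registered cannot fail the requiredness check, and one possible guard (an assumption, not the project's fix) that rejects parts which can never match.

```java
import java.util.*;

// Hypothetical model of the filter described in the report; not Santuario code.
public class IgnoredSecurePartDemo {
    record Part(String name, String idToSign, String externalReference,
                boolean secureEntireRequest, boolean required) {}

    // Mirrors the described behaviour: a part is registered only when it has an id,
    // a name, or covers the entire request. Anything else is dropped silently.
    static List<Part> registerLenient(List<Part> parts) {
        List<Part> registered = new ArrayList<>();
        for (Part p : parts) {
            if (p.idToSign() != null || p.name() != null || p.secureEntireRequest()) {
                registered.add(p);
            }
        }
        return registered;
    }

    // Stricter variant: a part that cannot be registered is reported, not ignored.
    static List<Part> registerStrict(List<Part> parts) {
        List<Part> registered = registerLenient(parts);
        for (Part p : parts) {
            if (!registered.contains(p)) {
                throw new IllegalStateException("Secure part can never match: " + p);
            }
        }
        return registered;
    }

    // Requiredness check: every registered required part must have been signed.
    static void checkRequired(List<Part> registered, Set<Part> signed) {
        for (Part p : registered) {
            if (p.required() && !signed.contains(p)) {
                throw new IllegalStateException("Required part not signed: " + p);
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample: external reference only, required by default.
        Part external = new Part(null, null, "file:/constructed/plaintext.xml", false, true);
        List<Part> lenient = registerLenient(List.of(external));
        checkRequired(lenient, Set.of()); // passes: nothing registered, nothing checked
        System.out.println("lenient: registered=" + lenient.size() + ", no failure raised");
        try {
            registerStrict(List.of(external));
        } catch (IllegalStateException e) {
            System.out.println("strict: " + e.getMessage());
        }
    }
}
```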

            People

              Assignee: coheigea Colm O hEigeartaigh
              Reporter: peterdm Peter De Maeyer