WSS4J / WSS-334

SignatureProcessor does not fail when ids of referenced signed elements are duplicated

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Not a Problem
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: WSS4J Core
    • Labels: None

      Description

      The SignatureProcessor::verifyXMLSignature should throw an exception when the id of referenced elements is detected to be duplicated in the message being processed.

      Attachment: diff-sign-dup-id.txt (0.6 kB, Alessio Soldano)

        Activity

        Alessio Soldano added a comment -

        Here is a patch for solving this. Please evaluate. Thanks

        Colm O hEigeartaigh added a comment -

        Hi Alessio,

        This patch is not necessary, as we are about to pick up Santuario 1.5.0, which takes care of this problem. In 1.5.0, any client code is responsible for providing all References, and so if WSS4J does not find the Element then signature validation will fail. See points 2 + 3 here for more info:

        http://coheigea.blogspot.com/2012/01/apache-santuario-xml-security-for-java.html

        It's possible that the Reference could be an HTTP resource, which would not be resolved via the default CallbackLookup object in WSS4J, and so your patch would always cause that scenario to fail.

        Colm.

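A defensive pre-check in the spirit of the reporter's request, added here as an example and not WSS4J's or Santuario's own code (the element names and Id values in the sample message are constructed): it walks the parsed message and rejects any wsu:Id or Id value that appears on more than one element before signature verification is attempted, so a Reference can never be ambiguous. Santuario 1.5.0 instead fails when a Reference cannot be resolved; this check is an extra layer, not a replacement.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class DuplicateIdCheck {
    static final String WSU_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";

    /** Throws if any wsu:Id or Id value is carried by more than one element. */
    static void rejectDuplicateIds(Document doc) {
        Map<String, Element> seen = new HashMap<>();
        NodeList all = doc.getElementsByTagNameNS("*", "*");
        for (int i = 0; i < all.getLength(); i++) {
            Element el = (Element) all.item(i);
            // wsu:Id is what WSS4J References normally point at; a plain Id is checked too
            String[] ids = { el.getAttributeNS(WSU_NS, "Id"), el.getAttribute("Id") };
            for (String id : ids) {
                if (id.isEmpty()) continue;
                Element first = seen.putIfAbsent(id, el);
                if (first != null && first != el) {
                    throw new IllegalStateException("Duplicate Id '" + id + "' on <"
                        + first.getNodeName() + "> and <" + el.getNodeName() + ">");
                }
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: two elements carry the same wsu:Id, so a Reference to
        // '#body' would be ambiguous; the check must fail before any signature work.
        String soap = "<s:Envelope xmlns:s='http://schemas.xmlsoap.org/soap/envelope/'"
            + " xmlns:wsu='" + WSU_NS + "'>"
            + "<s:Header><Extra wsu:Id='body'/></s:Header>"
            + "<s:Body wsu:Id='body'><Op/></s:Body></s:Envelope>";
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Refuse DTDs: inbound security headers should never need them
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(soap.getBytes(StandardCharsets.UTF_8)));
        rejectDuplicateIds(doc); // throws IllegalStateException: Duplicate Id 'body' ...
    }
}
```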
        Alessio Soldano added a comment -

        Ah, cool. I didn't read that entry from your blog yet. Thanks.


          People

          • Assignee: Colm O hEigeartaigh
          • Reporter: Alessio Soldano