Details
-
Bug
-
Status: Closed
-
Critical
-
Resolution: Fixed
-
2.0.6, 2.1.4
-
None
-
Patch
Description
If any header to be encrypted has an attribute that doesn't have an explicit namespace (which would include any unqualified attributes, which for me is almost all of them), WSSecEncrypt throws an NPE:
Exception
org.apache.wss4j.common.ext.WSSecurityException: null
at org.apache.wss4j.dom.message.WSSecEncrypt.createEncryptedHeaderElement(WSSecEncrypt.java:711)
at org.apache.wss4j.dom.message.WSSecEncrypt.encryptElement(WSSecEncrypt.java:667)
at org.apache.wss4j.dom.message.WSSecEncrypt.doEncryption(WSSecEncrypt.java:417)
at org.apache.wss4j.dom.message.WSSecEncrypt.encryptForRef(WSSecEncrypt.java:255)
at org.apache.wss4j.dom.message.WSSecEncrypt.encrypt(WSSecEncrypt.java:221)
at org.apache.wss4j.dom.message.WSSecEncrypt.build(WSSecEncrypt.java:199)
at org.apache.wss4j.dom.message.EncryptionPartsTest.testSOAPEncryptedHeaderWithAttributes(EncryptionPartsTest.java:321)
This is because Node.getNamespaceURI() returns null, and the code checks with:
WSSecEncrypt.java Excerpt
if (attr.getNamespaceURI().equals(WSConstants.URI_SOAP11_ENV)
|| attr.getNamespaceURI().equals(WSConstants.URI_SOAP12_ENV)) {
Solution is to switch the equals condition:
WSSecEncrypt.java Fix
if (WSConstants.URI_SOAP11_ENV.equals(attr.getNamespaceURI())
|| WSConstants.URI_SOAP12_ENV.equals(attr.getNamespaceURI())) {
I'm adding four patches:
- a test for code vs. version 2.0.6
- code fix vs. version 2.0.6
- a test for code vs. version 2.1.4
- a code fix vs. version 2.1.4