FUSE Services Framework
  1. FUSE Services Framework
  2. SF-247

WS-SecurityPolicy SignedElements, SignedParts, EncryptedParts, EncryptedElements, and ContentEncryptedElements assertions incorrectly verified

    Details

    • Type: Bug Bug
    • Status: Closed Closed
    • Priority: Major Major
    • Resolution: Done
    • Affects Version/s: 2.2.2.2-fuse, 2.3.0.0-fuse
    • Fix Version/s: 2.2.6-fuse-01-00
    • Component/s: None
    • Labels:
      None
    • Similar Issues:
      Show 10 results 

      Description

      When security configuration is provided via WS-SecurityPolicy, the PolicyBasedWSS4JInInterceptor enforces the SignedElements assertion incorrectly. If there is more than one match to the assertion XPath, the validation code does not correctly detect the unsigned matches so long as any one of the matches is signed. This logic does not accurately reflect the case in which multiple matches for the signature coverage XPath exist in the message and may provide a false sense of integrity in the message.

      Per section 1.2 of the WS-Security spec:
      The XPath expression "identifies the nodes to be integrity protected."

      Based on this language, it seems as if all nodes matching the XPath expression must be integrity constrained.

      Similar issues exist with the SignedParts, EncryptedParts, EncryptedElements, and ContentEncryptedElements assertions as well.

        Activity

        Hide
        David Valeri
        added a comment -

        Attached test case. I have some code that resolves the issue, but it is outside of the PolicyBasedWSS4JInInerceptor at this time. I should be able to provide the code as well as the refactored PolicyBasedWSS4JInInerceptor that leverages this code by the end of the week.

        Show
        David Valeri
        added a comment - Attached test case. I have some code that resolves the issue, but it is outside of the PolicyBasedWSS4JInInerceptor at this time. I should be able to provide the code as well as the refactored PolicyBasedWSS4JInInerceptor that leverages this code by the end of the week.
        Hide
        David Valeri
        added a comment -

        Additional assertions were discovered to be defective during test case creation and validation. The updated patch and test case is available at Apache: https://issues.apache.org/jira/browse/CXF-2638

        Show
        David Valeri
        added a comment - Additional assertions were discovered to be defective during test case creation and validation. The updated patch and test case is available at Apache: https://issues.apache.org/jira/browse/CXF-2638
        Hide
        Ulhas Bhole
        added a comment -

        Fixed

        Show
        Ulhas Bhole
        added a comment - Fixed

          People

          • Assignee:
            Unassigned
            Reporter:
            David Valeri
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: