[
https://jira.jboss.org/jira/browse/JBWS-2594?page=com.atlassian.jira.plug...
]
Roelof Naude updated JBWS-2594:
-------------------------------
Attachment: jbws-2594.patch
Patch to fix the issue against jbossws-native-3.1.1. We are running JBoss 4.2.3 and are
not able to upgrade to a newer release in the immediate future.
The attached patch generates the following XML:
<ds:X509Data>
  <ds:X509IssuerSerial>
    <ds:X509IssuerName>.....</ds:X509IssuerName>
    <ds:X509SerialNumber>129</ds:X509SerialNumber>
  </ds:X509IssuerSerial>
</ds:X509Data>
X509IssuerSerial reference token creates invalid xml request
------------------------------------------------------------
Key: JBWS-2594
URL: https://jira.jboss.org/jira/browse/JBWS-2594
Project: JBoss Web Services
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: jbossws-native, ws-security
Affects Versions: jbossws-native-3.0.5
Environment: JBoss Portal 2.7.2
Reporter: Christoph Hennes
Assignee: Alessio Soldano
Fix For: jbossws-native-3.2.0
Attachments: jbws-2594.patch
If we are using WS-Security encryption with token reference type
'x509IssuerSerial':
<encrypt type="x509v3" alias="alias1"
tokenReference="x509IssuerSerial" />
the generated XML fragment is missing the enclosing X509Data element.
Example in WS-Security 1.0 Spec:
<wsse:SecurityTokenReference>
  <ds:X509Data>
    <ds:X509IssuerSerial>
      <ds:X509IssuerName>DC=ACMECorp, DC=com</ds:X509IssuerName>
      <ds:X509SerialNumber>12345678</ds:X509SerialNumber>
    </ds:X509IssuerSerial>
  </ds:X509Data>
</wsse:SecurityTokenReference>
Generated XML fragment:
<wsse:SecurityTokenReference wsu:Id='reference-x'>
  <ds:X509SerialNumber>y</ds:X509SerialNumber>
</wsse:SecurityTokenReference>
I have investigated the class
org.jboss.ws.extensions.security.element.X509IssuerSerial
and think that its method "public Element getElement()" is the possible source
of this bug. The local variable "element" is overridden and previously generated
XML is lost. The code of this method is unchanged in jbossws-3.1.0.
public Element getElement()
{
   if (cachedElement != null)
      return cachedElement;

   // "element" first refers to the ds:X509Data wrapper
   Element element = doc.createElementNS(Constants.XML_SIGNATURE_NS, "ds:X509Data");
   Element issuerSerial = doc.createElementNS(Constants.XML_SIGNATURE_NS, "ds:X509IssuerSerial");
   element.appendChild(issuerSerial);

   // "element" is reassigned here; the reference to ds:X509Data is lost
   element = doc.createElementNS(Constants.XML_SIGNATURE_NS, "ds:X509IssuerName");
   element.appendChild(doc.createTextNode(issuer));
   issuerSerial.appendChild(element);

   // reassigned again; "element" now refers to ds:X509SerialNumber
   element = doc.createElementNS(Constants.XML_SIGNATURE_NS, "ds:X509SerialNumber");
   element.appendChild(doc.createTextNode(serial));
   issuerSerial.appendChild(element);

   // caches and returns ds:X509SerialNumber instead of the ds:X509Data wrapper
   cachedElement = element;
   return cachedElement;
}
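The structure the report asks for, with a check that rejects the reported fragment, as an added example; this is not the attached jbws-2594.patch and not jbossws code. The class and helper names are hypothetical, the sample values are constructed from the fragments quoted above, and DS is assumed to equal Constants.XML_SIGNATURE_NS.

```java
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class X509IssuerSerialCheck {
    // Assumption: same value as Constants.XML_SIGNATURE_NS (the XML-DSig namespace).
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    // Hypothetical helper: create a ds: element (optionally with text) under parent.
    static Element ds(Document doc, Node parent, String name, String text) {
        Element e = doc.createElementNS(DS, "ds:" + name);
        if (text != null) e.appendChild(doc.createTextNode(text));
        parent.appendChild(e);
        return e;
    }

    // Every node keeps its own reference, and the ds:X509Data wrapper is what gets returned.
    static Element buildX509Data(Document doc, Element parent, String issuer, String serial) {
        Element x509Data = ds(doc, parent, "X509Data", null);
        Element issuerSerial = ds(doc, x509Data, "X509IssuerSerial", null);
        ds(doc, issuerSerial, "X509IssuerName", issuer);
        ds(doc, issuerSerial, "X509SerialNumber", serial);
        return x509Data;
    }

    static boolean isDs(Node n, String local) {
        return n instanceof Element && DS.equals(n.getNamespaceURI()) && local.equals(n.getLocalName());
    }

    // True only for reference > ds:X509Data > ds:X509IssuerSerial > (IssuerName, SerialNumber).
    static boolean hasIssuerSerial(Element reference) {
        Node data = reference.getFirstChild();
        if (!isDs(data, "X509Data")) return false;
        Node is = data.getFirstChild();
        return isDs(is, "X509IssuerSerial")
            && isDs(is.getFirstChild(), "X509IssuerName")
            && isDs(is.getLastChild(), "X509SerialNumber");
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        Document doc = f.newDocumentBuilder().newDocument();
        // Constructed sample: the reported shape, serial number directly under the reference.
        Element bad = doc.createElementNS(WSSE, "wsse:SecurityTokenReference");
        ds(doc, bad, "X509SerialNumber", "y");
        Element good = doc.createElementNS(WSSE, "wsse:SecurityTokenReference");
        buildX509Data(doc, good, "DC=ACMECorp, DC=com", "12345678");
        System.out.println("reported fragment accepted: " + hasIssuerSerial(bad));
        System.out.println("wrapped fragment accepted:  " + hasIssuerSerial(good));
    }
}
```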