Romano Silva commented on JBWS-2640:
------------------------------------
Can't a patched version be released with this fix before 4.0? It is a total break to
PasswordDigest.
UsernameToken does not correctly handle "Created" element
from wsse:Security soap header
----------------------------------------------------------------------------------------
Key: JBWS-2640
URL: https://jira.jboss.org/jira/browse/JBWS-2640
Project: JBoss Web Services
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: ws-security
Affects Versions: jbossws-native-3.1.1
Environment: AS: jboss-4.2.3.GA on Windows XP
jbossws-native-3.1.1.GA
Reporter: MrTed MrTed
Assignee: Alessio Soldano
Fix For: jbossws-native-4.0
Attachments: UsernameToken.java
UsernameToken does not correctly handle "Created" element from wsse:Security
soap header.
The OASIS standard describes the "Created" element in the following way:
/wsse:UsernameToken/wsu:Created
The optional <wsu:Created> element specifies a timestamp used to indicate the
creation time. It is defined as part of the <wsu:Timestamp> definition.
The solution - Constants.WSU_NS should be used instead of Constants.WSSE_NS.
"Created" element is described in
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utilit...
In the code of org.jboss.ws.extensions.security.element.UsernameToken, the
"Created" element is received via:

    Iterator<Element> itCreated = DOMUtils.getChildElements(element, new QName(Constants.WSSE_NS, "Created"));

instead it should be:

    Iterator<Element> itCreated = DOMUtils.getChildElements(element, new QName(Constants.WSU_NS, "Created"));

The same goes for the line:

    child = doc.createElementNS(Constants.WSSE_NS, Constants.WSSE_PREFIX + ":" + "Created");

which should be:

    child = doc.createElementNS(Constants.WSU_NS, Constants.WSU_PREFIX + ":" + "Created");
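
Added example (not from the issue or the JBossWS code base): a stand-alone Java sketch, using only the JDK's DOM parser, of why the namespace of "Created" matters for PasswordDigest. It assumes the digest formula from the OASIS UsernameToken Profile, Base64(SHA-1(nonce + created + password)); the class name, helper names and all sample values are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class CreatedNamespaceDemo {
    static final String WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";

    // Text of the first element named {ns}local under parent, or "" when none exists.
    static String childText(Element parent, String ns, String local) {
        NodeList nl = parent.getElementsByTagNameNS(ns, local);
        return nl.getLength() == 0 ? "" : nl.item(0).getTextContent().trim();
    }

    // Password_Digest = Base64(SHA-1(nonce + created + password)), nonce as raw bytes.
    static String digest(byte[] nonce, String created, String password) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(nonce);
        sha1.update(created.getBytes(StandardCharsets.UTF_8));
        sha1.update(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(sha1.digest());
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values: nonce, timestamp, user and password are made up.
        byte[] nonce = "constructed-nonce".getBytes(StandardCharsets.UTF_8);
        String created = "2009-05-12T10:15:30Z";
        String password = "example-password";
        String sent = digest(nonce, created, password); // what a conforming sender transmits
        String xml = "<wsse:UsernameToken xmlns:wsse='" + WSSE_NS + "' xmlns:wsu='" + WSU_NS + "'>"
            + "<wsse:Username>alice</wsse:Username><wsse:Password>" + sent + "</wsse:Password>"
            + "<wsse:Nonce>" + Base64.getEncoder().encodeToString(nonce) + "</wsse:Nonce>"
            + "<wsu:Created>" + created + "</wsu:Created></wsse:UsernameToken>";
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // required for namespace-qualified lookups to match
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Element token = dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))).getDocumentElement();
        for (String ns : new String[] {WSSE_NS, WSU_NS}) {
            String found = childText(token, ns, "Created"); // nonce reused rather than re-decoded
            boolean ok = MessageDigest.isEqual(sent.getBytes(StandardCharsets.UTF_8),
                digest(nonce, found, password).getBytes(StandardCharsets.UTF_8));
            System.out.println((ns.equals(WSU_NS) ? "wsu " : "wsse") + " Created='" + found + "' digest matches: " + ok);
        }
    }
}
```

The lookup under the wsse namespace finds no "Created" element, so a digest recomputed from that lookup cannot match the one the sender computed over the wsu:Created value.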