9:36 a.m.
X509IssuerSerial reference token creates invalid xml request
------------------------------------------------------------
Key: JBWS-2594
URL: https://jira.jboss.org/jira/browse/JBWS-2594
Project: JBoss Web Services
Issue Type: Bug
Security Level: Public (Everyone can see)
Components: ws-security
Affects Versions: jbossws-native-3.0.5
Environment: JBoss Portal 2.7.2
Reporter: Christoph Hennes
If we are using ws-security encryption with the token reference type
'x509IssuerSerial':
<wsse:SecurityTokenReference>
354 <ds:X509Data>
355 <ds:X509IssuerSerial>
356 <ds:X509IssuerName>
357 DC=ACMECorp, DC=com
358 </ds:X509IssuerName>
359 <ds:X509SerialNumber>12345678</X509SerialNumber>
360 </ds:X509IssuerSerial>
361 </ds:X509Data>
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
9:53 a.m.
New subject: [JBoss JIRA] Updated: (JBWS-2594) X509IssuerSerial reference token creates invalid xml request
[
https://jira.jboss.org/jira/browse/JBWS-2594?page=com.atlassian.jira.plug...
]
Christoph Hennes updated JBWS-2594:
-----------------------------------
Description:
If we are using WS-Security encryption with the token reference type
'x509IssuerSerial':
<encrypt type="x509v3" alias="alias1"
tokenReference="x509IssuerSerial" />
the generated XML fragment is missing the enclosing X509Data element.
Example in WS-Security 1.0 Spec:
<wsse:SecurityTokenReference>
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>DC=ACMECorp, DC=com</ds:X509IssuerName>
<ds:X509SerialNumber>12345678</X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
Generated XML fragment:
<wsse:SecurityTokenReference wsu:Id='reference-x'>
<ds:X509SerialNumber>y</ds:X509SerialNumber>
</wsse:SecurityTokenReference>
I have investigated the class org.jboss.ws.extensions.security.element.X509IssuerSerial
and think that its method public Element getElement() is the possible source of this bug.
The local variable element is always overriden and any previously generated XML is lost.
The code of this method is unchanged in jbossws-3.1.0.
public Element getElement()
{
if (cachedElement != null)
return cachedElement;
Element element = doc.createElementNS(Constants.XML_SIGNATURE_NS,
"ds:X509Data");
Element issuerSerial = doc.createElementNS(Constants.XML_SIGNATURE_NS,
"ds:X509IssuerSerial");
element.appendChild(issuerSerial);
element = doc.createElementNS(Constants.XML_SIGNATURE_NS,
"ds:X509IssuerName");
element.appendChild(doc.createTextNode(issuer));
issuerSerial.appendChild(element);
element = doc.createElementNS(Constants.XML_SIGNATURE_NS,
"ds:X509SerialNumber");
element.appendChild(doc.createTextNode(serial));
issuerSerial.appendChild(element);
cachedElement = element;
return cachedElement;
}
was:
If we are using ws-security encryption with the token reference type
'x509IssuerSerial':
<wsse:SecurityTokenReference>
354 <ds:X509Data>
355 <ds:X509IssuerSerial>
356 <ds:X509IssuerName>
357 DC=ACMECorp, DC=com
358 </ds:X509IssuerName>
359 <ds:X509SerialNumber>12345678</X509SerialNumber>
360 </ds:X509IssuerSerial>
361 </ds:X509Data>
X509IssuerSerial reference token creates invalid xml request
------------------------------------------------------------
Key: JBWS-2594
URL: https://jira.jboss.org/jira/browse/JBWS-2594
Project: JBoss Web Services
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: ws-security
Affects Versions: jbossws-native-3.0.5
Environment: JBoss Portal 2.7.2
Reporter: Christoph Hennes
If we are using WS-Security encryption with the token reference type
'x509IssuerSerial':
<encrypt type="x509v3" alias="alias1"
tokenReference="x509IssuerSerial" />
the generated XML fragment is missing the enclosing X509Data element.
Example in WS-Security 1.0 Spec:
<wsse:SecurityTokenReference>
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>DC=ACMECorp, DC=com</ds:X509IssuerName>
<ds:X509SerialNumber>12345678</X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
Generated XML fragment:
<wsse:SecurityTokenReference wsu:Id='reference-x'>
<ds:X509SerialNumber>y</ds:X509SerialNumber>
</wsse:SecurityTokenReference>
I have investigated the class org.jboss.ws.extensions.security.element.X509IssuerSerial
and think that its method public Element getElement() is the possible source of this bug.
The local variable element is always overriden and any previously generated XML is lost.
The code of this method is unchanged in jbossws-3.1.0.
public Element getElement()
{
if (cachedElement != null)
return cachedElement;
Element element = doc.createElementNS(Constants.XML_SIGNATURE_NS,
"ds:X509Data");
Element issuerSerial = doc.createElementNS(Constants.XML_SIGNATURE_NS,
"ds:X509IssuerSerial");
element.appendChild(issuerSerial);
element = doc.createElementNS(Constants.XML_SIGNATURE_NS,
"ds:X509IssuerName");
element.appendChild(doc.createTextNode(issuer));
issuerSerial.appendChild(element);
element = doc.createElementNS(Constants.XML_SIGNATURE_NS,
"ds:X509SerialNumber");
element.appendChild(doc.createTextNode(serial));
issuerSerial.appendChild(element);
cachedElement = element;
return cachedElement;
}
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
9:55 a.m.
New subject: [JBoss JIRA] Updated: (JBWS-2594) X509IssuerSerial reference token creates invalid xml request
[
https://jira.jboss.org/jira/browse/JBWS-2594?page=com.atlassian.jira.plug...
]
Christoph Hennes updated JBWS-2594:
-----------------------------------
Description:
If we are using WS-Security encryption with token reference type
'x509IssuerSerial':
<encrypt type="x509v3" alias="alias1"
tokenReference="x509IssuerSerial" />
the generated XML fragment is missing the enclosing X509Data element.
Example in WS-Security 1.0 Spec:
<wsse:SecurityTokenReference>
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>DC=ACMECorp, DC=com</ds:X509IssuerName>
<ds:X509SerialNumber>12345678</X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
Generated XML fragment:
<wsse:SecurityTokenReference wsu:Id='reference-x'>
<ds:X509SerialNumber>y</ds:X509SerialNumber>
</wsse:SecurityTokenReference>
I have investigated the class
org.jboss.ws.extensions.security.element.X509IssuerSerial
and think that its method "public Element getElement()" is the possible source
of this bug. The local variable "element" is always overriden and any previously
generated XML is lost. The code of this method is unchanged in jbossws-3.1.0.
public Element getElement()
{
if (cachedElement != null)
return cachedElement;
Element element = doc.createElementNS(Constants.XML_SIGNATURE_NS,
"ds:X509Data");
Element issuerSerial = doc.createElementNS(Constants.XML_SIGNATURE_NS,
"ds:X509IssuerSerial");
element.appendChild(issuerSerial);
element = doc.createElementNS(Constants.XML_SIGNATURE_NS,
"ds:X509IssuerName");
element.appendChild(doc.createTextNode(issuer));
issuerSerial.appendChild(element);
element = doc.createElementNS(Constants.XML_SIGNATURE_NS,
"ds:X509SerialNumber");
element.appendChild(doc.createTextNode(serial));
issuerSerial.appendChild(element);
cachedElement = element;
return cachedElement;
}
was:
If we are using WS-Security encryption with the token reference type
'x509IssuerSerial':
<encrypt type="x509v3" alias="alias1"
tokenReference="x509IssuerSerial" />
the generated XML fragment is missing the enclosing X509Data element.
Example in WS-Security 1.0 Spec:
<wsse:SecurityTokenReference>
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>DC=ACMECorp, DC=com</ds:X509IssuerName>
<ds:X509SerialNumber>12345678</X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
Generated XML fragment:
<wsse:SecurityTokenReference wsu:Id='reference-x'>
<ds:X509SerialNumber>y</ds:X509SerialNumber>
</wsse:SecurityTokenReference>
I have investigated the class org.jboss.ws.extensions.security.element.X509IssuerSerial
and think that its method public Element getElement() is the possible source of this bug.
The local variable element is always overriden and any previously generated XML is lost.
The code of this method is unchanged in jbossws-3.1.0.
public Element getElement()
{
if (cachedElement != null)
return cachedElement;
Element element = doc.createElementNS(Constants.XML_SIGNATURE_NS,
"ds:X509Data");
Element issuerSerial = doc.createElementNS(Constants.XML_SIGNATURE_NS,
"ds:X509IssuerSerial");
element.appendChild(issuerSerial);
element = doc.createElementNS(Constants.XML_SIGNATURE_NS,
"ds:X509IssuerName");
element.appendChild(doc.createTextNode(issuer));
issuerSerial.appendChild(element);
element = doc.createElementNS(Constants.XML_SIGNATURE_NS,
"ds:X509SerialNumber");
element.appendChild(doc.createTextNode(serial));
issuerSerial.appendChild(element);
cachedElement = element;
return cachedElement;
}
X509IssuerSerial reference token creates invalid xml request
------------------------------------------------------------
Key: JBWS-2594
URL: https://jira.jboss.org/jira/browse/JBWS-2594
Project: JBoss Web Services
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: ws-security
Affects Versions: jbossws-native-3.0.5
Environment: JBoss Portal 2.7.2
Reporter: Christoph Hennes
If we are using WS-Security encryption with token reference type
'x509IssuerSerial':
<encrypt type="x509v3" alias="alias1"
tokenReference="x509IssuerSerial" />
the generated XML fragment is missing the enclosing X509Data element.
Example in WS-Security 1.0 Spec:
<wsse:SecurityTokenReference>
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>DC=ACMECorp, DC=com</ds:X509IssuerName>
<ds:X509SerialNumber>12345678</X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
Generated XML fragment:
<wsse:SecurityTokenReference wsu:Id='reference-x'>
<ds:X509SerialNumber>y</ds:X509SerialNumber>
</wsse:SecurityTokenReference>
I have investigated the class
org.jboss.ws.extensions.security.element.X509IssuerSerial
and think that its method "public Element getElement()" is the possible source
of this bug. The local variable "element" is always overriden and any previously
generated XML is lost. The code of this method is unchanged in jbossws-3.1.0.
public Element getElement()
{
if (cachedElement != null)
return cachedElement;
Element element = doc.createElementNS(Constants.XML_SIGNATURE_NS,
"ds:X509Data");
Element issuerSerial = doc.createElementNS(Constants.XML_SIGNATURE_NS,
"ds:X509IssuerSerial");
element.appendChild(issuerSerial);
element = doc.createElementNS(Constants.XML_SIGNATURE_NS,
"ds:X509IssuerName");
element.appendChild(doc.createTextNode(issuer));
issuerSerial.appendChild(element);
element = doc.createElementNS(Constants.XML_SIGNATURE_NS,
"ds:X509SerialNumber");
element.appendChild(doc.createTextNode(serial));
issuerSerial.appendChild(element);
cachedElement = element;
return cachedElement;
}
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
10:12 a.m.
New subject: [JBoss JIRA] Updated: (JBWS-2594) X509IssuerSerial reference token creates invalid xml request
[
https://jira.jboss.org/jira/browse/JBWS-2594?page=com.atlassian.jira.plug...
]
Christoph Hennes updated JBWS-2594:
-----------------------------------
Description:
If we are using WS-Security encryption with token reference type
'x509IssuerSerial':
<encrypt type="x509v3" alias="alias1"
tokenReference="x509IssuerSerial" />
the generated XML fragment is missing the enclosing X509Data element.
Example in WS-Security 1.0 Spec:
<wsse:SecurityTokenReference>
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>DC=ACMECorp, DC=com</ds:X509IssuerName>
<ds:X509SerialNumber>12345678</X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
Generated XML fragment:
<wsse:SecurityTokenReference wsu:Id='reference-x'>
<ds:X509SerialNumber>y</ds:X509SerialNumber>
</wsse:SecurityTokenReference>
I have investigated the class
org.jboss.ws.extensions.security.element.X509IssuerSerial
and think that its method "public Element getElement()" is the possible source
of this bug. The local variable "element" is overriden and previously generated
XML is lost. The code of this method is unchanged in jbossws-3.1.0.
public Element getElement()
{
if (cachedElement != null)
return cachedElement;
Element element = doc.createElementNS(Constants.XML_SIGNATURE_NS,
"ds:X509Data");
Element issuerSerial = doc.createElementNS(Constants.XML_SIGNATURE_NS,
"ds:X509IssuerSerial");
element.appendChild(issuerSerial);
element = doc.createElementNS(Constants.XML_SIGNATURE_NS,
"ds:X509IssuerName");
element.appendChild(doc.createTextNode(issuer));
issuerSerial.appendChild(element);
element = doc.createElementNS(Constants.XML_SIGNATURE_NS,
"ds:X509SerialNumber");
element.appendChild(doc.createTextNode(serial));
issuerSerial.appendChild(element);
cachedElement = element;
return cachedElement;
}
was:
If we are using WS-Security encryption with token reference type
'x509IssuerSerial':
<encrypt type="x509v3" alias="alias1"
tokenReference="x509IssuerSerial" />
the generated XML fragment is missing the enclosing X509Data element.
Example in WS-Security 1.0 Spec:
<wsse:SecurityTokenReference>
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>DC=ACMECorp, DC=com</ds:X509IssuerName>
<ds:X509SerialNumber>12345678</X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
Generated XML fragment:
<wsse:SecurityTokenReference wsu:Id='reference-x'>
<ds:X509SerialNumber>y</ds:X509SerialNumber>
</wsse:SecurityTokenReference>
I have investigated the class
org.jboss.ws.extensions.security.element.X509IssuerSerial
and think that its method "public Element getElement()" is the possible source
of this bug. The local variable "element" is always overriden and any previously
generated XML is lost. The code of this method is unchanged in jbossws-3.1.0.
public Element getElement()
{
if (cachedElement != null)
return cachedElement;
Element element = doc.createElementNS(Constants.XML_SIGNATURE_NS,
"ds:X509Data");
Element issuerSerial = doc.createElementNS(Constants.XML_SIGNATURE_NS,
"ds:X509IssuerSerial");
element.appendChild(issuerSerial);
element = doc.createElementNS(Constants.XML_SIGNATURE_NS,
"ds:X509IssuerName");
element.appendChild(doc.createTextNode(issuer));
issuerSerial.appendChild(element);
element = doc.createElementNS(Constants.XML_SIGNATURE_NS,
"ds:X509SerialNumber");
element.appendChild(doc.createTextNode(serial));
issuerSerial.appendChild(element);
cachedElement = element;
return cachedElement;
}
X509IssuerSerial reference token creates invalid xml request
------------------------------------------------------------
Key: JBWS-2594
URL: https://jira.jboss.org/jira/browse/JBWS-2594
Project: JBoss Web Services
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: ws-security
Affects Versions: jbossws-native-3.0.5
Environment: JBoss Portal 2.7.2
Reporter: Christoph Hennes
If we are using WS-Security encryption with token reference type
'x509IssuerSerial':
<encrypt type="x509v3" alias="alias1"
tokenReference="x509IssuerSerial" />
the generated XML fragment is missing the enclosing X509Data element.
Example in WS-Security 1.0 Spec:
<wsse:SecurityTokenReference>
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>DC=ACMECorp, DC=com</ds:X509IssuerName>
<ds:X509SerialNumber>12345678</X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
Generated XML fragment:
<wsse:SecurityTokenReference wsu:Id='reference-x'>
<ds:X509SerialNumber>y</ds:X509SerialNumber>
</wsse:SecurityTokenReference>
I have investigated the class
org.jboss.ws.extensions.security.element.X509IssuerSerial
and think that its method "public Element getElement()" is the possible source
of this bug. The local variable "element" is overriden and previously generated
XML is lost. The code of this method is unchanged in jbossws-3.1.0.
public Element getElement()
{
if (cachedElement != null)
return cachedElement;
Element element = doc.createElementNS(Constants.XML_SIGNATURE_NS,
"ds:X509Data");
Element issuerSerial = doc.createElementNS(Constants.XML_SIGNATURE_NS,
"ds:X509IssuerSerial");
element.appendChild(issuerSerial);
element = doc.createElementNS(Constants.XML_SIGNATURE_NS,
"ds:X509IssuerName");
element.appendChild(doc.createTextNode(issuer));
issuerSerial.appendChild(element);
element = doc.createElementNS(Constants.XML_SIGNATURE_NS,
"ds:X509SerialNumber");
element.appendChild(doc.createTextNode(serial));
issuerSerial.appendChild(element);
cachedElement = element;
return cachedElement;
}
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
11:47 a.m.
New subject: [JBoss JIRA] Updated: (JBWS-2594) X509IssuerSerial reference token creates invalid xml request
[
https://jira.jboss.org/jira/browse/JBWS-2594?page=com.atlassian.jira.plug...
]
Alessio Soldano updated JBWS-2594:
----------------------------------
Component/s: jbossws-native
X509IssuerSerial reference token creates invalid xml request
------------------------------------------------------------
Key: JBWS-2594
URL: https://jira.jboss.org/jira/browse/JBWS-2594
Project: JBoss Web Services
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: jbossws-native, ws-security
Affects Versions: jbossws-native-3.0.5
Environment: JBoss Portal 2.7.2
Reporter: Christoph Hennes
If we are using WS-Security encryption with token reference type
'x509IssuerSerial':
<encrypt type="x509v3" alias="alias1"
tokenReference="x509IssuerSerial" />
the generated XML fragment is missing the enclosing X509Data element.
Example in WS-Security 1.0 Spec:
<wsse:SecurityTokenReference>
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>DC=ACMECorp, DC=com</ds:X509IssuerName>
<ds:X509SerialNumber>12345678</X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
Generated XML fragment:
<wsse:SecurityTokenReference wsu:Id='reference-x'>
<ds:X509SerialNumber>y</ds:X509SerialNumber>
</wsse:SecurityTokenReference>
I have investigated the class
org.jboss.ws.extensions.security.element.X509IssuerSerial
and think that its method "public Element getElement()" is the possible source
of this bug. The local variable "element" is overriden and previously generated
XML is lost. The code of this method is unchanged in jbossws-3.1.0.
public Element getElement()
{
if (cachedElement != null)
return cachedElement;
Element element = doc.createElementNS(Constants.XML_SIGNATURE_NS,
"ds:X509Data");
Element issuerSerial = doc.createElementNS(Constants.XML_SIGNATURE_NS,
"ds:X509IssuerSerial");
element.appendChild(issuerSerial);
element = doc.createElementNS(Constants.XML_SIGNATURE_NS,
"ds:X509IssuerName");
element.appendChild(doc.createTextNode(issuer));
issuerSerial.appendChild(element);
element = doc.createElementNS(Constants.XML_SIGNATURE_NS,
"ds:X509SerialNumber");
element.appendChild(doc.createTextNode(serial));
issuerSerial.appendChild(element);
cachedElement = element;
return cachedElement;
}
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
11:26 a.m.
New subject: [JBoss JIRA] Updated: (JBWS-2594) X509IssuerSerial reference token creates invalid xml request
[
https://jira.jboss.org/jira/browse/JBWS-2594?page=com.atlassian.jira.plug...
]
Alessio Soldano updated JBWS-2594:
----------------------------------
Fix Version/s: jbossws-native-3.2.0
Assignee: Alessio Soldano
X509IssuerSerial reference token creates invalid xml request
------------------------------------------------------------
Key: JBWS-2594
URL: https://jira.jboss.org/jira/browse/JBWS-2594
Project: JBoss Web Services
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: jbossws-native, ws-security
Affects Versions: jbossws-native-3.0.5
Environment: JBoss Portal 2.7.2
Reporter: Christoph Hennes
Assignee: Alessio Soldano
Fix For: jbossws-native-3.2.0
If we are using WS-Security encryption with token reference type
'x509IssuerSerial':
<encrypt type="x509v3" alias="alias1"
tokenReference="x509IssuerSerial" />
the generated XML fragment is missing the enclosing X509Data element.
Example in WS-Security 1.0 Spec:
<wsse:SecurityTokenReference>
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>DC=ACMECorp, DC=com</ds:X509IssuerName>
<ds:X509SerialNumber>12345678</X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
Generated XML fragment:
<wsse:SecurityTokenReference wsu:Id='reference-x'>
<ds:X509SerialNumber>y</ds:X509SerialNumber>
</wsse:SecurityTokenReference>
I have investigated the class
org.jboss.ws.extensions.security.element.X509IssuerSerial
and think that its method "public Element getElement()" is the possible source
of this bug. The local variable "element" is overriden and previously generated
XML is lost. The code of this method is unchanged in jbossws-3.1.0.
public Element getElement()
{
if (cachedElement != null)
return cachedElement;
Element element = doc.createElementNS(Constants.XML_SIGNATURE_NS,
"ds:X509Data");
Element issuerSerial = doc.createElementNS(Constants.XML_SIGNATURE_NS,
"ds:X509IssuerSerial");
element.appendChild(issuerSerial);
element = doc.createElementNS(Constants.XML_SIGNATURE_NS,
"ds:X509IssuerName");
element.appendChild(doc.createTextNode(issuer));
issuerSerial.appendChild(element);
element = doc.createElementNS(Constants.XML_SIGNATURE_NS,
"ds:X509SerialNumber");
element.appendChild(doc.createTextNode(serial));
issuerSerial.appendChild(element);
cachedElement = element;
return cachedElement;
}
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
1:43 p.m.
New subject: [JBoss JIRA] Updated: (JBWS-2594) X509IssuerSerial reference token creates invalid xml request
[
https://jira.jboss.org/jira/browse/JBWS-2594?page=com.atlassian.jira.plug...
]
Roelof Naude updated JBWS-2594:
-------------------------------
Attachment: jbws-2594.patch
Patch to fix the issue against jbossws-native-3.1.1. we are running jboss 4.2.3 and are
not able to upgrade to a newer release in the immediate future.
the attached patch generates the following xml:
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>.....</ds:X509IssuerName>
<ds:X509SerialNumber>129</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
X509IssuerSerial reference token creates invalid xml request
------------------------------------------------------------
Key: JBWS-2594
URL: https://jira.jboss.org/jira/browse/JBWS-2594
Project: JBoss Web Services
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: jbossws-native, ws-security
Affects Versions: jbossws-native-3.0.5
Environment: JBoss Portal 2.7.2
Reporter: Christoph Hennes
Assignee: Alessio Soldano
Fix For: jbossws-native-3.2.0
Attachments: jbws-2594.patch
If we are using WS-Security encryption with token reference type
'x509IssuerSerial':
<encrypt type="x509v3" alias="alias1"
tokenReference="x509IssuerSerial" />
the generated XML fragment is missing the enclosing X509Data element.
Example in WS-Security 1.0 Spec:
<wsse:SecurityTokenReference>
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>DC=ACMECorp, DC=com</ds:X509IssuerName>
<ds:X509SerialNumber>12345678</X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
Generated XML fragment:
<wsse:SecurityTokenReference wsu:Id='reference-x'>
<ds:X509SerialNumber>y</ds:X509SerialNumber>
</wsse:SecurityTokenReference>
I have investigated the class
org.jboss.ws.extensions.security.element.X509IssuerSerial
and think that its method "public Element getElement()" is the possible source
of this bug. The local variable "element" is overriden and previously generated
XML is lost. The code of this method is unchanged in jbossws-3.1.0.
public Element getElement()
{
if (cachedElement != null)
return cachedElement;
Element element = doc.createElementNS(Constants.XML_SIGNATURE_NS,
"ds:X509Data");
Element issuerSerial = doc.createElementNS(Constants.XML_SIGNATURE_NS,
"ds:X509IssuerSerial");
element.appendChild(issuerSerial);
element = doc.createElementNS(Constants.XML_SIGNATURE_NS,
"ds:X509IssuerName");
element.appendChild(doc.createTextNode(issuer));
issuerSerial.appendChild(element);
element = doc.createElementNS(Constants.XML_SIGNATURE_NS,
"ds:X509SerialNumber");
element.appendChild(doc.createTextNode(serial));
issuerSerial.appendChild(element);
cachedElement = element;
return cachedElement;
}
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
7:10 p.m.
New subject: [JBoss JIRA] Commented: (JBWS-2594) X509IssuerSerial reference token creates invalid xml request
[
https://jira.jboss.org/jira/browse/JBWS-2594?page=com.atlassian.jira.plug...
]
Alessio Soldano commented on JBWS-2594:
---------------------------------------
Thank you for the patch, we appreciate this kind of contribution.
Unfortunately even if this will go to the next release (it is already scheduled for
3.2.0), this will not be available for JBoss AS 4.2.3.GA as that's not a supported
target container since jbossws-native 3.1.2, hence you'll either need to move to AS 5
or patch the sources and rebuild jbossws.
X509IssuerSerial reference token creates invalid xml request
------------------------------------------------------------
Key: JBWS-2594
URL: https://jira.jboss.org/jira/browse/JBWS-2594
Project: JBoss Web Services
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: jbossws-native, ws-security
Affects Versions: jbossws-native-3.0.5
Environment: JBoss Portal 2.7.2
Reporter: Christoph Hennes
Assignee: Alessio Soldano
Fix For: jbossws-native-3.2.0
Attachments: jbws-2594.patch
If we are using WS-Security encryption with token reference type
'x509IssuerSerial':
<encrypt type="x509v3" alias="alias1"
tokenReference="x509IssuerSerial" />
the generated XML fragment is missing the enclosing X509Data element.
Example in WS-Security 1.0 Spec:
<wsse:SecurityTokenReference>
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>DC=ACMECorp, DC=com</ds:X509IssuerName>
<ds:X509SerialNumber>12345678</X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
Generated XML fragment:
<wsse:SecurityTokenReference wsu:Id='reference-x'>
<ds:X509SerialNumber>y</ds:X509SerialNumber>
</wsse:SecurityTokenReference>
I have investigated the class
org.jboss.ws.extensions.security.element.X509IssuerSerial
and think that its method "public Element getElement()" is the possible source
of this bug. The local variable "element" is overriden and previously generated
XML is lost. The code of this method is unchanged in jbossws-3.1.0.
public Element getElement()
{
if (cachedElement != null)
return cachedElement;
Element element = doc.createElementNS(Constants.XML_SIGNATURE_NS,
"ds:X509Data");
Element issuerSerial = doc.createElementNS(Constants.XML_SIGNATURE_NS,
"ds:X509IssuerSerial");
element.appendChild(issuerSerial);
element = doc.createElementNS(Constants.XML_SIGNATURE_NS,
"ds:X509IssuerName");
element.appendChild(doc.createTextNode(issuer));
issuerSerial.appendChild(element);
element = doc.createElementNS(Constants.XML_SIGNATURE_NS,
"ds:X509SerialNumber");
element.appendChild(doc.createTextNode(serial));
issuerSerial.appendChild(element);
cachedElement = element;
return cachedElement;
}
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
5422
days inactive
5492
days old
jbossws-issues@lists.jboss.org
7 comments
3 participants
participants (3)
-
Alessio Soldano (JIRA) -
Christoph Hennes (JIRA)
-
Roelof Naude (JIRA)