[jbossws-issues] [JBoss JIRA] Commented: (JBWS-2594) X509IssuerSerial reference token creates invalid xml request
Alessio Soldano (JIRA)
jira-events at lists.jboss.org
Mon Jun 15 13:10:57 EDT 2009
[ https://jira.jboss.org/jira/browse/JBWS-2594?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12472142#action_12472142 ]
Alessio Soldano commented on JBWS-2594:
---------------------------------------
Thank you for the patch, we appreciate this kind of contribution.
Unfortunately even if this will go to the next release (it is already scheduled for 3.2.0), this will not be available for JBoss AS 4.2.3.GA as that's not a supported target container since jbossws-native 3.1.2, hence you'll either need to move to AS 5 or patch the sources and rebuild jbossws.
> X509IssuerSerial reference token creates invalid xml request
> ------------------------------------------------------------
>
> Key: JBWS-2594
> URL: https://jira.jboss.org/jira/browse/JBWS-2594
> Project: JBoss Web Services
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: jbossws-native, ws-security
> Affects Versions: jbossws-native-3.0.5
> Environment: JBoss Portal 2.7.2
> Reporter: Christoph Hennes
> Assignee: Alessio Soldano
> Fix For: jbossws-native-3.2.0
>
> Attachments: jbws-2594.patch
>
>
> If we are using WS-Security encryption with token reference type 'x509IssuerSerial':
> <encrypt type="x509v3" alias="alias1" tokenReference="x509IssuerSerial" />
> the generated XML fragment is missing the enclosing X509Data element.
> Example in WS-Security 1.0 Spec:
> <wsse:SecurityTokenReference>
> <ds:X509Data>
> <ds:X509IssuerSerial>
> <ds:X509IssuerName>DC=ACMECorp, DC=com</ds:X509IssuerName>
> <ds:X509SerialNumber>12345678</X509SerialNumber>
> </ds:X509IssuerSerial>
> </ds:X509Data>
> </wsse:SecurityTokenReference>
> Generated XML fragment:
> <wsse:SecurityTokenReference wsu:Id='reference-x'>
> <ds:X509SerialNumber>y</ds:X509SerialNumber>
> </wsse:SecurityTokenReference>
> I have investigated the class
> org.jboss.ws.extensions.security.element.X509IssuerSerial
> and think that its method "public Element getElement()" is the possible source of this bug. The local variable "element" is overriden and previously generated XML is lost. The code of this method is unchanged in jbossws-3.1.0.
> public Element getElement()
> {
> if (cachedElement != null)
> return cachedElement;
> Element element = doc.createElementNS(Constants.XML_SIGNATURE_NS, "ds:X509Data");
> Element issuerSerial = doc.createElementNS(Constants.XML_SIGNATURE_NS, "ds:X509IssuerSerial");
> element.appendChild(issuerSerial);
> element = doc.createElementNS(Constants.XML_SIGNATURE_NS, "ds:X509IssuerName");
> element.appendChild(doc.createTextNode(issuer));
> issuerSerial.appendChild(element);
> element = doc.createElementNS(Constants.XML_SIGNATURE_NS, "ds:X509SerialNumber");
> element.appendChild(doc.createTextNode(serial));
> issuerSerial.appendChild(element);
> cachedElement = element;
> return cachedElement;
> }
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the jbossws-issues
mailing list