axis-c-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Garrett Holmstrom (JIRA)" <>
Subject [jira] [Created] (RAMPARTC-154) Body signature generation ignores data source request payloads
Date Sat, 09 Apr 2011 00:18:05 GMT
Body signature generation ignores data source request payloads

                 Key: RAMPARTC-154
             Project: Rampart/C
          Issue Type: Bug
          Components: OMXMLSecurity
    Affects Versions: 1.3.0
         Environment: Linux (all distributions)
            Reporter: Garrett Holmstrom
            Assignee: Malinda Kaushalye Kapuruge

In our web services implementation, we generate Axis/2c code with WSDL2C and use rampart/c
as a module. On the server and client side we require that all SOAP requests contain timestamps
and signed request bodies. However, we found that enabling signature checking of <Body>
elements in the policy:

<sp:SignedParts xmlns:sp="">
...results in all requests being rejected by the receiver due to signature verification failure.
After investigation, we found that requests generated by the auto-generated Axis/2C code contained
signatures over an empty <Body>, i.e. all its payload was ignored during element signing.
On the other hand, when the request was received, the entire <Body> was checked against
the signature. We determined that the problem is due to the fact that rampart/c code ignores
the payloads of requests with type AXIOM_DATA_SOURCE.

Attached is a patch that makes the checksum include the bodies of such requests when they
are generated.

This message is automatically generated by JIRA.
For more information on JIRA, see:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message