axis-c-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Garrett Holmstrom (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (RAMPARTC-154) Body signature generation ignores data source request payloads
Date Sat, 09 Apr 2011 00:22:05 GMT 

     [ https://issues.apache.org/jira/browse/RAMPARTC-154?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Garrett Holmstrom updated RAMPARTC-154:
---------------------------------------

    Attachment: rampart-trunk-c14n.patch

Patch that includes payloads of type AXIOM_DATA_SOURCE in body signature calculations

> Body signature generation ignores data source request payloads
> --------------------------------------------------------------
>
>                 Key: RAMPARTC-154
>                 URL: https://issues.apache.org/jira/browse/RAMPARTC-154
>             Project: Rampart/C
>          Issue Type: Bug
>          Components: OMXMLSecurity
>    Affects Versions: 1.3.0
>         Environment: Linux (all distributions)
>            Reporter: Garrett Holmstrom
>            Assignee: Malinda Kaushalye Kapuruge
>              Labels: patch
>         Attachments: rampart-trunk-c14n.patch
>
>
> In our web services implementation, we generate Axis/2c code with WSDL2C and use rampart/c
as a module. On the server and client side we require that all SOAP requests contain timestamps
and signed request bodies. However, we found that enabling signature checking of <Body>
elements in the policy:
> <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <sp:Body/>
> </sp:SignedParts>
>  
> ...results in all requests being rejected by the receiver due to signature verification
failure. After investigation, we found that requests generated by the auto-generated Axis/2C
code contained signatures over an empty <Body>, i.e. all its payload was ignored during
element signing. On the other hand, when the request was received, the entire <Body>
was checked against the signature. We determined that the problem is due to the fact that
rampart/c code ignores the payloads of requests with type AXIOM_DATA_SOURCE.
> Attached is a patch that makes the checksum include the bodies of such requests when
they are generated.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

---------------------------------------------------------------------
To unsubscribe, e-mail: c-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: c-dev-help@axis.apache.org
Mime
View raw message