From cohei...@apache.org
Subject svn commit: r1528933 - in /webservices/wss4j/trunk: ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/ ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/ ws-security-stax/src/main/java/org/apache/wss4j/stax/
Date Thu, 03 Oct 2013 16:56:56 GMT
Author: coheigea
Date: Thu Oct  3 16:56:55 2013
New Revision: 1528933

URL: http://svn.apache.org/r1528933
Log:
Relax signature username requirement for symmetric signature + leave SOAP Spoofing detection
to the SOAP Stack

Modified:
    webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java
    webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/VulnerabliltyVectorsTest.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/WSSec.java

Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java?rev=1528933&r1=1528932&r2=1528933&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java
(original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java
Thu Oct  3 16:56:55 2013
@@ -573,12 +573,7 @@ public class PolicyEnforcer implements S
         if (WSSecurityEventConstants.Operation.equals(securityEvent.getSecurityEventType()))
{
             operationSecurityEventOccured = true;
             final OperationSecurityEvent operationSecurityEvent = (OperationSecurityEvent)
securityEvent;
-            if (effectivePolicy != null) {
-                //soap-action spoofing detection
-                if (!effectivePolicy.getOperationName().equals(operationSecurityEvent.getOperation().getLocalPart()))
{
-                    throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY,
new WSSPolicyException("SOAPAction (" + effectivePolicy.getOperationName() + ") does not match
with the current Operation: " + operationSecurityEvent.getOperation()));
-                }
-            } else {
+            if (effectivePolicy == null) {
                 effectivePolicy = findPolicyBySOAPOperationName(operationPolicies, operationSecurityEvent.getOperation().getLocalPart());
                 if (effectivePolicy == null) {
                     //no policy to the operation given
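Review bot: With the removal of the mismatch branch, an Operation event that arrives while `effectivePolicy` is already set is now accepted without any comparison against `operationSecurityEvent.getOperation()`, and nothing in the new code records that this check has moved elsewhere. A reader of `PolicyEnforcer` will not know that operation/SOAPAction agreement is now the SOAP stack's responsibility, so the reason for the `== null` guard should be stated where the check used to live, e.g. `// An already-selected policy is kept as is: SOAPAction/operation mismatch is not detected here and is left to the SOAP stack.`. The body of the enclosing event-handling method continues outside the hunk.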

Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/VulnerabliltyVectorsTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/VulnerabliltyVectorsTest.java?rev=1528933&r1=1528932&r2=1528933&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/VulnerabliltyVectorsTest.java
(original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/VulnerabliltyVectorsTest.java
Thu Oct  3 16:56:55 2013
@@ -48,8 +48,9 @@ public class VulnerabliltyVectorsTest ex
     /**
      * Tests what happens when an soapAction from an other operation is provided.
      * Can the policy framework be bypassed?
+     * @Ignoring as SOAP Action spoofing detection should be left to the SOAP stack
      */
-    @Test
+    @Test(enabled=false)
     public void testSOAPActionSpoofing() throws Exception {
         WSSSecurityProperties outSecurityProperties = new WSSSecurityProperties();
         outSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());

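Review bot: `@Ignoring` on the added Javadoc line is not a Javadoc tag, so javadoc will treat it as an unknown block tag and the intent reads like an annotation rather than an explanation. Write it as plain text in the description, e.g. `* Disabled: SOAP Action spoofing detection is left to the SOAP stack, so this test is not run.`, which keeps the reason visible to anyone wondering why `enabled=false` is set on the test.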
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/WSSec.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/WSSec.java?rev=1528933&r1=1528932&r2=1528933&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/WSSec.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/WSSec.java
Thu Oct  3 16:56:55 2013
@@ -115,7 +115,8 @@ public class WSSec {
                     && securityProperties.getSignatureCrypto() == null) {
                     throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE,
"signatureKeyStoreNotSet");
                 }
-                if (securityProperties.getSignatureUser() == null) {
+                if (securityProperties.getSignatureUser() == null
+                    && !WSSConstants.NS_XMLDSIG_HMACSHA1.equals(securityProperties.getSignatureAlgorithm()))
{
                     throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE,
"noSignatureUser");
                 }
                 if (securityProperties.getCallbackHandler() == null
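Review bot: The relaxed condition exempts exactly one algorithm URI, `WSSConstants.NS_XMLDSIG_HMACSHA1`, while the commit message describes the exemption as applying to symmetric signatures in general; if any other HMAC algorithm is accepted elsewhere in the stack, those configurations will still fail with `noSignatureUser` even though no signature user is involved, which I cannot confirm from this hunk. The check itself is null-safe since the constant is on the left of `equals`, but the rationale is not visible in the code; a comment such as `// a symmetric (HMAC) signature does not use a signature user, so only reject a missing user for asymmetric algorithms` would make the exemption and its scope explicit. The enclosing validation method in `WSSec` continues outside the hunk.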


