ws-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Daniel Kulp <>
Subject Re: [VOTE] release wss4j-1.5.6
Date Wed, 11 Mar 2009 00:55:17 GMT


As Colm mentioned,  there is a patch on the Jira already.  (actually, Colm 
could just commit it probably, but I suppose having someone look at it is a 
good idea)

Basically, this is a bug in Rampart.   Rampart is suffering from the same 
"blindly strip the first char" problem that wss4j did.  If you put some 
printlns in the rampart token store, with 1.5.5, you can see:

add: 7EA37A075C8888C7BE12367220453773
add: #sctId-1176318351
get: #sctId-1176318351: org.apache.rahas.Token@364e50ee
get: 7EA37A075C8888C7BE12367220453773: org.apache.rahas.Token@420253af
Service invoked
get: sctId-1176318351: org.apache.rahas.Token@420253af
get: EA37A075C8888C7BE12367220453773: org.apache.rahas.Token@364e50ee

The last line is the tell tale sign.  That ID is NOT a valid token ID, but the 
token store is finding a token for it.   That's probably some sort of security 
violation or something.  Not sure how exploitable it is.    What's worse, in 
SOME cases, if you pass the VALID id in, the store doesn't find the token for 

Actually, I would take the patch one furthur and update the 
STSClient.findIdentifier method to check the unattached first instead of the 
attached.   With that, all the "add" calls would be with the full id and not 
the wsu:Id.  The lookups later would be a bit quicker then as well.  

My recommendation would be to get wss4j 1.5.6 out and then follow it up with a 
rampart release that fixes those issues.


On Tue March 10 2009 4:53:23 pm Glen Daniels wrote:
> Hi Colm, all:
> -1 from me, unfortunately, since running the Rampart build with the new
> WSS4J produced a test failure.  In particular the testWithPolicy() test
> in RampartTest (integration module) fails.
> DanK believes this might have to do with the way WSS4J has corrected its
> URL handling (it was previously truncating the 1st char of all urls
> assuming that they'd be of the form "#urn...").
> Could someone from rampart-dev have a look at this?
> Thanks,
> --Glen
> P.S.  A huge +1, by the way, to the congratulations on all the hard work
> and interop success!
> Colm O hEigeartaigh wrote:
> > To the Apache Web Services Community,
> >
> > This is a call for votes for the wss4j-1.5.6 release.
> >
> > The distribution can be found at the following URL:
> >
> >
> >
> > You can also point maven at the following URL to pull down the 1.5.6
> > release POM, source, and class JARs:
> >
> >
> >
> > Additionally, the generated version of the web site can be found at
> >
> >
> >
> > The list of bugs fixed in this release can be seen here:
> >
> >
> > 3&styleName=Html&version=12313623
> >
> > This vote will stay open for at least 72 hours.
> >
> > Here is my (non-binding and advisory) +1.
> >
> > Thanks,
> >
> > Colm.
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

Daniel Kulp

View raw message