ws-dev mailing list archives

From Glen Daniels <g...@thoughtcraft.com>
Subject Re: [VOTE] release wss4j-1.5.6
Date Wed, 11 Mar 2009 01:14:21 GMT
Hey Dan, Colm, all:

This makes sense, and you can consider my -1 withdrawn.

I would, however, like to see Nandana's +1 on this before it goes out.

Thanks,
--Glen

Daniel Kulp wrote:
> As Colm mentioned,  there is a patch on the Jira already.  (actually, Colm 
> could just commit it probably, but I suppose having someone look at it is a 
> good idea)
> 
> Basically, this is a bug in Rampart.   Rampart is suffering from the same 
> "blindly strip the first char" problem that wss4j did.  If you put some 
> printlns in the rampart token store, with 1.5.5, you can see:
> 
> add: 7EA37A075C8888C7BE12367220453773
> add: #sctId-1176318351
> get: #sctId-1176318351: org.apache.rahas.Token@364e50ee
> get: 7EA37A075C8888C7BE12367220453773: org.apache.rahas.Token@420253af
> Service invoked
> get: sctId-1176318351: org.apache.rahas.Token@420253af
> get: EA37A075C8888C7BE12367220453773: org.apache.rahas.Token@364e50ee
> 
> The last line is the telltale sign.  That ID is NOT a valid token ID, but the 
> token store is finding a token for it.   That's probably some sort of security 
> violation or something.  Not sure how exploitable it is.    What's worse, in 
> SOME cases, if you pass the VALID id in, the store doesn't find the token for 
> it.  
> 
> Actually, I would take the patch one further and update the 
> STSClient.findIdentifier method to check the unattached first instead of the 
> attached.   With that, all the "add" calls would be with the full id and not 
> the wsu:Id.  The lookups later would be a bit quicker then as well.  
> 
> 
> My recommendation would be to get wss4j 1.5.6 out and then follow it up with a 
> rampart release that fixes those issues.
> 
> Dan
> 
> 
> On Tue March 10 2009 4:53:23 pm Glen Daniels wrote:
>> Hi Colm, all:
>>
>> -1 from me, unfortunately, since running the Rampart build with the new
>> WSS4J produced a test failure.  In particular the testWithPolicy() test
>> in RampartTest (integration module) fails.
>>
>> DanK believes this might have to do with the way WSS4J has corrected its
>> URL handling (it was previously truncating the 1st char of all urls
>> assuming that they'd be of the form "#urn...").
>>
>> Could someone from rampart-dev have a look at this?
>>
>> Thanks,
>> --Glen
>>
>> P.S.  A huge +1, by the way, to the congratulations on all the hard work
>> and interop success!
>>
>> Colm O hEigeartaigh wrote:
>>> To the Apache Web Services Community,
>>>
>>> This is a call for votes for the wss4j-1.5.6 release.
>>>
>>> The distribution can be found at the following URL:
>>>
>>> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/dist/
>>>
>>> You can also point maven at the following URL to pull down the 1.5.6
>>> release POM, source, and class JARs:
>>>
>>> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/maven/
>>>
>>> Additionally, the generated version of the web site can be found at
>>>
>>> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/site/
>>>
>>> The list of bugs fixed in this release can be seen here:
>>>
>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310063&styleName=Html&version=12313623
>>>
>>> This vote will stay open for at least 72 hours.
>>>
>>> Here is my (non-binding and advisory) +1.
>>>
>>> Thanks,
>>>
>>> Colm.
> 
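The "blindly strip the first char" problem Dan describes above, shown as an added, self-contained example. This is not Rampart or WSS4J code: the Token class is a stand-in for org.apache.rahas.Token, both store classes and their method names are invented for illustration, and the two ids are constructed in the shape of the ones logged in the thread. The buggy store drops the first character of every reference on the assumption that it is the '#' of a wsu:Id reference, so a reference with any other first character resolves to a stored token while the bare, valid id does not; the corrected store strips only a leading '#', on add as well as on lookup, so every key is the full id.

```java
import java.util.HashMap;
import java.util.Map;

public class TokenStoreDemo {

    /** Stand-in for org.apache.rahas.Token (assumption: only the id matters here). */
    static final class Token {
        final String id;
        Token(String id) { this.id = id; }
        @Override public String toString() { return "Token(" + id + ")"; }
    }

    /** Hypothetical store that mirrors the bug: every reference loses its first char. */
    static final class BlindStripStore {
        private final Map<String, Token> tokens = new HashMap<>();
        void add(Token t) { tokens.put(t.id, t); }
        Token get(String ref) {
            // BUG: assumes every reference is "#id" and drops the first char regardless
            return tokens.get(ref.substring(1));
        }
    }

    /** Hypothetical corrected store: strip a leading '#' only, on add and on lookup. */
    static final class NormalizingStore {
        private final Map<String, Token> tokens = new HashMap<>();
        static String normalize(String ref) {
            return ref.startsWith("#") ? ref.substring(1) : ref;
        }
        void add(Token t) { tokens.put(normalize(t.id), t); }
        Token get(String ref) { return tokens.get(normalize(ref)); }
    }

    public static void main(String[] args) {
        // Constructed ids: a wsu:Id-style SCT id and a bare hex key identifier
        Token sct = new Token("sctId-1176318351");
        Token key = new Token("7EA37A075C8888C7BE12367220453773");

        BlindStripStore buggy = new BlindStripStore();
        buggy.add(sct);
        buggy.add(key);
        // Reference with '#' works, but so does one with ANY other leading char:
        System.out.println("buggy #sctId -> " + buggy.get("#sctId-1176318351"));     // Token(sctId-...)
        System.out.println("buggy XsctId -> " + buggy.get("XsctId-1176318351"));     // Token(sctId-...): not a valid reference, still found
        // The valid bare id is mangled to "EA37..." and is not found at all:
        System.out.println("buggy 7EA3.. -> " + buggy.get(key.id));                  // null

        NormalizingStore fixed = new NormalizingStore();
        fixed.add(sct);
        fixed.add(key);
        System.out.println("fixed #sctId -> " + fixed.get("#sctId-1176318351"));     // Token(sctId-...)
        System.out.println("fixed XsctId -> " + fixed.get("XsctId-1176318351"));     // null: rejected
        System.out.println("fixed 7EA3.. -> " + fixed.get(key.id));                  // Token(7EA3...)
        System.out.println("fixed #7EA3. -> " + fixed.get("#" + key.id));            // Token(7EA3...)
    }
}
```

The check worth keeping from this is the last block: after the fix, a bare id and its '#'-prefixed reference resolve to the same token, and a reference whose first character is anything other than '#' resolves to nothing.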
