ws-dev mailing list archives

From Nandana Mihindukulasooriya <nandana....@gmail.com>
Subject Re: [VOTE] release wss4j-1.5.6
Date Wed, 11 Mar 2009 06:13:26 GMT
+1. Tested the rampart trunk with the staged wss4j 1.5.6 with Colm's patch.

thanks,
Nandana

On Wed, Mar 11, 2009 at 6:59 AM, Nandana Mihindukulasooriya <nandana.cse@gmail.com> wrote:

> Hi Colm,
>      I will test this first thing this morning and update the vote.
>
> thanks,
> Nandana
>
> P.S.: Congratulations on getting WSS4J 1.5.6 out and getting WS Trust
> stuff working.
>
>
> On Wed, Mar 11, 2009 at 6:44 AM, Glen Daniels <glen@thoughtcraft.com> wrote:
>
>> Hey Dan, Colm, all:
>>
>> This makes sense, and you can consider my -1 withdrawn.
>>
>> I would, however, like to see Nandana's +1 on this before it goes out.
>>
>> Thanks,
>> --Glen
>>
>> Daniel Kulp wrote:
>> > As Colm mentioned, there is a patch on the Jira already. (actually, Colm
>> > could just commit it probably, but I suppose having someone look at it is a
>> > good idea)
>> >
>> > Basically, this is a bug in Rampart. Rampart is suffering from the same
>> > "blindly strip the first char" problem that wss4j did. If you put some
>> > printlns in the rampart token store, with 1.5.5, you can see:
>> >
>> > add: 7EA37A075C8888C7BE12367220453773
>> > add: #sctId-1176318351
>> > get: #sctId-1176318351: org.apache.rahas.Token@364e50ee
>> > get: 7EA37A075C8888C7BE12367220453773: org.apache.rahas.Token@420253af
>> > Service invoked
>> > get: sctId-1176318351: org.apache.rahas.Token@420253af
>> > get: EA37A075C8888C7BE12367220453773: org.apache.rahas.Token@364e50ee
>> >
>> > The last line is the telltale sign. That ID is NOT a valid token ID, but the
>> > token store is finding a token for it. That's probably some sort of security
>> > violation or something. Not sure how exploitable it is. What's worse, in
>> > SOME cases, if you pass the VALID id in, the store doesn't find the token for
>> > it.
>> >
>> > Actually, I would take the patch one further and update the
>> > STSClient.findIdentifier method to check the unattached first instead of the
>> > attached. With that, all the "add" calls would be with the full id and not
>> > the wsu:Id. The lookups later would be a bit quicker then as well.
>> >
>> >
>> > My recommendation would be to get wss4j 1.5.6 out and then follow it up with a
>> > rampart release that fixes those issues.
>> >
>> > Dan
>> >
>> >
>> > On Tue March 10 2009 4:53:23 pm Glen Daniels wrote:
>> >> Hi Colm, all:
>> >>
>> >> -1 from me, unfortunately, since running the Rampart build with the new
>> >> WSS4J produced a test failure.  In particular the testWithPolicy() test
>> >> in RampartTest (integration module) fails.
>> >>
>> >> DanK believes this might have to do with the way WSS4J has corrected its
>> >> URL handling (it was previously truncating the 1st char of all urls
>> >> assuming that they'd be of the form "#urn...").
>> >>
>> >> Could someone from rampart-dev have a look at this?
>> >>
>> >> Thanks,
>> >> --Glen
>> >>
>> >> P.S. A huge +1, by the way, to the congratulations on all the hard work
>> >> and interop success!
>> >>
>> >> Colm O hEigeartaigh wrote:
>> >>> To the Apache Web Services Community,
>> >>>
>> >>> This is a call for votes for the wss4j-1.5.6 release.
>> >>>
>> >>> The distribution can be found at the following URL:
>> >>>
>> >>> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/dist/
>> >>>
>> >>> You can also point maven at the following URL to pull down the 1.5.6
>> >>> release POM, source, and class JARs:
>> >>>
>> >>> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/maven/
>> >>>
>> >>> Additionally, the generated version of the web site can be found at
>> >>>
>> >>> http://people.apache.org/~coheigea/stage/wss4j/1.5.6/site/
>> >>>
>> >>> The list of bugs fixed in this release can be seen here:
>> >>>
>> >>>
>> >>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310063&styleName=Html&version=12313623
>> >>>
>> >>> This vote will stay open for at least 72 hours.
>> >>>
>> >>> Here is my (non-binding and advisory) +1.
>> >>>
>> >>> Thanks,
>> >>>
>> >>> Colm.
>> >> ---------------------------------------------------------------------
>> >> To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
>> >> For additional commands, e-mail: wss4j-dev-help@ws.apache.org
>> >
>>
>>
>>
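
The "blindly strip the first char" failure described in the quoted message, as an added example that is not part of the thread and is not Rampart or WSS4J code. The map-based store, the helper names and the token-A/token-B labels are assumptions; the two IDs are the ones shown in the quoted printlns.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.function.UnaryOperator;

public class TokenIdDemo {
    // Buggy normalisation: assumes every reference looks like "#id".
    static String stripBlindly(String ref) {
        return ref.substring(1);
    }

    // Corrected normalisation: drop a leading '#' only when one is present.
    static String stripFragment(String ref) {
        return ref.startsWith("#") ? ref.substring(1) : ref;
    }

    // Hypothetical token store (an assumption, not Rampart's class):
    // keys are normalised when a token is added.
    static Map<String, String> store(UnaryOperator<String> normalise) {
        Map<String, String> tokens = new HashMap<>();
        tokens.put(normalise.apply("7EA37A075C8888C7BE12367220453773"), "token-A");
        tokens.put(normalise.apply("#sctId-1176318351"), "token-B");
        return tokens;
    }

    public static void main(String[] args) {
        Map<String, String> buggy = store(TokenIdDemo::stripBlindly);
        Map<String, String> fixed = store(TokenIdDemo::stripFragment);
        String[] lookups = {
            "7EA37A075C8888C7BE12367220453773",  // valid full id
            "EA37A075C8888C7BE12367220453773",   // truncated, not a valid id
            "#sctId-1176318351",                 // fragment reference to the wsu:Id
            "sctId-1176318351"                   // bare wsu:Id
        };
        for (String ref : lookups) {
            System.out.printf("%-34s buggy=%-8s fixed=%s%n", ref,
                    buggy.get(ref),                  // exact-match lookup
                    fixed.get(stripFragment(ref)));  // normalised lookup
        }
    }
}
```

With the blind strip, the truncated ID resolves to a token while the valid full ID does not; with the conditional strip, only the valid ID and both forms of the wsu:Id resolve.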
