ws-dev mailing list archives

From "Colm O hEigeartaigh (JIRA)" <>
Subject [jira] [Closed] (WSS-457) Incorrect validation of ProtectTokens assertion
Date Tue, 06 May 2014 09:12:01 GMT


Colm O hEigeartaigh closed WSS-457.

> Incorrect validation of ProtectTokens assertion
> -----------------------------------------------
>                 Key: WSS-457
>                 URL:
>             Project: WSS4J
>          Issue Type: Bug
>            Reporter: Colm O hEigeartaigh
>            Assignee: Marc Giger
>             Fix For: 2.0.0
> The streaming code doesn't validate the ProtectTokens assertion properly in the case of a SymmetricBinding. The scenario is that the Signature should reference (sign) the EncryptedKey, and also reference it in the signing KeyInfo. However, the streaming code complains with:
> Original Exception was org.apache.wss4j.policy.stax.PolicyViolationException: Token /{}Envelope/{}Header/{}Security/{}BinarySecurityToken must be signed by its signature.
> However, the BinarySecurityToken in question is the certificate used to encrypt the symmetric key, and not the signing credential.

This message was sent by Atlassian JIRA
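
The scenario from the issue, as an added Python illustration (not WSS4J code and not the fix that was applied): resolve the token that the Signature's KeyInfo points to and require only that token to be covered by a signature Reference. The header below is constructed, the function name `check_protect_tokens` is hypothetical, and a direct `wsse:Reference` from KeyInfo to the EncryptedKey is assumed.

```python
import xml.etree.ElementTree as ET

NS = {
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
STR_REF = "ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference"

# Constructed SymmetricBinding header; key material, digests and signature value omitted.
SAMPLE = """<wsse:Security %s>
  <wsse:BinarySecurityToken wsu:Id="BST-1"/>
  <xenc:EncryptedKey Id="EK-1">
    <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#BST-1"/>
    </wsse:SecurityTokenReference></ds:KeyInfo>
  </xenc:EncryptedKey>
  <ds:Signature>
    <ds:SignedInfo><ds:Reference URI="#EK-1"/><ds:Reference URI="#Body-1"/></ds:SignedInfo>
    <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#EK-1"/>
    </wsse:SecurityTokenReference></ds:KeyInfo>
  </ds:Signature>
</wsse:Security>""" % " ".join('xmlns:%s="%s"' % kv for kv in NS.items())


def check_protect_tokens(security_xml):
    """Report whether the token that signs is itself covered by the signature."""
    sec = ET.fromstring(security_xml)
    sig = sec.find("ds:Signature", NS)
    key_ref = sig.find(STR_REF, NS) if sig is not None else None
    if key_ref is None:
        raise ValueError("no Signature with a direct token reference in KeyInfo")
    signing_id = key_ref.get("URI", "").lstrip("#")
    signed_ids = {r.get("URI", "").lstrip("#")
                  for r in sig.findall("ds:SignedInfo/ds:Reference", NS)}
    # Map Id -> local element name for every identified child of the Security header.
    tokens = {}
    for child in sec:
        tid = child.get("{%s}Id" % NS["wsu"]) or child.get("Id")
        if tid:
            tokens[tid] = child.tag.rsplit("}", 1)[-1]
    return {
        "signing_token": tokens.get(signing_id),
        "protected": signing_id in signed_ids,
        # Tokens that did not sign anything: ProtectTokens places no demand on these.
        "other_unsigned": sorted(n for i, n in tokens.items()
                                 if i != signing_id and i not in signed_ids),
    }
```

On the sample, the signing token is the EncryptedKey and it is signed, while the BinarySecurityToken appears only under `other_unsigned`, which is the element the streaming check rejected.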
