ws-dev mailing list archives

From "Colm O hEigeartaigh (JIRA)" <j...@apache.org>
Subject [jira] [Closed] (WSS-505) WSSecurityUtil .storeElementInContext throws ArrayIndexOutOfBoundsException
Date Sat, 04 Oct 2014 21:08:35 GMT

     [ https://issues.apache.org/jira/browse/WSS-505?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh closed WSS-505.
-----------------------------------

> WSSecurityUtil .storeElementInContext throws ArrayIndexOutOfBoundsException
> ---------------------------------------------------------------------------
>
>                 Key: WSS-505
>                 URL: https://issues.apache.org/jira/browse/WSS-505
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 1.6.16
>         Environment: Windows 7, Java 7
>            Reporter: Bruno Campolo
>            Assignee: Colm O hEigeartaigh
>             Fix For: 1.6.17
>
>
> When calling an Apache CXF STS, an RSTR is sent along with a corresponding Signature element
> in the Security header.  The XML Signature specification states that a Reference URI="" should
> be allowed, but WSS4J throws an ArrayIndexOutOfBoundsException in this case.
>       <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>         <SignedInfo>
>           <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>           <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>           <Reference URI="">
>             <Transforms>
>               <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>             </Transforms>
>             <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>             <DigestValue>#### REMOVED ####</DigestValue>
>           </Reference>
>         </SignedInfo>
>         <SignatureValue>#### REMOVED ####</SignatureValue>
>         <KeyInfo>
>           <wsse:SecurityTokenReference wsu:Id="STR-96B0809D81C151981114049297131153">
>             <wsse:Reference URI="1058eb35-d9a6-4ff8-84ac-4f6d35ba3b3c"
>                             ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
>           </wsse:SecurityTokenReference>
>         </KeyInfo>
>       </Signature>
> It appears that the code that fails is in org.apache.ws.security.util.SecurityUtil:
>     public static void storeElementInContext(DOMCryptoContext context, String uri, Element element) {
>         String id = uri;
>         if (uri.charAt(0) == '#') {    // <---- Exception thrown here since uri = ""
>             id = id.substring(1);
>         }
>         



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
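
The empty-URI case from the report above, as an added example that is not WSS4J code and not the project's fix: a guarded Id registration against the JDK's DOMCryptoContext, where URI="" is treated as a whole-document reference with no element Id to store. The class name, storeIfFragment, the unqualified Id attribute and the sample document are assumptions made for illustration.

```java
import javax.crypto.spec.SecretKeySpec;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dom.DOMCryptoContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

// Added illustration, not WSS4J source. Class and method names are hypothetical.
public class EmptyReferenceUriDemo {

    // Registers the element's Id with the context only when the Reference URI
    // names that element. Returns true if an Id was stored.
    static boolean storeIfFragment(DOMCryptoContext context, String uri, Element element) {
        if (uri == null || uri.isEmpty()) {
            return false; // URI="" refers to the whole document, not to an element Id
        }
        // Length is known to be >= 1 here, so charAt(0) cannot throw.
        String id = uri.charAt(0) == '#' ? uri.substring(1) : uri;
        // Assumption: the target carries an unqualified Id attribute.
        if (id.isEmpty() || !id.equals(element.getAttributeNS(null, "Id"))) {
            return false; // bare "#" or an Id that does not match this element
        }
        context.setIdAttributeNS(element, null, "Id");
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: one element with Id="body-1" and a throwaway key,
        // needed only because DOMValidateContext requires a KeySelector.
        Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
        Element body = doc.createElementNS(null, "Body");
        body.setAttributeNS(null, "Id", "body-1");
        doc.appendChild(body);
        DOMCryptoContext ctx = new DOMValidateContext(
                KeySelector.singletonKeySelector(new SecretKeySpec(new byte[16], "HmacSHA256")), doc);

        // Constructed Reference URIs: empty, bare '#', non-matching, matching.
        for (String uri : new String[] {"", "#", "#other", "#body-1"}) {
            boolean stored = storeIfFragment(ctx, uri, body);
            boolean resolvable = ctx.getElementById("body-1") != null;
            System.out.printf("URI=\"%s\" stored=%b resolvable=%b%n", uri, stored, resolvable);
        }
    }
}
```

Only the last sample registers the element; the first three return without touching the context and without throwing.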

