WS-SecurityPolicy SignedElements, SignedParts, EncryptedParts,
EncryptedElements, and ContentEncryptedElements assertions incorrectly verified
----------------------------------------------------------------------------------------------------------------------------------------------
Key: CXF-2638
URL: https://issues.apache.org/jira/browse/CXF-2638
Project: CXF
Issue Type: Bug
Components: WS-* Components
Affects Versions: 2.3
Reporter: David Valeri
When security configuration is provided via WS-SecurityPolicy, the
PolicyBasedWSS4JInInterceptor enforces the SignedElements assertion
incorrectly. If there is more than one match to the assertion XPath, the
validation code does not correctly detect the unsigned matches so long as any
one of the matches is signed. This logic does not accurately reflect the case
in which multiple matches for the signature coverage XPath exist in the message
and may provide a false sense of integrity in the message.
Per section 1.2 of the WS-Security spec:
The XPath expression "identifies the nodes to be integrity protected."
Based on this language, it seems as if all nodes matching the XPath expression
must be integrity constrained.
Similar issues exist with the SignedParts, EncryptedParts, EncryptedElements,
and ContentEncryptedElements assertions as well.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
