WS-SP token protection security binding property not correctly applied to X509 
token in outbound interceptors
-------------------------------------------------------------------------------------------------------------

                 Key: CXF-2655
                 URL: https://issues.apache.org/jira/browse/CXF-2655
             Project: CXF
          Issue Type: Bug
          Components: WS-* Components
    Affects Versions: 2.3
            Reporter: David Valeri


When a ProtectTokens assertion is used in an asymetric binding with X509 token, 
CXF does not sign the BST included in the message.  It is likely that CXF also 
does not sign the proper parts if an issuer serial or key identifier is used 
instead.

The direct reference case is triggered by an issue in AsymetricBindingHandler 
lines 386-392.  One cannot prepend the BST and then get its ID because WSS4J 
removes this info after the BST is prepended.

Changing the order of operations is one approach while working with the WSS4J 
signature builder's capabilities to sign the "Token" based on the mechanism by 
which the token is referenced may be a better approach.

Test case is pending.


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

Reply via email to