[ https://issues.apache.org/jira/browse/CXF-2655?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
David Valeri updated CXF-2655:
------------------------------

    Attachment: cxf-2655.patch

Attaching patch.

> WS-SP token protection security binding property not correctly applied to X509 token in outbound interceptors
> -------------------------------------------------------------------------------------------------------------
>
>                 Key: CXF-2655
>                 URL: https://issues.apache.org/jira/browse/CXF-2655
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.3
>            Reporter: David Valeri
>         Attachments: cxf-2655-test.patch, cxf-2655.patch
>
>
> When a ProtectTokens assertion is used in an asymmetric binding with X509 token, CXF does not sign the BST included in the message. It is likely that CXF also does not sign the proper parts if an issuer serial or key identifier is used instead.
> The direct reference case is triggered by an issue in AsymetricBindingHandler lines 386-392. One cannot prepend the BST and then get its ID because WSS4J removes this info after the BST is prepended.
> Changing the order of operations is one approach, while working with the WSS4J signature builder's capabilities to sign the "Token" based on the mechanism by which the token is referenced may be a better approach.
> Test case is pending.
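The missing coverage described in the issue can be checked on a captured outbound message. The following is an added example, not code from CXF, WSS4J or the attached patches: it reports tokens that key a signature by direct reference but are not among the signed parts, either directly or through an STR-Transform reference. The function names and the sample message are constructed for illustration; issuer serial and key identifier references are not handled, and no digest or signature value is verified.

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
STR_TRANSFORM = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform"
NS = {"wsse": WSSE, "wsu": WSU, "ds": DS}
WSU_ID = "{%s}Id" % WSU

def unprotected_signing_tokens(soap_xml):
    """Return Ids of tokens that key a ds:Signature by direct reference but
    are not covered by it. Structural check only: nothing is verified."""
    root = ET.fromstring(soap_xml)
    # Map each SecurityTokenReference wsu:Id to the token Id it points at.
    str_targets = {}
    for s in root.iter("{%s}SecurityTokenReference" % WSSE):
        ref = s.find("wsse:Reference", NS)
        if ref is not None and s.get(WSU_ID):
            str_targets[s.get(WSU_ID)] = ref.get("URI", "").lstrip("#")
    missing = []
    for sig in root.iter("{%s}Signature" % DS):
        covered = set()
        for r in sig.findall("ds:SignedInfo/ds:Reference", NS):
            target = r.get("URI", "").lstrip("#")
            covered.add(target)
            algs = {t.get("Algorithm")
                    for t in r.findall("ds:Transforms/ds:Transform", NS)}
            if STR_TRANSFORM in algs and target in str_targets:
                covered.add(str_targets[target])  # token signed via its STR
        key_ref = sig.find(
            "ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
        if key_ref is not None:
            token_id = key_ref.get("URI", "").lstrip("#")
            if token_id not in covered:
                missing.append(token_id)
    return missing

def sample(sign_bst):
    """Constructed message (assumption): token and digest values are dummies."""
    extra = '<ds:Reference URI="#bst-1"/>' if sign_bst else ""
    return (
        '<wsse:Security xmlns:wsse="%s" xmlns:wsu="%s" xmlns:ds="%s">'
        '<wsse:BinarySecurityToken wsu:Id="bst-1">DUMMY</wsse:BinarySecurityToken>'
        '<ds:Signature><ds:SignedInfo><ds:Reference URI="#body-1"/>%s'
        '</ds:SignedInfo><ds:KeyInfo><wsse:SecurityTokenReference>'
        '<wsse:Reference URI="#bst-1"/></wsse:SecurityTokenReference>'
        '</ds:KeyInfo></ds:Signature></wsse:Security>'
    ) % (WSSE, WSU, DS, extra)
```

`unprotected_signing_tokens(sample(False))` models the behaviour reported here (body signed, BST not) and returns the BST's Id; with the BST added to the signed references the result is empty.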