WS-SP support does not enforce signature algorithm or digest algorithm on
server side
-------------------------------------------------------------------------------------
Key: CXF-2924
URL: https://issues.apache.org/jira/browse/CXF-2924
Project: CXF
Issue Type: Bug
Affects Versions: 2.3, 2.2.10
Reporter: David Valeri
Fix For: 2.3
A WS-SP policy document that includes an algorithm suite assertion for a
signature operation, such as the example below, does not trigger the
enforcement of the algorithm suite in the inbound interceptors.
{code:xml}
...
<sp:AsymmetricBinding>
  <wsp:Policy>
    <sp:InitiatorToken>
      <wsp:Policy>
        <sp:X509Token
            sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
          <wsp:Policy>
            <sp:RequireIssuerSerialReference />
            <sp:WssX509V3Token10 />
          </wsp:Policy>
        </sp:X509Token>
      </wsp:Policy>
    </sp:InitiatorToken>
    <sp:RecipientToken>
      <wsp:Policy>
        <sp:X509Token
            sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
          <wsp:Policy>
            <sp:RequireIssuerSerialReference />
            <sp:WssX509V3Token10 />
          </wsp:Policy>
        </sp:X509Token>
      </wsp:Policy>
    </sp:RecipientToken>
    <sp:AlgorithmSuite>
      <wsp:Policy>
        <sp:Basic256Sha256 />
      </wsp:Policy>
    </sp:AlgorithmSuite>
    <sp:Layout>
      <wsp:Policy>
        <sp:Strict />
      </wsp:Policy>
    </sp:Layout>
  </wsp:Policy>
</sp:AsymmetricBinding>
...
{code}
While the message could be inspected in order to extract this information,
WSS4J already possesses the information. Unfortunately, WSS4J does not report
the information in the result data (1.5.8). This issue is blocked on the
addition of this information to the WSS4J results. See WSS-236.
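The message inspection the description mentions, as an added example that is not CXF or WSS4J code: it reads the algorithms declared under each ds:SignedInfo and compares them with Basic256Sha256. The class name and sample message are constructed, and the two required URIs assume the WS-SecurityPolicy 1.2 definition of the suite.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class AlgorithmSuiteCheck {
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";
    // Assumption: Basic256Sha256 as defined in WS-SecurityPolicy 1.2, where
    // [Dig] is Sha256 and [Asym Sig] is RsaSha1 for every predefined suite.
    static final String DIGEST = "http://www.w3.org/2001/04/xmlenc#sha256";
    static final String ASYM_SIG = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
    // Returns one entry per declared algorithm that the suite does not allow.
    static List<String> violations(String soap) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Refuse DTDs so the inspection step is not itself an XXE vector.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(soap.getBytes(StandardCharsets.UTF_8)));
        List<String> out = new ArrayList<>();
        NodeList infos = doc.getElementsByTagNameNS(DS, "SignedInfo");
        if (infos.getLength() == 0) { out.add("no ds:SignedInfo present"); }
        for (int i = 0; i < infos.getLength(); i++) {
            check((Element) infos.item(i), "SignatureMethod", ASYM_SIG, out);
            check((Element) infos.item(i), "DigestMethod", DIGEST, out);
        }
        return out;
    }

    // Only looks inside one SignedInfo, so digests used elsewhere (e.g. key transport) are ignored.
    private static void check(Element scope, String name, String required, List<String> out) {
        NodeList nodes = scope.getElementsByTagNameNS(DS, name);
        for (int i = 0; i < nodes.getLength(); i++) {
            String alg = ((Element) nodes.item(i)).getAttribute("Algorithm");
            if (!required.equals(alg)) {
                out.add("ds:" + name + " declares " + alg + ", suite requires " + required);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: RSA-SHA1 signature whose reference is digested with SHA-1.
        String msg = "<ds:Signature xmlns:ds='" + DS + "'><ds:SignedInfo>"
                + "<ds:SignatureMethod Algorithm='" + ASYM_SIG + "'/>"
                + "<ds:Reference URI='#body'><ds:DigestMethod Algorithm='" + DS + "sha1'/>"
                + "</ds:Reference></ds:SignedInfo></ds:Signature>";
        violations(msg).forEach(System.out::println);
    }
}
```

This reads what the message declares; the WSS4J result data referred to in WSS-236 would instead reflect what the signature processor actually used.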