Sunil Bapat created CXF-4587:
--------------------------------

             Summary: Signature Confirmation does not work with TransportBinding and EndorsingSupportingToken
                 Key: CXF-4587
                 URL: https://issues.apache.org/jira/browse/CXF-4587
             Project: CXF
          Issue Type: Bug
          Components: WS-* Components
    Affects Versions: 2.6.2
            Reporter: Sunil Bapat
            Priority: Minor


This is based on the discussion in http://cxf.547215.n5.nabble.com/TransportBinding-and-SignatureConfirmation-td5715655.html.

Signature Confirmation does not work on the client side when the web service 
is secured by TransportBinding with EndorsingSupportingToken. 
The response from the server contains a Signature Confirmation element, and the 
response fails with the error:
Received a SignatureConfirmation element, but there are no stored signature values

Debugging through the CXF code, here's what is happening:

- After configuring the client, the WSS11Builder calls 
setRequireSignatureConfirmation(true) based on the policy 
(<sp:RequireSignatureConfirmation/>).

- In the constructor of AbstractBindingBuilder, it initializes the signatures 
array property with an empty array, and puts it in the message as follows:
message.getExchange().put(WSHandlerConstants.SEND_SIGV, signatures)

- In TransportBindingHandler.handleEndorsingToken (line 300), it calls 
addSig, which eventually calls doSignature. However, the signature is never 
added to the signatures array. (SymmetricBindingHandler and 
AsymmetricBindingHandler do a signatures.add)

- As a result, when the service response comes to the WSS4JInInterceptor, it 
calls checkSignatureConfirmation in WSHandler, which retrieves the 
savedSignatures using
List<byte[]> savedSignatures =
    (List<byte[]>) getProperty(reqData.getMsgContext(), WSHandlerConstants.SEND_SIGV);

- This array is empty, since the signature was never added by 
TransportBindingHandler. Therefore it throws the above exception.
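
The failure traced in this report, as a simplified Java model (an added example, not CXF or WSS4J source). The class and method names, the record flag and the sample bytes are assumptions; only the first error string and the SEND_SIGV key come from the report.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Simplified model of the client-side check; not CXF or WSS4J source.
public class SignatureConfirmationModel {
    // Stands in for the list stored under WSHandlerConstants.SEND_SIGV.
    static final List<byte[]> sentSignatures = new ArrayList<>();

    // Hypothetical send path: 'record' models the signatures.add(...) step.
    static byte[] signRequest(byte[] signatureValue, boolean record) {
        if (record) { sentSignatures.add(signatureValue); }
        return signatureValue;
    }

    // Each confirmed value must match a stored one, and each stored
    // value must be confirmed; otherwise the response is rejected.
    static void checkConfirmation(List<byte[]> confirmedValues) {
        if (!confirmedValues.isEmpty() && sentSignatures.isEmpty()) {
            throw new SecurityException("Received a SignatureConfirmation element, "
                    + "but there are no stored signature values");
        }
        List<byte[]> pending = new ArrayList<>(sentSignatures);
        for (byte[] confirmed : confirmedValues) {
            boolean matched = false;
            for (int i = 0; i < pending.size() && !matched; i++) {
                if (Arrays.equals(pending.get(i), confirmed)) {
                    pending.remove(i);
                    matched = true;
                }
            }
            if (!matched) { throw new SecurityException("confirmed value matches no sent signature"); }
        }
        if (!pending.isEmpty()) { throw new SecurityException("a sent signature was not confirmed"); }
    }

    public static void main(String[] args) {
        byte[] sig = {0x01, 0x02, 0x03}; // constructed sample signature value
        for (boolean record : new boolean[] {false, true}) {
            sentSignatures.clear();
            byte[] echoed = signRequest(sig, record).clone(); // server echoes the value
            try {
                checkConfirmation(List.of(echoed));
                System.out.println("record=" + record + ": confirmation accepted");
            } catch (SecurityException e) {
                System.out.println("record=" + record + ": " + e.getMessage());
            }
        }
    }
}
```

With record=false the model rejects a correct server response, which is the behaviour described for TransportBindingHandler; with record=true the same response is accepted.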

