[prev in list] [next in list] [prev in thread] [next in thread]
List: sandesha-dev
Subject: New security patch, and a comment on the RampartBasedSecurityManager
From: Matthew Lovett <MLOVETT () uk ! ibm ! com>
Date: 2006-09-28 12:57:31
Message-ID: OFC17CA9D0.2BCD07B2-ON802571F7.00465679-802571F7.0046FA23 () uk ! ibm ! com
[Download RAW message or body]
Hi all,
I just attached a new patch to
https://issues.apache.org/jira/browse/SANDESHA2-16, to implement the TODOs
left behind from some refactoring.
While putting that in I had a quick look at the rampart security manager,
and I think that it is missing a bit of logic in the
checkProofOfPossession() method. The purpose if that check is to ensure
that the sender of 'this' message has possession of the token that was
embedded in the create sequence message. See the public review draft of
the WS-RM 1.1 spec for the justification for this - in short it is to
prevent hijacking of the Sequence by another authorized user. If you have
a no-op there then I expect that you have left this hole open, though I
can't be 100% sure as I've not used rampart.
Thanks
Matt
---------------------------------------------------------------------
To unsubscribe, e-mail: sandesha-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: sandesha-dev-help@ws.apache.org
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic