
List:       wss4j-dev
Subject:    Re: Problems using both InflowSecurity and OutflowSecurity
From:       "Ruchith Fernando" <ruchith.fernando () gmail ! com>
Date:       2006-05-23 19:29:22
Message-ID: 559c463d0605231217y2719fc82we33bbcd1bfdf20ad () mail ! gmail ! com

Hi Werner,

Yep, my bad! Thanks for the correction. The spec [1] clearly states
that we have to include one SignatureConfirmation element.

1428 If no <ds:Signature> elements are present in the original request message, the responder
1429 MUST include exactly one <wsse11:SignatureConfirmation> element.

IMHO this allows for a case where there will be a
SignatureConfirmation element with no stored signature value at the
requester... therefore IMHO we should not throw an exception in such a
scenario.

Thanks,
Ruchith

[1] https://svn.apache.org/repos/asf/webservices/wss4j/trunk/specs/oasis-2005xx-wss-soap-message-security-1.1-CD.pdf


On 5/23/06, Werner Dittmann <Werner.Dittmann@t-online.de> wrote:
> Hi,
> 
> I haven't checked it yet - but according to the WSS specs
> sending of security confirmation is also required (AFAIK)
> in any case even if the request didn't contain a Signature.
> 
> I'll cross check it.
> 
> Regards,
> Werner
> 
> Ruchith Fernando wrote:
> > Hi,
> > 
> > On 5/23/06, mpollmeier@s-und-n.de <mpollmeier@s-und-n.de> wrote:
> > > Hi Ruchith,
> > > 
> > > thanks again, this works. But isn't this a bug?
> > > Why does it include a SignatureConfirmation if there is no signature to
> > > confirm?
> > 
> > Yep ... I agree that we should not return SignatureConfirmation when
> > there's no signature in the request... please file a JIRA bug here:
> > [1]
> > 
> > > If this behaviour is correct, the default value of
> > > enableSignatureConfirmation should be "false", shouldn't it?
> > 
> > +1 on making the default false... and I believe this will be fixed
> > when we support WS-SecurityPolicy (in WSS4J 2.0).
> > 
> > Thanks,
> > Ruchith
> > 
> > [1] http://issues.apache.org/jira/browse/WSS
> > 
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
> > For additional commands, e-mail: wss4j-dev-help@ws.apache.org
> > 
> > 
> 
> 
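
The requester-side check discussed in this thread, as an added example that is not part of the original message and is not WSS4J code. The class and method names are hypothetical, the sample headers are constructed, and it assumes the WS-Security 1.1 rule that an unsigned request is confirmed by a SignatureConfirmation without a Value attribute.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.HashSet;
import java.util.Set;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class SigConfCheck {
    static final String WSSE11 =
        "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd";

    /** Returns null if the response is acceptable, otherwise the reason to reject it.
     *  sentSigValues: base64 ds:SignatureValue strings stored when the request was sent.
     *  Checking that the confirmations are themselves signed is out of scope here. */
    static String verify(Document response, Set<String> sentSigValues) {
        NodeList confs = response.getElementsByTagNameNS(WSSE11, "SignatureConfirmation");
        if (sentSigValues.isEmpty()) {
            // Unsigned request: one value-less confirmation is normal, not an error.
            if (confs.getLength() != 1) return "expected exactly one SignatureConfirmation";
            if (((Element) confs.item(0)).hasAttribute("Value")) return "Value on unsigned request";
            return null;
        }
        Set<String> confirmed = new HashSet<>();
        for (int i = 0; i < confs.getLength(); i++) {
            Element e = (Element) confs.item(i);
            // Simplification: values are compared as strings, without base64 normalisation.
            if (!e.hasAttribute("Value") || !sentSigValues.contains(e.getAttribute("Value")))
                return "confirmation does not match any signature sent";
            confirmed.add(e.getAttribute("Value"));
        }
        return confirmed.equals(sentSigValues) ? null : "a sent signature was not confirmed";
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        String hdr = "<h xmlns:wsse11='" + WSSE11 + "'>%s</h>";  // constructed sample header
        Document bare = parse(String.format(hdr, "<wsse11:SignatureConfirmation/>"));
        Document valued = parse(String.format(hdr, "<wsse11:SignatureConfirmation Value='c2lnMQ=='/>"));
        System.out.println("unsigned request, bare confirmation:   " + verify(bare, Set.of()));
        System.out.println("signed request, bare confirmation:     " + verify(bare, Set.of("c2lnMQ==")));
        System.out.println("signed request, matching confirmation: " + verify(valued, Set.of("c2lnMQ==")));
        System.out.println("unsigned request, valued confirmation: " + verify(valued, Set.of()));
    }
}
```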
