Bug 5756 – allow developer to bypass secure msg consistency check

Bug 5756 - allow developer to bypass secure msg consistency check

Summary:

allow developer to bypass secure msg consistency check

Status:	RESOLVED FIXED

Product:	Java WS Security
Component:	Authentication
Version:	4.0.5
Platform:	PC Linux

Importance:	P3 normal
Target Milestone:	4.0.7
Assigned To:	Rachana Ananthakrishnan

URL:	http://www-unix.mcs.anl.gov/~tfreeman...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2008-01-04 11:34 by Tim Freeman
Modified:	2008-01-22 15:33 (History)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note

You need to log in before you can comment on or make changes to this bug.

Description From Tim Freeman 2008-01-04 11:34:56

(see patch URL)

Don't require secure envelope on response

  - since this is an https connection, the deployment does not see the need to
encode the reply in a secure envelope.  The server trusts the client via secure
message (allowing for anonymous clients in the TLS connection) but assumes
client will trust response via its https configuration.

   - boils down to bypassing the consistency check in WSSecurityClientHandler
for the call

   - Introduces Constants.GSI_SEC_MSG_SECREPLY_UNECESSARY --> Boolean.TRUE

------- Comment #1 From Rachana Ananthakrishnan 2008-01-22 15:33:59 -------

Patch committed to branch and trunk. Thanks Tim.