Issue Details (XML | Word | Printable)

Key: WSIT-1656
Type: Bug Bug
Status: Open Open
Priority: Major Major
Assignee: symonchang
Reporter: btse
Votes: 3
Watchers: 4
Operations

If you were logged in you would be able to see more operations.
wsit

Exclusive XML Canonicalization changed in 2.2 comparing to 2.1

Created: 12/Oct/12 04:52 AM   Updated: 31/Mar/14 09:20 AM
Component/s: security
Affects Version/s: 2.2
Fix Version/s: None

Time Tracking:
Not Specified

Environment:

Windows 7


Tags: regression
Participants: btse, hle, kumarjayanti and symonchang


 Description  « Hide

After upgrading to Metro 2.2, we noticed that the exclusive XML canonicalization (StAXEXC14nCanonicalizerImpl) produces different result comparing to Metro 2.1
The difference in canonicalization causes different digest being produced. Below are example of canonicalization being produced in 2.1 and 2.2, notice that 2.2 contains extra xmlns="" attributes in the default namespace elements. We identified that the changes were made in SVN r6737, part of WSS1717 (WSIT-1546) fix.

Metro 2.1:
<S:Body xmlns:S="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="_5003">
<ns9:GetAllForceModuleCompositeRequest xmlns:ns9="http://metadata.dod.mil/mdr/ns/NECC-AP/JFW/rr">
<itemsPerPage>2000</itemsPerPage>
<includeTotalCount>true</includeTotalCount>
<planId>94TC5</planId>
</ns9:GetAllForceModuleCompositeRequest>
</S:Body>

Metro 2.2:
<S:Body xmlns:S="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="_5003">
<ns9:GetAllForceModuleCompositeRequest xmlns:ns9="http://metadata.dod.mil/mdr/ns/NECC-AP/JFW/rr">
<itemsPerPage xmlns="">2000</itemsPerPage>
<includeTotalCount xmlns="">true</includeTotalCount>
<planId xmlns="">94TC5</planId>
</ns9:GetAllForceModuleCompositeRequest>
</S:Body>



hle added a comment - 31/Mar/14 09:20 AM

Is there any update on this? We cannot upgrade from version 2.1.1 due to this regression.


btse added a comment - 30/Jan/14 11:54 PM

Bump.
Can this be included in upcoming releases?


symonchang added a comment - 16/Jan/13 07:19 AM

This is a regression, and should be fixed in this release.


btse added a comment - 16/Oct/12 04:53 PM

There were multiple file changes in r6737. I think the specific changes that caused the bug were in:
com.sun.xml.wss.impl.c14n.StAXEXC14nCanonicalizerImpl.writeNamespace(String, String)
where the original empty prefix and namespace check was removed.

Please note that, there are specific cases, per W3C, that xmlns="" is necessary
Reference: http://www.w3.org/TR/xml-exc-c14n/#sec-Specification


kumarjayanti added a comment - 16/Oct/12 10:07 AM

Sounds like one of my fixes is causing this regression. Can you post the details of SVN r6737 here. I don't actively work on this project, but would like to fix this.