holodeck-b2b/Holodeck-B2B

Holodeck fails to properly generate unique IDs within WS-Security header

RudanF opened this issue · 1 comments

When trying to send messages which require signing both SOAP header data and SOAP body data, a bug was encountered resulting in all generated IDs (including signature references, encryption data references, encryption key references, ...) inside the WSS header consisting of the prefix only, without the uniquely generated number following it.

For instance, both header and body are assigned the same id: id-. The same happens for other references: SIG-, ED-, EK-, ... This leads to failed decryption of the WSS header, and thus the entire message, on the recipient's side.

The bug was traced to lines 451 & 455 respectively in the source code of SecurityHeaderCreator. There is a subtle bug due to operator precedence between the ternary operator and the addition operator, leading to improper string concatenation.

Code in the WsuIdAllocator anonymous class:

public String createId(String prefix, Object o) {
    // Bug: '+' binds tighter than '?:', so this parses as
    // cond ? prefix : ("" + HB2B_ID_PREFIX + uuid); a non-empty prefix is returned unchanged.
    return !Utils.isNullOrEmpty(prefix) ? prefix : "" + HB2B_ID_PREFIX + UUID.randomUUID().toString();
}

public String createSecureId(String prefix, Object o) {
    // Same precedence bug as createId above.
    return !Utils.isNullOrEmpty(prefix) ? prefix : "" + HB2B_ID_PREFIX + UUID.randomUUID().toString();
}

Proposed fix: parentheses around the ternary operator expression.

public String createId(String prefix, Object o) {
    // Parentheses select the optional prefix first; HB2B_ID_PREFIX and a random UUID are then always appended.
    return (!Utils.isNullOrEmpty(prefix) ? prefix : "") + HB2B_ID_PREFIX + UUID.randomUUID().toString();
}

public String createSecureId(String prefix, Object o) {
    // Same grouping fix as createId above.
    return (!Utils.isNullOrEmpty(prefix) ? prefix : "") + HB2B_ID_PREFIX + UUID.randomUUID().toString();
}

After testing the proposed solution, the WSS processor starts generating unique IDs inside the WSS header.
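As an added example (not code from the issue or from Holodeck-B2B), the following stand-alone Java class puts the buggy and the parenthesised form of createId side by side and checks what each produces for the same prefix. HB2B_ID_PREFIX is given an assumed value and Utils.isNullOrEmpty is replaced by a local helper, since neither is defined on this page.

```java
import java.util.UUID;

/**
 * Added example, not Holodeck-B2B code: shows how Java groups the
 * buggy expression versus the parenthesised one, using the same shape
 * as the WsuIdAllocator methods quoted in the issue.
 */
public class WsuIdPrecedenceDemo {

    // Assumed value; the real HB2B_ID_PREFIX constant is not shown in the issue.
    static final String HB2B_ID_PREFIX = "hb2b-";

    // Stand-in for Utils.isNullOrEmpty, which is not shown on the page.
    static boolean isNullOrEmpty(String s) {
        return s == null || s.isEmpty();
    }

    // Buggy form. '+' has higher precedence than '?:', so Java reads this as
    //   !isNullOrEmpty(prefix) ? prefix : ("" + HB2B_ID_PREFIX + uuid)
    // A non-empty prefix is returned as-is and the UUID is never appended.
    static String buggyCreateId(String prefix) {
        return !isNullOrEmpty(prefix) ? prefix : "" + HB2B_ID_PREFIX + UUID.randomUUID().toString();
    }

    // Fixed form: parentheses force the intended grouping
    //   (prefix-or-empty) + HB2B_ID_PREFIX + uuid
    static String fixedCreateId(String prefix) {
        return (!isNullOrEmpty(prefix) ? prefix : "") + HB2B_ID_PREFIX + UUID.randomUUID().toString();
    }

    // True when the id starts with prefix + HB2B_ID_PREFIX and ends in a parseable UUID.
    static boolean hasUuidSuffix(String id, String prefix) {
        String head = prefix + HB2B_ID_PREFIX;
        if (!id.startsWith(head)) {
            return false;
        }
        try {
            UUID.fromString(id.substring(head.length()));
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Two allocations with the same prefix, as happens for the header and body "id-" references.
        String a = buggyCreateId("id-");
        String b = buggyCreateId("id-");
        System.out.println("buggy:  " + a + " / " + b + "  collide=" + a.equals(b));

        String c = fixedCreateId("id-");
        String d = fixedCreateId("id-");
        System.out.println("fixed:  " + c + " / " + d + "  collide=" + c.equals(d)
                + "  wellFormed=" + (hasUuidSuffix(c, "id-") && hasUuidSuffix(d, "id-")));

        // The empty-prefix branch is the only one the buggy code got right.
        String e = buggyCreateId("");
        System.out.println("buggy, empty prefix: " + e + "  wellFormed=" + hasUuidSuffix(e, ""));
    }
}
```

Running it shows the buggy allocator returning the bare string id- twice, while the fixed one returns two distinct ids of the form id-hb2b-<uuid>. Duplicate wsu:Id values matter beyond the decryption failure reported above: a ds:Reference or a DataReference in the WSS header points at its target by URI fragment, so once two elements carry the same id the reference no longer identifies a single element and a conforming recipient has to reject the message.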

Hi Filip,
thanks for reporting this bug and the proposed solution. I have already applied it and will release a new patch version shortly.
Regards,
Sander