Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Fetching contributors…

Cannot retrieve contributors at this time

760 lines (583 sloc) 39.053 kb
This file contains a listing of all Jira tickets that have been closed
for a given release.
Portions of this report were generated using the ReleaseNotes facility
in Jira.
Release 2.0.1
=============
Bug
[WSS-500] - Kerberos client/server actions are only supporting NT_HOSTBASED_SERVICE service name form
[WSS-501] - Kerberos token decoder default implementation fails to extract the session when validating a ticket issued by a KDC based on Active Directory
Improvement
[WSS-502] - Add an easy way to retrieve signature digest values
[WSS-503] - Share an existing global ehcache manager for ws security replay caches
Release 2.0.0
=============
Sub-task
[WSS-343] - Move 1.6.x code into a new module.
[WSS-344] - Refactor Crypto functionality to be used by both implementations
[WSS-345] - Refactor Exception functionality to be used by both implementations
[WSS-346] - Refactor SAML functionality to be used by both implementations
[WSS-347] - Refactor configuration and constants to be used by both implementations
[WSS-348] - Refactor Caching nonces/timestamp functionality to be used by both implementations
[WSS-349] - Refactor Derived Key / SecureConveration functionality to be used by both implementations
[WSS-350] - Update package names
[WSS-352] - Reconcile AssertionWrapper & SAMLAssertionWrapper
[WSS-353] - Add support in the streaming code for decrypting an EncryptedKey in the Subject of a SAML Assertion.
[WSS-354] - Add support for specifying different algs for sign or c14n a SAML Assertion in the streaming code.
[WSS-355] - Reconcile SAMLCallback between the two implementations
[WSS-356] - Investigate signing Crypto differences
[WSS-360] - Port BSP enforcer to streaming code.
[WSS-361] - Update code to use correct WSPasswordCallback code as per the DOM code.
[WSS-362] - Port Kerberos & SPNEGO work to streaming code
[WSS-363] - Support pluggable Validation of received tokens as per DOM code
[WSS-364] - Ensure that SecurityEvents let us see what was processed for the non-policy case.
[WSS-366] - Disable Cobertura by default
[WSS-367] - Set up a parent pom with dependency management.
[WSS-368] - Log4j configuration
[WSS-370] - Add CXF support for custom Algorithm Suites.
[WSS-371] - Add support for (custom) GCM algorithm-suites.
[WSS-372] - Add stricter enforcement of required policy elements as added to CXF.
[WSS-373] - Check sender-vouches and holder-of-key requirements for SAML tokens.
[WSS-374] - Support Kerberos token policy validation.
[WSS-375] - Support IssuedToken policy validation
[WSS-376] - Support Derived Keys policy validation
[WSS-377] - Verify Signed/Endorsing/Encrypted/SupportingTokens policy validation
[WSS-378] - Update tests in ws-security module to check security events.
[WSS-379] - Does the policy validation code support checking the token requirement against whether it is an initiator or recipient?
[WSS-381] - Support KeyValueTokens
[WSS-386] - Introduce proprietary Compress-Transformation for Encryption / Decryption
Bug
[WSS-408] - StAX - Exception handling and correct Fault-Codes per WSS spec
[WSS-421] - WSSecSignature does not allow access to the internal BinarySecurityToken after it is applied to the security header
[WSS-423] - Support CRL checking for streaming code
[WSS-424] - Signature Element is not inserted in the correct place in the header in certain circumstances
[WSS-427] - Add support for processing UsernameToken Created Dates
[WSS-433] - Specifying actions of "WSSConstants.SIGNATURE_CONFIRMATION, WSSConstants.SIGNATURE" hangs WSS4J
[WSS-436] - Outbound StaX code should fail on not finding a signature/encryption part
[WSS-437] - Error in using StaX WS-Security + CXF WS-Addressing
[WSS-439] - Error in using StaX WS-Security + CXF WS-Addressing
[WSS-442] - "Never" Token Inclustion is not handled correctly (for X.509 tokens)
[WSS-443] - Treat tokens received over TLS as "encrypted"
[WSS-446] - Enable SignatureConfirmation without a Signature
[WSS-448] - OnlySignEntireHeadersAndBody policy validation is incorrect
[WSS-449] - Receiving code can't handle the case of a Thumbprint reference to a BST in the token
[WSS-450] - Inbound Processing code fails with an Encrypted Signature
[WSS-452] - Streaming code does not support an EncryptedData security header element without a preceeding ReferenceList
[WSS-453] - "Once" Token Inclusion handling is not working
[WSS-454] - TokenProtection error
[WSS-457] - Incorrect validation of ProtectTokens assertion
[WSS-458] - Allow no security header in certain use-cases
[WSS-459] - RequiredParts + EncryptedParts policy validation not working
[WSS-462] - ProtectionOrderAssertionState.testProtectionOrder is not working
[WSS-463] - Refactor Signature + Encryption referencing
[WSS-466] - assure compatibility with the change in ehcache CacheManager's create method from version 2.5.1 to 2.5.2 and up
[WSS-468] - Symmetric Binding + EncryptBeforeSigning puts the Signature in front of the EncryptedKey
[WSS-469] - Symmetric Binding + Derived Keys is not currently working
[WSS-470] - AsymmetricBinding + ProtectTokens validation not working
[WSS-471] - AsymmetricBinding validation without IncludeTimestamp doesn't work
[WSS-472] - Incorrect Symmetric Key Derivation Length validation
[WSS-479] - Inbound streaming does not handle Symmetric Holder-Of-Key correctly
[WSS-480] - Streaming code hangs on a symmetric derived key response
[WSS-481] - Problem with EncryptSignature + EndorsingSupportingTokens
[WSS-482] - EncryptedElements + SignedElements validation not working
[WSS-484] - Streaming code can't process a Key reference pointing to an EncryptedData element
[WSS-486] - Streaming code does not process a (non-secured) SOAP Fault correctly
[WSS-487] - Certain action combinations causes WSS4J to hang
[WSS-490] - Derived Endorsing policy validation error
[WSS-491] - Problem storing custom Principals
[WSS-496] - "tests" classifier artifacts dependencies should not have compile scope
[WSS-498] - Retrieving of public key from certificates in missing for signed results in compare credential method of org.apache.wss4j.dom.saml.DOMSAMLUtil
Improvement
[WSS-383] - Allow encrypted password storage in signaturePropFile
[WSS-391] - Create a PrivateKeyPasswordCallback for retrieval of server key passwords
[WSS-403] - Use a common method for all of the P_hash implementations
[WSS-412] - Unify error messages for the streaming code
[WSS-413] - EncryptedKey security issue with streaming code
[WSS-414] - Ensure that Algorithms are checked in streaming code before they are used
[WSS-415] - Reject RSA v1.5 Key Transport Algorithm by default
[WSS-420] - Add the ability to explicitly allow/disallow UsernameTokens with no passwords
[WSS-422] - Move SAML Signature Profile Validation to the SamlAssertionValidator
[WSS-426] - Support future TTL in the StaX code for Timestamps
[WSS-438] - Support Signature Cert Constraints as per the DOM code
[WSS-447] - Add the ability to include the signing token for IssuerSerial/Thumbprint Reference cases
[WSS-489] - Extend Crypto interface with verifyTrustDirect() method
[WSS-495] - Add support to configure the digest method used for SAML Assertions
New Feature
[WSS-311] - Streaming-WebService-Security-Framework contribution/donation
[WSS-430] - Support for secured SOAP attachments
[WSS-497] - Support for SAML 2.0 EncryptedAssertion Element
Task
[WSS-342] - Refactoring
[WSS-351] - SAML work
[WSS-359] - Streaming WS-Security support
[WSS-365] - Build issues
[WSS-369] - WS-SecurityPolicy work
[WSS-405] - Support for XML Encryption 1.1 algorithms
[WSS-425] - Add + update OSGi import/export information in the new modules
[WSS-429] - Consider some @Deprecated classes in the old namespace
[WSS-432] - Support EncryptedKeySHA1 KeyIdentifier in the StaX code
[WSS-434] - Add ValueType attribute to a Signature/Encryption Reference to a DerivedKeyToken
[WSS-460] - Support RequireSignatureConfirmation policy validation
[WSS-494] - WSS4j documentation links are broken.
Release 1.6.15
=============
Bug
[WSS-491] - Problem storing custom Principals
[WSS-492] - WSS4J adds invalid wsu:Id attribute on SAML assertions
Improvement
[WSS-495] - Add support to configure the digest method used for SAML Assertions
Release 1.6.14
=============
Bug
[WSS-488] - Regression in parsing SecurityTokenReferences inside of a SAML Signature KeyInfo
Release 1.6.13
=============
Improvement
[WSS-428] - It should be possible to use the useReqSigCert even when the certificate is not sent in the request
[WSS-477] - Support the ability to create SAML2 Assertions with OneTimeUse + ProxyRestriction Conditions
[WSS-478] - Support the ability to cache SAML2 Assertions with "OneTimeUse" Conditions
[WSS-483] - wsse:Reference without ValueType
Release 1.6.12
=============
Bug
[WSS-418] - Cannot configure SAML properties in WSS4JOutInterceptor without having to add that config file in the classpath
[WSS-473] - BST signature element
[WSS-474] - Missing the 'EncodingType' attribute in element built by STRTransformUtil#createBSTX509
[WSS-475] - Issue with multiple processing of ReferenceList in EncryptedKey element
Improvement
[WSS-465] - Possible information leak: incremental IDs
[WSS-467] - Support creating SAML 2.0 Tokens with the AuthnStatement SessionNotOnOrAfter attribute.
[WSS-476] - Add the ability to configure the Signature Canonicalization Algorithm via WSHandler
Release 1.6.11
=============
Improvement
[WSS-441] - Allow the date/time in the security headers to be spoofed
Task
[WSS-434] - Add ValueType attribute to a Signature/Encryption Reference to a DerivedKeyToken
Release 1.6.10
=============
Bug
[WSS-421] - WSSecSignature does not allow access to the internal BinarySecurityToken after it is applied to the security header
[WSS-424] - Signature Element is not inserted in the correct place in the header in certain circumstances
[WSS-427] - Add support for processing UsernameToken Created Dates
[WSS-431] - Performance bottleneck in MemoryReplayCache on high load
Improvement
[WSS-420] - Add the ability to explicitly allow/disallow UsernameTokens with no passwords
[WSS-422] - Move SAML Signature Profile Validation to the SamlAssertionValidator
Release 1.6.9
=============
Bug
[WSS-417] - Cannot deploy WSS4J 1.6.8 to an OSGi container
Release 1.6.8
=============
Sub-task
[WSS-410] - Reduce dependency on xmlsec library
Bug
[WSS-231] - There is an issue with the position of the <Timestamp> element in the <Security> header when using WSS4J calling .NET Web Services with WS-Security.
[WSS-399] - WSS4J: cannot set DigestMethod for KEYTRANSPORT_RSAOEP though requested by W3C
[WSS-407] - Error when signing a SOAP Body that is encrypted with a reference to a SAML Token
[WSS-409] - explicit dependency on XMLDSigRI in WSSConfig causes java.lang.ClassNotFoundException: org.apache.jcp.xml.dsig.internal.dom.XMLDSigRI on WAS 8.5
Improvement
[WSS-404] - Store Subject from JAAS LoginContext in WSSecurityEngineResult
[WSS-406] - Add the ability to define which algorithms are acceptable when processing a security header
[WSS-411] - STRTransform does not work in certain circumstances
Release 1.6.7
=============
Bug
[WSS-392] - WSS4J can't handle SAML KeyIdentifier references to encrypted SAML Assertions stored in the cache
[WSS-393] - WSS4J is not handling KeyIdentifier inside SecurityTokenReference inside a KeyInfo
[WSS-394] - WSS4J is not handling X509Data inside SecurityTokenReference inside a KeyInfo
[WSS-396] - ConcurrentModificationException in MemoryReplayCache.processTokenExpiry
[WSS-398] - Can't create a UsernameToken without a password
Improvement
[WSS-395] - Support Certificate Constraints on the Subject DN of the certificate used for signature validation
Release 1.6.6
=============
Bug
[WSS-357] - WSS4J can't handle thumbprint/ski references to a token in the security header
[WSS-385] - UsernameToken handles long strings badly
[WSS-389] - WSS4J TimeToLive value has a maximum of 25 days
[WSS-390] - AssertionWrapper always tries to re-marshal when toDOM is called
Improvement
[WSS-387] - Support future TTL setting when processing SAML Tokens
[WSS-388] - Add support for populating SAML2 SubjectConfirmationData attributes when creating a SAML Assertion
New Feature
[WSS-380] - SAML1 AuthenticationStatement only supports AuthenticationMethod Password
Task
[WSS-358] - Record how a certificate was referenced for signature or encryption
Release 1.6.5
=============
Bug
[WSS-316] - Tests failing with: The signature or decryption was invalid
[WSS-331] - Insufficient checking of SAML Condition NotBefore/NotOnOrAfter validation dates (?)
[WSS-333] - MerlinDevice tries to load truststore of type "trustStorePassword"
[WSS-335] - SAML NotOnOrAfter Conditions not set correctly in certain circumstances
[WSS-341] - the "FIRST step" check in SignatureTrustValidator.verifyTrustInCert ignore the enableRevocation status
Improvement
[WSS-187] - Support Nonce Caching in Username Token Processing
[WSS-325] - Add support for GCM algorithms via BouncyCastle
[WSS-326] - Upgrade to Santuario 1.5.0
[WSS-329] - Support validating Conditions in the SAMLAssertionValidator.
[WSS-332] - Make Spnego Client and Service Actions pluggable
[WSS-337] - Validate SAML Assertions against schema/specs
[WSS-340] - support Certificates revocation check before encrypt on sender side
New Feature
[WSS-336] - Option for checking EncryptedData elements are covered by signature
Release 1.6.4
=============
Bug
[WSS-319] - NPE when certificate identified by SKI can't be found
[WSS-320] - ClassCastException when verifying XML signature, multiple WARs deployed to same Tomcat instance
[WSS-321] - Cannot configure for no password element expected using Spring configuration
[WSS-323] - WS-Trust 1.3 namespace not supported when looking for a BinarySecret in a SAML KeyInfo
[WSS-324] - org.apache.ws.security.str.SignatureSTRParser throws ArrayIndexOutOfBoundsException: 0 when crypto returns zero-length array of certificates
Improvement
[WSS-322] - Add the ability to set DOM Elements directly on a SAMLCallback object
[WSS-327] - Add support for obtaining and validating SPNEGO tokens.
Release 1.6.3
=============
Bug
[WSS-304] - WSSecEncryptedKey should initialize cipher using WRAP_MODE instead of ENCRYPT_MODE.
[WSS-306] - It would be nice to have WSSecEncryptedKey generate secret keys by means of KeyGenerator
[WSS-317] - SAML Assertions have invalid ID values
[WSS-318] - WsiBSPCompliant defaults to true
Improvement
[WSS-305] - Migrate to OpenSaml2 2.5.1 from 2.4.1
[WSS-307] - Support the ability to sign and encrypt message parts using a Kerberos Ticket
[WSS-309] - Improve the configurability of the SAML signature creation in AssertionWrapper
[WSS-310] - Reference and DerivedKeyToken message tokens are missing equals and hashcode methods for logical comparision
[WSS-312] - Improve logging levels
[WSS-314] - Add a Merlin configuration option to specify a default password to use to access a private key
[WSS-315] - jaasLoginModuleName methods in KerberosTokenValidator.java should be renamed to contextName
New Feature
[WSS-313] - Support UsernameToken validation against JAAS LoginModule
Release 1.6.2
=============
Bug
* [WSS-294] - Merlin doesn't support physical providers with no keystore file
* [WSS-295] - org.apache.ws.security.saml.ext.bean.AttributeBean attributeValues is not correct
* [WSS-296] - SubjectLocality is missing from AuthenticationStatementBean
* [WSS-297] - Subject Bean is missing NameID Format variable
* [WSS-299] - UsernameToken Salt Mac/Encryption Flag on Wrong End of Array
* [WSS-300] - SubjectKeyIidentifier (SKI) incorrectly calculated for 2048-bit RSA key
* [WSS-301] - WSS4J 1.6 incorrectly using XML-Security ResourceResolvers
* [WSS-302] - Unable to load keystore/truststore when it cannot be loaded from an InputStream
* [WSS-303] - Support SKI_KEY_IDENTIFIER, THUMBPRINT_IDENTIFIER, ISSUER_SERIAL when signing "sender vouches" assertions
New Feature
* [WSS-251] - Support WSS Kerberos Token Profile
Release 1.6.1
=============
Bug
* [WSS-273] - org.apache.ws.security.transform.STRTransform causes ClassCastException when wss4j is running on IBM 1.6 JVM
* [WSS-276] - Support signing a SAML Assertion using a derived key
* [WSS-280] - USE_DERIVED_KEY instead of USE_DERIVED_KEY_FOR_MAC in WSHandler
* [WSS-283] - ClassCastException when signing message with existing WSSE header containing Text as first child
* [WSS-285] - Error in SAML1.1 Conditions support
* [WSS-286] - Evidence element not present in SAML AuthzDecisionStatement
* [WSS-291] - Default to allowing Timestamps Created up to 60 seconds in the future to avoid clock skew problems
Improvement
* [WSS-275] - Use SLF4J for logging framework for 1.6
* [WSS-278] - verifyTrust in Crypto should use CRLs as well
* [WSS-284] - Improvements to wsse11:EncryptedHeader support
* [WSS-287] - No longer use keystore for truststore purposes if the latter is explicitly specified.
* [WSS-288] - Incorporating Colm's Blog entries into WSS4J documentation
* [WSS-289] - Text improvements to website pages
* [WSS-290] - Create Principals when processing SAML and BinarySecurityTokens
Release 1.6.0
=============
Bug
* [WSS-40] - WSSecurityEngine does not support chained certificates
* [WSS-81] - Compatibility between WSS4J and WebLogic 9 for Encryption
* [WSS-90] - SamlUtil.java throws XMLSecurityException when SAML SubjectConfirmation element doesn't have KeyInfo child
* [WSS-99] - JCE provider ordering on solaris
* [WSS-117] - WSS4J does not supports KeyIdentifiers to reference SAML tokens but this is allowed by the WSS specification. Integration tesitng with owsm failed.
* [WSS-136] - POM files needed in Maven repository for OpenSAML, WSS4J, and XML Security
* [WSS-147] - WCF interop issue: Security header ordering constraint
* [WSS-175] - Remove static class variables from WSHandler
* [WSS-176] - Problem with WSSecurityUtil.prependChildElement and JBossWS
* [WSS-178] - signature verification failure of signed saml token due to The Reference for URI (bst-saml-uri) has no XMLSignatureInput
* [WSS-182] - Encryption with symmetric key with encryptSymmKey set to false generates invalid xml without xenc defined
* [WSS-185] - NullPointerException on empty UsernameToken
* [WSS-196] - STRTransform not compatible with Sun's SAAJ implementation
* [WSS-198] - Problem when body is signed and then an XPath is encrypted
* [WSS-201] - Some of the processors use the wrong Crypto implementation
* [WSS-205] - WSS4J Handler passes null to MessageContext.setProperty
* [WSS-206] - The way referncelist processing of SAML issued tokens doesn't work properly and need to extract necessary information to do algorithm validation
* [WSS-209] - NPE in AbstractCrypto.getCryptoProvider()
* [WSS-210] - NPE in CryptoBase.getAliasForX509Cert(Certificate cert) if Keystore does not contain a Certifcate entry for each alias
* [WSS-211] - WSS4J does not support ThumbprintSHA1 in DerivedKeyTokens
* [WSS-212] - Replace deprecated references to getSubject/IssuerDN
* [WSS-219] - empty/blank password not supported in username token. value read by wss4j is null instead of empty string
* [WSS-220] - WSHandler is using default configuration
* [WSS-221] - UUIDGenerator generates duplicate identifiers when used in a multi-threaded environment
* [WSS-222] - SignatureProcessor does not provide correct signature coverage results with STR Dereference Transform
* [WSS-223] - Incorrect xpath set on WSDataRef when decrypting an EncryptedHeader instance.
* [WSS-224] - SAMLTokenSignedAction and WSSecSignatureSAML do not honor signature algorithm or digest algorithm from WSSHandler configuration
* [WSS-225] - 'Unprintable' characters in Distinguished Name causing comparison failure
* [WSS-226] - Interoperability b/w Java consumer of .NET Web Service with WS-Security on WSE 2.0
* [WSS-227] - CryptoBase.getPrivateKey() unable to handle empty (null) passwords
* [WSS-234] - Comment as first element in document causes NPE
* [WSS-241] - WSS4j needs to export a version in it's Export-Package directive.
* [WSS-242] - Signing EncryptedData or EncryptedKey elements creates extraneous Id attributes
* [WSS-243] - Can't use Password Digest on Z/OS
* [WSS-244] - Loading of Signature and Encryption property files not trimming trailing whitespace - Leads to ClassNotFoundException
* [WSS-245] - WSHandlerConstants.PW_CALLBACK_REF isn't correctly searched for
* [WSS-254] - Encryption/signing of multiple message parts with same name not working
* [WSS-258] - Newer version of SecureConversation not recognised for derived key algorithm
* [WSS-260] - WSS4J can't process a STR to a SAML Assertion that is not in the SOAP message
* [WSS-261] - Rampart failing to extract keyinfo from SAML assertion
* [WSS-262] - WSS4J accepts Timestamps that are "Created" in the future
* [WSS-270] - No need to ensure Crypto object is non-null for SAML signature verification using a secret key
Improvement
* [WSS-69] - maven2
* [WSS-84] - Make the use of the VM-wide keystore (lib/security/cacerts) optional
* [WSS-131] - no support for extension of SecurityHeader
* [WSS-146] - Upgrade opensaml dependency to 2.x line
* [WSS-158] - Upgrade to BouncyCastle 1.43
* [WSS-169] - Add an EncodingType attribute for a UsernameToken nonce
* [WSS-170] - SignatureAction does not set DigestAlgorithm on WSSecSignature instance
* [WSS-171] - Improve XML encryption processing
* [WSS-173] - Remove unnecessary namespace definitions
* [WSS-174] - Remove deprecated APIs
* [WSS-177] - Allow encryption using a symmetric key and EncryptedKeySHA1
* [WSS-179] - Allow signature using a symmetric key and EncryptedKeySHA1
* [WSS-180] - Support symmetric signature/encryption via configuration
* [WSS-183] - Change the UsernameTokenProcessor to validate plaintext passwords
* [WSS-184] - Specifying alternate cacerts keystore via properties?
* [WSS-186] - Move TTL validation to the TimestampProcessor
* [WSS-188] - CallbackHandler behaviour for derived keys
* [WSS-189] - Refactor signature confirmation code
* [WSS-190] - Replace all Vector references with Lists.
* [WSS-191] - Move certificate validation our of WSHandler and into SignatureProcessor
* [WSS-192] - Share code between the EncryptedKeyProcessor and the ReferenceListProcessor
* [WSS-195] - More detailed exception thrown from CryptoBase.getPrivateKey()
* [WSS-199] - Add support for WCF non-standard Username Tokens
* [WSS-202] - Upgrade to XML Security 1.4.3.
* [WSS-203] - Move trunk to use JSR-105 APIs instead of custom XML-Security APIs for XML digital signature functionality.
* [WSS-215] - SignatureProcessor is not reusing results from WSDocInfo for the Reference case.
* [WSS-216] - SignatureProcessor does not support directly referencing a SecurityContextToken
* [WSS-217] - Add ability to specify a reference to an absolute URI in the derived key functionality
* [WSS-229] - UsernameTokenProcessor should be able to act as a UsernameToken parser only and not enforce the validation of passwords
* [WSS-232] - Performance Improvement in WSSConfig
* [WSS-233] - Allow configuration of UsernameTokenSpec 1.1 derived key functionality through WSHandler
* [WSS-236] - Provide signature digest algorithm in signature processor results.
* [WSS-237] - Provide key transport algorithm in encryption processor results
* [WSS-238] - Switch to wsse:KeyIdentifier instead of wsse:Reference for SAML references within SOAP:body EncryptedData elements.
* [WSS-239] - Need ability to handle password "equivalent" between WSPasswordCallback and UsernameToken when it's binary data
* [WSS-240] - Support KeyValue in SAML subject
* [WSS-247] - Upgrade to XML Security 1.4.4
* [WSS-253] - UsernameTokenProcessor logs the password to the log
* [WSS-257] - Avoid converting the SOAP Body to DOM on the processing side if possible
* [WSS-259] - Improve outbound DOM element location
* [WSS-263] - Store secret key from signature processor
* [WSS-264] - OSGi bundle should NOT specify the universal DynamicImport-Package: *
* [WSS-266] - Provide better support for pluggable authentication/verification of security tokens
* [WSS-271] - Add support for custom validation of BinarySecurityTokens
* [WSS-274] - Add support for allowing future-dated Timestamps
New Feature
* [WSS-194] - Support overriding KeyStore alias for signature so that it can be different than user name used for UsernameToken
* [WSS-204] - Support validating SAML 2.0 tokens
* [WSS-255] - Add support for enforcing a text or digest password type when processing a UsernameToken
Task
* [WSS-246] - Upgrade to BouncyCastle 1.45
* [WSS-248] - Remove Axis1 artifacts in WSS4J 1.6
* [WSS-249] - Parameterize Collections in WSS4J 1.6
* [WSS-250] - Refactor testing
* [WSS-256] - Review Basic Security Profile and Reliable Secure Profile spec compliance
* [WSS-268] - Upload Opensaml2 artifacts, and dependencies, to Maven Central
* [WSS-269] - Refactor the Crypto interface
Test
* [WSS-172] - Test encrypted headers
Release 1.5.11
=============
Bug
* [WSS-258] - Newer version of SecureConversation not recognised for derived key algorithm
* [WSS-260] - WSS4J can't process a STR to a SAML Assertion that is not in the SOAP message
* [WSS-261] - Rampart failing to extract keyinfo from SAML assertion
* [WSS-262] - WSS4J accepts Timestamps that are "Created" in the future
Improvement
* [WSS-263] - Store secret key from signature processor
Release 1.5.10
=============
** Bug
* [WSS-40] - WSSecurityEngine does not support chained certificates
** Improvement
* [WSS-238] - Switch to wsse:KeyIdentifier instead of wsse:Reference for SAML references within SOAP:body EncryptedData elements.
* [WSS-239] - Need ability to handle password "equivalent" between WSPasswordCallback and UsernameToken when it's binary data
* [WSS-247] - Upgrade to XML Security 1.4.4
* [WSS-253] - UsernameTokenProcessor logs the password to the log
Release 1.5.9
=============
** Bug
* [WSS-205] - WSS4J Handler passes null to MessageContext.setProperty
* [WSS-206] - The way referncelist processing of SAML issued tokens doesn't work properly and need to extract necessary information to do algorithm validation
* [WSS-209] - NPE in AbstractCrypto.getCryptoProvider()
* [WSS-210] - NPE in CryptoBase.getAliasForX509Cert(Certificate cert) if Keystore does not contain a Certifcate entry for each alias
* [WSS-211] - WSS4J does not support ThumbprintSHA1 in DerivedKeyTokens
* [WSS-212] - Replace deprecated references to getSubject/IssuerDN
* [WSS-219] - empty/blank password not supported in username token. value read by wss4j is null instead of empty string
* [WSS-220] - WSHandler is using default configuration
* [WSS-221] - UUIDGenerator generates duplicate identifiers when used in a multi-threaded environment
* [WSS-222] - SignatureProcessor does not provide correct signature coverage results with STR Dereference Transform
* [WSS-223] - Incorrect xpath set on WSDataRef when decrypting an EncryptedHeader instance.
* [WSS-224] - SAMLTokenSignedAction and WSSecSignatureSAML do not honor signature algorithm or digest algorithm from WSSHandler configuration
* [WSS-225] - 'Unprintable' characters in Distinguished Name causing comparison failure
* [WSS-226] - Interoperability b/w Java consumer of .NET Web Service with WS-Security on WSE 2.0
* [WSS-227] - CryptoBase.getPrivateKey() unable to handle empty (null) passwords
* [WSS-234] - Comment as first element in document causes NPE
* [WSS-241] - WSS4j needs to export a version in it's Export-Package directive.
* [WSS-242] - Signing EncryptedData or EncryptedKey elements creates extraneous Id attributes
* [WSS-243] - Can't use Password Digest on Z/OS
* [WSS-244] - Loading of Signature and Encryption property files not trimming trailing whitespace - Leads to ClassNotFoundException
* [WSS-245] - WSHandlerConstants.PW_CALLBACK_REF isn't correctly searched for
** Improvement
* [WSS-180] - Support symmetric signature/encryption via configuration
* [WSS-214] - SignatureProcessor is not reusing results from BinarySecurityTokenProcessor or DerivedKeyTokenProcessor
* [WSS-215] - SignatureProcessor is not reusing results from WSDocInfo for the Reference case.
* [WSS-216] - SignatureProcessor does not support directly referencing a SecurityContextToken
* [WSS-217] - Add ability to specify a reference to an absolute URI in the derived key functionality
* [WSS-233] - Allow configuration of UsernameTokenSpec 1.1 derived key functionality through WSHandler
* [WSS-236] - Provide signature digest algorithm in signature processor results.
* [WSS-237] - Provide key transport algorithm in encryption processor results
* [WSS-240] - Support KeyValue in SAML subject
** New Feature
* [WSS-204] - Support validating SAML 2.0 tokens
** Task
* [WSS-246] - Upgrade to BouncyCastle 1.45
Release 1.5.8
=============
** Bug
* [WSS-147] - WCF interop issue: Security header ordering constraint
* [WSS-176] - Problem with WSSecurityUtil.prependChildElement and JBossWS
* [WSS-178] - signature verification failure of signed saml token due to The Reference for URI (bst-saml-uri) has no XMLSignatureInput
* [WSS-182] - Encryption with symmetric key with encryptSymmKey set to false generates invalid xml without xenc defined
* [WSS-196] - STRTransform not compatible with Sun's SAAJ implementation
* [WSS-198] - Problem when body is signed and then an XPath is encrypted
* [WSS-201] - Some of the processors use the wrong Crypto implementation
** Improvement
* [WSS-131] - no support for extension of SecurityHeader
* [WSS-158] - Upgrade to BouncyCastle 1.43
* [WSS-177] - Allow encryption using a symmetric key and EncryptedKeySHA1
* [WSS-179] - Allow signature using a symmetric key and EncryptedKeySHA1
* [WSS-195] - More detailed exception thrown from CryptoBase.getPrivateKey()
* [WSS-199] - Add support for WCF non-standard Username Tokens
* [WSS-202] - Upgrade to XML Security 1.4.3.
** New Feature
* [WSS-194] - Support overriding KeyStore alias for signature so that it can be different than user name used for UsernameToken
Release 1.5.7
=============
** Bug
* [WSS-90] - SamlUtil.java throws XMLSecurityException when SAML SubjectConfirmation element doesn't have KeyInfo child
* [WSS-99] - JCE provider ordering on solaris
* [WSS-117] - WSS4J does not supports KeyIdentifiers to reference SAML tokens but this is allowed by the WSS specification. Integration tesitng with owsm failed.
* [WSS-136] - POM files needed in Maven repository for OpenSAML, WSS4J, and XML Security
** Improvement
* [WSS-84] - Make the use of the VM-wide keystore (lib/security/cacerts) optional
* [WSS-169] - Add an EncodingType attribute for a UsernameToken nonce
* [WSS-170] - SignatureAction does not set DigestAlgorithm on WSSecSignature instance
** Test
* [WSS-172] - Test encrypted headers
Release 1.5.6
=============
** Bug
* [WSS-105] - Make WSS4J compliant with X.509 1.1 specification
* [WSS-162] - With SecureConv tokens, URI reference processing can strip off first char of ID....
* [WSS-163] - No way to set SC ValueType attribute for references in WSSecEncrypt
* [WSS-164] - Related to WSS-162, there isn't anyway to create a direct Reference based on identifier
* [WSS-165] - Problems verifying trusted certs if provider not specified in properties
* [WSS-168] - Verification/Decryption failure with a DN String from a different provider
** Improvement
* [WSS-143] - Better management of namespace declarations....
* [WSS-157] - Remove spurious calls to MessageDigest.reset()
* [WSS-160] - Add AccessController.doPrivileged blocks to the Loader
* [WSS-161] - Add JAX-WS handler support
* [WSS-166] - Refactor unit tests
* [WSS-167] - Apply PMD to source tree
** New Feature
* [WSS-156] - Add support for RSAKeyValue tokens/signatures (needed for WS-SecurityPolicy KeyValueToken)
Release 1.5.5
=============
** Bug
* [WSS-42] - java.lang.NoClassDefFoundError: org/apache/xml/security/encryption/XMLEncryptionException
* [WSS-60] - Problems when SOAP envelope namespace prefix is null
* [WSS-62] - the crypto file not being retrieved in the doReceiverAction method for the Saml Signed Token
* [WSS-86] - CryptoBase.splitAndTrim does not take into account the format of a DN constructed by different providers
* [WSS-87] - CryptoBase.getAliasForX509Cert(String, BigInteger) fails when issuer string contains OIDs
* [WSS-94] - Security Breach : The client certificate signature is not verified if the serial number is known in the keystore
* [WSS-111] - Some work on UsernameToken derived keys
* [WSS-121] - Bug in default value for SAML issuer class property
* [WSS-126] - SignatureProcessor:verifyXMLSignature method - Crypto object can have null values in the following scenario but it throws an Exception if the Crypto object is null
* [WSS-127] - No way of signing with UsernameToken without sending the password
* [WSS-129] - Couple places where "cause" of WSSecurityException not set
* [WSS-133] - Method and variable misspellings fixed
* [WSS-140] - WSSecEncryptedKey produces EncryptedKey element with invalid Id attribute
* [WSS-141] - handleUsernameToken gives too much information. Can be used to deternine if a username exists or not
* [WSS-142] - We ship opensaml 1.0.1 even though we use opensaml 1.1 in maven
* [WSS-149] - AbstractCrypto requires org.apache.ws.security.crypto.merlin.file to be set and point to an existing file
* [WSS-151] - Password type in UsernameToken not deserialized correctly
* [WSS-152] - Problem with processing Username Tokens with no password type
* [WSS-153] - Signature confirmation of multiple signatures doesn't work
** Improvement
* [WSS-79] - Compatibility issue with weblogic wsse
* [WSS-85] - Better exception handling in the crypto (e.g. no e.printStackTrace())
* [WSS-110] - Add OSGi entries to jar manifest.
* [WSS-118] - Support for SAML 1.1 SecurityTokenReferences in /org/apache/ws/security/processor/DerivedKeyTokenProcessor
* [WSS-122] - Some fixes for the website
* [WSS-123] - 1.5.4 requires opensaml jar, older versions did not
* [WSS-125] - Upgrade BouncyCastle version
* [WSS-128] - Use xml-sec 1.4.1 version
* [WSS-135] - Fix for minor checkstyle issues
* [WSS-137] - "Unexpected number of X509Data: for Signature" error doesn't make sense.
* [WSS-138] - Add Nabble to site mailing list page
* [WSS-145] - Problem in upgrading to xml-sec 1.4.2
* [WSS-150] - Upgrade to XALAN 2.7.1
* [WSS-154] - Allow WSSConfig injection in WSHandler and improve WSSConfig for injection of Processors instances
** New Feature
* [WSS-23] - no way to programmatically set crypto.properties
** Task
* [WSS-124] - Get maven dependencies pushed to central
* [WSS-132] - TestWSSecurityX509v1 failing
* [WSS-144] - Remove tab characters from WSS4J files
** Wish
* [WSS-75] - remove dependency on xalan because it gets in the way of trax resolution
* [WSS-91] - carriage return/line feed in the security header
Release 1.5.4
=============
** Bug
* [WSS-51] - Incorrect test for null in WSHandler
* [WSS-52] - ArrayIndexOutOfBoundsException if certs.length > 1
* [WSS-54] - UsernameTokenProcessor not processing unhashed UsernameToken
* [WSS-56] - WSS4j statically inserts Bouncycastle and Juice in list of JCE providers
* [WSS-66] - Possible security hole when PasswordDigest is used by client.
* [WSS-68] - No way to create a UsernameToken with absent <Password> element
* [WSS-70] - WSHandler checkReceiverResults causes security problem
* [WSS-82] - Add the ability to use a custom-loaded JCE provider instance instead of using the system-provided one
* [WSS-89] - Error in verifying the signature with encrypted key
* [WSS-93] - xmlsec NPE on Reference URI and ValueType attributes
* [WSS-95] - Missing NOTICE file in WSS4J release
* [WSS-96] - Error when making a signature when containing a WSSecTimestamp
* [WSS-97] - Merlin passes invalid OID to getExtensionValue
* [WSS-100] - Bug in wsse11 element creation
* [WSS-101] - Bug in Encrypted SOAP Header creation
* [WSS-103] - BinarySecurityToken processor does not allow for custom token types
* [WSS-105] - Make WSS4J compliant with X.509 1.1 specification
* [WSS-106] - Certs are expired in wss4j.keystore
* [WSS-108] - Some work on KeyIdentifiers
* [WSS-109] - Review of error handling messages
* [WSS-112] - DerivedKeyProcessor is overwritten if more derivedkeys are present in a Soap Message.
* [WSS-113] - Bug in WSHandler#getPassword
* [WSS-114] - Some test reports are deleted by intermediate tasks in the ant build
* [WSS-116] - EncryptedKeyProcessor fails to record QName of decrypted element
* [WSS-119] - Error in Singature Processor
** Improvement
* [WSS-37] - Make it easier to set key-stores programmatically
* [WSS-38] - Make it easier to set key-stores programmatically
* [WSS-74] - Allow Actions and Processors to be customizable
* [WSS-80] - Doc fixes to main WSS4J page
* [WSS-88] - SecureRandom.getInstance("SHA1PRNG") is slow on IBM JDK 1.4.2 (And perhaps others)
* [WSS-92] - Support for Encrypted Header
* [WSS-104] - Reference List processor should provide more information
* [WSS-107] - X509NameTokenizer.java contains Bouncy Castle JCE copyright code
Version prior to 1.5.4
======================
no record
Jump to Line
Something went wrong with that request. Please try again.