This file contains a listing of all Jira tickets that have been closed for a given release. Portions of this report were generated using the ReleaseNotes facility in Jira. Release 1.6.19 ============= Bug [WSS-535] - Add WSSE and WSU xmlns definitions to signature's SecurityTokenReference [WSS-536] - WSSecurityUtil.getCipherInstance() does not use configured provider [WSS-548] - logging secretKey [WSS-552] - The KerberosServiceExceptionAction and KerberosClientExceptionAction do not support HP JDK Improvement [WSS-533] - Also use signing key when trying to detect message replay attacks Release 1.6.16 ============= Bug [WSS-500] - Kerberos client/server actions are only supporting NT_HOSTBASED_SERVICE service name form [WSS-501] - Kerberos token decoder default implementation fails to extract the session when validating a ticket issued by a KDC based on Active Directory [WSS-504] - False control flow leading to warning "No Subject DN Certificate Constraints were defined. This could be a security issue" New Feature [WSS-497] - Support for SAML 2.0 EncryptedAssertion Element Release 1.6.15 ============= Bug [WSS-491] - Problem storing custom Principals [WSS-492] - WSS4J adds invalid wsu:Id attribute on SAML assertions Improvement [WSS-495] - Add support to configure the digest method used for SAML Assertions Release 1.6.14 ============= Bug [WSS-488] - Regression in parsing SecurityTokenReferences inside of a SAML Signature KeyInfo Release 1.6.13 ============= Improvement [WSS-428] - It should be possible to use the useReqSigCert even when the certificate is not sent in the request [WSS-477] - Support the ability to create SAML2 Assertions with OneTimeUse + ProxyRestriction Conditions [WSS-478] - Support the ability to cache SAML2 Assertions with "OneTimeUse" Conditions [WSS-483] - wsse:Reference without ValueType Release 1.6.12 ============= Bug [WSS-418] - Cannot configure SAML properties in WSS4JOutInterceptor without having to add that config file in the classpath [WSS-473] - BST signature element [WSS-474] - Missing the 'EncodingType' attribute in element built by STRTransformUtil#createBSTX509 [WSS-475] - Issue with multiple processing of ReferenceList in EncryptedKey element Improvement [WSS-465] - Possible information leak: incremental IDs [WSS-467] - Support creating SAML 2.0 Tokens with the AuthnStatement SessionNotOnOrAfter attribute. [WSS-476] - Add the ability to configure the Signature Canonicalization Algorithm via WSHandler Release 1.6.11 ============= Improvement [WSS-441] - Allow the date/time in the security headers to be spoofed Task [WSS-434] - Add ValueType attribute to a Signature/Encryption Reference to a DerivedKeyToken Release 1.6.10 ============= Bug [WSS-421] - WSSecSignature does not allow access to the internal BinarySecurityToken after it is applied to the security header [WSS-424] - Signature Element is not inserted in the correct place in the header in certain circumstances [WSS-427] - Add support for processing UsernameToken Created Dates [WSS-431] - Performance bottleneck in MemoryReplayCache on high load Improvement [WSS-420] - Add the ability to explicitly allow/disallow UsernameTokens with no passwords [WSS-422] - Move SAML Signature Profile Validation to the SamlAssertionValidator Release 1.6.9 ============= Bug [WSS-417] - Cannot deploy WSS4J 1.6.8 to an OSGi container Release 1.6.8 ============= Sub-task [WSS-410] - Reduce dependency on xmlsec library Bug [WSS-231] - There is an issue with the position of the element in the header when using WSS4J calling .NET Web Services with WS-Security. [WSS-399] - WSS4J: cannot set DigestMethod for KEYTRANSPORT_RSAOEP though requested by W3C [WSS-407] - Error when signing a SOAP Body that is encrypted with a reference to a SAML Token [WSS-409] - explicit dependency on XMLDSigRI in WSSConfig causes java.lang.ClassNotFoundException: org.apache.jcp.xml.dsig.internal.dom.XMLDSigRI on WAS 8.5 Improvement [WSS-404] - Store Subject from JAAS LoginContext in WSSecurityEngineResult [WSS-406] - Add the ability to define which algorithms are acceptable when processing a security header [WSS-411] - STRTransform does not work in certain circumstances Release 1.6.7 ============= Bug [WSS-392] - WSS4J can't handle SAML KeyIdentifier references to encrypted SAML Assertions stored in the cache [WSS-393] - WSS4J is not handling KeyIdentifier inside SecurityTokenReference inside a KeyInfo [WSS-394] - WSS4J is not handling X509Data inside SecurityTokenReference inside a KeyInfo [WSS-396] - ConcurrentModificationException in MemoryReplayCache.processTokenExpiry [WSS-398] - Can't create a UsernameToken without a password Improvement [WSS-395] - Support Certificate Constraints on the Subject DN of the certificate used for signature validation Release 1.6.6 ============= Bug [WSS-357] - WSS4J can't handle thumbprint/ski references to a token in the security header [WSS-385] - UsernameToken handles long strings badly [WSS-389] - WSS4J TimeToLive value has a maximum of 25 days [WSS-390] - AssertionWrapper always tries to re-marshal when toDOM is called Improvement [WSS-387] - Support future TTL setting when processing SAML Tokens [WSS-388] - Add support for populating SAML2 SubjectConfirmationData attributes when creating a SAML Assertion New Feature [WSS-380] - SAML1 AuthenticationStatement only supports AuthenticationMethod Password Task [WSS-358] - Record how a certificate was referenced for signature or encryption Release 1.6.5 ============= Bug [WSS-316] - Tests failing with: The signature or decryption was invalid [WSS-331] - Insufficient checking of SAML Condition NotBefore/NotOnOrAfter validation dates (?) [WSS-333] - MerlinDevice tries to load truststore of type "trustStorePassword" [WSS-335] - SAML NotOnOrAfter Conditions not set correctly in certain circumstances [WSS-341] - the "FIRST step" check in SignatureTrustValidator.verifyTrustInCert ignore the enableRevocation status Improvement [WSS-187] - Support Nonce Caching in Username Token Processing [WSS-325] - Add support for GCM algorithms via BouncyCastle [WSS-326] - Upgrade to Santuario 1.5.0 [WSS-329] - Support validating Conditions in the SAMLAssertionValidator. [WSS-332] - Make Spnego Client and Service Actions pluggable [WSS-337] - Validate SAML Assertions against schema/specs [WSS-340] - support Certificates revocation check before encrypt on sender side New Feature [WSS-336] - Option for checking EncryptedData elements are covered by signature Release 1.6.4 ============= Bug [WSS-319] - NPE when certificate identified by SKI can't be found [WSS-320] - ClassCastException when verifying XML signature, multiple WARs deployed to same Tomcat instance [WSS-321] - Cannot configure for no password element expected using Spring configuration [WSS-323] - WS-Trust 1.3 namespace not supported when looking for a BinarySecret in a SAML KeyInfo [WSS-324] - org.apache.ws.security.str.SignatureSTRParser throws ArrayIndexOutOfBoundsException: 0 when crypto returns zero-length array of certificates Improvement [WSS-322] - Add the ability to set DOM Elements directly on a SAMLCallback object [WSS-327] - Add support for obtaining and validating SPNEGO tokens. Release 1.6.3 ============= Bug [WSS-304] - WSSecEncryptedKey should initialize cipher using WRAP_MODE instead of ENCRYPT_MODE. [WSS-306] - It would be nice to have WSSecEncryptedKey generate secret keys by means of KeyGenerator [WSS-317] - SAML Assertions have invalid ID values [WSS-318] - WsiBSPCompliant defaults to true Improvement [WSS-305] - Migrate to OpenSaml2 2.5.1 from 2.4.1 [WSS-307] - Support the ability to sign and encrypt message parts using a Kerberos Ticket [WSS-309] - Improve the configurability of the SAML signature creation in AssertionWrapper [WSS-310] - Reference and DerivedKeyToken message tokens are missing equals and hashcode methods for logical comparision [WSS-312] - Improve logging levels [WSS-314] - Add a Merlin configuration option to specify a default password to use to access a private key [WSS-315] - jaasLoginModuleName methods in KerberosTokenValidator.java should be renamed to contextName New Feature [WSS-313] - Support UsernameToken validation against JAAS LoginModule Release 1.6.2 ============= Bug * [WSS-294] - Merlin doesn't support physical providers with no keystore file * [WSS-295] - org.apache.ws.security.saml.ext.bean.AttributeBean attributeValues is not correct * [WSS-296] - SubjectLocality is missing from AuthenticationStatementBean * [WSS-297] - Subject Bean is missing NameID Format variable * [WSS-299] - UsernameToken Salt Mac/Encryption Flag on Wrong End of Array * [WSS-300] - SubjectKeyIidentifier (SKI) incorrectly calculated for 2048-bit RSA key * [WSS-301] - WSS4J 1.6 incorrectly using XML-Security ResourceResolvers * [WSS-302] - Unable to load keystore/truststore when it cannot be loaded from an InputStream * [WSS-303] - Support SKI_KEY_IDENTIFIER, THUMBPRINT_IDENTIFIER, ISSUER_SERIAL when signing "sender vouches" assertions New Feature * [WSS-251] - Support WSS Kerberos Token Profile Release 1.6.1 ============= Bug * [WSS-273] - org.apache.ws.security.transform.STRTransform causes ClassCastException when wss4j is running on IBM 1.6 JVM * [WSS-276] - Support signing a SAML Assertion using a derived key * [WSS-280] - USE_DERIVED_KEY instead of USE_DERIVED_KEY_FOR_MAC in WSHandler * [WSS-283] - ClassCastException when signing message with existing WSSE header containing Text as first child * [WSS-285] - Error in SAML1.1 Conditions support * [WSS-286] - Evidence element not present in SAML AuthzDecisionStatement * [WSS-291] - Default to allowing Timestamps Created up to 60 seconds in the future to avoid clock skew problems Improvement * [WSS-275] - Use SLF4J for logging framework for 1.6 * [WSS-278] - verifyTrust in Crypto should use CRLs as well * [WSS-284] - Improvements to wsse11:EncryptedHeader support * [WSS-287] - No longer use keystore for truststore purposes if the latter is explicitly specified. * [WSS-288] - Incorporating Colm's Blog entries into WSS4J documentation * [WSS-289] - Text improvements to website pages * [WSS-290] - Create Principals when processing SAML and BinarySecurityTokens Release 1.6.0 ============= Bug * [WSS-40] - WSSecurityEngine does not support chained certificates * [WSS-81] - Compatibility between WSS4J and WebLogic 9 for Encryption * [WSS-90] - SamlUtil.java throws XMLSecurityException when SAML SubjectConfirmation element doesn't have KeyInfo child * [WSS-99] - JCE provider ordering on solaris * [WSS-117] - WSS4J does not supports KeyIdentifiers to reference SAML tokens but this is allowed by the WSS specification. Integration tesitng with owsm failed. * [WSS-136] - POM files needed in Maven repository for OpenSAML, WSS4J, and XML Security * [WSS-147] - WCF interop issue: Security header ordering constraint * [WSS-175] - Remove static class variables from WSHandler * [WSS-176] - Problem with WSSecurityUtil.prependChildElement and JBossWS * [WSS-178] - signature verification failure of signed saml token due to The Reference for URI (bst-saml-uri) has no XMLSignatureInput * [WSS-182] - Encryption with symmetric key with encryptSymmKey set to false generates invalid xml without xenc defined * [WSS-185] - NullPointerException on empty UsernameToken * [WSS-196] - STRTransform not compatible with Sun's SAAJ implementation * [WSS-198] - Problem when body is signed and then an XPath is encrypted * [WSS-201] - Some of the processors use the wrong Crypto implementation * [WSS-205] - WSS4J Handler passes null to MessageContext.setProperty * [WSS-206] - The way referncelist processing of SAML issued tokens doesn't work properly and need to extract necessary information to do algorithm validation * [WSS-209] - NPE in AbstractCrypto.getCryptoProvider() * [WSS-210] - NPE in CryptoBase.getAliasForX509Cert(Certificate cert) if Keystore does not contain a Certifcate entry for each alias * [WSS-211] - WSS4J does not support ThumbprintSHA1 in DerivedKeyTokens * [WSS-212] - Replace deprecated references to getSubject/IssuerDN * [WSS-219] - empty/blank password not supported in username token. value read by wss4j is null instead of empty string * [WSS-220] - WSHandler is using default configuration * [WSS-221] - UUIDGenerator generates duplicate identifiers when used in a multi-threaded environment * [WSS-222] - SignatureProcessor does not provide correct signature coverage results with STR Dereference Transform * [WSS-223] - Incorrect xpath set on WSDataRef when decrypting an EncryptedHeader instance. * [WSS-224] - SAMLTokenSignedAction and WSSecSignatureSAML do not honor signature algorithm or digest algorithm from WSSHandler configuration * [WSS-225] - 'Unprintable' characters in Distinguished Name causing comparison failure * [WSS-226] - Interoperability b/w Java consumer of .NET Web Service with WS-Security on WSE 2.0 * [WSS-227] - CryptoBase.getPrivateKey() unable to handle empty (null) passwords * [WSS-234] - Comment as first element in document causes NPE * [WSS-241] - WSS4j needs to export a version in it's Export-Package directive. * [WSS-242] - Signing EncryptedData or EncryptedKey elements creates extraneous Id attributes * [WSS-243] - Can't use Password Digest on Z/OS * [WSS-244] - Loading of Signature and Encryption property files not trimming trailing whitespace - Leads to ClassNotFoundException * [WSS-245] - WSHandlerConstants.PW_CALLBACK_REF isn't correctly searched for * [WSS-254] - Encryption/signing of multiple message parts with same name not working * [WSS-258] - Newer version of SecureConversation not recognised for derived key algorithm * [WSS-260] - WSS4J can't process a STR to a SAML Assertion that is not in the SOAP message * [WSS-261] - Rampart failing to extract keyinfo from SAML assertion * [WSS-262] - WSS4J accepts Timestamps that are "Created" in the future * [WSS-270] - No need to ensure Crypto object is non-null for SAML signature verification using a secret key Improvement * [WSS-69] - maven2 * [WSS-84] - Make the use of the VM-wide keystore (lib/security/cacerts) optional * [WSS-131] - no support for extension of SecurityHeader * [WSS-146] - Upgrade opensaml dependency to 2.x line * [WSS-158] - Upgrade to BouncyCastle 1.43 * [WSS-169] - Add an EncodingType attribute for a UsernameToken nonce * [WSS-170] - SignatureAction does not set DigestAlgorithm on WSSecSignature instance * [WSS-171] - Improve XML encryption processing * [WSS-173] - Remove unnecessary namespace definitions * [WSS-174] - Remove deprecated APIs * [WSS-177] - Allow encryption using a symmetric key and EncryptedKeySHA1 * [WSS-179] - Allow signature using a symmetric key and EncryptedKeySHA1 * [WSS-180] - Support symmetric signature/encryption via configuration * [WSS-183] - Change the UsernameTokenProcessor to validate plaintext passwords * [WSS-184] - Specifying alternate cacerts keystore via properties? * [WSS-186] - Move TTL validation to the TimestampProcessor * [WSS-188] - CallbackHandler behaviour for derived keys * [WSS-189] - Refactor signature confirmation code * [WSS-190] - Replace all Vector references with Lists. * [WSS-191] - Move certificate validation our of WSHandler and into SignatureProcessor * [WSS-192] - Share code between the EncryptedKeyProcessor and the ReferenceListProcessor * [WSS-195] - More detailed exception thrown from CryptoBase.getPrivateKey() * [WSS-199] - Add support for WCF non-standard Username Tokens * [WSS-202] - Upgrade to XML Security 1.4.3. * [WSS-203] - Move trunk to use JSR-105 APIs instead of custom XML-Security APIs for XML digital signature functionality. * [WSS-215] - SignatureProcessor is not reusing results from WSDocInfo for the Reference case. * [WSS-216] - SignatureProcessor does not support directly referencing a SecurityContextToken * [WSS-217] - Add ability to specify a reference to an absolute URI in the derived key functionality * [WSS-229] - UsernameTokenProcessor should be able to act as a UsernameToken parser only and not enforce the validation of passwords * [WSS-232] - Performance Improvement in WSSConfig * [WSS-233] - Allow configuration of UsernameTokenSpec 1.1 derived key functionality through WSHandler * [WSS-236] - Provide signature digest algorithm in signature processor results. * [WSS-237] - Provide key transport algorithm in encryption processor results * [WSS-238] - Switch to wsse:KeyIdentifier instead of wsse:Reference for SAML references within SOAP:body EncryptedData elements. * [WSS-239] - Need ability to handle password "equivalent" between WSPasswordCallback and UsernameToken when it's binary data * [WSS-240] - Support KeyValue in SAML subject * [WSS-247] - Upgrade to XML Security 1.4.4 * [WSS-253] - UsernameTokenProcessor logs the password to the log * [WSS-257] - Avoid converting the SOAP Body to DOM on the processing side if possible * [WSS-259] - Improve outbound DOM element location * [WSS-263] - Store secret key from signature processor * [WSS-264] - OSGi bundle should NOT specify the universal DynamicImport-Package: * * [WSS-266] - Provide better support for pluggable authentication/verification of security tokens * [WSS-271] - Add support for custom validation of BinarySecurityTokens * [WSS-274] - Add support for allowing future-dated Timestamps New Feature * [WSS-194] - Support overriding KeyStore alias for signature so that it can be different than user name used for UsernameToken * [WSS-204] - Support validating SAML 2.0 tokens * [WSS-255] - Add support for enforcing a text or digest password type when processing a UsernameToken Task * [WSS-246] - Upgrade to BouncyCastle 1.45 * [WSS-248] - Remove Axis1 artifacts in WSS4J 1.6 * [WSS-249] - Parameterize Collections in WSS4J 1.6 * [WSS-250] - Refactor testing * [WSS-256] - Review Basic Security Profile and Reliable Secure Profile spec compliance * [WSS-268] - Upload Opensaml2 artifacts, and dependencies, to Maven Central * [WSS-269] - Refactor the Crypto interface Test * [WSS-172] - Test encrypted headers Release 1.5.11 ============= Bug * [WSS-258] - Newer version of SecureConversation not recognised for derived key algorithm * [WSS-260] - WSS4J can't process a STR to a SAML Assertion that is not in the SOAP message * [WSS-261] - Rampart failing to extract keyinfo from SAML assertion * [WSS-262] - WSS4J accepts Timestamps that are "Created" in the future Improvement * [WSS-263] - Store secret key from signature processor Release 1.5.10 ============= ** Bug * [WSS-40] - WSSecurityEngine does not support chained certificates ** Improvement * [WSS-238] - Switch to wsse:KeyIdentifier instead of wsse:Reference for SAML references within SOAP:body EncryptedData elements. * [WSS-239] - Need ability to handle password "equivalent" between WSPasswordCallback and UsernameToken when it's binary data * [WSS-247] - Upgrade to XML Security 1.4.4 * [WSS-253] - UsernameTokenProcessor logs the password to the log Release 1.5.9 ============= ** Bug * [WSS-205] - WSS4J Handler passes null to MessageContext.setProperty * [WSS-206] - The way referncelist processing of SAML issued tokens doesn't work properly and need to extract necessary information to do algorithm validation * [WSS-209] - NPE in AbstractCrypto.getCryptoProvider() * [WSS-210] - NPE in CryptoBase.getAliasForX509Cert(Certificate cert) if Keystore does not contain a Certifcate entry for each alias * [WSS-211] - WSS4J does not support ThumbprintSHA1 in DerivedKeyTokens * [WSS-212] - Replace deprecated references to getSubject/IssuerDN * [WSS-219] - empty/blank password not supported in username token. value read by wss4j is null instead of empty string * [WSS-220] - WSHandler is using default configuration * [WSS-221] - UUIDGenerator generates duplicate identifiers when used in a multi-threaded environment * [WSS-222] - SignatureProcessor does not provide correct signature coverage results with STR Dereference Transform * [WSS-223] - Incorrect xpath set on WSDataRef when decrypting an EncryptedHeader instance. * [WSS-224] - SAMLTokenSignedAction and WSSecSignatureSAML do not honor signature algorithm or digest algorithm from WSSHandler configuration * [WSS-225] - 'Unprintable' characters in Distinguished Name causing comparison failure * [WSS-226] - Interoperability b/w Java consumer of .NET Web Service with WS-Security on WSE 2.0 * [WSS-227] - CryptoBase.getPrivateKey() unable to handle empty (null) passwords * [WSS-234] - Comment as first element in document causes NPE * [WSS-241] - WSS4j needs to export a version in it's Export-Package directive. * [WSS-242] - Signing EncryptedData or EncryptedKey elements creates extraneous Id attributes * [WSS-243] - Can't use Password Digest on Z/OS * [WSS-244] - Loading of Signature and Encryption property files not trimming trailing whitespace - Leads to ClassNotFoundException * [WSS-245] - WSHandlerConstants.PW_CALLBACK_REF isn't correctly searched for ** Improvement * [WSS-180] - Support symmetric signature/encryption via configuration * [WSS-214] - SignatureProcessor is not reusing results from BinarySecurityTokenProcessor or DerivedKeyTokenProcessor * [WSS-215] - SignatureProcessor is not reusing results from WSDocInfo for the Reference case. * [WSS-216] - SignatureProcessor does not support directly referencing a SecurityContextToken * [WSS-217] - Add ability to specify a reference to an absolute URI in the derived key functionality * [WSS-233] - Allow configuration of UsernameTokenSpec 1.1 derived key functionality through WSHandler * [WSS-236] - Provide signature digest algorithm in signature processor results. * [WSS-237] - Provide key transport algorithm in encryption processor results * [WSS-240] - Support KeyValue in SAML subject ** New Feature * [WSS-204] - Support validating SAML 2.0 tokens ** Task * [WSS-246] - Upgrade to BouncyCastle 1.45 Release 1.5.8 ============= ** Bug * [WSS-147] - WCF interop issue: Security header ordering constraint * [WSS-176] - Problem with WSSecurityUtil.prependChildElement and JBossWS * [WSS-178] - signature verification failure of signed saml token due to The Reference for URI (bst-saml-uri) has no XMLSignatureInput * [WSS-182] - Encryption with symmetric key with encryptSymmKey set to false generates invalid xml without xenc defined * [WSS-196] - STRTransform not compatible with Sun's SAAJ implementation * [WSS-198] - Problem when body is signed and then an XPath is encrypted * [WSS-201] - Some of the processors use the wrong Crypto implementation ** Improvement * [WSS-131] - no support for extension of SecurityHeader * [WSS-158] - Upgrade to BouncyCastle 1.43 * [WSS-177] - Allow encryption using a symmetric key and EncryptedKeySHA1 * [WSS-179] - Allow signature using a symmetric key and EncryptedKeySHA1 * [WSS-195] - More detailed exception thrown from CryptoBase.getPrivateKey() * [WSS-199] - Add support for WCF non-standard Username Tokens * [WSS-202] - Upgrade to XML Security 1.4.3. ** New Feature * [WSS-194] - Support overriding KeyStore alias for signature so that it can be different than user name used for UsernameToken Release 1.5.7 ============= ** Bug * [WSS-90] - SamlUtil.java throws XMLSecurityException when SAML SubjectConfirmation element doesn't have KeyInfo child * [WSS-99] - JCE provider ordering on solaris * [WSS-117] - WSS4J does not supports KeyIdentifiers to reference SAML tokens but this is allowed by the WSS specification. Integration tesitng with owsm failed. * [WSS-136] - POM files needed in Maven repository for OpenSAML, WSS4J, and XML Security ** Improvement * [WSS-84] - Make the use of the VM-wide keystore (lib/security/cacerts) optional * [WSS-169] - Add an EncodingType attribute for a UsernameToken nonce * [WSS-170] - SignatureAction does not set DigestAlgorithm on WSSecSignature instance ** Test * [WSS-172] - Test encrypted headers Release 1.5.6 ============= ** Bug * [WSS-105] - Make WSS4J compliant with X.509 1.1 specification * [WSS-162] - With SecureConv tokens, URI reference processing can strip off first char of ID.... * [WSS-163] - No way to set SC ValueType attribute for references in WSSecEncrypt * [WSS-164] - Related to WSS-162, there isn't anyway to create a direct Reference based on identifier * [WSS-165] - Problems verifying trusted certs if provider not specified in properties * [WSS-168] - Verification/Decryption failure with a DN String from a different provider ** Improvement * [WSS-143] - Better management of namespace declarations.... * [WSS-157] - Remove spurious calls to MessageDigest.reset() * [WSS-160] - Add AccessController.doPrivileged blocks to the Loader * [WSS-161] - Add JAX-WS handler support * [WSS-166] - Refactor unit tests * [WSS-167] - Apply PMD to source tree ** New Feature * [WSS-156] - Add support for RSAKeyValue tokens/signatures (needed for WS-SecurityPolicy KeyValueToken) Release 1.5.5 ============= ** Bug * [WSS-42] - java.lang.NoClassDefFoundError: org/apache/xml/security/encryption/XMLEncryptionException * [WSS-60] - Problems when SOAP envelope namespace prefix is null * [WSS-62] - the crypto file not being retrieved in the doReceiverAction method for the Saml Signed Token * [WSS-86] - CryptoBase.splitAndTrim does not take into account the format of a DN constructed by different providers * [WSS-87] - CryptoBase.getAliasForX509Cert(String, BigInteger) fails when issuer string contains OIDs * [WSS-94] - Security Breach : The client certificate signature is not verified if the serial number is known in the keystore * [WSS-111] - Some work on UsernameToken derived keys * [WSS-121] - Bug in default value for SAML issuer class property * [WSS-126] - SignatureProcessor:verifyXMLSignature method - Crypto object can have null values in the following scenario but it throws an Exception if the Crypto object is null * [WSS-127] - No way of signing with UsernameToken without sending the password * [WSS-129] - Couple places where "cause" of WSSecurityException not set * [WSS-133] - Method and variable misspellings fixed * [WSS-140] - WSSecEncryptedKey produces EncryptedKey element with invalid Id attribute * [WSS-141] - handleUsernameToken gives too much information. Can be used to deternine if a username exists or not * [WSS-142] - We ship opensaml 1.0.1 even though we use opensaml 1.1 in maven * [WSS-149] - AbstractCrypto requires org.apache.ws.security.crypto.merlin.file to be set and point to an existing file * [WSS-151] - Password type in UsernameToken not deserialized correctly * [WSS-152] - Problem with processing Username Tokens with no password type * [WSS-153] - Signature confirmation of multiple signatures doesn't work ** Improvement * [WSS-79] - Compatibility issue with weblogic wsse * [WSS-85] - Better exception handling in the crypto (e.g. no e.printStackTrace()) * [WSS-110] - Add OSGi entries to jar manifest. * [WSS-118] - Support for SAML 1.1 SecurityTokenReferences in /org/apache/ws/security/processor/DerivedKeyTokenProcessor * [WSS-122] - Some fixes for the website * [WSS-123] - 1.5.4 requires opensaml jar, older versions did not * [WSS-125] - Upgrade BouncyCastle version * [WSS-128] - Use xml-sec 1.4.1 version * [WSS-135] - Fix for minor checkstyle issues * [WSS-137] - "Unexpected number of X509Data: for Signature" error doesn't make sense. * [WSS-138] - Add Nabble to site mailing list page * [WSS-145] - Problem in upgrading to xml-sec 1.4.2 * [WSS-150] - Upgrade to XALAN 2.7.1 * [WSS-154] - Allow WSSConfig injection in WSHandler and improve WSSConfig for injection of Processors instances ** New Feature * [WSS-23] - no way to programmatically set crypto.properties ** Task * [WSS-124] - Get maven dependencies pushed to central * [WSS-132] - TestWSSecurityX509v1 failing * [WSS-144] - Remove tab characters from WSS4J files ** Wish * [WSS-75] - remove dependency on xalan because it gets in the way of trax resolution * [WSS-91] - carriage return/line feed in the security header Release 1.5.4 ============= ** Bug * [WSS-51] - Incorrect test for null in WSHandler * [WSS-52] - ArrayIndexOutOfBoundsException if certs.length > 1 * [WSS-54] - UsernameTokenProcessor not processing unhashed UsernameToken * [WSS-56] - WSS4j statically inserts Bouncycastle and Juice in list of JCE providers * [WSS-66] - Possible security hole when PasswordDigest is used by client. * [WSS-68] - No way to create a UsernameToken with absent element * [WSS-70] - WSHandler checkReceiverResults causes security problem * [WSS-82] - Add the ability to use a custom-loaded JCE provider instance instead of using the system-provided one * [WSS-89] - Error in verifying the signature with encrypted key * [WSS-93] - xmlsec NPE on Reference URI and ValueType attributes * [WSS-95] - Missing NOTICE file in WSS4J release * [WSS-96] - Error when making a signature when containing a WSSecTimestamp * [WSS-97] - Merlin passes invalid OID to getExtensionValue * [WSS-100] - Bug in wsse11 element creation * [WSS-101] - Bug in Encrypted SOAP Header creation * [WSS-103] - BinarySecurityToken processor does not allow for custom token types * [WSS-105] - Make WSS4J compliant with X.509 1.1 specification * [WSS-106] - Certs are expired in wss4j.keystore * [WSS-108] - Some work on KeyIdentifiers * [WSS-109] - Review of error handling messages * [WSS-112] - DerivedKeyProcessor is overwritten if more derivedkeys are present in a Soap Message. * [WSS-113] - Bug in WSHandler#getPassword * [WSS-114] - Some test reports are deleted by intermediate tasks in the ant build * [WSS-116] - EncryptedKeyProcessor fails to record QName of decrypted element * [WSS-119] - Error in Singature Processor ** Improvement * [WSS-37] - Make it easier to set key-stores programmatically * [WSS-38] - Make it easier to set key-stores programmatically * [WSS-74] - Allow Actions and Processors to be customizable * [WSS-80] - Doc fixes to main WSS4J page * [WSS-88] - SecureRandom.getInstance("SHA1PRNG") is slow on IBM JDK 1.4.2 (And perhaps others) * [WSS-92] - Support for Encrypted Header * [WSS-104] - Reference List processor should provide more information * [WSS-107] - X509NameTokenizer.java contains Bouncy Castle JCE copyright code Version prior to 1.5.4 ====================== no record