1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
|
This file contains a listing of all Jira tickets that have been closed
for a given release.
Portions of this report were generated using the ReleaseNotes facility
in Jira.
Release 1.6.19
=============
Bug
[WSS-535] - Add WSSE and WSU xmlns definitions to signature's SecurityTokenReference
[WSS-536] - WSSecurityUtil.getCipherInstance() does not use configured provider
[WSS-548] - logging secretKey
[WSS-552] - The KerberosServiceExceptionAction and KerberosClientExceptionAction do not support HP JDK
Improvement
[WSS-533] - Also use signing key when trying to detect message replay attacks
Release 1.6.16
=============
Bug
[WSS-500] - Kerberos client/server actions are only supporting NT_HOSTBASED_SERVICE service name form
[WSS-501] - Kerberos token decoder default implementation fails to extract the session when validating a ticket issued by a KDC based on Active Directory
[WSS-504] - False control flow leading to warning "No Subject DN Certificate Constraints were defined. This could be a security issue"
New Feature
[WSS-497] - Support for SAML 2.0 EncryptedAssertion Element
Release 1.6.15
=============
Bug
[WSS-491] - Problem storing custom Principals
[WSS-492] - WSS4J adds invalid wsu:Id attribute on SAML assertions
Improvement
[WSS-495] - Add support to configure the digest method used for SAML Assertions
Release 1.6.14
=============
Bug
[WSS-488] - Regression in parsing SecurityTokenReferences inside of a SAML Signature KeyInfo
Release 1.6.13
=============
Improvement
[WSS-428] - It should be possible to use the useReqSigCert even when the certificate is not sent in the request
[WSS-477] - Support the ability to create SAML2 Assertions with OneTimeUse + ProxyRestriction Conditions
[WSS-478] - Support the ability to cache SAML2 Assertions with "OneTimeUse" Conditions
[WSS-483] - wsse:Reference without ValueType
Release 1.6.12
=============
Bug
[WSS-418] - Cannot configure SAML properties in WSS4JOutInterceptor without having to add that config file in the classpath
[WSS-473] - BST signature element
[WSS-474] - Missing the 'EncodingType' attribute in element built by STRTransformUtil#createBSTX509
[WSS-475] - Issue with multiple processing of ReferenceList in EncryptedKey element
Improvement
[WSS-465] - Possible information leak: incremental IDs
[WSS-467] - Support creating SAML 2.0 Tokens with the AuthnStatement SessionNotOnOrAfter attribute.
[WSS-476] - Add the ability to configure the Signature Canonicalization Algorithm via WSHandler
Release 1.6.11
=============
Improvement
[WSS-441] - Allow the date/time in the security headers to be spoofed
Task
[WSS-434] - Add ValueType attribute to a Signature/Encryption Reference to a DerivedKeyToken
Release 1.6.10
=============
Bug
[WSS-421] - WSSecSignature does not allow access to the internal BinarySecurityToken after it is applied to the security header
[WSS-424] - Signature Element is not inserted in the correct place in the header in certain circumstances
[WSS-427] - Add support for processing UsernameToken Created Dates
[WSS-431] - Performance bottleneck in MemoryReplayCache on high load
Improvement
[WSS-420] - Add the ability to explicitly allow/disallow UsernameTokens with no passwords
[WSS-422] - Move SAML Signature Profile Validation to the SamlAssertionValidator
Release 1.6.9
=============
Bug
[WSS-417] - Cannot deploy WSS4J 1.6.8 to an OSGi container
Release 1.6.8
=============
Sub-task
[WSS-410] - Reduce dependency on xmlsec library
Bug
[WSS-231] - There is an issue with the position of the <Timestamp> element in the <Security> header when using WSS4J calling .NET Web Services with WS-Security.
[WSS-399] - WSS4J: cannot set DigestMethod for KEYTRANSPORT_RSAOEP though requested by W3C
[WSS-407] - Error when signing a SOAP Body that is encrypted with a reference to a SAML Token
[WSS-409] - explicit dependency on XMLDSigRI in WSSConfig causes java.lang.ClassNotFoundException: org.apache.jcp.xml.dsig.internal.dom.XMLDSigRI on WAS 8.5
Improvement
[WSS-404] - Store Subject from JAAS LoginContext in WSSecurityEngineResult
[WSS-406] - Add the ability to define which algorithms are acceptable when processing a security header
[WSS-411] - STRTransform does not work in certain circumstances
Release 1.6.7
=============
Bug
[WSS-392] - WSS4J can't handle SAML KeyIdentifier references to encrypted SAML Assertions stored in the cache
[WSS-393] - WSS4J is not handling KeyIdentifier inside SecurityTokenReference inside a KeyInfo
[WSS-394] - WSS4J is not handling X509Data inside SecurityTokenReference inside a KeyInfo
[WSS-396] - ConcurrentModificationException in MemoryReplayCache.processTokenExpiry
[WSS-398] - Can't create a UsernameToken without a password
Improvement
[WSS-395] - Support Certificate Constraints on the Subject DN of the certificate used for signature validation
Release 1.6.6
=============
Bug
[WSS-357] - WSS4J can't handle thumbprint/ski references to a token in the security header
[WSS-385] - UsernameToken handles long strings badly
[WSS-389] - WSS4J TimeToLive value has a maximum of 25 days
[WSS-390] - AssertionWrapper always tries to re-marshal when toDOM is called
Improvement
[WSS-387] - Support future TTL setting when processing SAML Tokens
[WSS-388] - Add support for populating SAML2 SubjectConfirmationData attributes when creating a SAML Assertion
New Feature
[WSS-380] - SAML1 AuthenticationStatement only supports AuthenticationMethod Password
Task
[WSS-358] - Record how a certificate was referenced for signature or encryption
Release 1.6.5
=============
Bug
[WSS-316] - Tests failing with: The signature or decryption was invalid
[WSS-331] - Insufficient checking of SAML Condition NotBefore/NotOnOrAfter validation dates (?)
[WSS-333] - MerlinDevice tries to load truststore of type "trustStorePassword"
[WSS-335] - SAML NotOnOrAfter Conditions not set correctly in certain circumstances
[WSS-341] - the "FIRST step" check in SignatureTrustValidator.verifyTrustInCert ignore the enableRevocation status
Improvement
[WSS-187] - Support Nonce Caching in Username Token Processing
[WSS-325] - Add support for GCM algorithms via BouncyCastle
[WSS-326] - Upgrade to Santuario 1.5.0
[WSS-329] - Support validating Conditions in the SAMLAssertionValidator.
[WSS-332] - Make Spnego Client and Service Actions pluggable
[WSS-337] - Validate SAML Assertions against schema/specs
[WSS-340] - support Certificates revocation check before encrypt on sender side
New Feature
[WSS-336] - Option for checking EncryptedData elements are covered by signature
Release 1.6.4
=============
Bug
[WSS-319] - NPE when certificate identified by SKI can't be found
[WSS-320] - ClassCastException when verifying XML signature, multiple WARs deployed to same Tomcat instance
[WSS-321] - Cannot configure for no password element expected using Spring configuration
[WSS-323] - WS-Trust 1.3 namespace not supported when looking for a BinarySecret in a SAML KeyInfo
[WSS-324] - org.apache.ws.security.str.SignatureSTRParser throws ArrayIndexOutOfBoundsException: 0 when crypto returns zero-length array of certificates
Improvement
[WSS-322] - Add the ability to set DOM Elements directly on a SAMLCallback object
[WSS-327] - Add support for obtaining and validating SPNEGO tokens.
Release 1.6.3
=============
Bug
[WSS-304] - WSSecEncryptedKey should initialize cipher using WRAP_MODE instead of ENCRYPT_MODE.
[WSS-306] - It would be nice to have WSSecEncryptedKey generate secret keys by means of KeyGenerator
[WSS-317] - SAML Assertions have invalid ID values
[WSS-318] - WsiBSPCompliant defaults to true
Improvement
[WSS-305] - Migrate to OpenSaml2 2.5.1 from 2.4.1
[WSS-307] - Support the ability to sign and encrypt message parts using a Kerberos Ticket
[WSS-309] - Improve the configurability of the SAML signature creation in AssertionWrapper
[WSS-310] - Reference and DerivedKeyToken message tokens are missing equals and hashcode methods for logical comparision
[WSS-312] - Improve logging levels
[WSS-314] - Add a Merlin configuration option to specify a default password to use to access a private key
[WSS-315] - jaasLoginModuleName methods in KerberosTokenValidator.java should be renamed to contextName
New Feature
[WSS-313] - Support UsernameToken validation against JAAS LoginModule
Release 1.6.2
=============
Bug
* [WSS-294] - Merlin doesn't support physical providers with no keystore file
* [WSS-295] - org.apache.ws.security.saml.ext.bean.AttributeBean attributeValues is not correct
* [WSS-296] - SubjectLocality is missing from AuthenticationStatementBean
* [WSS-297] - Subject Bean is missing NameID Format variable
* [WSS-299] - UsernameToken Salt Mac/Encryption Flag on Wrong End of Array
* [WSS-300] - SubjectKeyIidentifier (SKI) incorrectly calculated for 2048-bit RSA key
* [WSS-301] - WSS4J 1.6 incorrectly using XML-Security ResourceResolvers
* [WSS-302] - Unable to load keystore/truststore when it cannot be loaded from an InputStream
* [WSS-303] - Support SKI_KEY_IDENTIFIER, THUMBPRINT_IDENTIFIER, ISSUER_SERIAL when signing "sender vouches" assertions
New Feature
* [WSS-251] - Support WSS Kerberos Token Profile
Release 1.6.1
=============
Bug
* [WSS-273] - org.apache.ws.security.transform.STRTransform causes ClassCastException when wss4j is running on IBM 1.6 JVM
* [WSS-276] - Support signing a SAML Assertion using a derived key
* [WSS-280] - USE_DERIVED_KEY instead of USE_DERIVED_KEY_FOR_MAC in WSHandler
* [WSS-283] - ClassCastException when signing message with existing WSSE header containing Text as first child
* [WSS-285] - Error in SAML1.1 Conditions support
* [WSS-286] - Evidence element not present in SAML AuthzDecisionStatement
* [WSS-291] - Default to allowing Timestamps Created up to 60 seconds in the future to avoid clock skew problems
Improvement
* [WSS-275] - Use SLF4J for logging framework for 1.6
* [WSS-278] - verifyTrust in Crypto should use CRLs as well
* [WSS-284] - Improvements to wsse11:EncryptedHeader support
* [WSS-287] - No longer use keystore for truststore purposes if the latter is explicitly specified.
* [WSS-288] - Incorporating Colm's Blog entries into WSS4J documentation
* [WSS-289] - Text improvements to website pages
* [WSS-290] - Create Principals when processing SAML and BinarySecurityTokens
Release 1.6.0
=============
Bug
* [WSS-40] - WSSecurityEngine does not support chained certificates
* [WSS-81] - Compatibility between WSS4J and WebLogic 9 for Encryption
* [WSS-90] - SamlUtil.java throws XMLSecurityException when SAML SubjectConfirmation element doesn't have KeyInfo child
* [WSS-99] - JCE provider ordering on solaris
* [WSS-117] - WSS4J does not supports KeyIdentifiers to reference SAML tokens but this is allowed by the WSS specification. Integration tesitng with owsm failed.
* [WSS-136] - POM files needed in Maven repository for OpenSAML, WSS4J, and XML Security
* [WSS-147] - WCF interop issue: Security header ordering constraint
* [WSS-175] - Remove static class variables from WSHandler
* [WSS-176] - Problem with WSSecurityUtil.prependChildElement and JBossWS
* [WSS-178] - signature verification failure of signed saml token due to The Reference for URI (bst-saml-uri) has no XMLSignatureInput
* [WSS-182] - Encryption with symmetric key with encryptSymmKey set to false generates invalid xml without xenc defined
* [WSS-185] - NullPointerException on empty UsernameToken
* [WSS-196] - STRTransform not compatible with Sun's SAAJ implementation
* [WSS-198] - Problem when body is signed and then an XPath is encrypted
* [WSS-201] - Some of the processors use the wrong Crypto implementation
* [WSS-205] - WSS4J Handler passes null to MessageContext.setProperty
* [WSS-206] - The way referncelist processing of SAML issued tokens doesn't work properly and need to extract necessary information to do algorithm validation
* [WSS-209] - NPE in AbstractCrypto.getCryptoProvider()
* [WSS-210] - NPE in CryptoBase.getAliasForX509Cert(Certificate cert) if Keystore does not contain a Certifcate entry for each alias
* [WSS-211] - WSS4J does not support ThumbprintSHA1 in DerivedKeyTokens
* [WSS-212] - Replace deprecated references to getSubject/IssuerDN
* [WSS-219] - empty/blank password not supported in username token. value read by wss4j is null instead of empty string
* [WSS-220] - WSHandler is using default configuration
* [WSS-221] - UUIDGenerator generates duplicate identifiers when used in a multi-threaded environment
* [WSS-222] - SignatureProcessor does not provide correct signature coverage results with STR Dereference Transform
* [WSS-223] - Incorrect xpath set on WSDataRef when decrypting an EncryptedHeader instance.
* [WSS-224] - SAMLTokenSignedAction and WSSecSignatureSAML do not honor signature algorithm or digest algorithm from WSSHandler configuration
* [WSS-225] - 'Unprintable' characters in Distinguished Name causing comparison failure
* [WSS-226] - Interoperability b/w Java consumer of .NET Web Service with WS-Security on WSE 2.0
* [WSS-227] - CryptoBase.getPrivateKey() unable to handle empty (null) passwords
* [WSS-234] - Comment as first element in document causes NPE
* [WSS-241] - WSS4j needs to export a version in it's Export-Package directive.
* [WSS-242] - Signing EncryptedData or EncryptedKey elements creates extraneous Id attributes
* [WSS-243] - Can't use Password Digest on Z/OS
* [WSS-244] - Loading of Signature and Encryption property files not trimming trailing whitespace - Leads to ClassNotFoundException
* [WSS-245] - WSHandlerConstants.PW_CALLBACK_REF isn't correctly searched for
* [WSS-254] - Encryption/signing of multiple message parts with same name not working
* [WSS-258] - Newer version of SecureConversation not recognised for derived key algorithm
* [WSS-260] - WSS4J can't process a STR to a SAML Assertion that is not in the SOAP message
* [WSS-261] - Rampart failing to extract keyinfo from SAML assertion
* [WSS-262] - WSS4J accepts Timestamps that are "Created" in the future
* [WSS-270] - No need to ensure Crypto object is non-null for SAML signature verification using a secret key
Improvement
* [WSS-69] - maven2
* [WSS-84] - Make the use of the VM-wide keystore (lib/security/cacerts) optional
* [WSS-131] - no support for extension of SecurityHeader
* [WSS-146] - Upgrade opensaml dependency to 2.x line
* [WSS-158] - Upgrade to BouncyCastle 1.43
* [WSS-169] - Add an EncodingType attribute for a UsernameToken nonce
* [WSS-170] - SignatureAction does not set DigestAlgorithm on WSSecSignature instance
* [WSS-171] - Improve XML encryption processing
* [WSS-173] - Remove unnecessary namespace definitions
* [WSS-174] - Remove deprecated APIs
* [WSS-177] - Allow encryption using a symmetric key and EncryptedKeySHA1
* [WSS-179] - Allow signature using a symmetric key and EncryptedKeySHA1
* [WSS-180] - Support symmetric signature/encryption via configuration
* [WSS-183] - Change the UsernameTokenProcessor to validate plaintext passwords
* [WSS-184] - Specifying alternate cacerts keystore via properties?
* [WSS-186] - Move TTL validation to the TimestampProcessor
* [WSS-188] - CallbackHandler behaviour for derived keys
* [WSS-189] - Refactor signature confirmation code
* [WSS-190] - Replace all Vector references with Lists.
* [WSS-191] - Move certificate validation our of WSHandler and into SignatureProcessor
* [WSS-192] - Share code between the EncryptedKeyProcessor and the ReferenceListProcessor
* [WSS-195] - More detailed exception thrown from CryptoBase.getPrivateKey()
* [WSS-199] - Add support for WCF non-standard Username Tokens
* [WSS-202] - Upgrade to XML Security 1.4.3.
* [WSS-203] - Move trunk to use JSR-105 APIs instead of custom XML-Security APIs for XML digital signature functionality.
* [WSS-215] - SignatureProcessor is not reusing results from WSDocInfo for the Reference case.
* [WSS-216] - SignatureProcessor does not support directly referencing a SecurityContextToken
* [WSS-217] - Add ability to specify a reference to an absolute URI in the derived key functionality
* [WSS-229] - UsernameTokenProcessor should be able to act as a UsernameToken parser only and not enforce the validation of passwords
* [WSS-232] - Performance Improvement in WSSConfig
* [WSS-233] - Allow configuration of UsernameTokenSpec 1.1 derived key functionality through WSHandler
* [WSS-236] - Provide signature digest algorithm in signature processor results.
* [WSS-237] - Provide key transport algorithm in encryption processor results
* [WSS-238] - Switch to wsse:KeyIdentifier instead of wsse:Reference for SAML references within SOAP:body EncryptedData elements.
* [WSS-239] - Need ability to handle password "equivalent" between WSPasswordCallback and UsernameToken when it's binary data
* [WSS-240] - Support KeyValue in SAML subject
* [WSS-247] - Upgrade to XML Security 1.4.4
* [WSS-253] - UsernameTokenProcessor logs the password to the log
* [WSS-257] - Avoid converting the SOAP Body to DOM on the processing side if possible
* [WSS-259] - Improve outbound DOM element location
* [WSS-263] - Store secret key from signature processor
* [WSS-264] - OSGi bundle should NOT specify the universal DynamicImport-Package: *
* [WSS-266] - Provide better support for pluggable authentication/verification of security tokens
* [WSS-271] - Add support for custom validation of BinarySecurityTokens
* [WSS-274] - Add support for allowing future-dated Timestamps
New Feature
* [WSS-194] - Support overriding KeyStore alias for signature so that it can be different than user name used for UsernameToken
* [WSS-204] - Support validating SAML 2.0 tokens
* [WSS-255] - Add support for enforcing a text or digest password type when processing a UsernameToken
Task
* [WSS-246] - Upgrade to BouncyCastle 1.45
* [WSS-248] - Remove Axis1 artifacts in WSS4J 1.6
* [WSS-249] - Parameterize Collections in WSS4J 1.6
* [WSS-250] - Refactor testing
* [WSS-256] - Review Basic Security Profile and Reliable Secure Profile spec compliance
* [WSS-268] - Upload Opensaml2 artifacts, and dependencies, to Maven Central
* [WSS-269] - Refactor the Crypto interface
Test
* [WSS-172] - Test encrypted headers
Release 1.5.11
=============
Bug
* [WSS-258] - Newer version of SecureConversation not recognised for derived key algorithm
* [WSS-260] - WSS4J can't process a STR to a SAML Assertion that is not in the SOAP message
* [WSS-261] - Rampart failing to extract keyinfo from SAML assertion
* [WSS-262] - WSS4J accepts Timestamps that are "Created" in the future
Improvement
* [WSS-263] - Store secret key from signature processor
Release 1.5.10
=============
** Bug
* [WSS-40] - WSSecurityEngine does not support chained certificates
** Improvement
* [WSS-238] - Switch to wsse:KeyIdentifier instead of wsse:Reference for SAML references within SOAP:body EncryptedData elements.
* [WSS-239] - Need ability to handle password "equivalent" between WSPasswordCallback and UsernameToken when it's binary data
* [WSS-247] - Upgrade to XML Security 1.4.4
* [WSS-253] - UsernameTokenProcessor logs the password to the log
Release 1.5.9
=============
** Bug
* [WSS-205] - WSS4J Handler passes null to MessageContext.setProperty
* [WSS-206] - The way referncelist processing of SAML issued tokens doesn't work properly and need to extract necessary information to do algorithm validation
* [WSS-209] - NPE in AbstractCrypto.getCryptoProvider()
* [WSS-210] - NPE in CryptoBase.getAliasForX509Cert(Certificate cert) if Keystore does not contain a Certifcate entry for each alias
* [WSS-211] - WSS4J does not support ThumbprintSHA1 in DerivedKeyTokens
* [WSS-212] - Replace deprecated references to getSubject/IssuerDN
* [WSS-219] - empty/blank password not supported in username token. value read by wss4j is null instead of empty string
* [WSS-220] - WSHandler is using default configuration
* [WSS-221] - UUIDGenerator generates duplicate identifiers when used in a multi-threaded environment
* [WSS-222] - SignatureProcessor does not provide correct signature coverage results with STR Dereference Transform
* [WSS-223] - Incorrect xpath set on WSDataRef when decrypting an EncryptedHeader instance.
* [WSS-224] - SAMLTokenSignedAction and WSSecSignatureSAML do not honor signature algorithm or digest algorithm from WSSHandler configuration
* [WSS-225] - 'Unprintable' characters in Distinguished Name causing comparison failure
* [WSS-226] - Interoperability b/w Java consumer of .NET Web Service with WS-Security on WSE 2.0
* [WSS-227] - CryptoBase.getPrivateKey() unable to handle empty (null) passwords
* [WSS-234] - Comment as first element in document causes NPE
* [WSS-241] - WSS4j needs to export a version in it's Export-Package directive.
* [WSS-242] - Signing EncryptedData or EncryptedKey elements creates extraneous Id attributes
* [WSS-243] - Can't use Password Digest on Z/OS
* [WSS-244] - Loading of Signature and Encryption property files not trimming trailing whitespace - Leads to ClassNotFoundException
* [WSS-245] - WSHandlerConstants.PW_CALLBACK_REF isn't correctly searched for
** Improvement
* [WSS-180] - Support symmetric signature/encryption via configuration
* [WSS-214] - SignatureProcessor is not reusing results from BinarySecurityTokenProcessor or DerivedKeyTokenProcessor
* [WSS-215] - SignatureProcessor is not reusing results from WSDocInfo for the Reference case.
* [WSS-216] - SignatureProcessor does not support directly referencing a SecurityContextToken
* [WSS-217] - Add ability to specify a reference to an absolute URI in the derived key functionality
* [WSS-233] - Allow configuration of UsernameTokenSpec 1.1 derived key functionality through WSHandler
* [WSS-236] - Provide signature digest algorithm in signature processor results.
* [WSS-237] - Provide key transport algorithm in encryption processor results
* [WSS-240] - Support KeyValue in SAML subject
** New Feature
* [WSS-204] - Support validating SAML 2.0 tokens
** Task
* [WSS-246] - Upgrade to BouncyCastle 1.45
Release 1.5.8
=============
** Bug
* [WSS-147] - WCF interop issue: Security header ordering constraint
* [WSS-176] - Problem with WSSecurityUtil.prependChildElement and JBossWS
* [WSS-178] - signature verification failure of signed saml token due to The Reference for URI (bst-saml-uri) has no XMLSignatureInput
* [WSS-182] - Encryption with symmetric key with encryptSymmKey set to false generates invalid xml without xenc defined
* [WSS-196] - STRTransform not compatible with Sun's SAAJ implementation
* [WSS-198] - Problem when body is signed and then an XPath is encrypted
* [WSS-201] - Some of the processors use the wrong Crypto implementation
** Improvement
* [WSS-131] - no support for extension of SecurityHeader
* [WSS-158] - Upgrade to BouncyCastle 1.43
* [WSS-177] - Allow encryption using a symmetric key and EncryptedKeySHA1
* [WSS-179] - Allow signature using a symmetric key and EncryptedKeySHA1
* [WSS-195] - More detailed exception thrown from CryptoBase.getPrivateKey()
* [WSS-199] - Add support for WCF non-standard Username Tokens
* [WSS-202] - Upgrade to XML Security 1.4.3.
** New Feature
* [WSS-194] - Support overriding KeyStore alias for signature so that it can be different than user name used for UsernameToken
Release 1.5.7
=============
** Bug
* [WSS-90] - SamlUtil.java throws XMLSecurityException when SAML SubjectConfirmation element doesn't have KeyInfo child
* [WSS-99] - JCE provider ordering on solaris
* [WSS-117] - WSS4J does not supports KeyIdentifiers to reference SAML tokens but this is allowed by the WSS specification. Integration tesitng with owsm failed.
* [WSS-136] - POM files needed in Maven repository for OpenSAML, WSS4J, and XML Security
** Improvement
* [WSS-84] - Make the use of the VM-wide keystore (lib/security/cacerts) optional
* [WSS-169] - Add an EncodingType attribute for a UsernameToken nonce
* [WSS-170] - SignatureAction does not set DigestAlgorithm on WSSecSignature instance
** Test
* [WSS-172] - Test encrypted headers
Release 1.5.6
=============
** Bug
* [WSS-105] - Make WSS4J compliant with X.509 1.1 specification
* [WSS-162] - With SecureConv tokens, URI reference processing can strip off first char of ID....
* [WSS-163] - No way to set SC ValueType attribute for references in WSSecEncrypt
* [WSS-164] - Related to WSS-162, there isn't anyway to create a direct Reference based on identifier
* [WSS-165] - Problems verifying trusted certs if provider not specified in properties
* [WSS-168] - Verification/Decryption failure with a DN String from a different provider
** Improvement
* [WSS-143] - Better management of namespace declarations....
* [WSS-157] - Remove spurious calls to MessageDigest.reset()
* [WSS-160] - Add AccessController.doPrivileged blocks to the Loader
* [WSS-161] - Add JAX-WS handler support
* [WSS-166] - Refactor unit tests
* [WSS-167] - Apply PMD to source tree
** New Feature
* [WSS-156] - Add support for RSAKeyValue tokens/signatures (needed for WS-SecurityPolicy KeyValueToken)
Release 1.5.5
=============
** Bug
* [WSS-42] - java.lang.NoClassDefFoundError: org/apache/xml/security/encryption/XMLEncryptionException
* [WSS-60] - Problems when SOAP envelope namespace prefix is null
* [WSS-62] - the crypto file not being retrieved in the doReceiverAction method for the Saml Signed Token
* [WSS-86] - CryptoBase.splitAndTrim does not take into account the format of a DN constructed by different providers
* [WSS-87] - CryptoBase.getAliasForX509Cert(String, BigInteger) fails when issuer string contains OIDs
* [WSS-94] - Security Breach : The client certificate signature is not verified if the serial number is known in the keystore
* [WSS-111] - Some work on UsernameToken derived keys
* [WSS-121] - Bug in default value for SAML issuer class property
* [WSS-126] - SignatureProcessor:verifyXMLSignature method - Crypto object can have null values in the following scenario but it throws an Exception if the Crypto object is null
* [WSS-127] - No way of signing with UsernameToken without sending the password
* [WSS-129] - Couple places where "cause" of WSSecurityException not set
* [WSS-133] - Method and variable misspellings fixed
* [WSS-140] - WSSecEncryptedKey produces EncryptedKey element with invalid Id attribute
* [WSS-141] - handleUsernameToken gives too much information. Can be used to deternine if a username exists or not
* [WSS-142] - We ship opensaml 1.0.1 even though we use opensaml 1.1 in maven
* [WSS-149] - AbstractCrypto requires org.apache.ws.security.crypto.merlin.file to be set and point to an existing file
* [WSS-151] - Password type in UsernameToken not deserialized correctly
* [WSS-152] - Problem with processing Username Tokens with no password type
* [WSS-153] - Signature confirmation of multiple signatures doesn't work
** Improvement
* [WSS-79] - Compatibility issue with weblogic wsse
* [WSS-85] - Better exception handling in the crypto (e.g. no e.printStackTrace())
* [WSS-110] - Add OSGi entries to jar manifest.
* [WSS-118] - Support for SAML 1.1 SecurityTokenReferences in /org/apache/ws/security/processor/DerivedKeyTokenProcessor
* [WSS-122] - Some fixes for the website
* [WSS-123] - 1.5.4 requires opensaml jar, older versions did not
* [WSS-125] - Upgrade BouncyCastle version
* [WSS-128] - Use xml-sec 1.4.1 version
* [WSS-135] - Fix for minor checkstyle issues
* [WSS-137] - "Unexpected number of X509Data: for Signature" error doesn't make sense.
* [WSS-138] - Add Nabble to site mailing list page
* [WSS-145] - Problem in upgrading to xml-sec 1.4.2
* [WSS-150] - Upgrade to XALAN 2.7.1
* [WSS-154] - Allow WSSConfig injection in WSHandler and improve WSSConfig for injection of Processors instances
** New Feature
* [WSS-23] - no way to programmatically set crypto.properties
** Task
* [WSS-124] - Get maven dependencies pushed to central
* [WSS-132] - TestWSSecurityX509v1 failing
* [WSS-144] - Remove tab characters from WSS4J files
** Wish
* [WSS-75] - remove dependency on xalan because it gets in the way of trax resolution
* [WSS-91] - carriage return/line feed in the security header
Release 1.5.4
=============
** Bug
* [WSS-51] - Incorrect test for null in WSHandler
* [WSS-52] - ArrayIndexOutOfBoundsException if certs.length > 1
* [WSS-54] - UsernameTokenProcessor not processing unhashed UsernameToken
* [WSS-56] - WSS4j statically inserts Bouncycastle and Juice in list of JCE providers
* [WSS-66] - Possible security hole when PasswordDigest is used by client.
* [WSS-68] - No way to create a UsernameToken with absent <Password> element
* [WSS-70] - WSHandler checkReceiverResults causes security problem
* [WSS-82] - Add the ability to use a custom-loaded JCE provider instance instead of using the system-provided one
* [WSS-89] - Error in verifying the signature with encrypted key
* [WSS-93] - xmlsec NPE on Reference URI and ValueType attributes
* [WSS-95] - Missing NOTICE file in WSS4J release
* [WSS-96] - Error when making a signature when containing a WSSecTimestamp
* [WSS-97] - Merlin passes invalid OID to getExtensionValue
* [WSS-100] - Bug in wsse11 element creation
* [WSS-101] - Bug in Encrypted SOAP Header creation
* [WSS-103] - BinarySecurityToken processor does not allow for custom token types
* [WSS-105] - Make WSS4J compliant with X.509 1.1 specification
* [WSS-106] - Certs are expired in wss4j.keystore
* [WSS-108] - Some work on KeyIdentifiers
* [WSS-109] - Review of error handling messages
* [WSS-112] - DerivedKeyProcessor is overwritten if more derivedkeys are present in a Soap Message.
* [WSS-113] - Bug in WSHandler#getPassword
* [WSS-114] - Some test reports are deleted by intermediate tasks in the ant build
* [WSS-116] - EncryptedKeyProcessor fails to record QName of decrypted element
* [WSS-119] - Error in Singature Processor
** Improvement
* [WSS-37] - Make it easier to set key-stores programmatically
* [WSS-38] - Make it easier to set key-stores programmatically
* [WSS-74] - Allow Actions and Processors to be customizable
* [WSS-80] - Doc fixes to main WSS4J page
* [WSS-88] - SecureRandom.getInstance("SHA1PRNG") is slow on IBM JDK 1.4.2 (And perhaps others)
* [WSS-92] - Support for Encrypted Header
* [WSS-104] - Reference List processor should provide more information
* [WSS-107] - X509NameTokenizer.java contains Bouncy Castle JCE copyright code
Version prior to 1.5.4
======================
no record
|
