forked from apache/ws-wss4j
-
Notifications
You must be signed in to change notification settings - Fork 0
/
ChangeLog.txt
1193 lines (862 loc) · 52.1 KB
/
ChangeLog.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
This file contains a listing of all Jira tickets that have been closed
for a given release.
Portions of this report were generated using the ReleaseNotes facility
in Jira.
Release 2.4.1
==============
Bug
[WSS-692] - Timestamp of content in jar-files are invalid.
Release 2.4.0
==============
Bug
[WSS-678] - OpenSAML Decrypter initialization failed
Improvement
[WSS-679] - Fix regression in signing KeyInfos
Release 2.3.2
==============
Bug
[WSS-685] - Signature before timestamp results in signing after encryption
Release 2.3.1
==============
Bug
[WSS-677] - Comparison in validate class is vulnerable to timing side channels
[WSS-678] - OpenSAML Decrypter initialization failed
Improvement
[WSS-679] - Fix regression in signing KeyInfos
Release 2.3.0
==============
Bug
[WSS-634] - Nodes are not imported correctly when creating headers
[WSS-643] - NullPointerException in getCacheManager
[WSS-644] - Error when a SOAP-Fault is thrown with MTOM enabled
[WSS-648] - Performance problem with very big request
[WSS-651] - Incorrect signature if document has WSU_NS declared on SOAP Header or Envelope
[WSS-652] - MTOM Content-Id handling doesn't comply with RFC2392: .NET issues
[WSS-659] - SecurityContextToken validator set by wrong QName
[WSS-663] - Missing ECC key support
[WSS-670] - Expected signature algorithm is overwriten with default in case of DSA and EC Keys
Improvement
[WSS-640] - Streaming Sender-Vouches validation does not work with SOAP 1.2
[WSS-641] - Add the ability to configure a different separator for certificate constraints
[WSS-650] - Exclude guava 19.0 dependency
[WSS-656] - Add the ability to specify a security Provider to use with Signature
[WSS-657] - Update OpenSAML Dependency to 3.4.x
[WSS-658] - Enable signature confirmation for signed SAML tokens
[WSS-661] - Change BouncyCastle provider registering
[WSS-662] - [OSGi] Support for SAAJ-RI 1.4.0
[WSS-666] - Support processing SignatureValue bytes stored in attachments
[WSS-667] - Support JDK14
[WSS-668] - Rename WSSConstants ENCRYPT actions
[WSS-669] - Rename ConfigurationConstants ENCRYPT actions
[WSS-673] - Using default Java Security and Merlin is very slow for PKCS12
Task
[WSS-632] - Support EhCache 3+
[WSS-633] - Upgrade ErrorProne to support Java 11
[WSS-637] - Refactor ReplayCache interface to use an expiry Instant instead of a long TTL value
[WSS-649] - Remove Doctypes from the streaming schemas
[WSS-672] - Make sure to process all elements of the SAML Signature KeyInfo
Release 2.2.5
==============
Bug
[WSS-659] - SecurityContextToken validator set by wrong QName
[WSS-663] - Missing ECC key support
Improvement
[WSS-653] - Better diagnostics for null password
[WSS-656] - Add the ability to specify a security Provider to use with Signature
[WSS-658] - Enable signature confirmation for signed SAML tokens
[WSS-666] - Support processing SignatureValue bytes stored in attachments
Task
[WSS-665] - Add cryptacular dependency and upgrade to 1.2.4 to fix CVE-2020-7226
Release 2.2.4
==============
Bug
[WSS-648] - Performance problem with very big request
[WSS-651] - Incorrect signature if document has WSU_NS declared on SOAP Header or Envelope
[WSS-652] - MTOM Content-Id handling doesn't comply with RFC2392: .NET issues
Task
[WSS-633] - Upgrade ErrorProne to support Java 11
[WSS-649] - Remove Doctypes from the streaming schemas
Release 2.2.3
==============
Bug
[WSS-634] - Nodes are not imported correctly when creating headers
[WSS-644] - Error when a SOAP-Fault is thrown with MTOM enabled
Improvement
[WSS-640] - Streaming Sender-Vouches validation does not work with SOAP 1.2
[WSS-641] - Add the ability to configure a different separator for certificate constraints
[WSS-642] - Use LinkedHashSet instead of TreeSet within getInclusivePrefixes
Release 2.2.2
==============
Bug
[WSS-624] - Support for SAAJ-RI 1.4.0
[WSS-625] - Use RFC4648 base64 encoder for signature values and BST
[WSS-626] - Duplicates in the PrefixList
New Feature
[WSS-623] - NameIdBean SPNameQualifier support
Improvement
[WSS-627] - Java 10 SAAJ support
[WSS-628] - Support processing xop:Include for the streaming WS-Security stack
[WSS-629] - Support additional elements in SubjectConfirmationData
Wish
[WSS-622] - from SAMLCallback no possible setting SAML2 SubjectConfirmation.NameID
Release 2.2.1
==============
Bug
[WSS-540] - Need to load properties outside of classpath
[WSS-617] - Allow to configure the SAML Signed Action with "signatureUser"
[WSS-618] - Cannot create signature which includes KeyInfo
[WSS-620] - The SecurityTokenRefSTRParser should derive the key length from the DerivedKeyToken "Length" parameter
Improvement
[WSS-619] - Support adding a custom KeyInfo Element for Signature
Release 2.2.0
==============
Bug
[WSS-558] - org.apache.ws.security.message.WSSecSignature can't support custom provider
[WSS-560] - NullPointerException in WSSecEncrypt when encrypted header element has attributes
[WSS-562] - Support processing EncryptedAssertions that contain EncryptedKey children
[WSS-563] - Cannot decrypt non XML conform attachements
[WSS-564] - Allow WS-SecurityPolicy 1.1 tokens to have an optional policy element
[WSS-565] - Support the ability to create and process EncryptedKeys that reference a PublicKey
[WSS-580] - ThreadLocalSecurityProvider returns null instead of empty collection
[WSS-582] - Don't cache Crypto key references in WSHandler
[WSS-583] - crypto.verifyTrust can fail when the DN of the issuer is more than once in the truststore
[WSS-587] - Concurrency issue in EHCacheManagerHolder
[WSS-590] - WSS4J relies on deafult locale
[WSS-594] - Copy Security Header SOAP MustUnderstand/Actor to an EncryptedHeader element
[WSS-602] - ConfigurationConstants.VALIDATOR_MAP is not supported
[WSS-603] - Improper date check in SamlAssertionWrapper.checkIssueInstant
[WSS-604] - UsernameTokenNoPassword does not work via WSHandler
[WSS-610] - WSSecurityUtil.decodeAction misbehaving when sending NoSecurity
[WSS-611] - CAs with the NameConstraint extension cause exceptions when verifying trust
[WSS-612] - CertificateStore crypto implementation does not correctly handle certificate chains
Improvement
[WSS-569] - Improvements to error messages
[WSS-570] - Typo in the constant name for "RSAOAEP"
[WSS-584] - Don't create ReplayCache instances internally
[WSS-586] - Don't query a CallbackHandler for a secret key when parsing a SAML Subject for credentials
[WSS-592] - Add support for a comma-separated list of crls
[WSS-596] - org.apache.wss4j.common.crypto.CryptoFactory add security provider always
[WSS-597] - Implement equals/hashCode for the WSS4J policy model
[WSS-599] - Upgrade to Java 8 DateTime API
[WSS-600] - Get the configured ParserPool via OpenSAMLUtil
[WSS-601] - Optionally skip XACML initialization for OpenSAML
[WSS-605] - Ensure the ws-security-dom can work with the saaj impl in latest Java9 EA kit
[WSS-608] - Allow policy tokens not to have a wsp:Policy child element
[WSS-613] - Update OpenSAMLUtil to be able to sign generic SignableSAMLObjects
New Feature
[WSS-571] - Truststore Provider
[WSS-593] - Implement Certificate Issuer DN Constraint support
[WSS-598] - Add support for signing + encrypting messages using MTOM
Wish
[WSS-573] - Ignore IntelliJ user files
Release 2.1.10
==============
Improvement
[WSS-608] - Allow policy tokens not to have a wsp:Policy child element
New Feature
[WSS-606] - Possibility to configure the SAML attribute //Assertion/Subject/NameID/@SPProvidedID in a CallbackHandler
Release 2.1.9
=============
Bug
[WSS-558] - org.apache.ws.security.message.WSSecSignature can't support custom provider
[WSS-602] - ConfigurationConstants.VALIDATOR_MAP is not supported
[WSS-603] - Improper date check in SamlAssertionWrapper.checkIssueInstant
[WSS-604] - UsernameTokenNoPassword does not work via WSHandler
Improvement
[WSS-597] - Implement equals/hashCode for the WSS4J policy model
[WSS-600] - Get the configured ParserPool via OpenSAMLUtil
[WSS-601] - Optionally skip XACML initialization for OpenSAML
Release 2.1.8
=============
Bug
[WSS-585] - Kerberos processing fails on HP Java 8.0.06
[WSS-587] - Concurrency issue in EHCacheManagerHolder
[WSS-590] - WSS4J relies on deafult locale
[WSS-594] - Copy Security Header SOAP MustUnderstand/Actor to an EncryptedHeader element
Improvement
[WSS-592] - Add support for a comma-separated list of crls
New Feature
[WSS-593] - Implement Certificate Issuer DN Constraint support
Release 2.1.7
=============
Bug
[WSS-582] - Don't cache Crypto key references in WSHandler
[WSS-583] - crypto.verifyTrust can fail when the DN of the issuer is more than once in the truststore
Improvement
[WSS-584] - Don't create ReplayCache instances internally
Release 2.1.6
=============
Bug
[WSS-577] - Binary compatibility broken between version <=2.1.3 and >=2.1.4 with org.apache.wss4j.dom.WSSecurityEngineResult
[WSS-578] - Binary compatibility breaks between 2.1.5 and 2.1.6-SNAPSHOT
[WSS-580] - ThreadLocalSecurityProvider returns null instead of empty collection
New Feature
[WSS-575] - Support for Digest other than sha1 in xenc:EncryptionMethod
Release 2.1.5
=============
Bug
[WSS-560] - NullPointerException in WSSecEncrypt when encrypted header element has attributes
[WSS-562] - Support processing EncryptedAssertions that contain EncryptedKey children
[WSS-563] - Cannot decrypt non XML conform attachements
[WSS-564] - Allow WS-SecurityPolicy 1.1 tokens to have an optional policy element
[WSS-565] - Support the ability to create and process EncryptedKeys that reference a PublicKey
[WSS-566] - AES_128_GCM does not work for attachments
[WSS-567] - processSecurityHeadaers does not work for 1.1 namespace
Improvement
[WSS-561] - No way to set SAML Issuer Format Value
[WSS-569] - Improvements to error messages
[WSS-570] - Typo in the constant name for "RSAOAEP"
New Feature
[WSS-571] - Truststore Provider
Wish
[WSS-573] - Ignore IntelliJ user files
Release 2.1.4
=============
Bug
[WSS-552] - The KerberosServiceExceptionAction and KerberosClientExceptionAction do not support HP JDK
[WSS-553] - <wsu:Expires> and <wsu:Created> elements not use UTC time format
[WSS-556] - Basic256Sha256 policy uses wrong minimum symmetric key length for signature
[WSS-557] - Using MTOM and WS-Security leads to "Attachment not found"
[WSS-559] - NullPointerException in TimestampInputHandler.checkBSPCompliance
Improvement
[WSS-554] - Improved error message for timestamp in the future
Release 2.1.3
=============
Bug
[WSS-548] - logging secretKey
[WSS-549] - Don't write out a ReferenceList if there are no elements to encrypt
[WSS-551] - Property passwordEncryptorInstance is not honored
Improvement
[WSS-550] - Add the ability to specify a MGF-SHA algorithm in the policy AlgorithmSuiteType
Release 2.1.2
=============
Bug
[WSS-541] - No support for signing and encrypting attachments while using derived keys
[WSS-542] - Secure Conversation Renew is missing Instance creation
[WSS-546] - Support sp11:WssX509V1Token10 in the policy model
Improvement
[WSS-539] - Support MTOM/XOP-optimized content within a CipherValue element
[WSS-544] - Support the ability to store message bytes in attachments (when using MTOM)
[WSS-545] - Add the ability to create DelegateRestrictionType Conditions when creating SAML Assertions
New Feature
[WSS-543] - Create a Merlin implementation that retrieves CA certs via their SubjectKeyIdentifier
Release 2.1.1
=============
Bug
[WSS-538] - Signing/Validating SAML Assertions not working in an OSGi container
Release 2.1.0
=============
Bug
[WSS-535] - Add WSSE and WSU xmlns definitions to signature's SecurityTokenReference
[WSS-536] - WSSecurityUtil.getCipherInstance() does not use configured provider
Improvement
[WSS-529] - Support Inclusive C14N via policy
[WSS-530] - Add a property to enforce that a received Timestamp has an "Expires" Element
[WSS-531] - Only create an EncryptedHeader if the parent node is the SOAP Header
[WSS-533] - Also use signing key when trying to detect message replay attacks
[WSS-534] - Allow SupportingToken policies to have more than one token
Release 2.0.3
=============
Bug
[WSS-514] - Missing CUSTOM_TOKEN action in WSSecurityUtil#decodeHandlerAction @l961
[WSS-517] - Cannot resolve WSS signature reference URI that points to AssertionID attribute of SAML 1.1 token
[WSS-519] - SAML 2.0 - WSS4J is expecting SecurityTokenReference under KeyInfo in EcryptedAssertion element
Improvement
[WSS-515] - Add support for creating SAML Assertions with "Advice" Elements
[WSS-518] - WSConfig static initializer attempts to modify JCE Providers fail in JVM with restrictive security policies
[WSS-521] - Validate that a SAML Assertion "IssueInstant" is not "in the future"
[WSS-522] - Enforce security constraints on SAML AuthnStatement attributes
[WSS-523] - Add the ability to supply AudienceRestrictions when validating SAML tokens
[WSS-524] - Set a default TTL of 30 minutes on a SAML Assertion with no NotOnOrAfter Condition
[WSS-525] - Provide a means of unifying all error messages
Release 2.0.2
=============
Bug
[WSS-508] - When using "add inclusive prefixes" and EXC C14N - signature cannot be validated
[WSS-513] - Fails to parse Timestamp headers in Thai locale
Improvement
[WSS-499] - Re-enable KerberosTests
[WSS-510] - Provide a way of requiring a particular SAML subject confirmation method
[WSS-511] - Provide a (default) way of requiring at least one standard Subject Confirmation Method
[WSS-512] - Provide a configurable way of enforcing that SAML Bearer Tokens must have an internal signature
New Feature
[WSS-507] - ThreadLocal based Security Provider proxy
Release 2.0.1
=============
Bug
[WSS-500] - Kerberos client/server actions are only supporting NT_HOSTBASED_SERVICE service name form
[WSS-501] - Kerberos token decoder default implementation fails to extract the session when validating a ticket issued by a KDC based on Active Directory
Improvement
[WSS-502] - Add an easy way to retrieve signature digest values
[WSS-503] - Share an existing global ehcache manager for ws security replay caches
Release 2.0.0
=============
Sub-task
[WSS-343] - Move 1.6.x code into a new module.
[WSS-344] - Refactor Crypto functionality to be used by both implementations
[WSS-345] - Refactor Exception functionality to be used by both implementations
[WSS-346] - Refactor SAML functionality to be used by both implementations
[WSS-347] - Refactor configuration and constants to be used by both implementations
[WSS-348] - Refactor Caching nonces/timestamp functionality to be used by both implementations
[WSS-349] - Refactor Derived Key / SecureConveration functionality to be used by both implementations
[WSS-350] - Update package names
[WSS-352] - Reconcile AssertionWrapper & SAMLAssertionWrapper
[WSS-353] - Add support in the streaming code for decrypting an EncryptedKey in the Subject of a SAML Assertion.
[WSS-354] - Add support for specifying different algs for sign or c14n a SAML Assertion in the streaming code.
[WSS-355] - Reconcile SAMLCallback between the two implementations
[WSS-356] - Investigate signing Crypto differences
[WSS-360] - Port BSP enforcer to streaming code.
[WSS-361] - Update code to use correct WSPasswordCallback code as per the DOM code.
[WSS-362] - Port Kerberos & SPNEGO work to streaming code
[WSS-363] - Support pluggable Validation of received tokens as per DOM code
[WSS-364] - Ensure that SecurityEvents let us see what was processed for the non-policy case.
[WSS-366] - Disable Cobertura by default
[WSS-367] - Set up a parent pom with dependency management.
[WSS-368] - Log4j configuration
[WSS-370] - Add CXF support for custom Algorithm Suites.
[WSS-371] - Add support for (custom) GCM algorithm-suites.
[WSS-372] - Add stricter enforcement of required policy elements as added to CXF.
[WSS-373] - Check sender-vouches and holder-of-key requirements for SAML tokens.
[WSS-374] - Support Kerberos token policy validation.
[WSS-375] - Support IssuedToken policy validation
[WSS-376] - Support Derived Keys policy validation
[WSS-377] - Verify Signed/Endorsing/Encrypted/SupportingTokens policy validation
[WSS-378] - Update tests in ws-security module to check security events.
[WSS-379] - Does the policy validation code support checking the token requirement against whether it is an initiator or recipient?
[WSS-381] - Support KeyValueTokens
[WSS-386] - Introduce proprietary Compress-Transformation for Encryption / Decryption
Bug
[WSS-408] - StAX - Exception handling and correct Fault-Codes per WSS spec
[WSS-421] - WSSecSignature does not allow access to the internal BinarySecurityToken after it is applied to the security header
[WSS-423] - Support CRL checking for streaming code
[WSS-424] - Signature Element is not inserted in the correct place in the header in certain circumstances
[WSS-427] - Add support for processing UsernameToken Created Dates
[WSS-433] - Specifying actions of "WSSConstants.SIGNATURE_CONFIRMATION, WSSConstants.SIGNATURE" hangs WSS4J
[WSS-436] - Outbound StaX code should fail on not finding a signature/encryption part
[WSS-437] - Error in using StaX WS-Security + CXF WS-Addressing
[WSS-439] - Error in using StaX WS-Security + CXF WS-Addressing
[WSS-442] - "Never" Token Inclustion is not handled correctly (for X.509 tokens)
[WSS-443] - Treat tokens received over TLS as "encrypted"
[WSS-446] - Enable SignatureConfirmation without a Signature
[WSS-448] - OnlySignEntireHeadersAndBody policy validation is incorrect
[WSS-449] - Receiving code can't handle the case of a Thumbprint reference to a BST in the token
[WSS-450] - Inbound Processing code fails with an Encrypted Signature
[WSS-452] - Streaming code does not support an EncryptedData security header element without a preceeding ReferenceList
[WSS-453] - "Once" Token Inclusion handling is not working
[WSS-454] - TokenProtection error
[WSS-457] - Incorrect validation of ProtectTokens assertion
[WSS-458] - Allow no security header in certain use-cases
[WSS-459] - RequiredParts + EncryptedParts policy validation not working
[WSS-462] - ProtectionOrderAssertionState.testProtectionOrder is not working
[WSS-463] - Refactor Signature + Encryption referencing
[WSS-466] - assure compatibility with the change in ehcache CacheManager's create method from version 2.5.1 to 2.5.2 and up
[WSS-468] - Symmetric Binding + EncryptBeforeSigning puts the Signature in front of the EncryptedKey
[WSS-469] - Symmetric Binding + Derived Keys is not currently working
[WSS-470] - AsymmetricBinding + ProtectTokens validation not working
[WSS-471] - AsymmetricBinding validation without IncludeTimestamp doesn't work
[WSS-472] - Incorrect Symmetric Key Derivation Length validation
[WSS-479] - Inbound streaming does not handle Symmetric Holder-Of-Key correctly
[WSS-480] - Streaming code hangs on a symmetric derived key response
[WSS-481] - Problem with EncryptSignature + EndorsingSupportingTokens
[WSS-482] - EncryptedElements + SignedElements validation not working
[WSS-484] - Streaming code can't process a Key reference pointing to an EncryptedData element
[WSS-486] - Streaming code does not process a (non-secured) SOAP Fault correctly
[WSS-487] - Certain action combinations causes WSS4J to hang
[WSS-490] - Derived Endorsing policy validation error
[WSS-491] - Problem storing custom Principals
[WSS-496] - "tests" classifier artifacts dependencies should not have compile scope
[WSS-498] - Retrieving of public key from certificates in missing for signed results in compare credential method of org.apache.wss4j.dom.saml.DOMSAMLUtil
Improvement
[WSS-383] - Allow encrypted password storage in signaturePropFile
[WSS-391] - Create a PrivateKeyPasswordCallback for retrieval of server key passwords
[WSS-403] - Use a common method for all of the P_hash implementations
[WSS-412] - Unify error messages for the streaming code
[WSS-413] - EncryptedKey security issue with streaming code
[WSS-414] - Ensure that Algorithms are checked in streaming code before they are used
[WSS-415] - Reject RSA v1.5 Key Transport Algorithm by default
[WSS-420] - Add the ability to explicitly allow/disallow UsernameTokens with no passwords
[WSS-422] - Move SAML Signature Profile Validation to the SamlAssertionValidator
[WSS-426] - Support future TTL in the StaX code for Timestamps
[WSS-438] - Support Signature Cert Constraints as per the DOM code
[WSS-447] - Add the ability to include the signing token for IssuerSerial/Thumbprint Reference cases
[WSS-489] - Extend Crypto interface with verifyTrustDirect() method
[WSS-495] - Add support to configure the digest method used for SAML Assertions
New Feature
[WSS-311] - Streaming-WebService-Security-Framework contribution/donation
[WSS-430] - Support for secured SOAP attachments
[WSS-497] - Support for SAML 2.0 EncryptedAssertion Element
Task
[WSS-342] - Refactoring
[WSS-351] - SAML work
[WSS-359] - Streaming WS-Security support
[WSS-365] - Build issues
[WSS-369] - WS-SecurityPolicy work
[WSS-405] - Support for XML Encryption 1.1 algorithms
[WSS-425] - Add + update OSGi import/export information in the new modules
[WSS-429] - Consider some @Deprecated classes in the old namespace
[WSS-432] - Support EncryptedKeySHA1 KeyIdentifier in the StaX code
[WSS-434] - Add ValueType attribute to a Signature/Encryption Reference to a DerivedKeyToken
[WSS-460] - Support RequireSignatureConfirmation policy validation
[WSS-494] - WSS4j documentation links are broken.
Release 1.6.15
=============
Bug
[WSS-491] - Problem storing custom Principals
[WSS-492] - WSS4J adds invalid wsu:Id attribute on SAML assertions
Improvement
[WSS-495] - Add support to configure the digest method used for SAML Assertions
Release 1.6.14
=============
Bug
[WSS-488] - Regression in parsing SecurityTokenReferences inside of a SAML Signature KeyInfo
Release 1.6.13
=============
Improvement
[WSS-428] - It should be possible to use the useReqSigCert even when the certificate is not sent in the request
[WSS-477] - Support the ability to create SAML2 Assertions with OneTimeUse + ProxyRestriction Conditions
[WSS-478] - Support the ability to cache SAML2 Assertions with "OneTimeUse" Conditions
[WSS-483] - wsse:Reference without ValueType
Release 1.6.12
=============
Bug
[WSS-418] - Cannot configure SAML properties in WSS4JOutInterceptor without having to add that config file in the classpath
[WSS-473] - BST signature element
[WSS-474] - Missing the 'EncodingType' attribute in element built by STRTransformUtil#createBSTX509
[WSS-475] - Issue with multiple processing of ReferenceList in EncryptedKey element
Improvement
[WSS-465] - Possible information leak: incremental IDs
[WSS-467] - Support creating SAML 2.0 Tokens with the AuthnStatement SessionNotOnOrAfter attribute.
[WSS-476] - Add the ability to configure the Signature Canonicalization Algorithm via WSHandler
Release 1.6.11
=============
Improvement
[WSS-441] - Allow the date/time in the security headers to be spoofed
Task
[WSS-434] - Add ValueType attribute to a Signature/Encryption Reference to a DerivedKeyToken
Release 1.6.10
=============
Bug
[WSS-421] - WSSecSignature does not allow access to the internal BinarySecurityToken after it is applied to the security header
[WSS-424] - Signature Element is not inserted in the correct place in the header in certain circumstances
[WSS-427] - Add support for processing UsernameToken Created Dates
[WSS-431] - Performance bottleneck in MemoryReplayCache on high load
Improvement
[WSS-420] - Add the ability to explicitly allow/disallow UsernameTokens with no passwords
[WSS-422] - Move SAML Signature Profile Validation to the SamlAssertionValidator
Release 1.6.9
=============
Bug
[WSS-417] - Cannot deploy WSS4J 1.6.8 to an OSGi container
Release 1.6.8
=============
Sub-task
[WSS-410] - Reduce dependency on xmlsec library
Bug
[WSS-231] - There is an issue with the position of the <Timestamp> element in the <Security> header when using WSS4J calling .NET Web Services with WS-Security.
[WSS-399] - WSS4J: cannot set DigestMethod for KEYTRANSPORT_RSAOEP though requested by W3C
[WSS-407] - Error when signing a SOAP Body that is encrypted with a reference to a SAML Token
[WSS-409] - explicit dependency on XMLDSigRI in WSSConfig causes java.lang.ClassNotFoundException: org.apache.jcp.xml.dsig.internal.dom.XMLDSigRI on WAS 8.5
Improvement
[WSS-404] - Store Subject from JAAS LoginContext in WSSecurityEngineResult
[WSS-406] - Add the ability to define which algorithms are acceptable when processing a security header
[WSS-411] - STRTransform does not work in certain circumstances
Release 1.6.7
=============
Bug
[WSS-392] - WSS4J can't handle SAML KeyIdentifier references to encrypted SAML Assertions stored in the cache
[WSS-393] - WSS4J is not handling KeyIdentifier inside SecurityTokenReference inside a KeyInfo
[WSS-394] - WSS4J is not handling X509Data inside SecurityTokenReference inside a KeyInfo
[WSS-396] - ConcurrentModificationException in MemoryReplayCache.processTokenExpiry
[WSS-398] - Can't create a UsernameToken without a password
Improvement
[WSS-395] - Support Certificate Constraints on the Subject DN of the certificate used for signature validation
Release 1.6.6
=============
Bug
[WSS-357] - WSS4J can't handle thumbprint/ski references to a token in the security header
[WSS-385] - UsernameToken handles long strings badly
[WSS-389] - WSS4J TimeToLive value has a maximum of 25 days
[WSS-390] - AssertionWrapper always tries to re-marshal when toDOM is called
Improvement
[WSS-387] - Support future TTL setting when processing SAML Tokens
[WSS-388] - Add support for populating SAML2 SubjectConfirmationData attributes when creating a SAML Assertion
New Feature
[WSS-380] - SAML1 AuthenticationStatement only supports AuthenticationMethod Password
Task
[WSS-358] - Record how a certificate was referenced for signature or encryption
Release 1.6.5
=============
Bug
[WSS-316] - Tests failing with: The signature or decryption was invalid
[WSS-331] - Insufficient checking of SAML Condition NotBefore/NotOnOrAfter validation dates (?)
[WSS-333] - MerlinDevice tries to load truststore of type "trustStorePassword"
[WSS-335] - SAML NotOnOrAfter Conditions not set correctly in certain circumstances
[WSS-341] - the "FIRST step" check in SignatureTrustValidator.verifyTrustInCert ignore the enableRevocation status
Improvement
[WSS-187] - Support Nonce Caching in Username Token Processing
[WSS-325] - Add support for GCM algorithms via BouncyCastle
[WSS-326] - Upgrade to Santuario 1.5.0
[WSS-329] - Support validating Conditions in the SAMLAssertionValidator.
[WSS-332] - Make Spnego Client and Service Actions pluggable
[WSS-337] - Validate SAML Assertions against schema/specs
[WSS-340] - support Certificates revocation check before encrypt on sender side
New Feature
[WSS-336] - Option for checking EncryptedData elements are covered by signature
Release 1.6.4
=============
Bug
[WSS-319] - NPE when certificate identified by SKI can't be found
[WSS-320] - ClassCastException when verifying XML signature, multiple WARs deployed to same Tomcat instance
[WSS-321] - Cannot configure for no password element expected using Spring configuration
[WSS-323] - WS-Trust 1.3 namespace not supported when looking for a BinarySecret in a SAML KeyInfo
[WSS-324] - org.apache.ws.security.str.SignatureSTRParser throws ArrayIndexOutOfBoundsException: 0 when crypto returns zero-length array of certificates
Improvement
[WSS-322] - Add the ability to set DOM Elements directly on a SAMLCallback object
[WSS-327] - Add support for obtaining and validating SPNEGO tokens.
Release 1.6.3
=============
Bug
[WSS-304] - WSSecEncryptedKey should initialize cipher using WRAP_MODE instead of ENCRYPT_MODE.
[WSS-306] - It would be nice to have WSSecEncryptedKey generate secret keys by means of KeyGenerator
[WSS-317] - SAML Assertions have invalid ID values
[WSS-318] - WsiBSPCompliant defaults to true
Improvement
[WSS-305] - Migrate to OpenSaml2 2.5.1 from 2.4.1
[WSS-307] - Support the ability to sign and encrypt message parts using a Kerberos Ticket
[WSS-309] - Improve the configurability of the SAML signature creation in AssertionWrapper
[WSS-310] - Reference and DerivedKeyToken message tokens are missing equals and hashcode methods for logical comparision
[WSS-312] - Improve logging levels
[WSS-314] - Add a Merlin configuration option to specify a default password to use to access a private key
[WSS-315] - jaasLoginModuleName methods in KerberosTokenValidator.java should be renamed to contextName
New Feature
[WSS-313] - Support UsernameToken validation against JAAS LoginModule
Release 1.6.2
=============
Bug
* [WSS-294] - Merlin doesn't support physical providers with no keystore file
* [WSS-295] - org.apache.ws.security.saml.ext.bean.AttributeBean attributeValues is not correct
* [WSS-296] - SubjectLocality is missing from AuthenticationStatementBean
* [WSS-297] - Subject Bean is missing NameID Format variable
* [WSS-299] - UsernameToken Salt Mac/Encryption Flag on Wrong End of Array
* [WSS-300] - SubjectKeyIidentifier (SKI) incorrectly calculated for 2048-bit RSA key
* [WSS-301] - WSS4J 1.6 incorrectly using XML-Security ResourceResolvers
* [WSS-302] - Unable to load keystore/truststore when it cannot be loaded from an InputStream
* [WSS-303] - Support SKI_KEY_IDENTIFIER, THUMBPRINT_IDENTIFIER, ISSUER_SERIAL when signing "sender vouches" assertions
New Feature
* [WSS-251] - Support WSS Kerberos Token Profile
Release 1.6.1
=============
Bug
* [WSS-273] - org.apache.ws.security.transform.STRTransform causes ClassCastException when wss4j is running on IBM 1.6 JVM
* [WSS-276] - Support signing a SAML Assertion using a derived key
* [WSS-280] - USE_DERIVED_KEY instead of USE_DERIVED_KEY_FOR_MAC in WSHandler
* [WSS-283] - ClassCastException when signing message with existing WSSE header containing Text as first child
* [WSS-285] - Error in SAML1.1 Conditions support
* [WSS-286] - Evidence element not present in SAML AuthzDecisionStatement
* [WSS-291] - Default to allowing Timestamps Created up to 60 seconds in the future to avoid clock skew problems
Improvement
* [WSS-275] - Use SLF4J for logging framework for 1.6
* [WSS-278] - verifyTrust in Crypto should use CRLs as well
* [WSS-284] - Improvements to wsse11:EncryptedHeader support
* [WSS-287] - No longer use keystore for truststore purposes if the latter is explicitly specified.
* [WSS-288] - Incorporating Colm's Blog entries into WSS4J documentation
* [WSS-289] - Text improvements to website pages
* [WSS-290] - Create Principals when processing SAML and BinarySecurityTokens
Release 1.6.0
=============
Bug
* [WSS-40] - WSSecurityEngine does not support chained certificates
* [WSS-81] - Compatibility between WSS4J and WebLogic 9 for Encryption
* [WSS-90] - SamlUtil.java throws XMLSecurityException when SAML SubjectConfirmation element doesn't have KeyInfo child
* [WSS-99] - JCE provider ordering on solaris
* [WSS-117] - WSS4J does not supports KeyIdentifiers to reference SAML tokens but this is allowed by the WSS specification. Integration tesitng with owsm failed.
* [WSS-136] - POM files needed in Maven repository for OpenSAML, WSS4J, and XML Security
* [WSS-147] - WCF interop issue: Security header ordering constraint
* [WSS-175] - Remove static class variables from WSHandler
* [WSS-176] - Problem with WSSecurityUtil.prependChildElement and JBossWS
* [WSS-178] - signature verification failure of signed saml token due to The Reference for URI (bst-saml-uri) has no XMLSignatureInput
* [WSS-182] - Encryption with symmetric key with encryptSymmKey set to false generates invalid xml without xenc defined
* [WSS-185] - NullPointerException on empty UsernameToken
* [WSS-196] - STRTransform not compatible with Sun's SAAJ implementation
* [WSS-198] - Problem when body is signed and then an XPath is encrypted
* [WSS-201] - Some of the processors use the wrong Crypto implementation
* [WSS-205] - WSS4J Handler passes null to MessageContext.setProperty
* [WSS-206] - The way referncelist processing of SAML issued tokens doesn't work properly and need to extract necessary information to do algorithm validation
* [WSS-209] - NPE in AbstractCrypto.getCryptoProvider()
* [WSS-210] - NPE in CryptoBase.getAliasForX509Cert(Certificate cert) if Keystore does not contain a Certifcate entry for each alias
* [WSS-211] - WSS4J does not support ThumbprintSHA1 in DerivedKeyTokens
* [WSS-212] - Replace deprecated references to getSubject/IssuerDN
* [WSS-219] - empty/blank password not supported in username token. value read by wss4j is null instead of empty string
* [WSS-220] - WSHandler is using default configuration
* [WSS-221] - UUIDGenerator generates duplicate identifiers when used in a multi-threaded environment
* [WSS-222] - SignatureProcessor does not provide correct signature coverage results with STR Dereference Transform
* [WSS-223] - Incorrect xpath set on WSDataRef when decrypting an EncryptedHeader instance.
* [WSS-224] - SAMLTokenSignedAction and WSSecSignatureSAML do not honor signature algorithm or digest algorithm from WSSHandler configuration
* [WSS-225] - 'Unprintable' characters in Distinguished Name causing comparison failure
* [WSS-226] - Interoperability b/w Java consumer of .NET Web Service with WS-Security on WSE 2.0
* [WSS-227] - CryptoBase.getPrivateKey() unable to handle empty (null) passwords
* [WSS-234] - Comment as first element in document causes NPE
* [WSS-241] - WSS4j needs to export a version in it's Export-Package directive.
* [WSS-242] - Signing EncryptedData or EncryptedKey elements creates extraneous Id attributes
* [WSS-243] - Can't use Password Digest on Z/OS
* [WSS-244] - Loading of Signature and Encryption property files not trimming trailing whitespace - Leads to ClassNotFoundException
* [WSS-245] - WSHandlerConstants.PW_CALLBACK_REF isn't correctly searched for
* [WSS-254] - Encryption/signing of multiple message parts with same name not working
* [WSS-258] - Newer version of SecureConversation not recognised for derived key algorithm
* [WSS-260] - WSS4J can't process a STR to a SAML Assertion that is not in the SOAP message
* [WSS-261] - Rampart failing to extract keyinfo from SAML assertion
* [WSS-262] - WSS4J accepts Timestamps that are "Created" in the future
* [WSS-270] - No need to ensure Crypto object is non-null for SAML signature verification using a secret key
Improvement
* [WSS-69] - maven2
* [WSS-84] - Make the use of the VM-wide keystore (lib/security/cacerts) optional
* [WSS-131] - no support for extension of SecurityHeader
* [WSS-146] - Upgrade opensaml dependency to 2.x line
* [WSS-158] - Upgrade to BouncyCastle 1.43
* [WSS-169] - Add an EncodingType attribute for a UsernameToken nonce
* [WSS-170] - SignatureAction does not set DigestAlgorithm on WSSecSignature instance
* [WSS-171] - Improve XML encryption processing
* [WSS-173] - Remove unnecessary namespace definitions
* [WSS-174] - Remove deprecated APIs
* [WSS-177] - Allow encryption using a symmetric key and EncryptedKeySHA1
* [WSS-179] - Allow signature using a symmetric key and EncryptedKeySHA1
* [WSS-180] - Support symmetric signature/encryption via configuration
* [WSS-183] - Change the UsernameTokenProcessor to validate plaintext passwords
* [WSS-184] - Specifying alternate cacerts keystore via properties?
* [WSS-186] - Move TTL validation to the TimestampProcessor
* [WSS-188] - CallbackHandler behaviour for derived keys
* [WSS-189] - Refactor signature confirmation code
* [WSS-190] - Replace all Vector references with Lists.
* [WSS-191] - Move certificate validation our of WSHandler and into SignatureProcessor
* [WSS-192] - Share code between the EncryptedKeyProcessor and the ReferenceListProcessor
* [WSS-195] - More detailed exception thrown from CryptoBase.getPrivateKey()
* [WSS-199] - Add support for WCF non-standard Username Tokens
* [WSS-202] - Upgrade to XML Security 1.4.3.
* [WSS-203] - Move trunk to use JSR-105 APIs instead of custom XML-Security APIs for XML digital signature functionality.
* [WSS-215] - SignatureProcessor is not reusing results from WSDocInfo for the Reference case.
* [WSS-216] - SignatureProcessor does not support directly referencing a SecurityContextToken
* [WSS-217] - Add ability to specify a reference to an absolute URI in the derived key functionality
* [WSS-229] - UsernameTokenProcessor should be able to act as a UsernameToken parser only and not enforce the validation of passwords
* [WSS-232] - Performance Improvement in WSSConfig
* [WSS-233] - Allow configuration of UsernameTokenSpec 1.1 derived key functionality through WSHandler
* [WSS-236] - Provide signature digest algorithm in signature processor results.
* [WSS-237] - Provide key transport algorithm in encryption processor results
* [WSS-238] - Switch to wsse:KeyIdentifier instead of wsse:Reference for SAML references within SOAP:body EncryptedData elements.
* [WSS-239] - Need ability to handle password "equivalent" between WSPasswordCallback and UsernameToken when it's binary data
* [WSS-240] - Support KeyValue in SAML subject
* [WSS-247] - Upgrade to XML Security 1.4.4
* [WSS-253] - UsernameTokenProcessor logs the password to the log
* [WSS-257] - Avoid converting the SOAP Body to DOM on the processing side if possible
* [WSS-259] - Improve outbound DOM element location
* [WSS-263] - Store secret key from signature processor
* [WSS-264] - OSGi bundle should NOT specify the universal DynamicImport-Package: *
* [WSS-266] - Provide better support for pluggable authentication/verification of security tokens
* [WSS-271] - Add support for custom validation of BinarySecurityTokens
* [WSS-274] - Add support for allowing future-dated Timestamps
New Feature
* [WSS-194] - Support overriding KeyStore alias for signature so that it can be different than user name used for UsernameToken
* [WSS-204] - Support validating SAML 2.0 tokens
* [WSS-255] - Add support for enforcing a text or digest password type when processing a UsernameToken
Task
* [WSS-246] - Upgrade to BouncyCastle 1.45
* [WSS-248] - Remove Axis1 artifacts in WSS4J 1.6
* [WSS-249] - Parameterize Collections in WSS4J 1.6
* [WSS-250] - Refactor testing
* [WSS-256] - Review Basic Security Profile and Reliable Secure Profile spec compliance
* [WSS-268] - Upload Opensaml2 artifacts, and dependencies, to Maven Central
* [WSS-269] - Refactor the Crypto interface
Test
* [WSS-172] - Test encrypted headers
Release 1.5.11
=============
Bug
* [WSS-258] - Newer version of SecureConversation not recognised for derived key algorithm
* [WSS-260] - WSS4J can't process a STR to a SAML Assertion that is not in the SOAP message
* [WSS-261] - Rampart failing to extract keyinfo from SAML assertion
* [WSS-262] - WSS4J accepts Timestamps that are "Created" in the future
Improvement
* [WSS-263] - Store secret key from signature processor
Release 1.5.10
=============
** Bug
* [WSS-40] - WSSecurityEngine does not support chained certificates
** Improvement
* [WSS-238] - Switch to wsse:KeyIdentifier instead of wsse:Reference for SAML references within SOAP:body EncryptedData elements.
* [WSS-239] - Need ability to handle password "equivalent" between WSPasswordCallback and UsernameToken when it's binary data
* [WSS-247] - Upgrade to XML Security 1.4.4
* [WSS-253] - UsernameTokenProcessor logs the password to the log
Release 1.5.9
=============
** Bug
* [WSS-205] - WSS4J Handler passes null to MessageContext.setProperty
* [WSS-206] - The way referncelist processing of SAML issued tokens doesn't work properly and need to extract necessary information to do algorithm validation
* [WSS-209] - NPE in AbstractCrypto.getCryptoProvider()
* [WSS-210] - NPE in CryptoBase.getAliasForX509Cert(Certificate cert) if Keystore does not contain a Certifcate entry for each alias
* [WSS-211] - WSS4J does not support ThumbprintSHA1 in DerivedKeyTokens
* [WSS-212] - Replace deprecated references to getSubject/IssuerDN
* [WSS-219] - empty/blank password not supported in username token. value read by wss4j is null instead of empty string
* [WSS-220] - WSHandler is using default configuration
* [WSS-221] - UUIDGenerator generates duplicate identifiers when used in a multi-threaded environment
* [WSS-222] - SignatureProcessor does not provide correct signature coverage results with STR Dereference Transform
* [WSS-223] - Incorrect xpath set on WSDataRef when decrypting an EncryptedHeader instance.
* [WSS-224] - SAMLTokenSignedAction and WSSecSignatureSAML do not honor signature algorithm or digest algorithm from WSSHandler configuration
* [WSS-225] - 'Unprintable' characters in Distinguished Name causing comparison failure
* [WSS-226] - Interoperability b/w Java consumer of .NET Web Service with WS-Security on WSE 2.0
* [WSS-227] - CryptoBase.getPrivateKey() unable to handle empty (null) passwords
* [WSS-234] - Comment as first element in document causes NPE
* [WSS-241] - WSS4j needs to export a version in it's Export-Package directive.
* [WSS-242] - Signing EncryptedData or EncryptedKey elements creates extraneous Id attributes
* [WSS-243] - Can't use Password Digest on Z/OS
* [WSS-244] - Loading of Signature and Encryption property files not trimming trailing whitespace - Leads to ClassNotFoundException
* [WSS-245] - WSHandlerConstants.PW_CALLBACK_REF isn't correctly searched for
** Improvement
* [WSS-180] - Support symmetric signature/encryption via configuration
* [WSS-214] - SignatureProcessor is not reusing results from BinarySecurityTokenProcessor or DerivedKeyTokenProcessor
* [WSS-215] - SignatureProcessor is not reusing results from WSDocInfo for the Reference case.
* [WSS-216] - SignatureProcessor does not support directly referencing a SecurityContextToken