[
http://issues.apache.org/jira/browse/AXIS2-1858?page=comments#action_12457574 ]
Dimuthu Leelarathne commented on AXIS2-1858:
--------------------------------------------
Hi Ali,
I tried re-creating the issue, and here are the results.
I downloaded rampart from the axis2-1.1 branch and followed the following steps.
Case1:
====
steps
I created a client.service.xml according to your information, i.e. added
a<module ref="rampart"/> but didn't add <parameter name="OutflowSecurity"> to
the axis2.xml. The client.service.xml had the following format[1]
Result:
The message went without a security header[2].
Case2:
====
steps
When the service is expecting a signed message I sent a message without a
security header.
Result:
It returned the following fault in the soap body[3]
It seems these problems are not in the new rampart release. Please check the
version, and if the problem exist let me know.
[1] in client.service.xml
<module ref="rampart" />
<parameter name="InflowSecurity">
<action>
<items>Timestamp Signature</items>
<signaturePropFile>client.properties</signaturePropFile>
</action>
</parameter>
in service.xml the following was present.
<service>
<operation name="echo">
<messageReceiver
class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
</operation>
<parameter name="ServiceClass"
locked="false">org.apache.rampart.samples.sample04.SimpleService</parameter>
<module ref="rampart" />
<parameter name="InflowSecurity">
<action>
<items>Timestamp Signature</items>
<signaturePropFile>service.properties</signaturePropFile>
</action>
</parameter>
<parameter name="OutflowSecurity">
<action>
<items>Timestamp Signature</items>
<user>service</user>
<passwordCallbackClass>org.apache.rampart.samples.sample04.PWCBHandler</passwordCallbackClass>
<signaturePropFile>service.properties</signaturePropFile>
<signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>
</action>
</parameter>
</service>
[2]The resulted message had no single security header - not even a empty root
element
<?xml version='1.0' encoding='UTF-8'?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header />
<soapenv:Body>
<ns1:echo xmlns:ns1="http://sample04.samples.rampart.apache.org/xsd">
<param0>Hello world</param0>
</ns1:echo>
</soapenv:Body>
</soapenv:Envelope>0
[3]The recieved message from the server
<?xml version='1.0' encoding='UTF-8'?>
<soapenv:Envelope xmlns:wsa="http://www.w3.org/2005/08/addressing"
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsa:ReplyTo>
<wsa:Address>http://www.w3.org/2005/08/addressing/none</wsa:Address>
</wsa:ReplyTo>
<wsa:MessageID>urn:uuid:2F1C3A28CD38D49CCC116589743011346</wsa:MessageID>
<wsa:Action>http://www.w3.org/2005/08/addressing/soap/fault</wsa:Action>
</soapenv:Header>
<soapenv:Body>
<soapenv:Fault>
<faultcode>soapenv:Client</faultcode>
<faultstring>WSDoAllReceiver: Incoming message does not contain
required Security header</faultstring>
<detail />
</soapenv:Fault>
</soapenv:Body>
</soapenv:Envelope>
> Security validation is made only if security header is found
> ------------------------------------------------------------
>
> Key: AXIS2-1858
> URL: http://issues.apache.org/jira/browse/AXIS2-1858
> Project: Apache Axis 2.0 (Axis2)
> Issue Type: Bug
> Components: modules
> Affects Versions: 1.1
> Environment: Not important.
> Reporter: Ali Sadik Kumlali
> Assigned To: Dimuthu Leelarathne
>
> Hi,
> Although service is expecting a signed message, I don't get any exception if
> no WS-Security header has been added to the message.
> Here are the use cases and how Rampart behaves:
> Common:
> - Service requires a signed message[1]
>
> Case1: Client adds <module ref="rampart"/> but doesn't add <parameter
> name="OutflowSecurity"> to the axis2.xml
> - Client sends message
> - Message doesn't have necessary WS-Security headers but only a single
> one[2]
> Result
> - Rampart doesn't log or throw any exception and the message passes to the
> message receiver (Unexpected(?) behaviour)
>
> Case2: Client doesn't add either <module ref="rampart"/> or <parameter
> name="OutflowSecurity">...
> - Client sends message
> - Message doesn't have any WS-Security header.
> Result
> - Rampart doesn't log or throw any exception and the message passes to the
> message receiver (Unexpected(?) behaviour)
>
> Regards,
> Ali Sadik Kumlali
>
> [1]
> <module ref="rampart"/>
> <parameter name="InflowSecurity">
> <action>
> <items>Signature</items>
> <signaturePropFile>server_security.properties</signaturePropFile>
> </action>
> </parameter>
>
> [2] <wsse:Security soapenv:mustUnderstand="1"
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"/>
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]