[ 
http://issues.apache.org/jira/browse/AXIS2-1858?page=comments#action_12457574 ] 
            
Dimuthu Leelarathne commented on AXIS2-1858:
--------------------------------------------

Hi Ali,

I tried re-creating the issue, and here are the results.

I downloaded rampart from the axis2-1.1 branch and followed the following steps.

Case1:
====

steps
I created a client.service.xml according to your information, i.e. added 
a<module ref="rampart"/> but didn't add <parameter name="OutflowSecurity"> to 
the axis2.xml. The client.service.xml had the following format[1]

Result:
The message went without a security header[2].

Case2:
====

steps
When the service is expecting a signed message I sent a message without a 
security header.

Result:
It returned the following fault in the soap body[3]

It seems these problems are not in the new rampart release. Please check the 
version, and if the  problem exist let me know.

[1] in client.service.xml
        <module ref="rampart" />

    <parameter name="InflowSecurity">
      <action>
        <items>Timestamp Signature</items>
        <signaturePropFile>client.properties</signaturePropFile>
     </action>
    </parameter>

in  service.xml the following was present.
<service>

        <operation name="echo">

                <messageReceiver 
class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>

        </operation>    

        <parameter name="ServiceClass" 
locked="false">org.apache.rampart.samples.sample04.SimpleService</parameter>



        <module ref="rampart" />



    <parameter name="InflowSecurity">

      <action>

        <items>Timestamp Signature</items>

        <signaturePropFile>service.properties</signaturePropFile>

      </action>

    </parameter>

        

        <parameter name="OutflowSecurity">

      <action>

        <items>Timestamp Signature</items>

        <user>service</user>

        
<passwordCallbackClass>org.apache.rampart.samples.sample04.PWCBHandler</passwordCallbackClass>

        <signaturePropFile>service.properties</signaturePropFile>

        <signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>

      </action>

    </parameter>

    

</service>


[2]The resulted message had no single security header - not even a empty root 
element
<?xml version='1.0' encoding='UTF-8'?>
   <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/";>
      <soapenv:Header />
      <soapenv:Body>
         <ns1:echo xmlns:ns1="http://sample04.samples.rampart.apache.org/xsd";>
            <param0>Hello world</param0>
         </ns1:echo>
      </soapenv:Body>
   </soapenv:Envelope>0


[3]The recieved message from the server

<?xml version='1.0' encoding='UTF-8'?>
   <soapenv:Envelope xmlns:wsa="http://www.w3.org/2005/08/addressing"; 
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/";>
      <soapenv:Header>
         <wsa:ReplyTo>
            <wsa:Address>http://www.w3.org/2005/08/addressing/none</wsa:Address>
         </wsa:ReplyTo>
         
<wsa:MessageID>urn:uuid:2F1C3A28CD38D49CCC116589743011346</wsa:MessageID>
         
<wsa:Action>http://www.w3.org/2005/08/addressing/soap/fault</wsa:Action>
      </soapenv:Header>
      <soapenv:Body>
         <soapenv:Fault>
            <faultcode>soapenv:Client</faultcode>
            <faultstring>WSDoAllReceiver: Incoming message does not contain 
required Security header</faultstring>
            <detail />
         </soapenv:Fault>
      </soapenv:Body>
   </soapenv:Envelope>


> Security validation is made only if security header is found
> ------------------------------------------------------------
>
>                 Key: AXIS2-1858
>                 URL: http://issues.apache.org/jira/browse/AXIS2-1858
>             Project: Apache Axis 2.0 (Axis2)
>          Issue Type: Bug
>          Components: modules
>    Affects Versions: 1.1
>         Environment: Not important.
>            Reporter: Ali Sadik Kumlali
>         Assigned To: Dimuthu Leelarathne
>
> Hi,
> Although service is expecting a signed message, I don't get any exception if 
> no WS-Security header has been added to the message. 
> Here are the use cases and how Rampart behaves:
> Common:
>   - Service requires a signed message[1]
>   
> Case1: Client adds <module ref="rampart"/> but doesn't add <parameter 
> name="OutflowSecurity"> to the axis2.xml
>   - Client sends message
>   - Message doesn't have necessary WS-Security headers but only a single 
> one[2]
>   Result
>   - Rampart doesn't log or throw any exception and the message passes to the 
> message receiver (Unexpected(?) behaviour)
>   
> Case2: Client doesn't add either <module ref="rampart"/> or <parameter 
> name="OutflowSecurity">...
>   - Client sends message
>   - Message doesn't have any WS-Security header.
>   Result
>   - Rampart doesn't log or throw any exception and the message passes to the 
> message receiver (Unexpected(?) behaviour)
>   
> Regards,
> Ali Sadik Kumlali
>   
> [1]
>     <module ref="rampart"/>
>     <parameter name="InflowSecurity">
>         <action>
>             <items>Signature</items>
>             <signaturePropFile>server_security.properties</signaturePropFile>
>         </action>
>     </parameter>
>   
> [2] <wsse:Security soapenv:mustUnderstand="1" 
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"/>

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to