incomplete SOAP header bypasses rampart security
------------------------------------------------

                 Key: AXIS2-4132
                 URL: https://issues.apache.org/jira/browse/AXIS2-4132
             Project: Axis 2.0 (Axis2)
          Issue Type: Bug
          Components: modules
    Affects Versions: 1.4.1
         Environment: eclipse ganymede, Tomcat 6.0.18 running on Windows NT
            Reporter: Chris Dalrymple
             Fix For: 1.4.1


I configured a web service to use basic authentication as demonstrated in 
basic/example3 of the rampart 1.3 examples. The security works as expected when 
a request comes in without the necessary SOAP header and the following response 
is returned:

[ERROR] WSDoAllReceiver: Incoming message does not contain required Security 
header

The security also works as expected when the properly formed SOAP header 
contains either the wrong username or password. The Callback Handler is invoked 
and the following response is returned:

[ERROR] WSDoAllReceiver: security processing failed

The problem, which I discovered quite by accident, is that a request that is 
lacking some of the security elements of the SOAP header seems to bypass the 
Callback Handler completely and give access to the secured resource. Below is 
an example of a SOAP request that behaves as described.

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
      <soapenv:Header>
            <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" />
      </soapenv:Header>
      <soapenv:Body>
            <ns1:getUnitId xmlns:ns1="http://axis2.webservice.lsu.edu">
                  <ns1:unitId>b3Z76yu439156</ns1:unitId>
            </ns1:getUnitId>
      </soapenv:Body>
</soapenv:Envelope>


-- 
This message is automatically generated by JIRA.
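The check below is an added example, not code from the report, from Axis2 or from Rampart. It classifies what a SOAP 1.2 request's wsse:Security header actually contains, so that a header that is present but carries no UsernameToken (the request shown in the report) is rejected instead of being passed through as authenticated. The function names (classify_security_header, must_reject), the rule that exactly one UsernameToken with a non-empty Username and a typed Password is required, and the three sample envelopes are assumptions made for this example; the envelopes are constructed here and are not captured traffic.

```python
# Added example (not Axis2 or Rampart code): a pre-check that classifies what a
# SOAP 1.2 request's <wsse:Security> header actually contains, so that a header
# that is present but carries no UsernameToken is rejected rather than treated
# as authenticated. The envelopes below are constructed for this example; the
# empty-Security one mirrors the request from the report.
import xml.etree.ElementTree as ET

SOAP12 = "http://www.w3.org/2003/05/soap-envelope"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
# Assumption: the service only accepts the two password types defined by the
# WS-Security 1.0 UsernameToken profile.
PASSWORD_TYPES = {UTP + "#PasswordText", UTP + "#PasswordDigest"}


def q(ns, local):
    """Clark-notation tag name as used by ElementTree."""
    return "{%s}%s" % (ns, local)


def classify_security_header(envelope_xml):
    """Return what the request carries: 'malformed', 'no-header',
    'empty-security', 'multiple-tokens', 'incomplete-token' or 'usernametoken'.
    Only 'usernametoken' should ever reach the password callback."""
    try:
        root = ET.fromstring(envelope_xml.encode("utf-8"))
    except ET.ParseError:
        return "malformed"
    if root.tag != q(SOAP12, "Envelope"):
        return "malformed"
    header = root.find(q(SOAP12, "Header"))
    security = header.find(q(WSSE, "Security")) if header is not None else None
    if security is None:
        return "no-header"            # Rampart already rejects this case
    tokens = security.findall(q(WSSE, "UsernameToken"))
    if not tokens:
        return "empty-security"       # the case the report describes
    if len(tokens) > 1:
        return "multiple-tokens"      # ambiguous: refuse rather than pick one
    token = tokens[0]
    user = token.find(q(WSSE, "Username"))
    pwd = token.find(q(WSSE, "Password"))
    if user is None or not (user.text or "").strip():
        return "incomplete-token"
    if pwd is None or pwd.get("Type") not in PASSWORD_TYPES or not (pwd.text or ""):
        return "incomplete-token"
    return "usernametoken"


def must_reject(envelope_xml):
    """Fail closed: anything but a complete UsernameToken is rejected before
    the callback handler or the service operation is reached."""
    return classify_security_header(envelope_xml) != "usernametoken"


# --- constructed sample requests (not captured traffic) ----------------------
_BODY = """
  <soapenv:Body>
    <ns1:getUnitId xmlns:ns1="http://axis2.webservice.lsu.edu">
      <ns1:unitId>b3Z76yu439156</ns1:unitId>
    </ns1:getUnitId>
  </soapenv:Body>
</soapenv:Envelope>"""

_OPEN = '<?xml version="1.0" encoding="UTF-8"?>\n<soapenv:Envelope xmlns:soapenv="%s">' % SOAP12

# No Security header at all: Rampart already rejects this.
NO_HEADER = _OPEN + "\n  <soapenv:Header/>" + _BODY

# Security header present but empty: the bypass request from the report.
EMPTY_SECURITY = _OPEN + """
  <soapenv:Header>
    <wsse:Security xmlns:wsse="%s"/>
  </soapenv:Header>""" % WSSE + _BODY

# A complete UsernameToken, the only shape that should reach the callback.
WITH_TOKEN = _OPEN + """
  <soapenv:Header>
    <wsse:Security xmlns:wsse="%s">
      <wsse:UsernameToken>
        <wsse:Username>alice</wsse:Username>
        <wsse:Password Type="%s#PasswordText">s3cret</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>""" % (WSSE, UTP) + _BODY

if __name__ == "__main__":
    samples = [("no header", NO_HEADER), ("empty Security", EMPTY_SECURITY),
               ("UsernameToken", WITH_TOKEN)]
    for name, env in samples:
        print("%-15s -> %s (reject=%s)"
              % (name, classify_security_header(env), must_reject(env)))
```

The point of the classification is that "header present" and "credentials present" are different conditions: the report shows the first being taken for the second. Rejecting everything except a single, complete UsernameToken keeps the decision fail-closed, and the distinct labels make it easy to log which malformed shape a client sent.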