[ https://issues.apache.org/jira/browse/AXIS2-4132?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Chris Dalrymple updated AXIS2-4132:
-----------------------------------

    Environment: eclipse ganymede, Tomcat 6.0.18 running on Windows 2000  (was: eclipse ganymede, Tomcat 6.0.18 running on Windows NT)

> incomplete SOAP header bypasses rampart security
> ------------------------------------------------
>
>                 Key: AXIS2-4132
>                 URL: https://issues.apache.org/jira/browse/AXIS2-4132
>             Project: Axis 2.0 (Axis2)
>          Issue Type: Bug
>          Components: modules
>    Affects Versions: 1.4.1
>         Environment: eclipse ganymede, Tomcat 6.0.18 running on Windows 2000
>            Reporter: Chris Dalrymple
>             Fix For: 1.4.1
>
>
> I configured a web service to use basic authentication as demonstrated in 
> basic/example3 of the rampart 1.3 examples. The security works as expected 
> when a request comes in without the necessary SOAP header and the following 
> response is returned:
> [ERROR] WSDoAllReceiver: Incoming message does not contain required Security 
> header
> The security also works as expected when the properly formed SOAP header 
> contains either the wrong username or password. The Callback Handler is 
> invoked and the following response is returned:
> [ERROR] WSDoAllReceiver: security processing failed
> The problem, which I discovered quite by accident, is that a request that is 
> lacking some of the security elements of the SOAP header seems to bypass the 
> Callback Handler completely and give access to the secured resource. Below is 
> an example of a SOAP request that behaves as described.
> <?xml version="1.0" encoding="UTF-8"?>
> <soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
>       <soapenv:Header>
>             <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" />
>       </soapenv:Header>
>       <soapenv:Body>
>             <ns1:getUnitId xmlns:ns1="http://axis2.webservice.lsu.edu">
>                   <ns1:unitId>b3Z76yu439156</ns1:unitId>
>             </ns1:getUnitId>
>       </soapenv:Body>
> </soapenv:Envelope>
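A server-side pre-check for the case the report describes, added here as an illustration and not code from Axis2 or Rampart: it parses the envelope and rejects a request whose wsse:Security header is present but carries none of the tokens the policy requires, instead of treating the bare header as "security processed". It assumes the service expects a UsernameToken inside the Security header, as the Rampart basic-authentication example does; the sample envelopes below are constructed from the one in the report.

```python
import xml.etree.ElementTree as ET

SOAP_ENV = "http://www.w3.org/2003/05/soap-envelope"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"


def check_security_header(envelope_xml, required=("UsernameToken",)):
    """Return (accepted, reason) for a SOAP 1.2 envelope.

    Rejects when the wsse:Security header is absent, or when it is present
    but lacks any of the required child tokens (the empty-header case).
    """
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError as exc:
        return False, "malformed envelope: %s" % exc
    header = root.find("{%s}Header" % SOAP_ENV)
    security = header.find("{%s}Security" % WSSE) if header is not None else None
    if security is None:
        return False, "Incoming message does not contain required Security header"
    missing = [t for t in required if security.find("{%s}%s" % (WSSE, t)) is None]
    if missing:
        # This is the gap from the report: header present, tokens absent.
        return False, "Security header present but missing: " + ", ".join(missing)
    return True, "ok"


# Constructed samples. The first mirrors the report's envelope (empty header).
BODY = ('<soapenv:Body><ns1:getUnitId xmlns:ns1="http://axis2.webservice.lsu.edu">'
        '<ns1:unitId>b3Z76yu439156</ns1:unitId></ns1:getUnitId></soapenv:Body>')
EMPTY_SECURITY = ('<soapenv:Envelope xmlns:soapenv="%s"><soapenv:Header>'
                  '<wsse:Security xmlns:wsse="%s" /></soapenv:Header>%s'
                  '</soapenv:Envelope>' % (SOAP_ENV, WSSE, BODY))
# Hypothetical well-formed request carrying a UsernameToken (placeholder values).
WITH_TOKEN = ('<soapenv:Envelope xmlns:soapenv="%s"><soapenv:Header>'
              '<wsse:Security xmlns:wsse="%s"><wsse:UsernameToken>'
              '<wsse:Username>EXAMPLE_USER</wsse:Username>'
              '<wsse:Password>EXAMPLE_PASSWORD</wsse:Password>'
              '</wsse:UsernameToken></wsse:Security></soapenv:Header>%s'
              '</soapenv:Envelope>' % (SOAP_ENV, WSSE, BODY))
NO_HEADER = '<soapenv:Envelope xmlns:soapenv="%s">%s</soapenv:Envelope>' % (SOAP_ENV, BODY)

if __name__ == "__main__":
    for name, env in (("empty", EMPTY_SECURITY), ("token", WITH_TOKEN), ("none", NO_HEADER)):
        print(name, check_security_header(env))
```

Only the envelope with a UsernameToken is accepted; the empty-header request is refused with a reason naming the missing token rather than passed through to the service.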

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

