I am trying to make sure that Rampart is failing my spoofed SOAP messages legitimately.
I configure my client dynamically to use Signature for the OutflowSecurity action; I run the test app, and via TCPMON I see the SOAP message was correctly set for the service. All runs fine. I then copy and paste the SOAP message from TCPMON and resend it to the service from another method in the test app. I expect it to fail, to verify security is working correctly.

My question, in order to make sure my process is legit, is: How does the security engine fail it? The signature value in the SOAP security header is exactly the same every time I send the message, whether I send it normally from the client or I copy and paste and resend to create a failure condition. Again, it does fail it as desired, but I am not sure it is failing for the right reason. There is no timestamp; all data going across in the SOAP header (actual or spoofed) is exactly the same. So how does it know that the copied/pasted/spoofed SOAP is a false message?

Thanks,
Alan J
