2007/6/18, Ruchith Fernando <[EMAIL PROTECTED]>:

My guess is there's some missing config. Remember just engaging
rampart is not sufficient! One MUST provide the policy/configuration
for Rampart to enforce.

Thanks,
Ruchith

On 6/16/07, Glen Mazza <[EMAIL PROTECTED]> wrote:
> That would appear, indeed, to be an alarmingly big security hole.  We
> are most probably misunderstanding something though.  But as for
> forgetting some configuration, one would guess what you have done should
> fail by default anyway (i.e., no special configuration should be
> necessary to *enable* security if the tags are missing, only perhaps to
> *disable*).
>
> Glen
>
> On Friday, 15.06.2007, at 17:45 -0300, Eduardo Muller wrote:
> >      With this configuration (see
> > http://www-usr.inf.ufsm.br/~muller/rampart.jpg ),
> >
> > where the tag <UsernameToken> is replaced with
> > <incorrectTagUsernameToken>,
> >
> > the web service will be called without passing through the class
> > ServerPWCBHandler.
> >
> >      That means authentication doesn't work. Is this a Rampart BUG?
> >
> > I know how to fix this in
> > the org.apache.rampart.handler.WSDoAllReceiver class.
> > But I want to know if this is necessary (meaning there is a BUG) or if I
> > forgot some configuration?
> >
> > Regards, Eduardo!!
> >
> >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>


--
www.ruchith.org
www.wso2.org



Hi,
my services.xml file is http://www.inf.ufsm.br/~muller/services.xml
The spring-web.xml http://www-usr.inf.ufsm.br/~muller/spring-web.xml
and the web.xml
http://www-usr.inf.ufsm.br/~muller/web.xml

Should I have a policy file? This sample doesn't specify one.
http://wso2.org/library/240#comment-2657


Thanks
<?xml version="1.0" encoding="ISO-8859-1"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jee="http://www.springframework.org/schema/jee"
       xsi:schemaLocation="
       http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
       http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee-2.0.xsd"
       default-lazy-init="false">



    <bean name="WebServiceAuthentication" class="may.package.webservice.WebServiceMoodleSA">
    </bean>

</beans>
<service name="moodlesa"  scope="application" targetNamespace="http://webservice.package.my">
    <description>WebService description.</description>


    <parameter name="ServiceObjectSupplier" locked="false">
        org.apache.axis2.extensions.spring.receivers.SpringServletContextObjectSupplier
    </parameter>


    <parameter name="SpringBeanName" locked="false">WebServiceAuthentication</parameter>


    <schema schemaNamespace="http://webservice.package.my/xsd"/>

    <messageReceivers>
        <messageReceiver mep="http://www.w3.org/2004/08/wsdl/in-only"
                         class="org.apache.axis2.rpc.receivers.RPCInOnlyMessageReceiver"/>
        <messageReceiver mep="http://www.w3.org/2004/08/wsdl/in-out"
                         class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
    </messageReceivers>


    <operation name="integracao">
        <messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
    </operation>

    
    <module ref="rampart" />

    <parameter name="InflowSecurity">
         <action>
              <items>UsernameToken</items>
              <passwordCallbackClass>my.package.webservice.authentication.ServerHandler</passwordCallbackClass>
         </action>
    </parameter>

</service>
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4"
		 xmlns="http://java.sun.com/xml/ns/j2ee"
		 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
		 xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">


	<context-param>
		<description>description</description>
		<param-name>contextConfigLocation</param-name>
		<param-value>
			<!--/WEB-INF/securityContext.xml,-->
			<!--/WEB-INF/daoContext.xml,-->
			<!--/WEB-INF/serviceContext.xml,-->
			/WEB-INF/spring-web.xml
		</param-value>
	</context-param>


	<listener>
		<description>Description.</description>
		<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
	</listener>

	<!-- ================= AXIS ================= -->
	<servlet>
		<description>
			description.
		</description>
		<display-name>Apache-Axis Servlet</display-name>
		<servlet-name>AxisServlet</servlet-name>
		<servlet-class>org.apache.axis2.transport.http.AxisServlet</servlet-class>
		<!--<init-param>-->
		<!--<param-name>axis2.xml.path</param-name>-->
		<!--<param-value>WEB-INF/axis2.xml</param-value>-->
		<!--<param-name>axis2.xml.url</param-name>-->
		<!--<param-value>WEB-INF/axis2.xml</param-value>-->
		<!--<param-value>http://localhot/myrepo/axis2.xml</param-value>-->
		<!--</init-param>-->
		<!--<init-param>-->
		<!--<param-name>axis2.repository.path</param-name>-->
		<!--<param-value>WEB-INF/services</param-value>-->
		<!--<param-name>axis2.repository.url</param-name>-->
		<!--<param-value>http://localhot/myrepo</param-value>-->
		<!--</init-param>-->
		<load-on-startup>1</load-on-startup>
	</servlet>

	<!-- ================= AXIS ================= -->
	<servlet>
		<display-name>Apache-Axis AxisAdmin Servlet (Web Admin)</display-name>
		<servlet-name>AxisAdminServlet</servlet-name>
		<servlet-class>
			org.apache.axis2.transport.http.AxisAdminServlet
		</servlet-class>
	</servlet>

	<!-- ================= AXIS ================= -->
	<servlet-mapping>
		<servlet-name>AxisServlet</servlet-name>
		<url-pattern>/servlet/AxisServlet</url-pattern>
	</servlet-mapping>

	<!-- ================= AXIS ================= -->
	<servlet-mapping>
		<servlet-name>AxisServlet</servlet-name>
		<url-pattern>*.jws</url-pattern>
	</servlet-mapping>

	<!-- ================= AXIS ================= -->
	<servlet-mapping>
		<servlet-name>AxisServlet</servlet-name>
		<url-pattern>/services/*</url-pattern>
	</servlet-mapping>

	<!-- ================= AXIS ================= -->
	<servlet-mapping>
		<servlet-name>AxisAdminServlet</servlet-name>
		<url-pattern>/axis2-admin/*</url-pattern>
	</servlet-mapping>

</web-app>
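
The fail-by-default question raised in this thread, as an added example that is not part of the original messages and is not Rampart or WSS4J code: a receiver that only validates the tokens it finds dispatches the renamed-tag request without ever calling the password callback, while one that compares the processed actions with the configured `<items>` list rejects it. All function names are hypothetical and the requests are constructed samples with dummy credentials.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")

# Constructed sample request (not captured traffic); credentials are dummies.
def make_request(token_tag):
    return f"""<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:wsse="{WSSE_NS}">
  <soapenv:Header><wsse:Security>
    <wsse:{token_tag}>
      <wsse:Username>alice</wsse:Username>
      <wsse:Password>example-password</wsse:Password>
    </wsse:{token_tag}>
  </wsse:Security></soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""

def processed_actions(envelope_xml, check_password):
    """Validate every UsernameToken present; return the set of actions done."""
    root = ET.fromstring(envelope_xml)
    done = set()
    for sec in root.iterfind(f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security"):
        for tok in sec.iterfind(f"{{{WSSE_NS}}}UsernameToken"):
            user = tok.findtext(f"{{{WSSE_NS}}}Username")
            pwd = tok.findtext(f"{{{WSSE_NS}}}Password")
            if not check_password(user, pwd):  # stands in for the callback class
                raise PermissionError("UsernameToken rejected")
            done.add("UsernameToken")
    return done

def receive_fail_open(envelope_xml, check_password):
    """Checks only what it recognises: an unknown tag leaves nothing to check."""
    processed_actions(envelope_xml, check_password)
    return "dispatched"

def receive_fail_closed(envelope_xml, check_password, required=("UsernameToken",)):
    """Also requires every configured action to have actually been processed."""
    missing = set(required) - processed_actions(envelope_xml, check_password)
    if missing:
        raise PermissionError(f"required security actions missing: {sorted(missing)}")
    return "dispatched"
```
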