Hi,
I am using Axis2 version 1.1.1 and Rampart version 1.1.1.
I have a web service configured to require all incoming messages to include
a Timestamp and a Signature. The implementation has been working fine for
months. However, I recently discovered that the configuration did not
actually enforce the security policy, as I could invoke the web service
by sending a SOAP message with an empty Security tag in the SOAP header
(like the attached SOAP message). Is this a bug or a wrong configuration?
I would appreciate it if somebody could offer a solution.
<?xml version='1.0' encoding='utf-8'?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:ns2="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <soap:Header>
    <!-- empty wsse:Security header: carries neither a Timestamp nor a Signature -->
    <ns2:Security soap:mustUnderstand="1"/>
  </soap:Header>
  <soap:Body>
    <ValidateCredentialRequest xmlns="http://example.org/partnerapi/">
      <endUserIdentifier xmlns="">${NAME}</endUserIdentifier>
      <endUserPin xmlns="">${PASSWORD}</endUserPin>
    </ValidateCredentialRequest>
  </soap:Body>
</soap:Envelope>
The following is a snapshot of my services.xml file:
<serviceGroup>
  <service name="partnerapi">
    <messageReceivers>
      <messageReceiver mep="http://www.w3.org/2004/08/wsdl/in-out"
          class="org.example.partnerapi.PartnerapiMessageReceiverInOut"/>
    </messageReceivers>
    <parameter name="ServiceClass"
        locked="false">org.example.partnerapi.PartnerapiSkeleton</parameter>
    <!-- Rampart inflow policy: every incoming message must carry a Signature and a Timestamp -->
    <parameter name="InflowSecurity">
      <action>
        <items>Signature Timestamp</items>
        <passwordCallbackClass>PWCallback</passwordCallbackClass>
        <signaturePropFile>security.properties</signaturePropFile>
      </action>
    </parameter>
    <operation name="validateCredential"
        mep="http://www.w3.org/2004/08/wsdl/in-out">
      <actionMapping>urn:validateCredential</actionMapping>
      <outputActionMapping>http://example.org/partnerapi/partnerapiPortType/validateCredentialResponse</outputActionMapping>
    </operation>
  </service>
</serviceGroup>
Thanks & Best Rgds,
Niu
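The check a practitioner would want for the situation described in the post is a regression probe that fails closed: one that treats a missing or empty wsse:Security header as missing every required item, rather than treating "header present" as "policy satisfied", and that reports whether the deployed service answers the bypass message with a SOAP Fault. The following is an added example, not code from the original post, from Axis2 or from Rampart; the SERVICE_URL, the sample credentials and the signature value in the compliant sample are placeholders, and the structural check deliberately does not verify the signature itself (that remains Rampart's job).

```python
"""Probe for the empty-wsse:Security bypass described in the post above.

Added example, not part of the original post or of Axis2/Rampart.
1. missing_security_items(): independent structural check of a SOAP envelope
   that returns the "Signature Timestamp" items with no matching element in
   the wsse:Security header (a missing or empty header is missing all of them).
2. classify_response(): tells a SOAP Fault answer from an accepted call.
3. probe(): posts an envelope to the service (URL is an assumed placeholder).
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU_NS = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd")
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Element that must appear inside wsse:Security for each Rampart "items" keyword.
REQUIRED_CHILD = {
    "Signature": f"{{{DS_NS}}}Signature",
    "Timestamp": f"{{{WSU_NS}}}Timestamp",
}


def _parse(xml_text):
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    return ET.fromstring(data)


def missing_security_items(envelope_xml, items=("Signature", "Timestamp")):
    """Return the required items that have no element in wsse:Security.
    No header, or an empty header, is missing everything: fail closed."""
    root = _parse(envelope_xml)
    header = root.find(f"{{{SOAP_NS}}}Header")
    security = None if header is None else header.find(f"{{{WSSE_NS}}}Security")
    if security is None:
        return list(items)
    present = {child.tag for child in security}
    return [item for item in items if REQUIRED_CHILD[item] not in present]


def should_reject(envelope_xml, items=("Signature", "Timestamp")):
    """True when the envelope does not carry every required item."""
    return bool(missing_security_items(envelope_xml, items))


def classify_response(response_xml):
    """'fault' if the response Body is a SOAP Fault, otherwise 'accepted'."""
    body = _parse(response_xml).find(f"{{{SOAP_NS}}}Body")
    if body is not None and body.find(f"{{{SOAP_NS}}}Fault") is not None:
        return "fault"
    return "accepted"


def probe(url, envelope_xml, soap_action="urn:validateCredential", timeout=10):
    """POST the envelope; 'accepted' for the bypass envelope reproduces the bug."""
    req = urllib.request.Request(url, data=envelope_xml.encode("utf-8"), headers={
        "Content-Type": "text/xml; charset=utf-8",
        "SOAPAction": f'"{soap_action}"',
    })
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.read())
    except urllib.error.HTTPError as err:   # faults usually come back as HTTP 500
        return classify_response(err.read())
    except urllib.error.URLError:
        return "unreachable"


# Constructed sample: the bypass message from the post, Security header empty.
BYPASS_ENVELOPE = f"""<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:wsse="{WSSE_NS}">
  <soap:Header><wsse:Security soap:mustUnderstand="1"/></soap:Header>
  <soap:Body>
    <ValidateCredentialRequest xmlns="http://example.org/partnerapi/">
      <endUserIdentifier xmlns="">alice</endUserIdentifier>
      <endUserPin xmlns="">1234</endUserPin>
    </ValidateCredentialRequest>
  </soap:Body>
</soap:Envelope>"""

# Constructed sample: both required items present (signature value is a placeholder).
COMPLIANT_ENVELOPE = f"""<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:wsse="{WSSE_NS}"
    xmlns:wsu="{WSU_NS}" xmlns:ds="{DS_NS}">
  <soap:Header>
    <wsse:Security soap:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="Timestamp-1">
        <wsu:Created>2007-05-01T10:00:00Z</wsu:Created>
        <wsu:Expires>2007-05-01T10:05:00Z</wsu:Expires>
      </wsu:Timestamp>
      <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body><ValidateCredentialRequest xmlns="http://example.org/partnerapi/"/></soap:Body>
</soap:Envelope>"""

# Constructed sample: what a correctly enforced policy should answer the bypass with.
FAULT_RESPONSE = f"""<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body><soap:Fault>
  <faultcode>soap:Client</faultcode><faultstring>Missing Timestamp</faultstring>
</soap:Fault></soap:Body></soap:Envelope>"""

if __name__ == "__main__":
    SERVICE_URL = "http://localhost:8080/axis2/services/partnerapi"  # placeholder
    print("bypass envelope is missing:", missing_security_items(BYPASS_ENVELOPE))
    print("service answered:", probe(SERVICE_URL, BYPASS_ENVELOPE))
```

Run it against the deployed endpoint: a server that enforces the "Signature Timestamp" policy returns "fault" for BYPASS_ENVELOPE, and any "accepted" reproduces the behaviour the post describes. The local check is only a structural guard; a header that contains a ds:Signature element still has to have that signature verified against the configured keystore.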