Ruchith Is it another fix to use the Policy-based model instead?
Paul On Jan 7, 2008 8:54 AM, Ruchith Fernando <[EMAIL PROTECTED]> wrote: > Hi, > > This is a bug in the wss4j library and it occurs when you use the > parameter based configuration. > This can be patched by using another handler to check the > configuration and for security results. > Will post this solution shortly! > > Thanks, > Ruchith > > > On Jan 7, 2008 12:35 PM, Niu <[EMAIL PROTECTED]> wrote: > > > > > > > > > > Hi, > > > > > > > > I am using axis2 version 1.1.1 and rampart version 1.1.1. > > > > > > > > I have a web services configured to require all incoming messages to include > > a Timestamp and a Signature. The implementation has been working fine for > > months. However, lately, I just discovered that the configuration did not > > actually enforce the security policy as I could just invoke the web services > > by sending a SOAP message with an empty Security tag in the SOAP header > > (like the attached SOAP message). Is this a bug or wrong configuration?? > > Appreciate if somebody can offer a solution. > > > > > > > > > > > > <?xml version='1.0' encoding='utf-8'?> > > > > <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"; > > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; > > xmlns:xsd="http://www.w3.org/2001/XMLSchema"; > > xmlns:ns2="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";> > > > > <soap:Header> > > > > <ns2:Security soap:mustUnderstand="1"/> > > > > </soap:Header> > > > > <soap:Body> > > > > <ValidateCredentialRequest xmlns="http://example.org/partnerapi/";> > > > > <endUserIdentifier xmlns="">${NAME}</endUserIdentifier> > > > > <endUserPin xmlns="">${PASSWORD}</endUserPin> > > > > </ValidateCredentialRequest> > > > > </soap:Body> > > > > </soap:Envelope> > > > > > > > > > > > > > > > > The following is a snapshot of my Services.xml file: > > > > > > > > <serviceGroup> > > > > <service name="partnerapi"> > > > > <messageReceivers> > > > > <messageReceiver mep="http://www.w3.org/2004/08/wsdl/in-out"; > > class="org.example.partnerapi.PartnerapiMessageReceiverInOut"/> > > > > </messageReceivers> > > > > <parameter name="ServiceClass" > > locked="false">org.example.partnerapi.PartnerapiSkeleton</parameter> > > > > <parameter name="InflowSecurity"> > > > > <action> > > > > <items>Signature Timestamp</items> > > > > <passwordCallbackClass>PWCallback</passwordCallbackClass> > > > > <signaturePropFile>security.properties</signaturePropFile> > > > > </action> > > > > </parameter> > > > > <operation name="validateCredential" > > mep="http://www.w3.org/2004/08/wsdl/in-out";> > > > > <actionMapping>urn:validateCredential</actionMapping> > > > > <outputActionMapping>http://example.org/partnerapi/partnerapiPortType/validateCredentialResponse</outputActionMapping> > > > > </operation> > > > > </service> > > > > </serviceGroup> > > > > > > > > > > > > > > > > > > > > Thanks & Best Rgds, > > > > Niu > > > > > > /---------------------------------------------------------------------------\ > > > > Confidential and/ or privileged information may be contained in this > > e-mail and any attachments transmitted with it ('Message'). If you are > > not the addressee indicated in this Message (or responsible for > > delivery of this Message to such person),you are hereby notified that > > any dissemination, distribution, printing or copying of this Message or > > any part thereof is prohibited. Please delete this Message if received > > in error and advise the sender by return e-mail. Opinions, conclusions > > and other information in this Message that do not relate to the > > official business of this company shall be understood as neither given > > nor endorsed by this company. > > > > This mail is certified Virus Free by *ProtectNow! (InternetNow Sdn Bhd) > > *Scanner Engine powered by Norman Virus Control > > > > \--------------------------------------------------------------------------/ > > > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: [EMAIL PROTECTED] > > For additional commands, e-mail: [EMAIL PROTECTED] > > > > > > -- > http://blog.ruchith.org > http://wso2.org > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > -- Paul Fremantle Co-Founder and VP of Technical Sales, WSO2 OASIS WS-RX TC Co-chair blog: http://pzf.fremantle.org [EMAIL PROTECTED] "Oxygenating the Web Service Platform", www.wso2.com --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
