Hi Ruchith,

Thanks for the prompt response. I will explore the policy-based model.
However, you will still post the patch solution, right? :)

Thanks & Best Rgds,
Niu

-----Original Message-----
From: Ruchith Fernando [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, January 08, 2008 9:17 AM
To: [email protected]
Subject: Re: [Axis2 1.1.1] Security policy not enforced

Yes ... you can move your configuration to policy based model to
overcome this issue as well.

Thanks,
Ruchith

On Jan 7, 2008 4:47 PM, Paul Fremantle <[EMAIL PROTECTED]> wrote:
> Ruchith
>
> Is it another fix to use the Policy-based model instead?
>
> Paul
>
>
> On Jan 7, 2008 8:54 AM, Ruchith Fernando <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > This is a bug in the wss4j library and it occurs when you use the
> > parameter based configuration.
> > This can be patched by using another handler to check the
> > configuration and for security results.
> > Will post this solution shortly!
> >
> > Thanks,
> > Ruchith
> >
> >
> > > On Jan 7, 2008 12:35 PM, Niu <[EMAIL PROTECTED]> wrote:
> > > Hi,
> > >
> > > I am using axis2 version 1.1.1 and rampart version 1.1.1.
> > >
> > > I have a web service configured to require all incoming messages to include
> > > a Timestamp and a Signature. The implementation has been working fine for
> > > months. However, lately, I just discovered that the configuration did not
> > > actually enforce the security policy as I could just invoke the web service
> > > by sending a SOAP message with an empty Security tag in the SOAP header
> > > (like the attached SOAP message). Is this a bug or wrong configuration?
> > > Appreciate if somebody can offer a solution.
> > >
> > > <?xml version='1.0' encoding='utf-8'?>
> > > <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
> > >     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > >     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> > >     xmlns:ns2="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> > >   <soap:Header>
> > >     <ns2:Security soap:mustUnderstand="1"/>
> > >   </soap:Header>
> > >   <soap:Body>
> > >     <ValidateCredentialRequest xmlns="http://example.org/partnerapi/">
> > >       <endUserIdentifier xmlns="">${NAME}</endUserIdentifier>
> > >       <endUserPin xmlns="">${PASSWORD}</endUserPin>
> > >     </ValidateCredentialRequest>
> > >   </soap:Body>
> > > </soap:Envelope>
> > >
> > > The following is a snapshot of my Services.xml file:
> > >
> > > <serviceGroup>
> > >   <service name="partnerapi">
> > >     <messageReceivers>
> > >       <messageReceiver mep="http://www.w3.org/2004/08/wsdl/in-out"
> > >           class="org.example.partnerapi.PartnerapiMessageReceiverInOut"/>
> > >     </messageReceivers>
> > >     <parameter name="ServiceClass"
> > >         locked="false">org.example.partnerapi.PartnerapiSkeleton</parameter>
> > >     <parameter name="InflowSecurity">
> > >       <action>
> > >         <items>Signature Timestamp</items>
> > >         <passwordCallbackClass>PWCallback</passwordCallbackClass>
> > >         <signaturePropFile>security.properties</signaturePropFile>
> > >       </action>
> > >     </parameter>
> > >     <operation name="validateCredential"
> > >         mep="http://www.w3.org/2004/08/wsdl/in-out">
> > >       <actionMapping>urn:validateCredential</actionMapping>
> > >       <outputActionMapping>http://example.org/partnerapi/partnerapiPortType/validateCredentialResponse</outputActionMapping>
> > >     </operation>
> > >   </service>
> > > </serviceGroup>
> > >
> > > Thanks & Best Rgds,
> > >
> > > Niu
> > >
> >
> >
> >
> > --
> > http://blog.ruchith.org
> > http://wso2.org
> >
> >
>
>
>
> --
> Paul Fremantle
> Co-Founder and VP of Technical Sales, WSO2
> OASIS WS-RX TC Co-chair
>
> blog: http://pzf.fremantle.org
> [EMAIL PROTECTED]
>
> "Oxygenating the Web Service Platform", www.wso2.com
>
>



-- 
http://blog.ruchith.org
http://wso2.org

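The handler-based check Ruchith describes above, written out as an added example in Java that is not code from this thread or from Rampart itself: a hypothetical Axis2 handler (RequiredActionsCheckHandler, assumed to be deployed in the Security phase after Rampart's inflow handler) reads a "requiredActions" parameter (assumed name, mirroring the <items> list) and faults unless WSS4J's RECV_RESULTS show that every listed action was actually performed, so a message carrying an empty wsse:Security header is rejected instead of reaching the service.

```java
import java.util.Iterator;
import java.util.Vector;
import org.apache.axis2.AxisFault;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.description.Parameter;
import org.apache.axis2.handlers.AbstractHandler;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;

// Hypothetical handler: deploy it in the Security phase after Rampart's inflow
// handler; its "requiredActions" parameter (assumed name) mirrors <items>.
public class RequiredActionsCheckHandler extends AbstractHandler {
    public InvocationResponse invoke(MessageContext msgContext) throws AxisFault {
        Parameter param = getParameter("requiredActions");
        if (param == null) throw new AxisFault("requiredActions is not configured");
        String[] required = ((String) param.getValue()).trim().split("\\s+");
        // Rampart stores the WSS4J results under RECV_RESULTS. An empty
        // <wsse:Security/> header produces no results, so this fails closed.
        Vector results = (Vector) msgContext.getProperty(WSHandlerConstants.RECV_RESULTS);
        for (int i = 0; i < required.length; i++) {
            if (!actionPresent(results, toActionCode(required[i]))) {
                throw new AxisFault("Rejecting message: required security action '"
                        + required[i] + "' was not performed");
            }
        }
        return InvocationResponse.CONTINUE;
    }

    // Maps the action names used in <items> to WSS4J action codes.
    private static int toActionCode(String name) throws AxisFault {
        if (WSHandlerConstants.SIGNATURE.equals(name)) return WSConstants.SIGN;
        if (WSHandlerConstants.TIMESTAMP.equals(name)) return WSConstants.TS;
        throw new AxisFault("Unsupported required action: " + name);
    }

    // True if any WSSecurityEngineResult reports the given action. Older WSS4J 1.5
    // releases expose it via getAction(); newer ones via get(TAG_ACTION).
    private static boolean actionPresent(Vector results, int action) {
        if (results == null) return false;
        for (Iterator it = results.iterator(); it.hasNext();) {
            Vector engineResults = ((WSHandlerResult) it.next()).getResults();
            for (Iterator er = engineResults.iterator(); er.hasNext();) {
                if (((WSSecurityEngineResult) er.next()).getAction() == action) return true;
            }
        }
        return false;
    }
}
```

The check only matters for the parameter-based configuration discussed in this thread; with the policy-based model Ruchith recommends, Rampart validates the results against the policy itself.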






