On Jan 8, 2008 3:55 PM, Niu <[EMAIL PROTECTED]> wrote:
> Hi Ruchith,
>
> Thanks for the prompt response. I will explore on the policy based model.
> However, you will still post the patch solution, right? :)

Yep ... will send a patch ... got to test the patch module on
Axis2/Rampart 1.1(.1).

Thanks,
Ruchith

>
> Thanks & Best Rgds,
> Niu
>
> -----Original Message-----
> From: Ruchith Fernando [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 08, 2008 9:17 AM
> To: [email protected]
>
> Subject: Re: [Axis2 1.1.1] Security policy not enforced
>
> Yes ... you can move your configuration to policy based model to
> overcome this issue as well.
>
> Thanks,
> Ruchith
>
> On Jan 7, 2008 4:47 PM, Paul Fremantle <[EMAIL PROTECTED]> wrote:
> > Ruchith
> >
> > Is it another fix to use the Policy-based model instead?
> >
> > Paul
> >
> >
> > On Jan 7, 2008 8:54 AM, Ruchith Fernando <[EMAIL PROTECTED]> wrote:
> > > Hi,
> > >
> > > This is a bug in the wss4j library and it occurs when you use the
> > > parameter based configuration.
> > > This can be patched by using another handler to check the
> > > configuration and for security results.
> > > Will post this solution shortly!
> > >
> > > Thanks,
> > > Ruchith
> > >
> > >
> > > On Jan 7, 2008 12:35 PM, Niu <[EMAIL PROTECTED]> wrote:
> > > > Hi,
> > > >
> > > > I am using axis2 version 1.1.1 and rampart version 1.1.1.
> > > >
> > > > I have a web service configured to require all incoming messages to include
> > > > a Timestamp and a Signature. The implementation has been working fine for
> > > > months. However, lately, I just discovered that the configuration did not
> > > > actually enforce the security policy as I could just invoke the web service
> > > > by sending a SOAP message with an empty Security tag in the SOAP header
> > > > (like the attached SOAP message). Is this a bug or wrong configuration?
> > > > Appreciate if somebody can offer a solution.
> > > >
> > > > <?xml version='1.0' encoding='utf-8'?>
> > > > <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
> > > >     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > > >     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> > > >     xmlns:ns2="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> > > >   <soap:Header>
> > > >     <ns2:Security soap:mustUnderstand="1"/>
> > > >   </soap:Header>
> > > >   <soap:Body>
> > > >     <ValidateCredentialRequest xmlns="http://example.org/partnerapi/">
> > > >       <endUserIdentifier xmlns="">${NAME}</endUserIdentifier>
> > > >       <endUserPin xmlns="">${PASSWORD}</endUserPin>
> > > >     </ValidateCredentialRequest>
> > > >   </soap:Body>
> > > > </soap:Envelope>
> > > >
> > > > The following is a snapshot of my services.xml file:
> > > >
> > > > <serviceGroup>
> > > >   <service name="partnerapi">
> > > >     <messageReceivers>
> > > >       <messageReceiver mep="http://www.w3.org/2004/08/wsdl/in-out"
> > > >           class="org.example.partnerapi.PartnerapiMessageReceiverInOut"/>
> > > >     </messageReceivers>
> > > >     <parameter name="ServiceClass"
> > > >         locked="false">org.example.partnerapi.PartnerapiSkeleton</parameter>
> > > >     <parameter name="InflowSecurity">
> > > >       <action>
> > > >         <items>Signature Timestamp</items>
> > > >         <passwordCallbackClass>PWCallback</passwordCallbackClass>
> > > >         <signaturePropFile>security.properties</signaturePropFile>
> > > >       </action>
> > > >     </parameter>
> > > >     <operation name="validateCredential"
> > > >         mep="http://www.w3.org/2004/08/wsdl/in-out">
> > > >       <actionMapping>urn:validateCredential</actionMapping>
> > > >       <outputActionMapping>http://example.org/partnerapi/partnerapiPortType/validateCredentialResponse</outputActionMapping>
> > > >     </operation>
> > > >   </service>
> > > > </serviceGroup>
> > > >
> > > > Thanks & Best Rgds,
> > > >
> > > > Niu
> > > >
> > > >
> > > > /---------------------------------------------------------------------------\
> > > >
> > > > Confidential and/ or privileged information may be contained in this
> > > > e-mail and any attachments transmitted with it ('Message'). If you are
> > > > not the addressee indicated in this Message (or responsible for
> > > > delivery of this Message to such person), you are hereby notified that
> > > > any dissemination, distribution, printing or copying of this Message or
> > > > any part thereof is prohibited. Please delete this Message if received
> > > > in error and advise the sender by return e-mail. Opinions, conclusions
> > > > and other information in this Message that do not relate to the
> > > > official business of this company shall be understood as neither given
> > > > nor endorsed by this company.
> > > >
> > > > This mail is certified Virus Free by *ProtectNow! (InternetNow Sdn Bhd)
> > > > *Scanner Engine powered by Norman Virus Control
> > > >
> > > > \--------------------------------------------------------------------------/
> > > >
> > > >
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > >
> > >
> > >
> > >
> > > --
> > > http://blog.ruchith.org
> > > http://wso2.org
> > >
> > >
> > >
> > >
> >
> >
> >
> > --
> > Paul Fremantle
> > Co-Founder and VP of Technical Sales, WSO2
> > OASIS WS-RX TC Co-chair
> >
> > blog: http://pzf.fremantle.org
> > [EMAIL PROTECTED]
> >
> > "Oxygenating the Web Service Platform", www.wso2.com
> >
> >
> >
> >
>
>
>
> --
> http://blog.ruchith.org
> http://wso2.org
>



-- 
http://blog.ruchith.org
http://wso2.org

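Ruchith's suggested workaround above, a second handler that compares the configured actions with the security results Rampart recorded, written out as an added example in Java (the language of Axis2 and Rampart); it is not the patch posted to the list. It assumes the Axis2 1.1 handler API, the WSS4J 1.5 `WSSecurityEngineResult.getAction()` accessor, and a hypothetical class name.

```java
import java.util.*;
import javax.xml.namespace.QName;
import org.apache.axiom.om.OMElement;
import org.apache.axis2.AxisFault;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.description.Parameter;
import org.apache.axis2.engine.Handler;
import org.apache.axis2.handlers.AbstractHandler;
import org.apache.ws.security.*;
import org.apache.ws.security.handler.*;

/* Hypothetical handler for a phase after Rampart's inbound "Security" phase: the request is
 * rejected unless every action in InflowSecurity/action/items produced a security result. */
public class RequiredActionsHandler extends AbstractHandler {
    public Handler.InvocationResponse invoke(MessageContext msgCtx) throws AxisFault {
        Set required = requiredActions(msgCtx);
        Set found = new HashSet();
        // Rampart puts WSHandlerResult objects here; an empty <wsse:Security/> leaves it null or empty
        Vector results = (Vector) msgCtx.getProperty(WSHandlerConstants.RECV_RESULTS);
        if (results == null) results = new Vector();
        for (Iterator i = results.iterator(); i.hasNext();) {
            WSHandlerResult hr = (WSHandlerResult) i.next();
            for (Iterator j = hr.getResults().iterator(); j.hasNext();) {
                // getAction() is the WSS4J 1.5.x accessor (assumption; later releases use a Map)
                found.add(new Integer(((WSSecurityEngineResult) j.next()).getAction()));
            }
        }
        required.removeAll(found);
        if (!required.isEmpty()) throw new AxisFault("Required WS-Security actions missing: " + required);
        return Handler.InvocationResponse.CONTINUE;
    }

    /* Maps the <items> names of the service's InflowSecurity parameter to WSS4J action
     * codes; an unknown name fails closed instead of being silently ignored. */
    private Set requiredActions(MessageContext msgCtx) throws AxisFault {
        Parameter p = msgCtx.getParameter("InflowSecurity");
        if (p == null) throw new AxisFault("InflowSecurity parameter not configured");
        OMElement items = p.getParameterElement().getFirstChildWithName(new QName("action"))
                .getFirstChildWithName(new QName("items"));
        String[] names = items.getText().trim().split("\\s+");
        Set actions = new HashSet();
        for (int k = 0; k < names.length; k++) {
            if (WSHandlerConstants.SIGNATURE.equals(names[k])) actions.add(new Integer(WSConstants.SIGN));
            else if (WSHandlerConstants.TIMESTAMP.equals(names[k])) actions.add(new Integer(WSConstants.TS));
            else if (WSHandlerConstants.USERNAME_TOKEN.equals(names[k])) actions.add(new Integer(WSConstants.UT));
            else throw new AxisFault("Unsupported InflowSecurity action: " + names[k]);
        }
        return actions;
    }
}
```

Engage the handler in an in-flow phase that runs after Rampart's Security phase so that RECV_RESULTS is already populated; with the services.xml above, the empty Security header then fails with both Signature and Timestamp reported missing.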
