Hi,
This is my configuration for handling the security header my Axis client gets as
part of the SOAP response:
<responseFlow>
    <!-- <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
        <parameter name="action" value="UsernameToken"/>
        <parameter name="user" value="admin"/>
        <parameter name="passwordCallbackClass" value="client.PWCallback"/>
        <parameter name="passwordType" value="PasswordDigest"/>
    </handler> -->
    <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
        <parameter name="enableSignatureConfirmation" value="false"/>
        <!-- <parameter name="action" value="Timestamp UsernameToken Encrypt Signature"/> -->
        <parameter name="action" value="UsernameToken Encrypt Signature"/>
        <parameter name="user" value="admin"/>
        <parameter name="passwordCallbackClass" value="client.PWCallback"/>
        <parameter name="passwordType" value="PasswordDigest"/>
        <parameter name="user" value="cakeys"/>
        <parameter name="passwordCallbackClass" value="client.PWCallback"/>
        <parameter name="passwordType" value="PasswordText"/>
        <parameter name="decryptionPropFile" value="decryptionCrypto_ski.properties"/>
        <parameter name="encryptionKeyIdentifier" value="SKIKeyIdentifier"/>
        <parameter name="encryptionSymAlgorithm" value="http://www.w3.org/2001/04/xmlenc#kw-tripledes"/>
        <parameter name="encryptionKeyTransportAlgorithm" value="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        <!-- </handler>
        <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
            <parameter name="action" value="Signature"/> -->
        <parameter name="user" value="signverf"/>
        <parameter name="passwordCallbackClass" value="client.PWCallback"/>
        <!-- <parameter name="passwordType" value="PasswordDigest"/> -->
        <parameter name="signatureAlgorithm" value="SHA1RSA"/>
        <parameter name="signatureParts" value="{}{http://schemas.xmlsoap.org/soap/envelope/}Body;STRTransform"/>
        <parameter name="signaturePropFile" value="signatureVerifyCrypto.properties"/>
        <parameter name="signatureKeyIdentifier" value="SKIKeyIdentifier"/>
    </handler>
</responseFlow>

Here, as you can see, it is expecting the response to be encrypted, signed
and to carry a username token, but if I send the following response, which
does not contain any of the expected security elements inside the Security
header (a blank Security header), it works fine. That is my concern: is this
behavior fine?
Content-Type: multipart/related; type="text/xml";
start="blrgislin13:117676ceeaf:2416";
boundary="_=9659225631144847Sterling9659225631144847MOKO"
Date: Mon, 14 Jan 2008 00:48:03 GMT
Content-Length: 3046
Connection: close

--_=9659225631144847Sterling9659225631144847MOKO
content-type: text/xml; charset=UTF-8
content-id: <blrgislin13:117676ceeaf:2416>

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Header>
<wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"/></soapenv:Header>
<soapenv:Body>
<mesa:processData xmlns:mesa="http://www.sterlingcommerce.com/mesa">
<ProcessData>
    <service>HelloWorld</service>
    <b2b-protocol>http</b2b-protocol>
    <transport-instance-id>MESAHttpServerAdapter_HttpServerAdapter_node1</transport-instance-id>
    <SyncModeBP>false</SyncModeBP>
    <http-request-uri>/soap-new</http-request-uri>
    <transport-session-id>Fri Jan 11 11:27:20 IST
2008:11</transport-session-id>
    <incomingSOAPTransportMode>http</incomingSOAPTransportMode>
    <VERIFICATION_KEY>blrgislin13:116d17a1ffa:3615</VERIFICATION_KEY>
    <DECRYPTION_KEY>blrgislin13:116d17a1ffa:3216</DECRYPTION_KEY>
    <SECURITY_TOKEN_NAME>admin</SECURITY_TOKEN_NAME>
    <SIGNATURE_ENCRYPTION_ORDER>-1</SIGNATURE_ENCRYPTION_ORDER>
    <SOAP_URI>/soap-new</SOAP_URI>
    <SOAPEnvNSPrefix>soapenv</SOAPEnvNSPrefix>
    <SOAPEnvNSURI>http://schemas.xmlsoap.org/soap/envelope/</SOAPEnvNSURI>
    <SOAPRequestAttachments>
        <SOAPAttachment1 Content-ID="cid:694F216C7FB7CE2FE74316CB5B310099"
SCIObjectID="blrgislin13:117676ceeaf:2291"/>
        <SOAPAttachment2 Content-ID="cid:15FC5F08EE4EF3D7C73E331DF0A6E55D"
SCIObjectID="blrgislin13:117676ceeaf:2292"/>
        <SOAPAttachment3 Content-ID="cid:E52D7E57127930E42A4A4B1ED13D289B"
SCIObjectID="blrgislin13:117676ceeaf:2293"/>
    </SOAPRequestAttachments>
    <messageMode>1</messageMode>
    <Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/">
        <Body>
            <HelloWorld_mod xmlns="http://www.sterlingcommerce.com/mesa"/>
        </Body>
    </Envelope>
    <serviceMode>0</serviceMode>
    <typeName>HelloWorld_mod</typeName>
    <data>Hello World!</data>
    <PrimaryDocument SCIObjectID="blrgislin13:117676ceeaf:2382"/>
    <ADD_SOAP_ENVELOPING>false</ADD_SOAP_ENVELOPING>
    <SOAPOutboundAttachments>
        <SOAPAttachment1
Content-ID="cid:[email protected]"
SCIObjectID="blrgislin13:117676ceeaf:2382"/>
    </SOAPOutboundAttachments>
    <attachmentCID>cid:[email protected]</attachmentCID>
    <INSERT_SECURITY_HEADER>false</INSERT_SECURITY_HEADER>
</ProcessData>
</mesa:processData>
<mesa:attachment
href="cid:[email protected]"
xmlns:mesa="http://www.sterlingcommerce.com/mesa"/>
</soapenv:Body>
</soapenv:Envelope>
--_=9659225631144847Sterling9659225631144847MOKO
content-type: application/octet-stream
content-id: <[EMAIL PROTECTED]>

<HTML>
<BODY>Hello World!</BODY>
</HTML>

--_=9659225631144847Sterling9659225631144847MOKO--



Nunny wrote:
> 
> Hi Gaurav,
> 
>> If I configure a web service
>> to expect a security header(basically signed, encrypted soap message) and
>> the soap message that is sent to the web service is not having any
>> encryption or signature as expected by web service, should the web
>> service
>> process that soap message or flag a soap fault saying the message is not
>> secured as expected.
> 
> It MUST flag a soap fault.
> 
>> In case of axis, it processes the soap message without caring for
>> security
>> header part of soap message although it is configured for security
>> settings.
>> Is it a proper behavior or not?
> 
> No. This is not the proper behavior. Can you be more specific about the
> Rampart configuration you have? There is an issue [1] if you use the
> parameter-based Rampart configuration, which will be fixed soon.
> 
> Thanks,
> Nandana
> 
> 
> [1] - http://marc.info/?l=axis-user&m=119984032825336&w=2
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
> 
> 

-- 
View this message in context: 
http://www.nabble.com/web-service-security-tp14753901p14795964.html
Sent from the Axis - User mailing list archive at Nabble.com.
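The concern in the post is that a receiver configured for "UsernameToken Encrypt Signature" accepted a response whose wsse:Security header was empty. The following is an added example, not code from the original post, WSS4J or Axis: a minimal receiver-side check that compares the handler's configured action list against the elements actually present in the Security header, so that an empty header (or one missing any configured action) is rejected rather than waved through. The function names, the action-to-element mapping and the two sample envelopes are assumptions constructed for this example.

```python
"""Added example: does the wsse:Security header evidence every configured action?"""
import xml.etree.ElementTree as ET

SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"

# Assumed mapping: each action name from the handler's "action" parameter is
# evidenced by one child element of wsse:Security (EncryptedKey for Encrypt,
# since the post's config uses RSA-1_5 key transport).
ACTION_ELEMENTS = {
    "UsernameToken": f"{{{WSSE}}}UsernameToken",
    "Timestamp": f"{{{WSU}}}Timestamp",
    "Signature": f"{{{DS}}}Signature",
    "Encrypt": f"{{{XENC}}}EncryptedKey",
}

def missing_actions(envelope_xml: str, action_param: str) -> list:
    """Return the configured actions that have no matching element in the
    Security header; raise ValueError if the header is absent altogether."""
    required = action_param.split()
    root = ET.fromstring(envelope_xml)
    header = root.find(f"{{{SOAPENV}}}Header")
    security = None if header is None else header.find(f"{{{WSSE}}}Security")
    if security is None:
        raise ValueError("no wsse:Security header in response")
    present = {child.tag for child in security}  # empty set for a blank header
    return [a for a in required if ACTION_ELEMENTS.get(a) not in present]

def accept_response(envelope_xml: str, action_param: str) -> bool:
    """Hardened decision: accept only when every configured action is present."""
    return not missing_actions(envelope_xml, action_param)

# Constructed sample: the blank Security header from the post, trimmed down.
EMPTY_HEADER_RESPONSE = f"""<soapenv:Envelope xmlns:soapenv="{SOAPENV}">
<soapenv:Header><wsse:Security xmlns:wsse="{WSSE}"/></soapenv:Header>
<soapenv:Body><data>Hello World!</data></soapenv:Body></soapenv:Envelope>"""

# Constructed sample: a header carrying the three configured elements (bodies
# omitted; validating each element's contents is the WS-Security engine's job).
FULL_HEADER_RESPONSE = f"""<soapenv:Envelope xmlns:soapenv="{SOAPENV}">
<soapenv:Header><wsse:Security xmlns:wsse="{WSSE}" xmlns:ds="{DS}" xmlns:xenc="{XENC}">
<wsse:UsernameToken/><xenc:EncryptedKey/><ds:Signature/>
</wsse:Security></soapenv:Header><soapenv:Body/></soapenv:Envelope>"""

if __name__ == "__main__":
    print(missing_actions(EMPTY_HEADER_RESPONSE, "UsernameToken Encrypt Signature"))
```

The presence check only decides whether the header can possibly satisfy the configuration; the token, decryption and signature verification themselves still belong to the WS-Security handler.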

