Hello,

I'm not sure if this is an issue or lack of correct configuration on my 
part.

I found that it is very easy to bypass the security checks (UsernameToken, 
Timestamp, and/or Signature) configured for WS-Security.
All you have to do is set up the client request to send a <wsse:Security> 
header that is empty or contains garbage, and the service side ignores the 
fact that those actions are required.

Here is an example request that my service method answers even though 
it is supposed to require a Timestamp and a Signature action in the 
WS-Security setup.

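<!-- Demonstration request: a wsse:Security header is present (and even flagged
     soap:mustUnderstand="1"), but it carries none of the Timestamp/Signature
     elements the endpoint is configured to require. An endpoint that enforces
     the configured actions should reject this with a fault; the endpoint
     described above answers it instead. -->
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <wsse:Security
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        soap:mustUnderstand="1">
      leave blank or pass garbage and security is bypassed
    </wsse:Security>
  </soap:Header>
  <!-- A wsu:Id on the Body is what a Signature reference would normally point
       at; nothing in this message signs it, so the Id alone proves nothing. -->
  <soap:Body
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      wsu:Id="id-23632030">
    <ns1:sayHi xmlns:ns1="http://spring.demo/">
      <arg0>Joe</arg0>
    </ns1:sayHi>
  </soap:Body>
</soap:Envelope>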

Below is my CXF Servlet Spring beans configuration.
Am I missing something to tell WS Security that the actions are mandatory?

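<?xml version="1.0" encoding="UTF-8"?>

<!--
  CXF servlet Spring configuration for the HelloWorld JAX-WS endpoint.

  WS-Security is applied with a plain, action-based WSS4JInInterceptor (no
  WS-SecurityPolicy). The actions are listed in the "action" property below.

  NOTE(review): the "action" list tells WSS4J which actions to process on the
  inbound message. Whether the interceptor also rejects a message whose
  wsse:Security header is empty, or contains none of those actions, depends on
  the CXF version in use. The request shown above (empty Security header) was
  accepted by this configuration, so the action list is not acting as a gate
  here. Do not rely on it as the only authentication check: add a negative test
  (empty header; header with only a Timestamp) to the build, and check the CXF
  release notes and security advisories for the deployed version. A
  WS-SecurityPolicy based configuration, which validates the received header
  against a declared policy, is worth considering instead of the action list.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jaxws="http://cxf.apache.org/jaxws"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans.xsd
         http://cxf.apache.org/jaxws
         http://cxf.apache.org/schemas/jaxws.xsd">

    <import resource="classpath:META-INF/cxf/cxf.xml" />
    <import resource="classpath:META-INF/cxf/cxf-extension-soap.xml" />
    <import resource="classpath:META-INF/cxf/cxf-servlet.xml" />

    <jaxws:endpoint id="helloWorld"
                    implementor="demo.spring.HelloWorldImpl"
                    address="/HelloWorld">
        <jaxws:features>
            <!-- Logs complete request/response payloads, including whatever a
                 client puts in the Security header (tokens, digests). Keep
                 this for development only, or redact before production. -->
            <bean class="org.apache.cxf.feature.LoggingFeature"/>
        </jaxws:features>
        <jaxws:inInterceptors>
            <!-- The SAAJ model must exist before WSS4J can process the header. -->
            <bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor"/>
            <ref bean="wss4jInConfiguration"/>
        </jaxws:inInterceptors>
    </jaxws:endpoint>

    <bean id="wss4jInConfiguration"
          class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
        <property name="properties">
            <map>
                <!-- Actions WSS4J processes on inbound messages; see the
                     enforcement caveat in the file header. -->
                <entry key="action" value="Timestamp Signature"/>
                <!-- Only relevant to UsernameToken processing, which is not in
                     the action list above; harmless but misleading here. -->
                <entry key="passwordType" value="PasswordDigest"/>
                <!-- Callback supplying key/store passwords for Signature
                     verification (same wiring as the explicit key/ref form). -->
                <entry key="passwordCallbackRef" value-ref="passwordCallback"/>
                <!-- Crypto/truststore settings used to verify the Signature. -->
                <entry key="signaturePropFile" value="server_sign.properties"/>
            </map>
        </property>
    </bean>

    <bean id="passwordCallback"
          class="demo.spring.handlers.PasswordCallbackHandler"/>

    <!-- NOTE(review): this bean is defined but never referenced from the
         endpoint above (it is not in jaxws:inInterceptors), so whatever
         per-operation authorization it implements does not run. -->
    <bean id="serviceMethodAuthorizer"
          class="demo.spring.handlers.ServiceMethodAuthorizer"/>
</beans>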
