[ https://issues.apache.org/jira/browse/RAMPART-240?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Samisa Abeysinghe resolved RAMPART-240.
---------------------------------------
Resolution: Invalid
WSDoAllReceiver is deprecated. Please use the policy-based approach.
> incomplete SOAP header bypasses rampart security
> ------------------------------------------------
>
> Key: RAMPART-240
> URL: https://issues.apache.org/jira/browse/RAMPART-240
> Project: Rampart
> Issue Type: Bug
> Affects Versions: 1.4
> Environment: eclipse ganymede, Tomcat 6.0.18 running on Windows XP
> Reporter: Chris Dalrymple
>
> I configured a web service to use basic authentication as demonstrated in
> basic/example3 of the rampart 1.3 examples. The security works as expected
> when a request comes in without the necessary SOAP header and the following
> response is returned:
> [ERROR] WSDoAllReceiver: Incoming message does not contain required Security
> header
> The security also works as expected when the properly formed SOAP header
> contains either the wrong username or password. The Callback Handler is
> invoked and the following response is returned:
> [ERROR] WSDoAllReceiver: security processing failed
> The problem, which I discovered quite by accident, is that a request that is
> lacking some of the security elements of the SOAP header seems to bypass the
> Callback Handler completely and give access to the secured resource. Below is
> an example of a SOAP request that behaves as described.
> <?xml version="1.0" encoding="UTF-8"?>
> <soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
> <soapenv:Header>
> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"/>
> </soapenv:Header>
> <soapenv:Body>
> <ns1:getUnitId xmlns:ns1="http://axis2.webservice.lsu.edu">
> <ns1:unitId>b3Z76yu439156</ns1:unitId>
> </ns1:getUnitId>
> </soapenv:Body>
> </soapenv:Envelope>
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
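The behaviour reported above (an empty wsse:Security element passing where a missing one is rejected) comes down to a receiver that checks for the presence of the Security header but not for the presence of a complete UsernameToken inside it. The following is an added example, not Rampart or Axis2 code, of the check a receiver should make before invoking any credential callback: the header must exist exactly once, contain exactly one wsse:UsernameToken, and that token must carry both Username and Password; anything less is treated the same as a missing header. The credential store, the function names and the sample envelopes (one is a copy of the reporter's empty-header request) are constructed for illustration.

```python
import hmac
import xml.etree.ElementTree as ET

# SOAP envelope namespaces: 1.2 (used in the bug report) and 1.1.
SOAP_NS = {
    "http://www.w3.org/2003/05/soap-envelope",
    "http://schemas.xmlsoap.org/soap/envelope/",
}
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"


class SecurityHeaderError(Exception):
    """Raised for any envelope whose security header is absent or incomplete."""


def _q(ns, local):
    return "{%s}%s" % (ns, local)


def extract_username_token(envelope_xml):
    """Return (username, password) from a complete wsse:UsernameToken.

    Raises SecurityHeaderError when the Security header is missing, empty,
    duplicated, or its UsernameToken lacks Username or Password. An empty
    <wsse:Security/> therefore fails exactly like a missing header."""
    root = ET.fromstring(envelope_xml)
    ns = root.tag[1:root.tag.index("}")] if root.tag.startswith("{") else ""
    if ns not in SOAP_NS or root.tag != _q(ns, "Envelope"):
        raise SecurityHeaderError("not a SOAP envelope")
    header = root.find(_q(ns, "Header"))
    if header is None:
        raise SecurityHeaderError("no SOAP Header")
    # findall() with a tag only matches direct children, which is what we want:
    # a Security element nested somewhere else must not count.
    security = header.findall(_q(WSSE_NS, "Security"))
    if len(security) != 1:
        raise SecurityHeaderError("expected exactly one wsse:Security, got %d" % len(security))
    tokens = security[0].findall(_q(WSSE_NS, "UsernameToken"))
    if len(tokens) != 1:
        raise SecurityHeaderError("expected exactly one wsse:UsernameToken, got %d" % len(tokens))
    user = tokens[0].find(_q(WSSE_NS, "Username"))
    pwd = tokens[0].find(_q(WSSE_NS, "Password"))
    if user is None or pwd is None or not (user.text or "").strip() or not (pwd.text or ""):
        raise SecurityHeaderError("UsernameToken lacks Username or Password")
    return user.text.strip(), pwd.text


def authenticate(envelope_xml, credentials):
    """Constructed stand-in for the callback handler: True only when a complete
    token is present and its password matches the store (constant-time compare)."""
    try:
        user, pwd = extract_username_token(envelope_xml)
    except (SecurityHeaderError, ET.ParseError):
        return False
    expected = credentials.get(user, "")
    return hmac.compare_digest(expected.encode("utf-8"), pwd.encode("utf-8"))


# Constructed sample input: a copy of the reporter's empty-header request.
EMPTY_HEADER_REQUEST = """<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
<soapenv:Header>
<wsse:Security xmlns:wsse="%s"/>
</soapenv:Header>
<soapenv:Body>
<ns1:getUnitId xmlns:ns1="http://axis2.webservice.lsu.edu">
<ns1:unitId>b3Z76yu439156</ns1:unitId>
</ns1:getUnitId>
</soapenv:Body>
</soapenv:Envelope>""" % WSSE_NS

# Constructed sample input: the same call with a complete UsernameToken.
VALID_REQUEST = """<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
<soapenv:Header>
<wsse:Security xmlns:wsse="%s">
<wsse:UsernameToken>
<wsse:Username>alice</wsse:Username>
<wsse:Password>s3cret</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
<ns1:getUnitId xmlns:ns1="http://axis2.webservice.lsu.edu">
<ns1:unitId>b3Z76yu439156</ns1:unitId>
</ns1:getUnitId>
</soapenv:Body>
</soapenv:Envelope>""" % WSSE_NS

# Constructed sample input: no Header element at all.
NO_HEADER_REQUEST = """<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
<soapenv:Body/></soapenv:Envelope>"""

CREDENTIALS = {"alice": "s3cret"}  # constructed credential store

if __name__ == "__main__":
    for name, req in [("empty header", EMPTY_HEADER_REQUEST),
                      ("valid token", VALID_REQUEST),
                      ("no header", NO_HEADER_REQUEST)]:
        print("%-12s -> %s" % (name, "accepted" if authenticate(req, CREDENTIALS) else "rejected"))
```

The point of the structure is that the credential callback is only ever reached with a username and password in hand; there is no path on which "header present" alone is treated as success. Rejecting duplicate Security or UsernameToken elements, rather than picking the first, also closes the usual header-smuggling variants.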