Axis is behaving correctly. You are overriding the namespace http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd with http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd, which is not the namespace where the UsernameToken element is defined.

On Thu, Feb 24, 2011 at 4:55 PM, Rananjay Singh <rananjay.si...@esteltelecom.com> wrote:

> Hi axis team,
>
> I am facing a big security problem while using axis server to develop web service.
>
> My web service is hosted in axis server and using rampart module for security.
>
> I am sending soap request to get response from web service with username and plain text password.
>
> My request is as follows:
>
> <?xml version='1.0' encoding='utf-8'?>
> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header>
> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
> <wsse:*UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu*:Id="UsernameToken-22743805">
> <wsse:Username> clientuser </wsse:Username>
> <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">Common123#</wsse:Password>
> </wsse:UsernameToken>
> </wsse:Security>
> </soapenv:Header>
> <soapenv:Body>
> <ns1:echo xmlns:ns1="http://RampatSecurityTest/xsd"><param0>Hello world</param0></ns1:echo></soapenv:Body></soapenv:Envelope>
>
> It is authenticating user name and password.
>
> But when I am changing my request as follows:
>
> <?xml version='1.0' encoding='utf-8'?>
> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header>
> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
> <wsse:*UsernameToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsse*:Id="UsernameToken-22743805">
> <wsse:Username>clientuser</wsse:Username>
> <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">Common123#</wsse:Password>
> </wsse:UsernameToken>
> </wsse:Security>
> </soapenv:Header>
> <soapenv:Body>
> <ns1:echo xmlns:ns1="http://RampatSecurityTest/xsd"><param0>Hello world</param0></ns1:echo></soapenv:Body></soapenv:Envelope>
>
> It is not authenticating user name and password and directly executing operation echo.
>
> Difference in request is highlighted.
>
> Please suggest solution to secure my web service.
>
> I am using following components:
>
> Axis2 version is 1.5.4
> rampart-1.3 with rahas-1.3
> server.xml (attached)
>
> Thanks and Regards,
>
> Rananjay Singh
> Asst Manager - Technical, Estel
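
The namespace resolution described in the reply can be reproduced with any namespace-aware XML parser. The following is an added example, not part of the thread and not Axis2 or Rampart code: it parses two constructed envelopes modelled on the requests above (placeholder password, hypothetical function names) and shows a fail-closed check that only accepts a UsernameToken in the secext namespace.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Constructed template modelled on the two requests in the thread; the
# password is a placeholder and token_attrs carries the only difference.
TEMPLATE = """<soapenv:Envelope xmlns:soapenv="{soap}"><soapenv:Header>
<wsse:Security xmlns:wsse="{wsse}" soapenv:mustUnderstand="1">
<wsse:UsernameToken {token_attrs}>
<wsse:Username>clientuser</wsse:Username>
<wsse:Password>example-password</wsse:Password>
</wsse:UsernameToken></wsse:Security></soapenv:Header>
<soapenv:Body><ns1:echo xmlns:ns1="http://RampatSecurityTest/xsd"><param0>Hello world</param0></ns1:echo></soapenv:Body>
</soapenv:Envelope>"""

FIRST = TEMPLATE.format(soap=SOAP, wsse=WSSE, token_attrs='xmlns:wsu="%s" wsu:Id="UsernameToken-1"' % WSU)
SECOND = TEMPLATE.format(soap=SOAP, wsse=WSSE, token_attrs='xmlns:wsse="%s" wsse:Id="UsernameToken-1"' % WSU)

def security_children(envelope_xml):
    """Return the expanded names ({namespace}local) of the children of wsse:Security."""
    root = ET.fromstring(envelope_xml)
    security = root.find("{%s}Header/{%s}Security" % (SOAP, WSSE))
    return [] if security is None else [child.tag for child in security]

def require_username_token(envelope_xml):
    """Fail closed: return the username only when a UsernameToken in the
    secext namespace, with Username and Password, is present."""
    root = ET.fromstring(envelope_xml)
    token = root.find("{%s}Header/{%s}Security/{%s}UsernameToken" % (SOAP, WSSE, WSSE))
    if token is None:
        raise PermissionError("no wsse:UsernameToken in the secext namespace")
    user = token.find("{%s}Username" % WSSE)
    password = token.find("{%s}Password" % WSSE)
    if user is None or password is None or not (user.text or "").strip():
        raise PermissionError("UsernameToken is missing Username or Password")
    return user.text.strip()

if __name__ == "__main__":
    for name, doc in (("first", FIRST), ("second", SECOND)):
        print(name, security_children(doc))
        try:
            print("  accepted for", require_username_token(doc))
        except PermissionError as exc:
            print("  rejected:", exc)
```

In the second envelope the rebinding of the `wsse` prefix also moves the `Username` and `Password` children into the utility namespace, so the element is a different element altogether rather than a malformed token.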