Hi Shivendra,

Thanks for the help.

Actually, the client is creating this request and he is bypassing security: he is putting in a wrong username and password, but the server is unable to detect it and the client directly accesses the web service operations.

The client can write anything in code. Yes, he is overriding the namespace, but he can do that to bypass security.

Note: the difference is UsernameToken xmlns:wsu versus UsernameToken xmlns:wsse.

There should be some server-side solution.

Please suggest a server-side solution.

Thanks and Regards,

Rananjay

 

From: shivendra tripathi [mailto:shivendr...@gmail.com] 
Sent: Thursday, February 24, 2011 6:18 PM
To: java-dev@axis.apache.org
Cc: Rananjay Singh; java-u...@axis.apache.org
Subject: Re: [axis2] Authentication failed. Security failed.


Axis is behaving correctly. You are overriding the namespace http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd with http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd, which is not the namespace where the UsernameToken element is defined.

 

On Thu, Feb 24, 2011 at 4:55 PM, Rananjay Singh
<rananjay.si...@esteltelecom.com> wrote:

Hi Axis team,

I am facing a big security problem while using the Axis server to develop a web service.

My web service is hosted in the Axis server and uses the Rampart module for security.

I am sending a SOAP request to get a response from the web service with a username and plain-text password.

My request is as follows:

 

<?xml version='1.0' encoding='utf-8'?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-22743805">
<wsse:Username> clientuser </wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"> Common123#</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
<ns1:echo xmlns:ns1="http://RampatSecurityTest/xsd"><param0>Hello world</param0></ns1:echo>
</soapenv:Body>
</soapenv:Envelope>


It is authenticating the username and password.

But when I change my request as follows:


<?xml version='1.0' encoding='utf-8'?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
<wsse:UsernameToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsse:Id="UsernameToken-22743805">
<wsse:Username>clientuser</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">Common123#</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
<ns1:echo xmlns:ns1="http://RampatSecurityTest/xsd"><param0>Hello world</param0></ns1:echo>
</soapenv:Body>
</soapenv:Envelope>


It is not authenticating the username and password and directly executes the echo operation.

The difference in the request is highlighted.

Please suggest a solution to secure my web service.

 

I am using following components:

 

Axis2 version is 1.5.4

rampart-1.3 with rahas-1.3

server.xml (attached)

 

Thanks and Regards,

 

Rananjay Singh
Asst Manager - Technical, Estel
phone +91 124 257 8200    mobile +91 9868 591004
email rananjay.si...@esteltelecom.com | www.esteltelecom.com

 


 



---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscr...@axis.apache.org
For additional commands, e-mail: java-dev-h...@axis.apache.org
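The following is an added example, written for this page and not code from the Axis2/Rampart project or from anyone in the thread. It rebuilds the two requests quoted above (re-typed here as constructed samples), shows what an XML parser actually sees as the name of the token element once the wsse prefix is rebound to the utility namespace, and then applies the kind of fail-closed server-side check the thread asks for: a request is dispatched only if its Security header contains exactly one {secext}UsernameToken, nothing it does not recognise, a PasswordText password, and credentials that match. The credential store (USERS) and the function names are my own; a real deployment would hold password hashes rather than the plain-text value used here.

```python
"""Server-side check for WS-Security UsernameToken namespace rebinding.

Added example, not Axis2/Rampart code. The two envelopes below are
constructed from the requests quoted in the thread.
"""
import hmac
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")

# Constructed credential store for the example (hypothetical; a real server
# would store a password hash, not the plain-text value).
USERS = {"clientuser": "Common123#"}


def envelope(token_start_tag: str) -> bytes:
    """Rebuilds the thread's request around the given UsernameToken start tag."""
    xml = f"""<?xml version='1.0' encoding='utf-8'?>
<soapenv:Envelope xmlns:soapenv="{SOAP_ENV}"><soapenv:Header>
<wsse:Security xmlns:wsse="{WSSE}" soapenv:mustUnderstand="1">
{token_start_tag}
<wsse:Username>clientuser</wsse:Username>
<wsse:Password Type="{PASSWORD_TEXT}">Common123#</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
<ns1:echo xmlns:ns1="http://RampatSecurityTest/xsd"><param0>Hello world</param0></ns1:echo>
</soapenv:Body></soapenv:Envelope>"""
    return xml.encode("utf-8")


# First request from the thread: the wsu prefix is bound to the utility namespace.
GOOD_REQUEST = envelope(
    f'<wsse:UsernameToken xmlns:wsu="{WSU}" wsu:Id="UsernameToken-22743805">')
# Second request: the wsse prefix is rebound to the utility namespace on the
# token element, so UsernameToken, Username and Password all change namespace.
REBOUND_REQUEST = envelope(
    f'<wsse:UsernameToken xmlns:wsse="{WSU}" wsse:Id="UsernameToken-22743805">')


class SecurityHeaderError(Exception):
    """Raised for any request that must not reach the service operation."""


def security_header(envelope_xml: bytes) -> ET.Element:
    """Locates wsse:Security in the SOAP header or fails closed."""
    root = ET.fromstring(envelope_xml)
    header = root.find(f"{{{SOAP_ENV}}}Header/{{{WSSE}}}Security")
    if header is None:
        raise SecurityHeaderError("missing wsse:Security header")
    return header


def token_qname(envelope_xml: bytes) -> str:
    """Expanded name of the first child of wsse:Security, as a parser sees it."""
    return security_header(envelope_xml)[0].tag


def authenticate(envelope_xml: bytes, users: dict) -> str:
    """Fail closed: exactly one {secext}UsernameToken, no unknown children in
    the header, a PasswordText password, and a constant-time comparison."""
    header = security_header(envelope_xml)
    tokens = []
    for child in header:
        if child.tag != f"{{{WSSE}}}UsernameToken":
            raise SecurityHeaderError(f"unexpected element in Security header: {child.tag}")
        tokens.append(child)
    if len(tokens) != 1:
        raise SecurityHeaderError(f"expected one UsernameToken, found {len(tokens)}")
    token = tokens[0]
    user_el = token.find(f"{{{WSSE}}}Username")
    pw_el = token.find(f"{{{WSSE}}}Password")
    if user_el is None or pw_el is None:
        raise SecurityHeaderError("UsernameToken lacks Username or Password")
    if pw_el.get("Type") != PASSWORD_TEXT:
        raise SecurityHeaderError(f"unsupported password type: {pw_el.get('Type')}")
    username = (user_el.text or "").strip()
    supplied = (pw_el.text or "").encode("utf-8")
    expected = users.get(username, "").encode("utf-8")
    if not username or not expected or not hmac.compare_digest(expected, supplied):
        raise SecurityHeaderError("authentication failed")
    return username


def is_rejected(envelope_xml: bytes, users: dict) -> bool:
    """True when the check refuses the request, which is the safe outcome."""
    try:
        authenticate(envelope_xml, users)
    except SecurityHeaderError:
        return True
    return False


if __name__ == "__main__":
    print("first request token :", token_qname(GOOD_REQUEST))
    print("second request token:", token_qname(REBOUND_REQUEST))
    print("first request authenticated as:", authenticate(GOOD_REQUEST, USERS))
    print("second request rejected:", is_rejected(REBOUND_REQUEST, USERS))
```

The point the output makes is that the second request's token element is {...wssecurity-utility-1.0.xsd}UsernameToken, not the secext one, so any processor that only acts on elements it recognises will silently skip it. The server-side rule that closes the gap is therefore "reject anything in the Security header you did not expect, and require the token you do expect", rather than "process what you recognise and ignore the rest".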
