Hi Rananjay,

I tried reproducing this issue using SOAPUI with these particular
Rampart/Axis2 versions. It would be helpful if you could provide the
mechanism you used in this scenario.

In the meantime, can you please attach the PasswordCallback handler on the
service's end?

Thanks,
Thilina

On Fri, Feb 25, 2011 at 11:17 AM, Rananjay Singh <
rananjay.si...@esteltelecom.com> wrote:

> Hi Shivendra,
>
> Thanks for the help.
>
> Actually the client is creating this request and he is bypassing security:
> he is putting in a wrong username and password, but the server is unable
> to detect it and the client is directly accessing the web service
> operations.
>
> The client can write anything in code. Yes, he is overriding the
> namespace, but he can do it to bypass security.
>
> *Note:* The difference is between *UsernameToken xmlns:wsu* and
> *UsernameToken xmlns:wsse*.
>
> There should be some server-side solution.
>
> Please suggest a server-side solution.
>
> Thanks and Regards,
>
> Rananjay
>
> *From:* shivendra tripathi [mailto:shivendr...@gmail.com]
> *Sent:* Thursday, February 24, 2011 6:18 PM
> *To:* java-dev@axis.apache.org
> *Cc:* Rananjay Singh; java-u...@axis.apache.org
> *Subject:* Re: [axis2] Authentication failed. Security failed.
>
> Axis is behaving correctly. You are overriding the namespace
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
> with
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd,
> which is not the namespace where the UsernameToken element is defined.
>
> On Thu, Feb 24, 2011 at 4:55 PM, Rananjay Singh <
> rananjay.si...@esteltelecom.com> wrote:
>
> *Hi Axis team,*
>
> *I am facing a big security problem while using the Axis server to develop
> a web service.*
>
> *My web service is hosted in the Axis server and uses the Rampart module for
> security.*
>
> *I am sending a SOAP request to get a response from the web service with a
> username and a plain text password.*
>
> *My request is as follows:*
>
> <?xml version='1.0' encoding='utf-8'?>
> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
> <soapenv:Header>
> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>   soapenv:mustUnderstand="1">
> <wsse:*UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>   wsu*:Id="UsernameToken-22743805">
> <wsse:Username> clientuser </wsse:Username>
> <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">Common123#</wsse:Password>
> </wsse:UsernameToken>
> </wsse:Security>
> </soapenv:Header>
> <soapenv:Body>
> <ns1:echo xmlns:ns1="http://RampatSecurityTest/xsd"><param0>Hello world</param0></ns1:echo>
> </soapenv:Body>
> </soapenv:Envelope>
>
> *It is authenticating the username and password.*
>
> *But when I change my request as follows:*
>
> <?xml version='1.0' encoding='utf-8'?>
> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
> <soapenv:Header>
> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>   soapenv:mustUnderstand="1">
> <wsse:*UsernameToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>   wsse*:Id="UsernameToken-22743805">
> <wsse:Username>clientuser</wsse:Username>
> <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">Common123#</wsse:Password>
> </wsse:UsernameToken>
> </wsse:Security>
> </soapenv:Header>
> <soapenv:Body>
> <ns1:echo xmlns:ns1="http://RampatSecurityTest/xsd"><param0>Hello world</param0></ns1:echo>
> </soapenv:Body>
> </soapenv:Envelope>
>
> *It is not authenticating the username and password and directly executes
> the operation echo.*
>
> *The difference in the request is highlighted.*
>
> *Please suggest a solution to secure my web service.*
>
> *I am using the following components:*
>
> *Axis2 version 1.5.4*
>
> *rampart-1.3 with rahas-1.3*
>
> *server.xml (attached)*
>
> *Thanks and Regards,*
>
> _______________________________________________________________________________
>
> *Rananjay Singh*
> Asst Manager - Technical, Estel
> Phone: +91 124 257 8200 | Mobile: +91 9868 591004
> rananjay.si...@esteltelecom.com | www.esteltelecom.com



-- 
Thilina Mahesh Buddhika
http://blog.thilinamb.com
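An added example, not code from the thread or from Rampart/Axis2: a namespace-aware server-side check that shows why the second request carries no wsse:UsernameToken at all once the wsse prefix is rebound to the utility namespace, and rejects such a header instead of letting the request through. The credential store and the two envelopes are constructed here from the requests quoted above.

```python
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PW_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"
CREDENTIALS = {"clientuser": "Common123#"}  # constructed; stands in for the PasswordCallback handler


def check_username_token(envelope_xml):
    """Return (accepted, reason). Accept only a wsse:Security header that carries
    exactly one wsse:UsernameToken whose PasswordText credential is valid."""
    root = ET.fromstring(envelope_xml)
    security = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    if security is None:
        return False, "no wsse:Security header"
    tokens = []
    for child in security:
        if child.tag != f"{{{WSSE}}}UsernameToken":
            # A token whose prefix was rebound to the wsu namespace lands here: reject it, do not skip it.
            return False, f"unexpected element {child.tag} in Security header"
        tokens.append(child)
    if len(tokens) != 1:
        return False, f"expected exactly one UsernameToken, found {len(tokens)}"
    user = tokens[0].findtext(f"{{{WSSE}}}Username")
    pw = tokens[0].find(f"{{{WSSE}}}Password")
    if user is None or pw is None or pw.get("Type") != PW_TEXT:
        return False, "token lacks wsse:Username or a PasswordText wsse:Password"
    expected = CREDENTIALS.get(user.strip())
    supplied = (pw.text or "").strip().encode()
    if expected is None or not hmac.compare_digest(expected.encode(), supplied):
        return False, "authentication failed"
    return True, "authenticated " + user.strip()


def build_envelope(token_ns_decl, id_prefix):
    """Constructed request mirroring the thread's two variants; only the token's prefix binding differs."""
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP}"><soapenv:Header>'
        f'<wsse:Security xmlns:wsse="{WSSE}" soapenv:mustUnderstand="1">'
        f'<wsse:UsernameToken {token_ns_decl} {id_prefix}:Id="UsernameToken-22743805">'
        "<wsse:Username>clientuser</wsse:Username>"
        f'<wsse:Password Type="{PW_TEXT}">Common123#</wsse:Password>'
        "</wsse:UsernameToken></wsse:Security></soapenv:Header>"
        '<soapenv:Body><ns1:echo xmlns:ns1="http://RampatSecurityTest/xsd">'
        "<param0>Hello world</param0></ns1:echo></soapenv:Body></soapenv:Envelope>"
    )


GOOD_REQUEST = build_envelope(f'xmlns:wsu="{WSU}"', "wsu")      # first request in the thread
REBOUND_REQUEST = build_envelope(f'xmlns:wsse="{WSU}"', "wsse")  # second request: wsse rebound to wsu
```

The same strictness belongs in the service's policy: a UsernameToken must be required, so that a header with no recognised token fails instead of passing through to the operation.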
