Here is a snippet of my services.xml file:
<serviceGroup>
  <service name="nosecurity">
    ... no security set up
  </service>
  <service name="UT">
    ... same service as nosecurity except it has UsernameToken security
    <module ref="rampart" />
    <parameter name="InflowSecurity">
      <action>
        <items>UsernameToken</items>
        <passwordCallbackClass>my.PWCallback</passwordCallbackClass>
        <signaturePropFile>crypto.properties</signaturePropFile>
      </action>
    </parameter>
  </service>
  <service name="UTS">
    ... same service as nosecurity except it has UsernameToken and Signature
    security enabled.
    <module ref="rampart" />
    <parameter name="InflowSecurity">
      <action>
        <items>UsernameToken Signature</items>
        <passwordCallbackClass>my.PWCallback</passwordCallbackClass>
        <signaturePropFile>crypto.properties</signaturePropFile>
      </action>
    </parameter>
  </service>
</serviceGroup>
"nosecurity" and "UT" work as they should. But the "UTS" service allows the
client to send the UsernameToken without the Signature and Rampart accepts
it, thus bypassing the Signature. If I send both UsernameToken and the
Signature it also accepts it. If I send both with a bad signature it
rejects the request.
Why is it accepting UsernameToken without the Signature? What do I need to
do so that the Signature is required?
Thanks,
Chad