I found the cause of the issue. It is a security issue with wss4j; there is an issue in Jira regarding this: https://issues.apache.org/jira/browse/WSS-70

On 7/27/07, Chad DeBauch <[EMAIL PROTECTED]> wrote:
>
> Here is a snippet of my services.xml file:
>
> <serviceGroup>
>   <service name="nosecurity">
>     ... no security set up
>   </service>
>   <service name="UT">
>     ... same service as nosecurity except it has UsernameToken security
>     <module ref="rampart" />
>     <parameter name="InflowSecurity">
>       <action>
>         <items>UsernameToken</items>
>         <passwordCallbackClass>my.PWCallback</passwordCallbackClass>
>         <signaturePropFile>crypto.properties</signaturePropFile>
>       </action>
>     </parameter>
>   </service>
>   <service name="UTS">
>     ... same service as nosecurity except it has UsernameToken and Signature security enabled.
>     <module ref="rampart" />
>     <parameter name="InflowSecurity">
>       <action>
>         <items>UsernameToken Signature</items>
>         <passwordCallbackClass>my.PWCallback</passwordCallbackClass>
>         <signaturePropFile>crypto.properties</signaturePropFile>
>       </action>
>     </parameter>
>   </service>
> </serviceGroup>
>
> "nosecurity" and "UT" work as they should. But the "UTS" service allows
> the client to send the UsernameToken without the Signature and Rampart
> accepts it, thus bypassing the Signature. If I send both UsernameToken and
> the Signature it also accepts it. If I send both with a bad signature it
> rejects the request.
>
> Why is it accepting UsernameToken without the Signature? What do I need
> to do so that the Signature is required?
>
> Thanks,
>
> Chad
>
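
The behaviour reported in this thread can be caught with a presence check that compares the configured `<items>` against what actually arrived in `wsse:Security`. The following is an added example, not Rampart or WSS4J code and not part of the original messages; the function names and sample messages are constructed, and it checks only that each required element is present, not that the signature is valid.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
DS = "http://www.w3.org/2000/09/xmldsig#"

# <items> action name -> element that must be a direct child of wsse:Security
ACTION_ELEMENTS = {"UsernameToken": f"{{{WSSE}}}UsernameToken",
                   "Signature": f"{{{DS}}}Signature"}

# Constructed sample: the "UTS" service from the post, reduced to what is read here
SERVICES_XML = """<serviceGroup>
  <service name="UTS">
    <parameter name="InflowSecurity"><action>
      <items>UsernameToken Signature</items>
    </action></parameter>
  </service>
</serviceGroup>"""

def envelope(security_children):
    """Build a constructed SOAP 1.1 request with the given Security children."""
    return (f'<s:Envelope xmlns:s="{SOAP}" xmlns:wsse="{WSSE}" xmlns:ds="{DS}">'
            f'<s:Header><wsse:Security>{security_children}</wsse:Security>'
            f'</s:Header><s:Body/></s:Envelope>')

UT_ONLY = envelope("<wsse:UsernameToken/>")               # the accepted-but-unsigned case
UT_AND_SIG = envelope("<wsse:UsernameToken/><ds:Signature/>")

def required_actions(services_xml, service_name):
    """Return the InflowSecurity <items> of one service as a list of action names."""
    for svc in ET.fromstring(services_xml).iter("service"):
        if svc.get("name") == service_name:
            path = "parameter[@name='InflowSecurity']/action/items"
            return svc.findtext(path, "").split()
    raise KeyError(service_name)

def missing_actions(envelope_xml, required):
    """Return required actions with no matching child element in wsse:Security."""
    sec = ET.fromstring(envelope_xml).find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    present = set() if sec is None else {child.tag for child in sec}
    # Unknown action names map to None, which is never present: fail closed.
    return [a for a in required if ACTION_ELEMENTS.get(a) not in present]

if __name__ == "__main__":
    required = required_actions(SERVICES_XML, "UTS")
    for label, msg in (("UT only", UT_ONLY), ("UT + Signature", UT_AND_SIG)):
        missing = missing_actions(msg, required)
        print(label, "->", "reject, missing " + ", ".join(missing) if missing else "continue")
```
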
