PostDispatchHandler does not check whether rampart is engaged
-------------------------------------------------------------

                 Key: RAMPART-204
                 URL: https://issues.apache.org/jira/browse/RAMPART-204
             Project: Rampart
          Issue Type: Bug
          Components: rampart-core
    Affects Versions: 1.4
         Environment: Axis2 1.4.1/Rampart 1.4
            Reporter: Bob Jacoby
            Assignee: Ruchith Udayanga Fernando
         Attachments: PostDispatchVerificationHandler.patch

Axis2 appears to automatically register the Rampart handlers even if Rampart is 
not explicitly engaged. This causes the handlers to run regardless of whether 
or not Rampart is engaged. While I would consider this a bug in Axis2, there's 
a simple Rampart workaround that appears to be implemented in other Rampart 
handlers.

All the other handlers (RampartReceiver, RampartSender, WSDoAllHandler) 
immediately check whether Rampart is engaged in the invoke method. If not, the 
method immediately returns. PostDispatchVerificationHandler does not perform 
this check, which causes the handler to throw an InvalidSecurity error if a 
policy is attached to the service, but the response is not signed. This is 
expected behavior if Rampart is engaged, but not when Rampart is not engaged.

The simple fix is to add the same check to the PostDispatchVerificationHandler 
invoke method as in the other methods. The attached patch does this.

Incidentally, as an FYI since this is an Axis2 issue I think, even though Axis2 
registers the Rampart handlers automatically, the Rampart module is NOT marked 
as being engaged in the service client. So calling 
serviceClient.disengageModule to remove the Rampart handlers will not remove 
the handlers. However, if you first explicitly engage Rampart, and then call 
disengageModule, the Rampart handlers will be removed from the AxisConfiguration.

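The early-return check described in this report, as an added example that is not part of the original message or the attached patch. It is a self-contained Java model that uses no Axis2 or Rampart classes (Msg, invokeUnguarded, invokeGuarded and the InvalidSecurity class here are hypothetical stand-ins) and prints the handler outcome for each combination of engaged and signed when a policy is attached.

```java
import java.util.Set;

// Simplified stand-in model, not Axis2/Rampart code: every type and name here is hypothetical.
public class EngagementGuardDemo {
    static final String MODULE = "rampart";

    // Constructed message state: engaged modules, policy attached, response signed.
    record Msg(Set<String> engagedModules, boolean policyAttached, boolean signed) {
        boolean isEngaged(String module) { return engagedModules.contains(module); }
    }

    static class InvalidSecurity extends RuntimeException {
        InvalidSecurity(String m) { super(m); }
    }

    // Behaviour described in the report: verification runs whenever the handler is registered.
    static void invokeUnguarded(Msg msg) {
        if (msg.policyAttached() && !msg.signed()) {
            throw new InvalidSecurity("response is not signed");
        }
    }

    // Same handler with the early return the report says the other handlers use.
    static void invokeGuarded(Msg msg) {
        if (!msg.isEngaged(MODULE)) {
            return; // module not engaged: skip verification entirely
        }
        invokeUnguarded(msg);
    }

    static String outcome(Runnable r) {
        try { r.run(); return "continue"; }
        catch (InvalidSecurity e) { return "InvalidSecurity"; }
    }

    public static void main(String[] args) {
        for (boolean engaged : new boolean[] {false, true}) {
            for (boolean signed : new boolean[] {false, true}) {
                Msg m = new Msg(engaged ? Set.of(MODULE) : Set.of(), true, signed);
                System.out.printf("engaged=%-5b signed=%-5b unguarded=%-15s guarded=%s%n",
                        engaged, signed,
                        outcome(() -> invokeUnguarded(m)),
                        outcome(() -> invokeGuarded(m)));
            }
        }
    }
}
```

With the guard in place, enforcement follows the engagement state: a client that has a policy attached but has not engaged the module accepts an unsigned response, so deployments that rely on the policy should confirm the module is actually engaged.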