[ 
https://issues.apache.org/jira/browse/RAMPART-204?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Bob Jacoby updated RAMPART-204:
-------------------------------

    Attachment: PostDispatchVerificationHandler.patch

Patch to PostDispatchVerification handler to check if rampart is engaged, and 
immediately return if not.

> PostDispatchHandler does not check whether rampart is engaged
> -------------------------------------------------------------
>
>                 Key: RAMPART-204
>                 URL: https://issues.apache.org/jira/browse/RAMPART-204
>             Project: Rampart
>          Issue Type: Bug
>          Components: rampart-core
>    Affects Versions: 1.4
>         Environment: Axis2 1.4.1/Rampart 1.4
>            Reporter: Bob Jacoby
>            Assignee: Ruchith Udayanga Fernando
>         Attachments: PostDispatchVerificationHandler.patch
>
>
> Axis2 appears to automatically register the Rampart handlers even if rampart 
> is not explicitly engaged. This causes the handlers to run regardless of 
> whether or not rampart is engaged. While I would consider this a bug in 
> Axis2, there's a simple Rampart workaround that appears to be implemented in 
> other rampart handlers.
> All the other handlers (RampartReceiver, RampartSender, WSDoAllHandler) 
> immediately check whether Rampart is engaged in the invoke method. If not, 
> the method immediately returns. PostDispatchVerificationHandler does not 
> perform this check, which causes the handler to throw an InvalidSecurity 
> error if a policy is attached to the service, but the response is not signed. 
> This is expected behavior if Rampart is engaged, but not when Rampart is not 
> engaged.
> The simple fix is to add the same check to the 
> PostDispatchVerificationHandler invoke method as in the other methods. The 
> attached patch does this.
> Incidentally, as an FYI since this is an Axis2 issue I think, even though 
> axis2 registers the rampart handlers automatically, the rampart module is NOT 
> marked as being engaged in the service client. So calling 
> serviceClient.disengageModule to remove the rampart handlers will not remove 
> the handlers. However, if you first explicitly engage rampart, and then call 
> disengageModule the rampart handlers will be removed from the 
> AxisConfiguration.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
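
The guard described in the issue, as an added example that is not the attached patch or Rampart's own code. `Msg`, `Handler`, `MODULE` and the two handler constants are stand-in names assumed for illustration; they model a handler that runs whether or not the module is engaged.

```java
import java.util.HashSet;
import java.util.Set;

// Stand-in types (assumptions for illustration); not Axis2 or Rampart classes.
public class EngagedGuardDemo {
    static class InvalidSecurity extends RuntimeException {
        InvalidSecurity(String msg) { super(msg); }
    }

    /** Minimal message context: engaged modules, attached policy, signature state. */
    static class Msg {
        final Set<String> engaged = new HashSet<>();
        boolean policyAttached;
        boolean signed;
    }

    interface Handler { void invoke(Msg m); }

    static final String MODULE = "rampart"; // hypothetical module key

    /** Behaviour from the report: policy verification with no engagement check. */
    static final Handler UNGUARDED = m -> {
        if (m.policyAttached && !m.signed) {
            throw new InvalidSecurity("response not signed");
        }
    };

    /** Same verification, but returns immediately when the module is not engaged. */
    static final Handler GUARDED = m -> {
        if (!m.engaged.contains(MODULE)) return;
        UNGUARDED.invoke(m);
    };

    static String run(Handler h, Msg m) {
        try { h.invoke(m); return "continue"; }
        catch (InvalidSecurity e) { return "InvalidSecurity: " + e.getMessage(); }
    }

    public static void main(String[] args) {
        Msg m = new Msg();          // constructed sample: policy attached, unsigned response
        m.policyAttached = true;
        System.out.println("not engaged, unguarded: " + run(UNGUARDED, m));
        System.out.println("not engaged, guarded:   " + run(GUARDED, m));
        m.engaged.add(MODULE);      // once engaged, the guard must not weaken enforcement
        System.out.println("engaged, guarded:       " + run(GUARDED, m));
    }
}
```

The third case is the one to keep in a regression test: with the module engaged, an unsigned response must still be rejected.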
