[ https://issues.apache.org/jira/browse/RAMPART-127?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12917628#action_12917628 ]
Bridget Almas commented on RAMPART-127:
---------------------------------------

I think this change creates a problem when WS-Security is used without WS-Addressing. See http://mail-archives.apache.org/mod_mbox/ws-rampart-dev/201010.mbox/%3cec2d78596c2649f48a6bd0bc26a94...@lenovox300%3e for details.

When the operation is resolved from the SOAP message body, rather than from a SOAP action, the PostDispatchVerificationHandler is invoked before the Policy has been added to the MessageContext. The only way I was able to work around this was to disable the PostDispatchVerificationHandler in modules.xml, rebuild the rampart.mar and move the Security phase to post dispatch in the axis2.xml.

> Possible Security Hole
> ----------------------
>
>                 Key: RAMPART-127
>                 URL: https://issues.apache.org/jira/browse/RAMPART-127
>             Project: Rampart
>          Issue Type: Bug
>          Components: rampart-core
>    Affects Versions: 1.3
>            Reporter: Amila Chinthaka Suriarachchi
>            Priority: Critical
>             Fix For: 1.4
>
>
> Let's take this scenario.
> There is a service which has an operational policy to sign the SOAP headers
> and has engaged security at the operational level. There is a SOAP action for
> this operation, and in the normal case users are supposed to send a SOAP action. So at
> the service level the operation is dispatched using the SOAP action and signature
> verification is done.
> Let's say an intruder sends a SOAP message without signing and without a
> SOAPAction. Then the operation is not dispatched before the security phase
> and hence security verification is not done. So the message which does
> not have any security headers passes through.
> Then this will be dispatched with SOAP-body-based dispatching and finally it hits
> the MR.
> So this is a security hole.

--
This message is automatically generated by JIRA.
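To make the ordering problem in the report and the comment concrete, here is an added, abridged illustration (not taken from the issue or from Rampart's or Axis2's own files) of the Axis2 in-flow phaseOrder in axis2.xml, first in its usual shape and then with the Security phase moved after Dispatch, which is the workaround the comment describes. The dispatcher class names are Axis2's; which handlers are shown, and the claim that this ordering is sufficient for a given deployment, are assumptions for illustration.

```xml
<!-- Usual in-flow ordering (abridged): the Security phase, where Rampart's
     handlers run, precedes the Dispatch phase. A request without a SOAPAction
     is only resolved to an operation when SOAPMessageBodyBasedDispatcher runs
     in Dispatch, so at Security time the operation-level policy is not yet
     on the MessageContext and an unsigned message is not rejected. -->
<phaseOrder type="InFlow">
    <phase name="Transport">
        <handler name="SOAPActionBasedDispatcher"
                 class="org.apache.axis2.dispatchers.SOAPActionBasedDispatcher">
            <order phase="Transport"/>
        </handler>
    </phase>
    <phase name="Addressing"/>
    <phase name="Security"/>                 <!-- Rampart verifies here -->
    <phase name="PreDispatch"/>
    <phase name="Dispatch" class="org.apache.axis2.engine.DispatchPhase">
        <handler name="SOAPMessageBodyBasedDispatcher"
                 class="org.apache.axis2.dispatchers.SOAPMessageBodyBasedDispatcher"/>
    </phase>
    <phase name="OperationInPhase"/>
</phaseOrder>

<!-- Workaround ordering from the comment: Security placed after Dispatch, so
     every dispatcher (including the body-based one) has run and the operation
     policy is attached before Rampart verifies. The comment notes that the
     PostDispatchVerificationHandler also had to be disabled for this to work;
     that handler change is not shown here. -->
<phaseOrder type="InFlow">
    <phase name="Transport">
        <handler name="SOAPActionBasedDispatcher"
                 class="org.apache.axis2.dispatchers.SOAPActionBasedDispatcher">
            <order phase="Transport"/>
        </handler>
    </phase>
    <phase name="Addressing"/>
    <phase name="PreDispatch"/>
    <phase name="Dispatch" class="org.apache.axis2.engine.DispatchPhase">
        <handler name="SOAPMessageBodyBasedDispatcher"
                 class="org.apache.axis2.dispatchers.SOAPMessageBodyBasedDispatcher"/>
    </phase>
    <phase name="Security"/>                 <!-- now after operation resolution -->
    <phase name="OperationInPhase"/>
</phaseOrder>
```

The check a deployer would want after either layout is that a request with no SOAPAction and no security header is rejected, not just one that carries a SOAPAction.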