Hello, I have been working with sample "ws_security/ut_policy" from cxf 2.7.1 and it works fine. But I wanted to test other configurations, because I want to test DigestPassword without https.
First of all, I changed the policy from hello_world.wsdl to this:

After that, I changed src/main/resources/ServiceConfig and left only this inside the beans tag:

Then, I executed the Server (main) class and it worked fine. The problem is that I have tried, with SoapUI, to send exactly the same message several times (same Header: Timestamp, Nonce...) and I've got every time the same correct answer (obviously it should not from the second time). I've tried to fix it by adding these property entries to the endpoint definition:

But it doesn't work. I have to say that I have tested the same solution with WSS4JInInterceptor and, in that case, the application realized that you are doing a replay attack and sent you back the proper fault.

Finally, I have found that WSPasswordCallback (inside the handle method of UTPasswordCallback) has a null value in TimestampReplayCache in the policy example, but an "org.apache.cxf.ws.security.cache.EHCacheReplayCache" object was instantiated when using WSS4JInInterceptor. You can check it by debugging or by adding this:

after WSPasswordCallback pc = (WSPasswordCallback)callbacks[i]; in the UTPasswordCallback class.

Thank you in advance.

--
View this message in context: http://cxf.547215.n5.nabble.com/Web-Service-security-Replay-Attack-with-WS-Policy-tp5720642.html
Sent from the cxf-user mailing list archive at Nabble.com.
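The behaviour the post describes (a repeated message with the same Nonce and Created timestamp being accepted every time) is exactly what a replay cache exists to stop. The following stand-alone Java class is an added illustration of that check and is not code from CXF, WSS4J or the ut_policy sample; in a real deployment the cache is the EHCacheReplayCache instance mentioned above, populated by the WS-Security interceptor. The class assumes the caller has already extracted the Nonce and Created values from the wsse:UsernameToken header; the five-minute window, the clock-skew allowance and the sample nonce are constructed values, not CXF defaults.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;

/**
 * Added illustration of UsernameToken replay detection (not CXF/WSS4J code).
 * A token is accepted only if its Created timestamp is fresh and its Nonce has
 * not been seen before within the freshness window.
 */
public class UsernameTokenReplayCheck {

    /** How long a Created timestamp stays acceptable (constructed value). */
    private final Duration ttl;
    /** Tolerated clock skew for a Created timestamp in the future (constructed value). */
    private final Duration futureSkew = Duration.ofSeconds(60);
    /** Nonce -> time after which the entry can be dropped (Created + ttl). */
    private final Map<String, Instant> seenNonces = new HashMap<>();

    public UsernameTokenReplayCheck(Duration ttl) {
        this.ttl = ttl;
    }

    /**
     * Returns null when the token is accepted, otherwise the reason for rejection.
     * "now" is passed in explicitly so the demo below is deterministic.
     */
    public synchronized String check(String nonce, Instant created, Instant now) {
        evictExpired(now);
        if (nonce == null || nonce.isEmpty()) {
            return "missing Nonce";
        }
        if (created == null) {
            return "missing Created timestamp";
        }
        if (created.isAfter(now.plus(futureSkew))) {
            return "Created timestamp is in the future";
        }
        if (created.isBefore(now.minus(ttl))) {
            return "Created timestamp older than " + ttl;
        }
        if (seenNonces.containsKey(nonce)) {
            return "replayed Nonce";
        }
        // Remember the nonce only as long as its timestamp could still be fresh;
        // after that the freshness check alone rejects the message.
        seenNonces.put(nonce, created.plus(ttl));
        return null;
    }

    /** Drop nonces whose Created timestamp can no longer pass the freshness check. */
    private void evictExpired(Instant now) {
        Iterator<Map.Entry<String, Instant>> it = seenNonces.entrySet().iterator();
        while (it.hasNext()) {
            if (!it.next().getValue().isAfter(now)) {
                it.remove();
            }
        }
    }

    public synchronized int cachedNonces() {
        return seenNonces.size();
    }

    private static String describe(String reason) {
        return reason == null ? "accepted" : "rejected (" + reason + ")";
    }

    public static void main(String[] args) {
        UsernameTokenReplayCheck cache = new UsernameTokenReplayCheck(Duration.ofMinutes(5));
        Instant now = Instant.parse("2012-12-01T10:00:00Z");   // constructed
        String nonce = "LKqI6G/AikKCQrN0zqZFlg==";              // constructed sample nonce
        Instant created = now.minusSeconds(10);

        // First delivery of the message: fresh timestamp, unseen nonce.
        System.out.println("first delivery: " + describe(cache.check(nonce, created, now)));
        // Same header sent again, as in the SoapUI test from the post.
        System.out.println("same message:   " + describe(cache.check(nonce, created, now)));
        // A new nonce but a stale Created timestamp is refused as well.
        Instant stale = now.minus(Duration.ofMinutes(10));
        System.out.println("stale token:    " + describe(cache.check("bXxXk3Q1dGNvbnN0cg==", stale, now)));
        // Long after the window the nonce has been evicted, but the old
        // timestamp is now stale, so the replay is still refused.
        Instant later = now.plus(Duration.ofMinutes(6));
        System.out.println("late replay:    " + describe(cache.check(nonce, created, later)));
        System.out.println("nonces held:    " + cache.cachedNonces());
    }
}
```

The point of tying the cache entry's lifetime to Created + ttl is that the two checks cover each other: while a timestamp is still fresh the nonce is remembered, and once it is no longer remembered the timestamp check rejects the message anyway. A cache that is never instantiated, as in the policy-driven configuration described in the post, means only the timestamp check remains, so any message inside the freshness window can be replayed.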
