Hi Antonio, It's a bug that will be fixed in the next release:
https://issues.apache.org/jira/browse/CXF-4718

Thanks,

Colm.

On Fri, Dec 21, 2012 at 8:23 AM, Antonio Lopez <[email protected]> wrote:
> Hello,
>
> I have been working with sample "ws_security/ut_policy" from cxf 2.7.1 and
> it works fine. But I wanted to test other configurations, because I want to
> test DigestPassword without https.
>
> First of all, I changed policy from hello_world.wsdl to this:
>
> After, I have changed src/main/resources/ServiceConfig and left only this
> inside the beans tag:
>
> Then, I executed the Server (main) class and it worked fine. The problem is
> that I have tried, with SoapUI, to send exactly the same message several
> times (same Header: Timestamp, Nonce...) and I've got the same correct
> answer every time (Obviously it should not from the second time).
>
> I've tried to fix it by adding these property entries to the endpoint
> definition:
>
> But it doesn't work.
>
> I have to say that I have tested the same solution with WSS4JInInterceptor
> and, in that case, the application realized that you are doing a replay
> attack and sent you back the proper fault.
>
> Finally, I have found that WSPasswordCallback (inside the handle method from
> UTPasswordCallback) has a null value in TimestampReplayCache in the policy
> example, but an "org.apache.cxf.ws.security.cache.EHCacheReplayCache" object
> was instantiated using WSS4JInInterceptor.
>
> You can check it by debugging or adding this:
> after
> WSPasswordCallback pc = (WSPasswordCallback)callbacks[i]; in
> UTPasswordCallback class.
>
> Thank you in advance.
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/Web-Service-security-Replay-Attack-with-WS-Policy-tp5720642.html
> Sent from the cxf-user mailing list archive at Nabble.com.

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
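The check Antonio expected and did not get is the one a UsernameToken replay cache performs: a nonce that has already been seen inside the accepted timestamp window is rejected, so resending the identical header fails from the second attempt on. The Python below is an added example, not code from this thread, from CXF or from WSS4J. It builds a PasswordDigest UsernameToken the way a client would (Base64(SHA-1(nonce + created + password)), per the WS-Security UsernameToken Profile 1.0), then verifies it the way the server side should: Created freshness first, then the digest against a constructed credential store standing in for UTPasswordCallback, then the nonce against an in-memory cache standing in for EHCacheReplayCache. The user name, password, timestamps, clock-skew window and cache TTL are all constructed for the example.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
B64_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-soap-message-security-1.0#Base64Binary")

# Constructed credential store; stands in for what UTPasswordCallback would look up.
PASSWORDS = {"alice": "s3cret"}


def parse_created(created: str) -> datetime:
    """Parse a wsu:Created value such as 2012-12-21T08:22:50.000Z as UTC."""
    return datetime.fromisoformat(created.rstrip("Z")).replace(tzinfo=timezone.utc)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password)), nonce as raw bytes."""
    digest = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(digest).decode()


def build_username_token(username: str, password: str, created: str, nonce: bytes = None) -> str:
    """Client side: a wsse:Security header carrying a PasswordDigest UsernameToken."""
    nonce = os.urandom(16) if nonce is None else nonce
    return (
        f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        f'<wsse:UsernameToken><wsse:Username>{username}</wsse:Username>'
        f'<wsse:Password Type="{DIGEST_TYPE}">{password_digest(nonce, created, password)}</wsse:Password>'
        f'<wsse:Nonce EncodingType="{B64_TYPE}">{base64.b64encode(nonce).decode()}</wsse:Nonce>'
        f'<wsu:Created>{created}</wsu:Created></wsse:UsernameToken></wsse:Security>'
    )


class NonceReplayCache:
    """In-memory stand-in for the EHCache-backed nonce cache: remembers nonces for ttl seconds."""

    def __init__(self, ttl_seconds: int):
        self.ttl = ttl_seconds
        self.seen = {}  # nonce (base64 text) -> expiry, unix seconds

    def check_and_add(self, nonce: str, now: float) -> bool:
        """Return False if nonce was already seen and is still within its TTL; otherwise record it."""
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}
        if nonce in self.seen:
            return False
        self.seen[nonce] = now + self.ttl
        return True


def verify_username_token(header_xml: str, cache: NonceReplayCache, now: datetime,
                          max_skew: int = 300) -> str:
    """Server side: freshness, then digest, then replay. Returns a short verdict string."""
    root = ET.fromstring(header_xml)
    token = root.find(f"{{{WSSE}}}UsernameToken")
    if token is None:
        return "missing-token"
    password_el = token.find(f"{{{WSSE}}}Password")
    nonce_b64 = token.findtext(f"{{{WSSE}}}Nonce")
    created = token.findtext(f"{{{WSU}}}Created")
    if password_el is None or password_el.get("Type") != DIGEST_TYPE or not nonce_b64 or not created:
        return "missing-nonce-or-created"
    # 1. Freshness: without a bound on Created, a captured digest could be replayed for ever.
    if abs((now - parse_created(created)).total_seconds()) > max_skew:
        return "stale"
    # 2. Digest: recompute from the stored password and compare in constant time.
    password = PASSWORDS.get(token.findtext(f"{{{WSSE}}}Username", ""))
    expected = password_digest(base64.b64decode(nonce_b64), created, password or "")
    if password is None or not hmac.compare_digest(expected, password_el.text or ""):
        return "bad-digest"
    # 3. Replay: the same nonce inside the freshness window means this message was seen before.
    if not cache.check_and_add(nonce_b64, now.timestamp()):
        return "replay"
    return "ok"


def demo():
    """Send the same header twice, the way the SoapUI test in the thread did."""
    now = parse_created("2012-12-21T08:23:00Z")
    cache = NonceReplayCache(ttl_seconds=600)
    header = build_username_token("alice", "s3cret", "2012-12-21T08:22:50.000Z")
    return [verify_username_token(header, cache, now) for _ in range(2)]


if __name__ == "__main__":
    print(demo())  # ['ok', 'replay']
```

Two design points carry over to a real deployment. The freshness check runs before the cache lookup so that the cache only has to hold nonces for the skew window, which is what keeps it bounded; and the cache TTL must be at least that window, otherwise a nonce can be evicted while its Created is still acceptable and the message becomes replayable again. A service whose callback sees no replay cache at all, as in the policy example above, is silently skipping step 3.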
