axis-java-dev mailing list archives

From "Ali Sadik Kumlali (JIRA)" <j...@apache.org>
Subject [jira] Created: (AXIS2-1858) Security validation is made only if security header is found
Date Mon, 11 Dec 2006 09:37:21 GMT
Security validation is made only if security header is found
------------------------------------------------------------

                 Key: AXIS2-1858
                 URL: http://issues.apache.org/jira/browse/AXIS2-1858
             Project: Apache Axis 2.0 (Axis2)
          Issue Type: Bug
          Components: modules
    Affects Versions: 1.1
         Environment: Not important.
            Reporter: Ali Sadik Kumlali


Hi,

Although the service is expecting a signed message, I don't get any exception if no WS-Security
header has been added to the message.

Here are the use cases and how Rampart behaves:

Common:
  - Service requires a signed message[1]
  
Case1: Client adds <module ref="rampart"/> but doesn't add <parameter name="OutflowSecurity"> to the axis2.xml
  - Client sends message
  - Message doesn't have the necessary WS-Security headers but only a single one [2]

  Result
  - Rampart doesn't log or throw any exception and the message passes to the message receiver (Unexpected(?) behaviour)
  
Case2: Client doesn't add either <module ref="rampart"/> or <parameter name="OutflowSecurity">...
  - Client sends message
  - Message doesn't have any WS-Security header.

  Result
  - Rampart doesn't log or throw any exception and the message passes to the message receiver (Unexpected(?) behaviour)
  

Regards,

Ali Sadik Kumlali
  

[1]
    <module ref="rampart"/>

    <parameter name="InflowSecurity">
        <action>
            <items>Signature</items>
            <signaturePropFile>server_security.properties</signaturePropFile>
        </action>
    </parameter>
  
[2] <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"/>
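
The behaviour the report expects, as an added example (not Rampart's, WSS4J's or the reporter's code): when the inflow configuration lists Signature, a missing or empty wsse:Security header is itself a reason to reject, so the check fails closed for both Case1 and Case2. The class and method names are hypothetical, the SOAP 1.1 envelope namespace is an assumption, and the two messages are constructed samples.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

// Added illustration; hypothetical names, not Rampart or WSS4J API.
public class RequireSignatureCheck {
    // Assumption: SOAP 1.1 envelope namespace (the report does not name the version).
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/"
            + "oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";

    // First direct child element with the given namespace and local name, or null.
    static Element child(Element parent, String ns, String local) {
        for (Node n = parent.getFirstChild(); n != null; n = n.getNextSibling())
            if (n instanceof Element && ns.equals(n.getNamespaceURI())
                    && local.equals(n.getLocalName())) return (Element) n;
        return null;
    }

    // Policy says "Signature": reject unless Header/wsse:Security/ds:Signature exists.
    // Presence check only; cryptographic verification of the signature must still follow.
    static void requireSignature(String envelope) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Element env = f.newDocumentBuilder().parse(new ByteArrayInputStream(
                envelope.getBytes(StandardCharsets.UTF_8))).getDocumentElement();
        Element header = child(env, SOAP, "Header");
        Element sec = (header == null) ? null : child(header, WSSE, "Security");
        if (sec == null)
            throw new SecurityException("Signature required but no wsse:Security header");
        if (child(sec, DS, "Signature") == null)
            throw new SecurityException("Signature required but header has no ds:Signature");
    }
    public static void main(String[] args) throws Exception {
        String open = "<soapenv:Envelope xmlns:soapenv='" + SOAP + "'>";
        String body = "<soapenv:Body/></soapenv:Envelope>";
        String[] constructed = {                       // constructed sample messages
            open + body,                                         // Case2: no header at all
            open + "<soapenv:Header><wsse:Security soapenv:mustUnderstand='1' xmlns:wsse='"
                 + WSSE + "'/></soapenv:Header>" + body,         // Case1: empty header [2]
        };
        for (String msg : constructed) {
            try { requireSignature(msg); System.out.println("accepted"); }
            catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```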
