axis-java-dev mailing list archives

From "Chris Dalrymple (JIRA)" <j...@apache.org>
Subject [jira] Updated: (AXIS2-4132) incomplete SOAP header bypasses rampart security
Date Mon, 17 Nov 2008 18:11:44 GMT

     [ https://issues.apache.org/jira/browse/AXIS2-4132?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Chris Dalrymple updated AXIS2-4132:
-----------------------------------

    Environment: eclipse ganymede, Tomcat 6.0.18 running on Windows 2000  (was: eclipse ganymede,
Tomcat 6.0.18 running on Windows NT)

> incomplete SOAP header bypasses rampart security
> ------------------------------------------------
>
>                 Key: AXIS2-4132
>                 URL: https://issues.apache.org/jira/browse/AXIS2-4132
>             Project: Axis 2.0 (Axis2)
>          Issue Type: Bug
>          Components: modules
>    Affects Versions: 1.4.1
>         Environment: eclipse ganymede, Tomcat 6.0.18 running on Windows 2000
>            Reporter: Chris Dalrymple
>             Fix For: 1.4.1
>
>
> I configured a web service to use basic authentication as demonstrated in basic/example3
> of the rampart 1.3 examples. The security works as expected when a request comes in without
> the necessary SOAP header and the following response is returned:
> [ERROR] WSDoAllReceiver: Incoming message does not contain required Security header
> The security also works as expected when the properly formed SOAP header contains either
> the wrong username or password. The Callback Handler is invoked and the following response
> is returned:
> [ERROR] WSDoAllReceiver: security processing failed
> The problem, which I discovered quite by accident, is that a request that is lacking
> some of the security elements of the SOAP header seems to bypass the Callback Handler completely
> and give access to the secured resource. Below is an example of a SOAP request that behaves
> as described.
> <?xml version="1.0" encoding="UTF-8"?>
> <soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
>       <soapenv:Header>
>             <wsse:Security
>                   xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" />
>       </soapenv:Header>
>       <soapenv:Body>
>             <ns1:getUnitId xmlns:ns1="http://axis2.webservice.lsu.edu">
>                   <ns1:unitId>b3Z76yu439156</ns1:unitId>
>             </ns1:getUnitId>
>       </soapenv:Body>
> </soapenv:Envelope>

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
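The failure mode in the report is that the receiver checks for the presence of a wsse:Security header but grants access before confirming that a token inside it was actually processed, so an empty wrapper sails through. The following is an added example, not code from the report or from Axis2/Rampart: a fail-closed UsernameToken check in Python that replays the three request shapes described above (no Security header, a complete token with the wrong password, an empty wsse:Security element) plus a valid one. The function names (authenticate_envelope, password_callback, envelope, username_token), the in-memory credential store and the sample envelopes are all assumptions constructed for this example; xml.etree is used for brevity and is not hardened against entity expansion, so a real service would use defusedxml or the SOAP stack's own parser.

```python
"""Fail-closed WS-Security UsernameToken check.

Added example, not Axis2's or Rampart's own code. It replays the request
shapes from the report against a check that only grants access once a
UsernameToken has been found and verified. Function names, the credential
store and the sample envelopes are assumptions constructed for this example.
"""
import hmac
import xml.etree.ElementTree as ET  # assumption: use defusedxml for untrusted input

SOAP12 = "http://www.w3.org/2003/05/soap-envelope"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")

# Constructed credential store standing in for the Rampart password callback handler.
CREDENTIALS = {"alice": "s3cret"}


def password_callback(username):
    """Stand-in for the callback handler: the expected password, or None if unknown."""
    return CREDENTIALS.get(username)


def authenticate_envelope(xml_text):
    """Return (allowed, reason). Denies unless a UsernameToken is present and verified.

    The difference from a presence-only check is that an empty <wsse:Security/>
    wrapper is rejected instead of being passed through to the service.
    """
    if isinstance(xml_text, str):
        xml_text = xml_text.encode("utf-8")
    root = ET.fromstring(xml_text)
    header = root.find(f"{{{SOAP12}}}Header")
    security = None if header is None else header.find(f"{{{WSSE}}}Security")
    if security is None:
        return False, "Incoming message does not contain required Security header"

    token = security.find(f"{{{WSSE}}}UsernameToken")
    if token is None:
        # The reported bypass: wrapper present, no token inside it. Fail closed.
        return False, "Security header present but contains no UsernameToken"

    username = token.findtext(f"{{{WSSE}}}Username")
    password_el = token.find(f"{{{WSSE}}}Password")
    if not username or password_el is None or password_el.text is None:
        return False, "UsernameToken is missing Username or Password"
    if password_el.get("Type", PASSWORD_TEXT) != PASSWORD_TEXT:
        return False, "unsupported password type"  # digest tokens not handled here

    expected = password_callback(username)
    if expected is None or not hmac.compare_digest(
        expected.encode("utf-8"), password_el.text.encode("utf-8")
    ):
        return False, "security processing failed"
    return True, "authenticated as " + username


def envelope(header_content):
    """Build a constructed SOAP 1.2 request mirroring the report's getUnitId call."""
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP12}" xmlns:wsse="{WSSE}">'
        f"<soapenv:Header>{header_content}</soapenv:Header>"
        '<soapenv:Body><ns1:getUnitId xmlns:ns1="http://axis2.webservice.lsu.edu">'
        "<ns1:unitId>b3Z76yu439156</ns1:unitId></ns1:getUnitId></soapenv:Body>"
        "</soapenv:Envelope>"
    )


def username_token(user, password):
    """Constructed plaintext UsernameToken inside a wsse:Security header."""
    return (
        "<wsse:Security><wsse:UsernameToken>"
        f"<wsse:Username>{user}</wsse:Username>"
        f'<wsse:Password Type="{PASSWORD_TEXT}">{password}</wsse:Password>'
        "</wsse:UsernameToken></wsse:Security>"
    )


# Constructed request variants from the report, plus a valid one.
NO_HEADER = envelope("")
EMPTY_SECURITY = envelope("<wsse:Security/>")
WRONG_PASSWORD = envelope(username_token("alice", "wrong"))
VALID = envelope(username_token("alice", "s3cret"))

if __name__ == "__main__":
    for name, req in [("no header", NO_HEADER), ("empty Security", EMPTY_SECURITY),
                      ("wrong password", WRONG_PASSWORD), ("valid", VALID)]:
        print(f"{name:15s} -> {authenticate_envelope(req)}")
```

The design point is that the authorization decision keys on a verified token having been produced, not on the Security wrapper being present: every path that does not end in a successful credential comparison returns a denial, so a header that is syntactically present but semantically empty is treated the same as a missing one.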



