axis-java-dev mailing list archives

From Jaime Hablutzel Egoavil <hablutz...@gmail.com>
Subject axis2 security bug?
Date Tue, 20 Oct 2009 13:40:34 GMT
Hi, I'm a newbie in web services and security. I'm using WSO2 as an Axis2
wrapper to make working with Spring easier. Well,

I have published a service that requires user token authentication and SSL
transport using this policy:

<wsp:Policy wsu:Id="UsernameTokenOverHTTPS"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:TransportToken>
                        <wsp:Policy>
                            <sp:HttpsToken RequireClientCertificate="false" />
                        </wsp:Policy>
                    </sp:TransportToken>
                    <sp:AlgorithmSuite>
                        <wsp:Policy>
                            <sp:Basic256 />
                        </wsp:Policy>
                    </sp:AlgorithmSuite>
                    <sp:Layout>
                        <wsp:Policy>
                            <sp:Lax />
                        </wsp:Policy>
                    </sp:Layout>
                    <sp:IncludeTimestamp />
                </wsp:Policy>
            </sp:TransportBinding>
            <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:UsernameToken
                        sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient" />
                </wsp:Policy>
            </sp:SignedSupportingTokens>
            <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
                <ramp:passwordCallbackClass>pe.gob.hndac.ldap.PasswordCallbackHandler</ramp:passwordCallbackClass>
            </ramp:RampartConfig>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>

If I send this request (sniffed with TCPmon):

POST http://172.17.0.24:8080/emrws/services/emrAuthWs.emrAuthWsHttpSoap12Endpoint/ HTTP/1.1
User-Agent: Axis2C/1.5.0
Content-Type: application/soap+xml;charset=UTF-8;action="urn:getPatientDetails"
Host: 172.17.0.24:8080
Content-Length: 310

<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
xmlns:ws="http://ws.hndac.gob.pe">
   <soap:Header/>
   <soap:Body>
      <ws:getPatientDetails>
         <!--Optional:-->
         <ws:identificador>12</ws:identificador>
      </ws:getPatientDetails>
   </soap:Body>
</soap:Envelope>

I receive this answer:

<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
   <soapenv:Body>
      <soapenv:Fault xmlns:axis2ns19="http://www.w3.org/2003/05/soap-envelope">
         <soapenv:Code>
            <soapenv:Value>axis2ns19:Sender</soapenv:Value>
            <soapenv:Subcode>
               <soapenv:Value xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">wsse:InvalidSecurity</soapenv:Value>
            </soapenv:Subcode>
         </soapenv:Code>
         <soapenv:Reason>
            <soapenv:Text xml:lang="en-US">Missing wsse:Security header in request</soapenv:Text>
         </soapenv:Reason>
         <soapenv:Detail/>
      </soapenv:Fault>
   </soapenv:Body>
</soapenv:Envelope>


OK, this is an Axis fault, that is fine, but if I send:

POST http://172.17.0.24:8080/emrws/services/emrAuthWs.emrAuthWsHttpSoap12Endpoint/ HTTP/1.1
User-Agent: Axis2C/1.5.0
Content-Length: 294
Content-Type: application/soap+xml;charset=UTF-8
Host: 172.17.0.24:8080

<soapenv:Envelope
xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope"><soapenv:Header/><soapenv:Body><ws:getPatientDetails
xmlns:ws="http://ws.hndac.gob.pe">
         <!--Optional:-->
         <ws:identificador>12</ws:identificador>
</ws:getPatientDetails></soapenv:Body></soapenv:Envelope>

Note the missing action attribute in the HTTP Content-Type header. I receive
this answer:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/soap+xml;action="urn:getPatientDetailsResponse";charset=UTF-8
Transfer-Encoding: chunked
Date: Tue, 20 Oct 2009 13:30:41 GMT

641
<?xml version='1.0' encoding='UTF-8'?>
<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="true">
<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-16078681">
<wsu:Created>2009-10-20T13:30:41.184Z</wsu:Created><wsu:Expires>2009-10-20T13:35:41.184Z</wsu:Expires>
</wsu:Timestamp></wsse:Security></soapenv:Header>
<soapenv:Body>
<ns:getPatientDetailsResponse xmlns:ns="http://ws.hndac.gob.pe">
<ns:return xmlns:ax23="http://model/xsd" type="model.Paciente">
<ax23:apellidoMaterno>ALFARO</ax23:apellidoMaterno><ax23:apellidoPaterno>SAENZ</ax23:apellidoPaterno>
<ax23:direccion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true" />
<ax23:documentoIdentidad xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true" />
<ax23:fechaAdmision xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true" />
<ax23:fechaNacimiento>1957-08-16T05:00:00.000Z</ax23:fechaNacimiento>
<ax23:identificador>12</ax23:identificador><ax23:nombres>CARMEN ROSA</ax23:nombres><ax23:sexo>F</ax23:sexo>
<ax23:telefono xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true" />
<ax23:ubigeoNacimiento xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true" />
<ax23:ubigeoResidencia xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true" />
</ns:return></ns:getPatientDetailsResponse></soapenv:Body></soapenv:Envelope>
0


Ouch, without user authentication or SSL transport :S

-- 
Jaime Hablutzel

(accents intentionally omitted) 9 8964 0369
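A regression check for the behaviour reported above, added here as an example; it is not code from the thread or from Axis2/Rampart. The idea is that a service with a UsernameToken policy must answer every request that lacks a wsse:Security header with a WS-Security fault, whatever else varies in the request (here, the SOAP 1.2 "action" parameter of the Content-Type). The script pairs each request variant with the reply it got and classifies the exchange. The two replies captured in the thread (the wsse:InvalidSecurity fault and the unauthenticated getPatientDetails response) are embedded as constructed, abridged samples so it runs offline; the function names (`classify`, `audit`, `soap12_content_type`) and the verdict strings are my own.

```python
"""Regression check: does the endpoint reject unauthenticated SOAP requests
in every request variant?  Example code, not part of Axis2 or Rampart."""
import xml.etree.ElementTree as ET

SOAP12_NS = "http://www.w3.org/2003/05/soap-envelope"
SOAP11_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
# Fault subcodes defined by WS-Security 1.0 (section 12, "Error Handling").
WSS_FAULT_CODES = {
    "UnsupportedSecurityToken", "UnsupportedAlgorithm", "InvalidSecurity",
    "InvalidSecurityToken", "FailedAuthentication", "FailedCheck",
    "SecurityTokenUnavailable", "MessageExpired",
}


def _parse(envelope_xml):
    # Feed bytes so an XML declaration carrying encoding= is always accepted.
    if isinstance(envelope_xml, str):
        envelope_xml = envelope_xml.encode("utf-8")
    return ET.fromstring(envelope_xml)


def _envelope_ns(root):
    # Namespace of the root element, i.e. SOAP 1.1 or SOAP 1.2.
    return root.tag[1:].split("}", 1)[0] if root.tag.startswith("{") else ""


def soap12_content_type(action=None):
    """Content-Type the client sends; action=None drops the parameter entirely."""
    base = "application/soap+xml;charset=UTF-8"
    return base if action is None else f'{base};action="{action}"'


def has_security_header(envelope_xml):
    """True if the envelope carries a wsse:Security header (SOAP 1.1 or 1.2)."""
    root = _parse(envelope_xml)
    header = root.find(f"{{{_envelope_ns(root)}}}Header")
    return header is not None and header.find(f"{{{WSSE_NS}}}Security") is not None


def fault_codes(envelope_xml):
    """Local names of the fault code/subcodes in a reply; [] if it is not a fault."""
    root = _parse(envelope_xml)
    ns = _envelope_ns(root)
    fault = root.find(f"{{{ns}}}Body/{{{ns}}}Fault")
    if fault is None:
        return []
    if ns == SOAP12_NS:
        values = fault.iter(f"{{{ns}}}Value")   # Code/Value, then Subcode/Value
    else:
        values = fault.iter("faultcode")        # SOAP 1.1: unqualified element
    return [(v.text or "").strip().rpartition(":")[2] for v in values]


def response_is_security_fault(envelope_xml):
    return any(code in WSS_FAULT_CODES for code in fault_codes(envelope_xml))


def classify(request_envelope, response_envelope):
    """Verdict for one exchange against a policy that requires a UsernameToken."""
    if has_security_header(request_envelope):
        return "authenticated"   # not this check's concern
    if response_is_security_fault(response_envelope):
        return "rejected"        # policy enforced
    return "BYPASS"              # unauthenticated request was answered with data


def audit(variants):
    """variants: {name: (request_envelope, response_envelope)} -> {name: verdict}."""
    return {name: classify(req, resp) for name, (req, resp) in variants.items()}


# Constructed samples, abridged from the captures in the thread.
REQUEST_NO_SECURITY = """<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
<soapenv:Header/><soapenv:Body><ws:getPatientDetails xmlns:ws="http://ws.hndac.gob.pe">
<ws:identificador>12</ws:identificador></ws:getPatientDetails></soapenv:Body></soapenv:Envelope>"""

FAULT_REPLY = """<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
<soapenv:Body><soapenv:Fault xmlns:axis2ns19="http://www.w3.org/2003/05/soap-envelope">
<soapenv:Code><soapenv:Value>axis2ns19:Sender</soapenv:Value><soapenv:Subcode>
<soapenv:Value xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">wsse:InvalidSecurity</soapenv:Value>
</soapenv:Subcode></soapenv:Code><soapenv:Reason>
<soapenv:Text xml:lang="en-US">Missing wsse:Security header in request</soapenv:Text>
</soapenv:Reason><soapenv:Detail/></soapenv:Fault></soapenv:Body></soapenv:Envelope>"""

BUSINESS_REPLY = """<?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
<soapenv:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="true">
<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-16078681">
<wsu:Created>2009-10-20T13:30:41.184Z</wsu:Created><wsu:Expires>2009-10-20T13:35:41.184Z</wsu:Expires></wsu:Timestamp></wsse:Security></soapenv:Header>
<soapenv:Body><ns:getPatientDetailsResponse xmlns:ns="http://ws.hndac.gob.pe"><ns:return xmlns:ax23="http://model/xsd">
<ax23:identificador>12</ax23:identificador><ax23:nombres>CARMEN ROSA</ax23:nombres></ns:return></ns:getPatientDetailsResponse></soapenv:Body></soapenv:Envelope>"""

# One entry per request variant, keyed by the Content-Type that was sent.
VARIANTS = {
    soap12_content_type("urn:getPatientDetails"): (REQUEST_NO_SECURITY, FAULT_REPLY),
    soap12_content_type(): (REQUEST_NO_SECURITY, BUSINESS_REPLY),
}

if __name__ == "__main__":
    for content_type, verdict in audit(VARIANTS).items():
        print(f"{verdict:14} Content-Type: {content_type}")
```

In a live test harness the two replies would come from the endpoint itself; the point of keying the matrix by Content-Type is that every dispatch variant (with and without the action parameter, SOAP 1.1 and 1.2, WS-Addressing action present or absent) has to produce "rejected", and a single "BYPASS" line is a finding on the server's policy enforcement, not on the client.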
