axis-java-dev mailing list archives

From "Chris Dalrymple (JIRA)" <>
Subject [jira] Commented: (RAMPART-240) incomplete SOAP header bypasses rampart security
Date Wed, 22 Dec 2010 08:56:11 GMT


Chris Dalrymple commented on RAMPART-240:

You have got to be kidding, right? This issue was posted 17/Nov/08. That was over two years
ago. Now your answer is that the method is deprecated? With a turnaround like that, this could
be your stock answer for everything.

Thanks for getting back to me,
Rip Van Winkle

> incomplete SOAP header bypasses rampart security
> ------------------------------------------------
>                 Key: RAMPART-240
>                 URL:
>             Project: Rampart
>          Issue Type: Bug
>    Affects Versions: 1.4
>         Environment: eclipse ganymede, Tomcat 6.0.18 running on Windows XP
>            Reporter: Chris Dalrymple
> I configured a web service to use basic authentication as demonstrated in basic/example3
> of the rampart 1.3 examples. The security works as expected when a request comes in without
> the necessary SOAP header and the following response is returned:
> [ERROR] WSDoAllReceiver: Incoming message does not contain required Security header
> The security also works as expected when the properly formed SOAP header contains either
> the wrong username or password. The Callback Handler is invoked and the following response
> is returned:
> [ERROR] WSDoAllReceiver: security processing failed
> The problem, which I discovered quite by accident, is that a request that is lacking
> some of the security elements of the SOAP header seems to bypass the Callback Handler completely
> and give access to the secured resource. Below is an example of a SOAP request that behaves
> as described.
> <?xml version="1.0" encoding="UTF-8"?>
> <soapenv:Envelope xmlns:soapenv="">
>       <soapenv:Header>
>             <wsse:Security
>                   xmlns:wsse=""/>
>       </soapenv:Header>
>       <soapenv:Body>
>             <ns1:getUnitId xmlns:ns1="">
>                   <ns1:unitId>b3Z76yu439156</ns1:unitId>
>             </ns1:getUnitId>
>       </soapenv:Body>
> </soapenv:Envelope>
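The failure mode in the report is a wsse:Security header that is present but carries no credential. The following is an added, stand-alone illustration (not Rampart's or Axis2's code) of the check a receiver needs: distinguish "no header", "empty header" and "header with a UsernameToken", and only let the last case reach the password callback. The sample requests are constructed after the one in the report, with the standard SOAP 1.1 and WS-Security 1.0 namespace URIs filled in and a made-up `urn:example` service namespace.

```python
import xml.etree.ElementTree as ET

# Standard namespace URIs for SOAP 1.1 and WS-Security 1.0 (the report's copies were stripped).
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"


def classify_security_header(envelope_xml: str) -> str:
    """Return 'missing', 'empty' or 'username_token' for the wsse:Security header.

    'empty' is the case from the report: the element exists but holds no credential,
    so a receiver that only tests for its presence never invokes the callback handler.
    """
    root = ET.fromstring(envelope_xml)  # raises ET.ParseError on malformed input
    header = root.find(f"{{{SOAP_ENV}}}Header")
    security = None if header is None else header.find(f"{{{WSSE}}}Security")
    if security is None:
        return "missing"
    if security.find(f"{{{WSSE}}}UsernameToken") is None:
        return "empty"
    return "username_token"


def extract_credentials(envelope_xml: str):
    """Return (username, password) from the first UsernameToken, else None (fail closed).

    Only a request that yields both values should be handed to the password callback;
    a missing or empty Security header, or malformed XML, is rejected before that.
    """
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError:
        return None  # malformed XML is a rejection, not "no header"
    token = root.find(f"{{{SOAP_ENV}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if token is None:
        return None
    user = token.findtext(f"{{{WSSE}}}Username")
    pwd = token.findtext(f"{{{WSSE}}}Password")
    if not user or not pwd:
        return None
    return user, pwd


# Constructed sample requests modelled on the report.
EMPTY_SECURITY_REQUEST = f"""<soapenv:Envelope xmlns:soapenv="{SOAP_ENV}">
  <soapenv:Header><wsse:Security xmlns:wsse="{WSSE}"/></soapenv:Header>
  <soapenv:Body><ns1:getUnitId xmlns:ns1="urn:example"><ns1:unitId>b3Z76yu439156</ns1:unitId></ns1:getUnitId></soapenv:Body>
</soapenv:Envelope>"""

COMPLETE_REQUEST = f"""<soapenv:Envelope xmlns:soapenv="{SOAP_ENV}">
  <soapenv:Header><wsse:Security xmlns:wsse="{WSSE}"><wsse:UsernameToken>
    <wsse:Username>alice</wsse:Username><wsse:Password>s3cret</wsse:Password>
  </wsse:UsernameToken></wsse:Security></soapenv:Header>
  <soapenv:Body><ns1:getUnitId xmlns:ns1="urn:example"><ns1:unitId>b3Z76yu439156</ns1:unitId></ns1:getUnitId></soapenv:Body>
</soapenv:Envelope>"""
```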
