From: "Chris Dalrymple (JIRA)"
To: java-dev@axis.apache.org
Date: Wed, 22 Dec 2010 03:56:11 -0500 (EST)
Subject: [jira] Commented: (RAMPART-240) incomplete SOAP header bypasses rampart security

[ https://issues.apache.org/jira/browse/RAMPART-240?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12974115#action_12974115 ]

Chris Dalrymple commented on RAMPART-240:
-----------------------------------------

You have got to be kidding, right? This issue was posted 17/Nov/08. That was over two years ago. Now your answer is that the method is deprecated? With a turnaround like that, this could be your stock answer for everything.

Thanks for getting back to me, Rip Van Winkle

> incomplete SOAP header bypasses rampart security
> ------------------------------------------------
>
>                 Key: RAMPART-240
>                 URL: https://issues.apache.org/jira/browse/RAMPART-240
>             Project: Rampart
>          Issue Type: Bug
>    Affects Versions: 1.4
>         Environment: eclipse ganymede, Tomcat 6.0.18 running on Windows XP
>            Reporter: Chris Dalrymple
>
> I configured a web service to use basic authentication as demonstrated in basic/example3 of the rampart 1.3 examples. The security works as expected when a request comes in without the necessary SOAP header and the following response is returned:
>
> [ERROR] WSDoAllReceiver: Incoming message does not contain required Security header
>
> The security also works as expected when the properly formed SOAP header contains either the wrong username or password. The Callback Handler is invoked and the following response is returned:
>
> [ERROR] WSDoAllReceiver: security processing failed
>
> The problem, which I discovered quite by accident, is that a request that is lacking some of the security elements of the SOAP header seems to bypass the Callback Handler completely and give access to the secured resource. Below is an example of a SOAP request that behaves as described.
>
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" />
>
> b3Z76yu439156
>
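The three header states the ticket distinguishes (no Security header, a complete UsernameToken, and a Security header with pieces missing) can be checked explicitly so that the third state is rejected instead of skipping the callback handler. The code below is an added example, not Rampart's or WSS4J's own code; it assumes a SOAP 1.1 envelope and the wsse namespace quoted in the ticket, and every sample envelope and credential in it is constructed.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
# Children a UsernameToken must carry before any credential callback is worth running.
REQUIRED_TOKEN_CHILDREN = ("Username", "Password")


def check_security_header(envelope_xml: str) -> str:
    """Classify the WS-Security header of a SOAP 1.1 envelope (hypothetical helper).

    "missing-header"   : no wsse:Security inside soap:Header
    "incomplete-token" : wsse:Security present, but no UsernameToken carrying both a
                         non-empty Username and Password (the ticket's bypass case)
    "complete-token"   : credentials present; only now should the callback handler run
    """
    root = ET.fromstring(envelope_xml)  # production: use a parser hardened against XXE
    header = root.find(f"{{{SOAP_NS}}}Header")
    security = header.find(f"{{{WSSE_NS}}}Security") if header is not None else None
    if security is None:
        return "missing-header"
    for token in security.findall(f"{{{WSSE_NS}}}UsernameToken"):
        if all(token.findtext(f"{{{WSSE_NS}}}{c}") for c in REQUIRED_TOKEN_CHILDREN):
            return "complete-token"
    return "incomplete-token"


def accept_request(envelope_xml: str) -> bool:
    """Fail closed: anything short of a complete token is rejected, never waved through."""
    return check_security_header(envelope_xml) == "complete-token"


def _envelope(header_body: str) -> str:
    """Wrap constructed header content in a minimal SOAP 1.1 envelope."""
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:wsse="{WSSE_NS}">'
            f"<soapenv:Header>{header_body}</soapenv:Header>"
            "<soapenv:Body><echo>hi</echo></soapenv:Body></soapenv:Envelope>")


# Constructed sample requests (not the request attached to the ticket).
NO_HEADER = _envelope("")
EMPTY_SECURITY = _envelope("<wsse:Security/>")
NONCE_ONLY = _envelope("<wsse:Security><wsse:UsernameToken>"
                       "<wsse:Nonce>Y29uc3RydWN0ZWQ=</wsse:Nonce>"
                       "</wsse:UsernameToken></wsse:Security>")
COMPLETE = _envelope("<wsse:Security><wsse:UsernameToken>"
                     "<wsse:Username>alice</wsse:Username>"
                     "<wsse:Password>s3cret</wsse:Password>"
                     "</wsse:UsernameToken></wsse:Security>")
```

The only path to the callback handler runs through a header already proven complete; a header that is merely present is treated like a wrong password, not like the absence of a policy.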