axis-java-dev mailing list archives

From "Rananjay Singh" <rananjay.si...@esteltelecom.com>
Subject [axis2] Authentication failed. Security failed.
Date Thu, 24 Feb 2011 11:25:11 GMT
Hi axis team,

I am facing a big security problem while using the Axis server to develop a web service.

My web service is hosted on the Axis server and uses the Rampart module for security.

I am sending a SOAP request with a username and plain text password to get a response from the web service.

My request is as follows:

<?xml version='1.0' encoding='utf-8'?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
      <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-22743805">
        <wsse:Username> clientuser </wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"> Common123#</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <ns1:echo xmlns:ns1="http://RampatSecurityTest/xsd"><param0>Hello world</param0></ns1:echo>
  </soapenv:Body>
</soapenv:Envelope>

It is authenticating the user name and password.

But when I change my request as follows:

<?xml version='1.0' encoding='utf-8'?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
      <wsse:UsernameToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsse:Id="UsernameToken-22743805">
        <wsse:Username>clientuser</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">Common123#</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <ns1:echo xmlns:ns1="http://RampatSecurityTest/xsd"><param0>Hello world</param0></ns1:echo>
  </soapenv:Body>
</soapenv:Envelope>

It does not authenticate the user name and password, and directly executes the echo operation.

The difference between the requests is highlighted.

Please suggest a solution to secure my web service.

I am using the following components:

Axis2 version is 1.5.4
rampart-1.3 with rahas-1.3
server.xml (attached)

Thanks and Regards,

Rananjay Singh
Asst Manager - Technical, Estel
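
Added example, not part of the original message and not Axis2 or Rampart code: a namespace-aware parse of two constructed envelopes modelled on the requests above shows that the second one carries no UsernameToken in the WS-Security secext namespace, and a fail-closed check rejects it instead of passing the call through. The placeholder credentials, the shortened token Id and the helper names `qualified_names` and `extract_username_token` are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Constructed sample input: placeholder credentials, only the UsernameToken start tag varies.
TEMPLATE = (
    '<soapenv:Envelope xmlns:soapenv="' + SOAP + '"><soapenv:Header>'
    '<wsse:Security xmlns:wsse="' + WSSE + '" soapenv:mustUnderstand="1">'
    '<wsse:UsernameToken {attrs}>'
    '<wsse:Username>user</wsse:Username><wsse:Password>placeholder</wsse:Password>'
    '</wsse:UsernameToken></wsse:Security></soapenv:Header>'
    '<soapenv:Body><ns1:echo xmlns:ns1="http://RampatSecurityTest/xsd">'
    '<param0>Hello world</param0></ns1:echo></soapenv:Body></soapenv:Envelope>'
)
FIRST = TEMPLATE.format(attrs='xmlns:wsu="' + WSU + '" wsu:Id="UsernameToken-1"')
SECOND = TEMPLATE.format(attrs='xmlns:wsse="' + WSU + '" wsse:Id="UsernameToken-1"')


def qualified_names(envelope):
    """Return the expanded {namespace}local names of the Security header's children."""
    root = ET.fromstring(envelope)
    security = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    return [] if security is None else [child.tag for child in security]


def extract_username_token(envelope):
    """Fail closed: return (username, password) or raise PermissionError."""
    if "<!DOCTYPE" in envelope:  # SOAP messages must not carry a DTD
        raise PermissionError("DTDs are not allowed in SOAP messages")
    root = ET.fromstring(envelope)
    token = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if token is None:
        raise PermissionError("no UsernameToken in the WS-Security secext namespace")
    user = token.findtext(f"{{{WSSE}}}Username", "").strip()
    password = token.findtext(f"{{{WSSE}}}Password", "")
    if not user or not password:
        raise PermissionError("UsernameToken is missing Username or Password")
    return user, password


if __name__ == "__main__":
    for name, msg in (("first", FIRST), ("second", SECOND)):
        print(name, qualified_names(msg))
        try:
            print("  token for", extract_username_token(msg)[0])
        except PermissionError as err:
            print("  rejected:", err)
```

A check of this kind runs before the operation is dispatched, so a request whose security header holds no recognised token is refused instead of reaching `echo`.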