axis-java-user mailing list archives

From "Chad DeBauch" <cdeba...@gmail.com>
Subject Re: [axis2] UsernameToken and Signature service issue
Date Mon, 30 Jul 2007 14:59:58 GMT
I found the cause of the issue.  It is a security issue with wss4j; there is
an issue in Jira regarding this:
https://issues.apache.org/jira/browse/WSS-70

Chad

On 7/27/07, Chad DeBauch <cdebauch@gmail.com> wrote:
>
> Here is a snippet of my services.xml file:
>
> <serviceGroup>
> <service name="nosecurity">
>     ... no security set up
> </service>
> <service name="UT">
>     ... same service as nosecurity except it has UsernameToken security
>     <module ref="rampart" />
>     <parameter name="InflowSecurity">
>       <action>
>         <items>UsernameToken</items>
>         <passwordCallbackClass>my.PWCallback</passwordCallbackClass>
>         <signaturePropFile>crypto.properties</signaturePropFile>
>       </action>
>     </parameter>
> </service>
> <service name="UTS">
>     ... same service as nosecurity except it has UsernameToken and
> Signature security enabled.
>     <module ref="rampart" />
>     <parameter name="InflowSecurity">
>       <action>
>         <items>UsernameToken Signature</items>
>         <passwordCallbackClass>my.PWCallback</passwordCallbackClass>
>         <signaturePropFile>crypto.properties</signaturePropFile>
>       </action>
>     </parameter>
> </service>
> </serviceGroup>
>
> "nosecurity" and "UT" work as they should.  But the "UTS" service allows
> the client to send the UsernameToken without the Signature and Rampart
> accepts it, thus bypassing the Signature.  If I send both UsernameToken and
> the Signature it also accepts it.  If I send both with a bad signature it
> rejects the request.
>
> I tested this with an axis1 webservice and found that the "UTS" service
> acted as it should, rejecting the request when only the UsernameToken is
> sent.
>
> Why is it accepting UsernameToken without the Signature?  What do I need
> to do so that the Signature is required?
>
> Thanks,
>
> Chad
>
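The check the "UTS" configuration was expected to enforce, written out as an added example (not code from this thread, from Rampart or from WSS4J): every action listed in `<items>` must be present in the inbound wsse:Security header, so a UsernameToken-only request is rejected rather than passing because the token alone validated. The SOAP envelopes are constructed samples with placeholder values; verifying the signature itself is outside this snippet.

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"

# Map each action name from <items> to the header element that proves it was applied.
ACTION_ELEMENTS = {
    "UsernameToken": "{%s}UsernameToken" % WSSE,
    "Signature": "{%s}Signature" % DS,
}

def required_actions(inflow_items):
    """Parse the whitespace-separated <items> value from services.xml."""
    return [a for a in inflow_items.split() if a]

def present_actions(envelope_xml):
    """Names of actions whose element appears directly under the wsse:Security header."""
    root = ET.fromstring(envelope_xml)
    header = root.find("{%s}Header" % SOAP)
    security = header.find("{%s}Security" % WSSE) if header is not None else None
    if security is None:
        return set()
    return {name for name, tag in ACTION_ELEMENTS.items() if security.find(tag) is not None}

def missing_actions(inflow_items, envelope_xml):
    """Configured actions absent from the message; a non-empty list means reject."""
    found = present_actions(envelope_xml)
    return [a for a in required_actions(inflow_items) if a not in found]

# Constructed sample requests (no real credentials or signature values).
UT_ONLY = """<s:Envelope xmlns:s="%s"><s:Header>
<wsse:Security xmlns:wsse="%s"><wsse:UsernameToken><wsse:Username>chad</wsse:Username>
</wsse:UsernameToken></wsse:Security></s:Header><s:Body/></s:Envelope>""" % (SOAP, WSSE)

UT_AND_SIG = """<s:Envelope xmlns:s="%s"><s:Header>
<wsse:Security xmlns:wsse="%s" xmlns:ds="%s"><wsse:UsernameToken><wsse:Username>chad</wsse:Username>
</wsse:UsernameToken><ds:Signature><ds:SignedInfo/><ds:SignatureValue>placeholder</ds:SignatureValue>
</ds:Signature></wsse:Security></s:Header><s:Body/></s:Envelope>""" % (SOAP, WSSE, DS)

if __name__ == "__main__":
    # The "UTS" policy from the thread: both actions are required.
    print(missing_actions("UsernameToken Signature", UT_ONLY))     # ['Signature']
    print(missing_actions("UsernameToken Signature", UT_AND_SIG))  # []
```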
