*Important* Wss4jSecurityInterceptor: bug or expected behavior?
    Tareq/Arjen,

    Please help me with this.

    I was doing some tests with the Wss4jSecurityInterceptor using the UsernameToken profile. Here is my simple configuration on the server side:

    Code:
    <bean id="wss4j" class="org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor">
        <property name="validationActions" value="UsernameToken" />
        <property name="validationCallbackHandler" ref="callbackHandler" />
    </bean>
    <bean id="callbackHandler"
        class="org.springframework.ws.soap.security.wss4j.callback.SimplePasswordValidationCallbackHandler">
        <property name="users">
            <props>
                <prop key="Ernie">Bert</prop>
            </props>
        </property>
    </bean>
    Everything works fine at the beginning...

    If my SOAP message doesn't have the <wsse:Security> header, I get an error like 'No WS-Security header found'.

    Passing the correct username and password, the server validates correctly. Passing a wrong username or password, I get an exception.

    The problem is that when I send an empty <wsse:Security> header, I don't get the exception I believe I should get.

    Putting the code below in soapUI and sending it, I get a normal response, just like when I pass the correct username and token.

    Code:
    ...
    <SOAP-ENV:Header>
        <wsse:Security
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            SOAP-ENV:mustUnderstand="1">
        </wsse:Security>
    </SOAP-ENV:Header>
    ...
    I tried with other validationActions like Signature, and the behavior is the same. If the header is empty, the signature validation is not performed and I get no exceptions.

    Is this right?
    If I want to secure my web service with a username and password I can't because someone can just pass an empty header!

    Help, please!
    Thanks!
    Last edited by michelz; Nov 15th, 2008, 07:08 PM.
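    The behavior described in the post is that an empty <wsse:Security> header is accepted because there is nothing in it to validate. The following is an added example (not Spring-WS code, and not from the thread's author) of the kind of pre-dispatch check a defender would want: it parses the envelope and rejects any request whose Security header does not actually carry the token each configured validation action requires. It goes slightly beyond the post by handling the Signature action as well as UsernameToken. Assumptions: SOAP 1.1 envelope namespace, the WSS 1.0 secext namespace from the post, XML-DSig for signatures, and the constructed sample messages shown in the block. Password checking itself is still left to the interceptor; this only closes the "empty header" gap.

```python
"""Pre-dispatch check that a WS-Security header carries the tokens the
endpoint's validationActions require. Added example, not Spring-WS code.
All SOAP messages below are constructed samples."""
import xml.etree.ElementTree as ET

# Assumption: SOAP 1.1; the post's SOAP-ENV prefix suggests this namespace.
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
DSIG = "http://www.w3.org/2000/09/xmldsig#"  # WS-Security signatures are XML-DSig

# Element that each validation action must find directly under <wsse:Security>.
REQUIRED_ELEMENT = {
    "UsernameToken": f"{{{WSSE}}}UsernameToken",
    "Signature": f"{{{DSIG}}}Signature",
}


def check_security_header(envelope_xml: str, validation_actions: str) -> tuple:
    """Return (accepted, reason).

    validation_actions uses the interceptor's space-separated form, e.g.
    "UsernameToken" or "UsernameToken Signature". The request is accepted only
    when every configured action has its token present; a missing or empty
    <wsse:Security> header is rejected instead of silently passing through.
    """
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError as exc:
        return False, f"malformed envelope: {exc}"
    header = root.find(f"{{{SOAP_ENV}}}Header")
    if header is None:
        return False, "no SOAP header"
    security = header.find(f"{{{WSSE}}}Security")
    if security is None:
        return False, "no WS-Security header found"
    if len(security) == 0:  # whitespace-only content counts as empty
        return False, "WS-Security header is empty"
    for action in validation_actions.split():
        tag = REQUIRED_ELEMENT.get(action)
        if tag is None:
            return False, f"unknown validation action {action!r}"
        token = security.find(tag)
        if token is None:
            return False, f"{action} required but not present"
        if action == "UsernameToken":
            username = token.findtext(f"{{{WSSE}}}Username", default="").strip()
            password = token.findtext(f"{{{WSSE}}}Password", default="").strip()
            if not username or not password:
                return False, "UsernameToken missing Username or Password"
    return True, "required tokens present"


def _envelope(security_body: str) -> str:
    """Build a constructed SOAP 1.1 envelope with the given Security content."""
    return (
        f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_ENV}">'
        f'<SOAP-ENV:Header><wsse:Security xmlns:wsse="{WSSE}" '
        f'SOAP-ENV:mustUnderstand="1">{security_body}</wsse:Security>'
        '</SOAP-ENV:Header><SOAP-ENV:Body><ping/></SOAP-ENV:Body></SOAP-ENV:Envelope>'
    )


# Constructed samples: the empty header from the post, a proper token using
# the post's Ernie/Bert credentials, and an envelope with no Security header.
EMPTY_HEADER = _envelope("   ")
GOOD_USERNAME_TOKEN = _envelope(
    "<wsse:UsernameToken><wsse:Username>Ernie</wsse:Username>"
    "<wsse:Password>Bert</wsse:Password></wsse:UsernameToken>"
)
NO_SECURITY = (
    f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_ENV}">'
    "<SOAP-ENV:Header/><SOAP-ENV:Body/></SOAP-ENV:Envelope>"
)

if __name__ == "__main__":
    for name, msg in [("empty", EMPTY_HEADER), ("good", GOOD_USERNAME_TOKEN),
                      ("none", NO_SECURITY)]:
        print(name, check_security_header(msg, "UsernameToken"))
```

    Run stand-alone, the script reports the empty header and the missing header as rejected and the complete UsernameToken as accepted; the same function with "Signature" rejects a message that only carries a UsernameToken.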

  • #2
    This certainly doesn't sound like normal expected behavior! Could you please create a Jira issue and attach any useful code you have to help diagnose this?

    • #3
      OK!

      I created a sample project with JUnit tests!
      If it is something I can do, please just let me know!

      Here is the jira issue:
      http://jira.springframework.org/browse/SWS-448

      Thanks
