You are viewing a plain text version of this content. The canonical link for it is here.
Posted to rampart-dev@ws.apache.org by "Nandana Mihindukulasooriya (JIRA)" <ji...@apache.org> on 2008/02/12 08:24:07 UTC
[jira] Resolved: (RAMPART-140) Processing of response fails if a
security policy is set
[ https://issues.apache.org/jira/browse/RAMPART-140?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Nandana Mihindukulasooriya resolved RAMPART-140.
------------------------------------------------
Resolution: Fixed
Fixed revision 620714.
> Processing of response fails if a security policy is set
> --------------------------------------------------------
>
> Key: RAMPART-140
> URL: https://issues.apache.org/jira/browse/RAMPART-140
> Project: Rampart
> Issue Type: Bug
> Components: rampart-core
> Affects Versions: 1.3
> Environment: winxp, wso2 wsas 2.2 (axis2 1.35, rampart 1.35)
> Reporter: Matt Voysey
> Assignee: Nandana Mihindukulasooriya
>
> We have an (axis2 powered) webservice secured using UsernameToken over SSL Transport Security. The service returns checks InflowSecurity but has no OutflowSecurity configured - therefore it returns a soap response with no <wsse:Security> header.
> I've created a client program to consume this service and tried to use a security policy to set its security options. This basically configures the rampart module with a simple UTOverTransport policy (exactly as used in the rampart sample program (policy sample 01)). At runtime the receive path fails with an AxisFault: InvalidSecurity exception. I've tracked this down to the org.apache.rampart.handler.PostDispatchVerification class, which at the end of the invoke() method has some code as follows:
> //Now check for security processing results if security policy is available
> if(securityPolicyPresent && msgContext.getProperty(WSHandlerConstants.RECV_RESULTS) == null) {
> throw new AxisFault("InvalidSecurity");
> }
>
> This effectively says if a security policy of any kind has been enabled and there is no security header in the message then it's an error. I don't think this is the case according to the ws-securitypolicy spec, in which the presence of even a Timestamp element is optional.
> Configuring rampart using the "deprecated" parameter-based approach (creating a specific OutflowConfiguration programmatically for the client stub) works fine with this same service.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.