Posted to java-user@axis.apache.org by Chad DeBauch <cd...@gmail.com> on 2007/07/27 20:41:00 UTC

[axis2] UsernameToken and Signature service issue

Here is a snippet of my services.xml file:

<serviceGroup>
<service name="nosecurity">
    ... no security set up
</service>
<service name="UT">
    ... same service as nosecurity except it has UsernameToken security
    <module ref="rampart" />
    <parameter name="InflowSecurity">
      <action>
        <items>UsernameToken</items>
        <passwordCallbackClass>my.PWCallback</passwordCallbackClass>
        <signaturePropFile>crypto.properties</signaturePropFile>
      </action>
    </parameter>
</service>
<service name="UTS">
    ... same service as nosecurity except it has UsernameToken and Signature
security enabled.
    <module ref="rampart" />
    <parameter name="InflowSecurity">
      <action>
        <items>UsernameToken Signature</items>
        <passwordCallbackClass>my.PWCallback</passwordCallbackClass>
        <signaturePropFile>crypto.properties</signaturePropFile>
      </action>
    </parameter>
</service>
</serviceGroup>

"nosecurity" and "UT" work as they should.  But the "UTS" service allows the
client to send the UsernameToken without the Signature and Rampart accepts
it, thus bypassing the Signature.  If I send both UsernameToken and the
Signature it also accepts it.  If I send both with a bad signature it
rejects the request.

I tested this with an axis1 webservice and found that the "UTS" service
acted as it should, rejecting the request when only the UsernameToken is
sent.

Why is it accepting UsernameToken without the Signature?  What do I need to
do so that the Signature is required?

Thanks,

Chad
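The following is an added example, not code from this thread, from Rampart or from WSS4J: an Axis2 handler that runs after Rampart's inflow processing and refuses any request whose WS-Security results do not contain both a UsernameToken and a Signature. It assumes WSS4J 1.5.x (where WSSecurityEngineResult exposes getAction()), that Rampart stores its results on the message context under WSHandlerConstants.RECV_RESULTS, and the package name "my" is an assumption chosen to match "my.PWCallback" in the configuration above. The class name RequireSignatureHandler and the helper hasActions are hypothetical names introduced here.

```java
// Added example (not from the thread, Rampart or WSS4J). Assumes WSS4J 1.5.x
// and that Rampart's inflow handler has already run and stored its results
// under WSHandlerConstants.RECV_RESULTS on the MessageContext.
package my; // assumed package, matching "my.PWCallback" in the services.xml above

import java.util.Iterator;
import java.util.Vector;

import org.apache.axis2.AxisFault;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.engine.Handler.InvocationResponse;
import org.apache.axis2.handlers.AbstractHandler;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;

public class RequireSignatureHandler extends AbstractHandler {

    // Actions that must all be present before the request is allowed through.
    private static final int[] REQUIRED = { WSConstants.UT, WSConstants.SIGN };

    public InvocationResponse invoke(MessageContext msgCtx) throws AxisFault {
        Vector handlerResults = (Vector) msgCtx.getProperty(WSHandlerConstants.RECV_RESULTS);
        if (!hasActions(handlerResults, REQUIRED)) {
            // Fail closed: a missing Signature must not be treated as "nothing to verify".
            throw new AxisFault(
                "Request rejected: the WS-Security header must carry both a UsernameToken and a Signature");
        }
        return InvocationResponse.CONTINUE;
    }

    /**
     * Returns true only if every action in 'required' appears among the
     * WSSecurityEngineResult entries that WSS4J produced for this message.
     * A null result vector means no security processing happened at all,
     * which is also a rejection.
     */
    static boolean hasActions(Vector handlerResults, int[] required) {
        if (handlerResults == null) {
            return false;
        }
        boolean[] seen = new boolean[required.length];
        for (Iterator h = handlerResults.iterator(); h.hasNext();) {
            WSHandlerResult hr = (WSHandlerResult) h.next();
            for (Iterator r = hr.getResults().iterator(); r.hasNext();) {
                WSSecurityEngineResult er = (WSSecurityEngineResult) r.next();
                for (int i = 0; i < required.length; i++) {
                    if (er.getAction() == required[i]) {
                        seen[i] = true;
                    }
                }
            }
        }
        for (int i = 0; i < seen.length; i++) {
            if (!seen[i]) {
                return false;
            }
        }
        return true;
    }
}
```

The handler has to be deployed (via a module.xml or the service's own handler chain) in a phase ordered after the one Rampart's inflow handler runs in, otherwise RECV_RESULTS is still null and every request is rejected. Note that this enforces only the presence of a verified Signature result; it does not check which elements the signature covers, so a production deployment should additionally confirm that the Body (and the UsernameToken, if it is relied on) are among the signed parts.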

Re: [axis2] UsernameToken and Signature service issue

Posted by Chad DeBauch <cd...@gmail.com>.
I found the cause of the issue.  It is a security issue with wss4j, there is
an issue in Jira regarding this:
https://issues.apache.org/jira/browse/WSS-70

Chad

On 7/27/07, Chad DeBauch <cd...@gmail.com> wrote:
>
> Here is a snippet of my services.xml file:
>
> <serviceGroup>
> <service name="nosecurity">
>     ... no security set up
> </service>
> <service name="UT">
>     ... same service as nosecurity except it has UsernameToken security
>     <module ref="rampart" />
>     <parameter name="InflowSecurity">
>       <action>
>         <items>UsernameToken</items>
>         <passwordCallbackClass>my.PWCallback</passwordCallbackClass>
>         <signaturePropFile>crypto.properties</signaturePropFile>
>       </action>
>     </parameter>
> </service>
> <service name="UTS">
>     ... same service as nosecurity except it has UsernameToken and
> Signature security enabled.
>     <module ref="rampart" />
>     <parameter name="InflowSecurity">
>       <action>
>         <items>UsernameToken Signature</items>
>         <passwordCallbackClass>my.PWCallback</passwordCallbackClass>
>         <signaturePropFile>crypto.properties</signaturePropFile>
>       </action>
>     </parameter>
> </service>
> </serviceGroup>
>
> "nosecurity" and "UT" work as they should.  But the "UTS" service allows
> the client to send the UsernameToken without the Signature and Rampart
> accepts it, thus bypassing the Signature.  If I send both UsernameToken and
> the Signature it also accepts it.  If I send both with a bad signature it
> rejects the request.
>
> I tested this with an axis1 webservice and found that the "UTS" service
> acted as it should, rejecting the request when only the UsernameToken is
> sent.
>
> Why is it accepting UsernameToken without the Signature?  What do I need
> to do so that the Signature is required?
>
> Thanks,
>
> Chad
>