You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tuscany.apache.org by "Phil Housley (JIRA)" <de...@tuscany.apache.org> on 2009/02/09 15:11:02 UTC

[jira] Created: (TUSCANY-2824) Cannot engage web service security

Cannot engage web service security
----------------------------------

                 Key: TUSCANY-2824
                 URL: https://issues.apache.org/jira/browse/TUSCANY-2824
             Project: Tuscany
          Issue Type: Bug
          Components: Java SCA Axis Binding Extension
    Affects Versions: Java-SCA-1.4
         Environment: At least linux, windows with jetty, tomcat.
            Reporter: Phil Housley
            Priority: Critical


Web services exposed with Tuscany do not apply the wss rules assigned to them, and therefore give full access to any caller.

Example: helloworld-ws-service-secure - appears to run fine, but actually does not require authentication/integrity as is declared in the composite.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[jira] Assigned: (TUSCANY-2824) Cannot engage web service security

Posted by "Simon Laws (JIRA)" <de...@tuscany.apache.org>.

     [ https://issues.apache.org/jira/browse/TUSCANY-2824?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Simon Laws reassigned TUSCANY-2824:
-----------------------------------

    Assignee: Simon Laws

> Cannot engage web service security
> ----------------------------------
>
>                 Key: TUSCANY-2824
>                 URL: https://issues.apache.org/jira/browse/TUSCANY-2824
>             Project: Tuscany
>          Issue Type: Bug
>          Components: Java SCA Axis Binding Extension
>    Affects Versions: Java-SCA-1.4
>         Environment: At least linux, windows with jetty, tomcat.
>            Reporter: Phil Housley
>            Assignee: Simon Laws
>            Priority: Critical
>
> Web services exposed with Tuscany do not apply the wss rules assigned to them, and therefore give full access to any caller.
> Example: helloworld-ws-service-secure - appears to run fine, but actually does not require authentication/integrity as is declared in the composite.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[jira] Commented: (TUSCANY-2824) Cannot engage web service security

Posted by "Simon Laws (JIRA)" <de...@tuscany.apache.org>.

    [ https://issues.apache.org/jira/browse/TUSCANY-2824?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12672970#action_12672970 ] 

Simon Laws commented on TUSCANY-2824:
-------------------------------------

I committed a change at  revision: 743732   that re-enables the rest of WSPolicy. 

Two not so great fixes here...

Firstly WSSecurityPolicyHandler pushes a property into the Axis configuration context to force Rampart to recognize the policy. I haven't discovered what part of our configuration is required to do this properly. More investigation required.

Secondly I fixed the helloworld-ws-service-secure test case to reference the wsdl on binding.ws. Without this you get a NPE in axis/rampart as it fails to map binding operations to port type operation using QNames (don't know why it thinks these are QNames). Our generated WSDL has the generated binding in a different namespace to the port type. Associating the wsdl binding with binding.ws means that the binding is not generated at the made up QNames match. This issues has two areas of further investigate. We need to raise a JIRA with Axis (I'll do that and post here). We need to review the mechanism by which we genetate WSDL with different namespaces and also with imports. The latter is probably a 2.x piece of work. 

Some discussion of this last issue on our ML here http://www.mail-archive.com/dev%40tuscany.apache.org/msg05225.html


> Cannot engage web service security
> ----------------------------------
>
>                 Key: TUSCANY-2824
>                 URL: https://issues.apache.org/jira/browse/TUSCANY-2824
>             Project: Tuscany
>          Issue Type: Bug
>          Components: Java SCA Axis Binding Extension
>    Affects Versions: Java-SCA-1.4
>         Environment: At least linux, windows with jetty, tomcat.
>            Reporter: Phil Housley
>            Assignee: Simon Laws
>            Priority: Critical
>
> Web services exposed with Tuscany do not apply the wss rules assigned to them, and therefore give full access to any caller.
> Example: helloworld-ws-service-secure - appears to run fine, but actually does not require authentication/integrity as is declared in the composite.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.