Posted to java-dev@axis.apache.org by Jaime Hablutzel Egoavil <ha...@gmail.com> on 2009/10/20 15:40:34 UTC
axis2 security bug?
Hi, I'm a newbie in web services and security. I'm using WSO2 as an Axis2
wrapper to make working with Spring easier. Well,
I have published a service that requires user token authentication and SSL
transport using this policy:
<wsp:Policy wsu:Id="UsernameTokenOverHTTPS"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:TransportToken>
            <wsp:Policy>
              <sp:HttpsToken RequireClientCertificate="false" />
            </wsp:Policy>
          </sp:TransportToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic256 />
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Lax />
            </wsp:Policy>
          </sp:Layout>
          <sp:IncludeTimestamp />
        </wsp:Policy>
      </sp:TransportBinding>
      <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient" />
        </wsp:Policy>
      </sp:SignedSupportingTokens>
      <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
        <ramp:passwordCallbackClass>pe.gob.hndac.ldap.PasswordCallbackHandler</ramp:passwordCallbackClass>
      </ramp:RampartConfig>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
If I send this request (sniffed with TCPMon):
POST
http://172.17.0.24:8080/emrws/services/emrAuthWs.emrAuthWsHttpSoap12Endpoint/HTTP/1.1
User-Agent: Axis2C/1.5.0
Content-Type: application/soap+xml;charset=UTF-8
;action="urn:getPatientDetails"
Host: 172.17.0.24:8080
Content-Length: 310
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
xmlns:ws="http://ws.hndac.gob.pe">
<soap:Header/>
<soap:Body>
<ws:getPatientDetails>
<!--Optional:-->
<ws:identificador>12</ws:identificador>
</ws:getPatientDetails>
</soap:Body>
</soap:Envelope>
I receive this answer:
<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
<soapenv:Body>
<soapenv:Fault xmlns:axis2ns19="
http://www.w3.org/2003/05/soap-envelope">
<soapenv:Code>
<soapenv:Value>axis2ns19:Sender</soapenv:Value>
<soapenv:Subcode>
<soapenv:Value xmlns:wsse="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
">wsse:InvalidSecurity</soapenv:Value>
</soapenv:Subcode>
</soapenv:Code>
<soapenv:Reason>
<soapenv:Text xml:lang="en-US">Missing wsse:Security header in
request</soapenv:Text>
</soapenv:Reason>
<soapenv:Detail/>
</soapenv:Fault>
</soapenv:Body>
</soapenv:Envelope>
OK, this is an Axis fault, and that is fine, but if I send:
POST
http://172.17.0.24:8080/emrws/services/emrAuthWs.emrAuthWsHttpSoap12Endpoint/HTTP/1.1
User-Agent: Axis2C/1.5.0
Content-Length: 294
Content-Type: application/soap+xml;charset=UTF-8
Host: 172.17.0.24:8080
<soapenv:Envelope
xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope"><soapenv:Header/><soapenv:Body><ws:getPatientDetails
xmlns:ws="http://ws.hndac.gob.pe">
<!--Optional:-->
<ws:identificador>12</ws:identificador>
</ws:getPatientDetails></soapenv:Body></soapenv:Envelope>
Note the missing action attribute in the HTTP Content-Type header. I receive
this answer:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/soap+xml;
action="urn:getPatientDetailsResponse";charset=UTF-8
Transfer-Encoding: chunked
Date: Tue, 20 Oct 2009 13:30:41 GMT
641
<?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope xmlns:soapenv="
http://www.w3.org/2003/05/soap-envelope"><soapenv:Header>
<wsse:Security xmlns:wsse="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
soapenv:mustUnderstand="true"><wsu:Timestamp xmlns:wsu="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Timestamp-16078681"><wsu:Created>2009-10-20T13:30:41.184Z</wsu:Created><wsu:Expires>2009-10-20T13:35:41.184Z</wsu:Expires></wsu:Timestamp></wsse:Security></soapenv:Header><soapenv:Body><ns:getPatientDetailsResponse
xmlns:ns="http://ws.hndac.gob.pe"><ns:return xmlns:ax23="http://model/xsd"
type="model.Paciente"><ax23:apellidoMaterno>ALFARO</ax23:apellidoMaterno><ax23:apellidoPaterno>SAENZ</ax23:apellidoPaterno><ax23:direccion
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"
/><ax23:documentoIdentidad xmlns:xsi="
http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"
/><ax23:fechaAdmision xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:nil="true"
/><ax23:fechaNacimiento>1957-08-16T05:00:00.000Z</ax23:fechaNacimiento><ax23:identificador>12</ax23:identificador><ax23:nombres>CARMEN
ROSA</ax23:nombres><ax23:sexo>F</ax23:sexo><ax23:telefono xmlns:xsi="
http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"
/><ax23:ubigeoNacimiento xmlns:xsi="
http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"
/><ax23:ubigeoResidencia xmlns:xsi="
http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"
/></ns:return></ns:getPatientDetailsResponse></soapenv:Body></soapenv:Envelope>
0
Ouch, without user authentication or SSL transport :S
--
Jaime Hablutzel
(accents intentionally omitted) 9 8964 0369
Re: axis2 security bug?
Posted by Keith Chapman <ke...@gmail.com>.
To answer your question on the action attribute: it is an optional part of
the Content-Type header (when SOAP 1.2 is used, which is your case) which
gives the server a hint for dispatching the request. If you had used SOAP 1.1
it would have been a separate HTTP header called SOAPAction (which is
mandatory in SOAP 1.1).
Thanks,
Keith.
On Wed, Oct 21, 2009 at 9:24 AM, Jaime Hablutzel Egoavil <
hablutzel1@gmail.com> wrote:
> I'm using wso2 for axis2 spring support:
>
> pom.xml (extract)
>
> <dependency>
> <groupId>org.apache.rampart</groupId>
> <artifactId>rampart-core</artifactId>
> <version>1.4</version>
> </dependency>
>
>
> <dependency>
> <groupId>org.apache.axis2</groupId>
> <artifactId>axis2-kernel</artifactId>
> <version>1.4.1</version>
> </dependency>
>
> <dependency>
> <groupId>org.wso2.spring.ws</groupId>
> <artifactId>wsf-spring</artifactId>
> <version>1.5</version>
> </dependency>
>
> applicationContext.xml
>
> <!-- we create a bean for the secured class -->
> <bean id="emrauthws" class="pe.gob.hndac.ws.EmrServiceAuthImpl" />
>
> <bean id="emrAuthService" class="org.wso2.spring.ws.SpringWebService">
> <property name="serviceBean"
> ref="emrauthws"></property>
> <property name="serviceName"
> value="emrAuthWs"></property>
> <property name="serviceDescription"
> value="Provee de metodos para acceder a informacion
> detallada."></property>
> <property name="modules">
> <list>
> <value>rampart</value>
> </list>
> </property>
> <property name="policyFiles">
> <list>
> <!-- <value>policyNoSSL.xml</value> -->
> <value>policy.xml</value>
> </list>
> </property>
> <!--
> If we include a method that does not belong to the bean
> being exposed,
> it is shown in the WSDL <property
> name="operations"> <list>
> <ref local="operation" /> </list> </property>
> -->
> </bean>
>
> </list>
> </property>
> </bean>
>
>
> policy.xml
>
>
> <wsp:Policy wsu:Id="UsernameTokenOverHTTPS"
> xmlns:wsu="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
> "
> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
> <wsp:ExactlyOne>
> <wsp:All>
> <sp:TransportBinding
> xmlns:sp="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <wsp:Policy>
> <sp:TransportToken>
> <wsp:Policy>
> <sp:HttpsToken RequireClientCertificate="false"
> />
> </wsp:Policy>
> </sp:TransportToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic256 />
> </wsp:Policy>
> </sp:AlgorithmSuite>
> <sp:Layout>
> <wsp:Policy>
> <sp:Lax />
> </wsp:Policy>
> </sp:Layout>
> <sp:IncludeTimestamp />
> </wsp:Policy>
> </sp:TransportBinding>
> <sp:SignedSupportingTokens
> xmlns:sp="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <wsp:Policy>
> <sp:UsernameToken
> sp:IncludeToken="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"
> />
> </wsp:Policy>
> </sp:SignedSupportingTokens>
> <ramp:RampartConfig xmlns:ramp="
> http://ws.apache.org/rampart/policy">
>
> <ramp:passwordCallbackClass>pe.gob.hndac.ldap.PasswordCallbackHandler</ramp:passwordCallbackClass>
> </ramp:RampartConfig>
> </wsp:All>
> </wsp:ExactlyOne>
> </wsp:Policy>
>
>
> with rampart-1.3.mar in the classpath. After all, what is the Content-Type
> action attribute for?
>
>
> On Wed, Oct 21, 2009 at 1:33 AM, Amila Suriarachchi <
> amilasuriarachchi@gmail.com> wrote:
>
>> What is the axis2 version you use?
>>
>> thanks,
>> Amila.
>>
>>
>> On Tue, Oct 20, 2009 at 7:10 PM, Jaime Hablutzel Egoavil <
>> hablutzel1@gmail.com> wrote:
>>
>>> Hi, I'm a newbie in web services and security. I'm using WSO2 as an Axis2
>>> wrapper to make working with Spring easier. Well,
>>>
>>> I have published a service that requires user token authentication and
>>> SSL transport using this policy:
>>>
>>> <wsp:Policy wsu:Id="UsernameTokenOverHTTPS"
>>> xmlns:wsu="
>>> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
>>> "
>>> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>>> <wsp:ExactlyOne>
>>> <wsp:All>
>>> <sp:TransportBinding
>>> xmlns:sp="
>>> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>> <wsp:Policy>
>>> <sp:TransportToken>
>>> <wsp:Policy>
>>> <sp:HttpsToken
>>> RequireClientCertificate="false" />
>>> </wsp:Policy>
>>> </sp:TransportToken>
>>> <sp:AlgorithmSuite>
>>> <wsp:Policy>
>>> <sp:Basic256 />
>>> </wsp:Policy>
>>> </sp:AlgorithmSuite>
>>> <sp:Layout>
>>> <wsp:Policy>
>>> <sp:Lax />
>>> </wsp:Policy>
>>> </sp:Layout>
>>> <sp:IncludeTimestamp />
>>> </wsp:Policy>
>>> </sp:TransportBinding>
>>> <sp:SignedSupportingTokens
>>> xmlns:sp="
>>> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>> <wsp:Policy>
>>> <sp:UsernameToken
>>> sp:IncludeToken="
>>> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"
>>> />
>>> </wsp:Policy>
>>> </sp:SignedSupportingTokens>
>>> <ramp:RampartConfig xmlns:ramp="
>>> http://ws.apache.org/rampart/policy">
>>>
>>> <ramp:passwordCallbackClass>pe.gob.hndac.ldap.PasswordCallbackHandler</ramp:passwordCallbackClass>
>>> </ramp:RampartConfig>
>>> </wsp:All>
>>> </wsp:ExactlyOne>
>>> </wsp:Policy>
>>>
>>> If I send this request (sniffed with TCPMon):
>>>
>>> POST
>>> http://172.17.0.24:8080/emrws/services/emrAuthWs.emrAuthWsHttpSoap12Endpoint/HTTP/1.1
>>> User-Agent: Axis2C/1.5.0
>>> Content-Type: application/soap+xml;charset=UTF-8
>>> ;action="urn:getPatientDetails"
>>> Host: 172.17.0.24:8080
>>> Content-Length: 310
>>>
>>> <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
>>> xmlns:ws="http://ws.hndac.gob.pe">
>>> <soap:Header/>
>>> <soap:Body>
>>> <ws:getPatientDetails>
>>> <!--Optional:-->
>>> <ws:identificador>12</ws:identificador>
>>> </ws:getPatientDetails>
>>> </soap:Body>
>>> </soap:Envelope>
>>>
>>> I receive this answer:
>>>
>>> <soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope
>>> ">
>>> <soapenv:Body>
>>> <soapenv:Fault xmlns:axis2ns19="
>>> http://www.w3.org/2003/05/soap-envelope">
>>> <soapenv:Code>
>>> <soapenv:Value>axis2ns19:Sender</soapenv:Value>
>>> <soapenv:Subcode>
>>> <soapenv:Value xmlns:wsse="
>>> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
>>> ">wsse:InvalidSecurity</soapenv:Value>
>>> </soapenv:Subcode>
>>> </soapenv:Code>
>>> <soapenv:Reason>
>>> <soapenv:Text xml:lang="en-US">Missing wsse:Security header
>>> in request</soapenv:Text>
>>> </soapenv:Reason>
>>> <soapenv:Detail/>
>>> </soapenv:Fault>
>>> </soapenv:Body>
>>> </soapenv:Envelope>
>>>
>>>
>>> OK, this is an Axis fault, and that is fine, but if I send:
>>>
>>> POST
>>> http://172.17.0.24:8080/emrws/services/emrAuthWs.emrAuthWsHttpSoap12Endpoint/HTTP/1.1
>>> User-Agent: Axis2C/1.5.0
>>> Content-Length: 294
>>> Content-Type: application/soap+xml;charset=UTF-8
>>> Host: 172.17.0.24:8080
>>>
>>> <soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope"><soapenv:Header/><soapenv:Body><ws:getPatientDetails
>>> xmlns:ws="http://ws.hndac.gob.pe">
>>> <!--Optional:-->
>>> <ws:identificador>12</ws:identificador>
>>> </ws:getPatientDetails></soapenv:Body></soapenv:Envelope>
>>>
>>> Note the missing action attribute in the HTTP Content-Type header. I
>>> receive this answer:
>>>
>>> HTTP/1.1 200 OK
>>> Server: Apache-Coyote/1.1
>>> Content-Type: application/soap+xml;
>>> action="urn:getPatientDetailsResponse";charset=UTF-8
>>> Transfer-Encoding: chunked
>>> Date: Tue, 20 Oct 2009 13:30:41 GMT
>>>
>>> 641
>>> <?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope xmlns:soapenv="
>>> http://www.w3.org/2003/05/soap-envelope"><soapenv:Header>
>>> <wsse:Security xmlns:wsse="
>>> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>>> soapenv:mustUnderstand="true"><wsu:Timestamp xmlns:wsu="
>>> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>>> wsu:Id="Timestamp-16078681"><wsu:Created>2009-10-20T13:30:41.184Z</wsu:Created><wsu:Expires>2009-10-20T13:35:41.184Z</wsu:Expires></wsu:Timestamp></wsse:Security></soapenv:Header><soapenv:Body><ns:getPatientDetailsResponse
>>> xmlns:ns="http://ws.hndac.gob.pe"><ns:return xmlns:ax23="
>>> http://model/xsd"
>>> type="model.Paciente"><ax23:apellidoMaterno>ALFARO</ax23:apellidoMaterno><ax23:apellidoPaterno>SAENZ</ax23:apellidoPaterno><ax23:direccion
>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"
>>> /><ax23:documentoIdentidad xmlns:xsi="
>>> http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"
>>> /><ax23:fechaAdmision xmlns:xsi="
>>> http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"
>>> /><ax23:fechaNacimiento>1957-08-16T05:00:00.000Z</ax23:fechaNacimiento><ax23:identificador>12</ax23:identificador><ax23:nombres>CARMEN
>>> ROSA</ax23:nombres><ax23:sexo>F</ax23:sexo><ax23:telefono xmlns:xsi="
>>> http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"
>>> /><ax23:ubigeoNacimiento xmlns:xsi="
>>> http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"
>>> /><ax23:ubigeoResidencia xmlns:xsi="
>>> http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"
>>> /></ns:return></ns:getPatientDetailsResponse></soapenv:Body></soapenv:Envelope>
>>> 0
>>>
>>>
>>> Ouch, without user authentication or SSL transport :S
>>>
>>> --
>>> Jaime Hablutzel
>>>
>>> (accents intentionally omitted) 9 8964 0369
>>>
>>
>>
>>
>> --
>> Amila Suriarachchi
>> WSO2 Inc.
>> blog: http://amilachinthaka.blogspot.com/
>>
>
>
>
> --
> Jaime Hablutzel
>
> (accents intentionally omitted) 9 8964 0369
>
--
Thanks,
Keith.
Keith Chapman
blog: http://www.keith-chapman.org
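As an added example (not code from the thread, nor from Axis2, Rampart or WSF/Spring), here is a small regression check for the behaviour Jaime reports and the dispatch hint Keith describes: it builds the same unauthenticated SOAP 1.2 request with and without the Content-Type action parameter and classifies each response, so a deployment can verify that every variant is rejected with a wsse:InvalidSecurity fault rather than served. The sample request and responses are constructed from the captures above, trimmed to the relevant elements; the variant names and function names are my own.

```python
"""Regression check for the behaviour reported in the thread: the same
unauthenticated request must get a wsse:InvalidSecurity fault whether or
not the client sends the SOAP 1.2 Content-Type 'action' parameter."""
import http.client
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

SOAP12_NS = "http://www.w3.org/2003/05/soap-envelope"

# Constructed from the captured request: no wsse:Security header at all.
UNAUTH_BODY = (
    '<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">'
    '<soapenv:Header/><soapenv:Body>'
    '<ws:getPatientDetails xmlns:ws="http://ws.hndac.gob.pe">'
    '<ws:identificador>12</ws:identificador>'
    '</ws:getPatientDetails></soapenv:Body></soapenv:Envelope>'
)
# Constructed from the two captured responses, trimmed to the relevant parts.
FAULT_RESPONSE = (
    '<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">'
    '<soapenv:Body><soapenv:Fault><soapenv:Code><soapenv:Value>soapenv:Sender'
    '</soapenv:Value><soapenv:Subcode><soapenv:Value xmlns:wsse="http://docs.oasis-open.org/'
    'wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">wsse:InvalidSecurity'
    '</soapenv:Value></soapenv:Subcode></soapenv:Code><soapenv:Reason>'
    '<soapenv:Text xml:lang="en-US">Missing wsse:Security header in request</soapenv:Text>'
    '</soapenv:Reason></soapenv:Fault></soapenv:Body></soapenv:Envelope>'
)
SERVED_RESPONSE = (
    '<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">'
    '<soapenv:Header/><soapenv:Body>'
    '<ns:getPatientDetailsResponse xmlns:ns="http://ws.hndac.gob.pe">'
    '<ns:return><ns:identificador>12</ns:identificador></ns:return>'
    '</ns:getPatientDetailsResponse></soapenv:Body></soapenv:Envelope>'
)

_ACTION_PARAM = re.compile(r';\s*action\s*=\s*"?([^";]+)"?', re.IGNORECASE)


def request_variants(action: str) -> List[Tuple[str, Dict[str, str]]]:
    """Header sets a legitimate client may send with the same SOAP 1.2 body.
    The action parameter is optional, so the server must police both forms."""
    return [
        ("soap12-action",
         {"Content-Type": f'application/soap+xml;charset=UTF-8;action="{action}"'}),
        ("soap12-no-action",
         {"Content-Type": "application/soap+xml;charset=UTF-8"}),
    ]


def dispatch_action(headers: Dict[str, str]) -> Optional[str]:
    """The dispatch hint Keith describes: a Content-Type parameter in SOAP 1.2,
    the SOAPAction HTTP header in SOAP 1.1; None when neither is present."""
    lower = {k.lower(): v for k, v in headers.items()}
    match = _ACTION_PARAM.search(lower.get("content-type", ""))
    if match:
        return match.group(1).strip()
    soap_action = lower.get("soapaction", "").strip().strip('"')
    return soap_action or None


def classify_response(xml_text: str) -> str:
    """'rejected': Fault with subcode wsse:InvalidSecurity (policy enforced);
    'fault': any other Fault; 'served': the operation ran and returned data."""
    root = ET.fromstring(xml_text)
    body = root.find(f"{{{SOAP12_NS}}}Body")
    if body is None:
        raise ValueError("not a SOAP 1.2 envelope")
    fault = body.find(f"{{{SOAP12_NS}}}Fault")
    if fault is None:
        return "served"
    sub = fault.find(f"{{{SOAP12_NS}}}Code/{{{SOAP12_NS}}}Subcode/{{{SOAP12_NS}}}Value")
    # ElementTree keeps QName text verbatim, so compare the local name only.
    if sub is not None and (sub.text or "").split(":")[-1] == "InvalidSecurity":
        return "rejected"
    return "fault"


def policy_bypasses(responses: Dict[str, str]) -> List[str]:
    """Variant names whose response was served without any security processing."""
    return sorted(n for n, x in responses.items() if classify_response(x) == "served")


def probe(host: str, port: int, path: str, action: str) -> Dict[str, str]:
    """Send UNAUTH_BODY once per variant to your own deployment and return the
    raw response bodies for policy_bypasses(). Not used by the offline checks."""
    out: Dict[str, str] = {}
    for name, headers in request_variants(action):
        conn = http.client.HTTPConnection(host, port, timeout=10)
        conn.request("POST", path, body=UNAUTH_BODY.encode("utf-8"), headers=headers)
        out[name] = conn.getresponse().read().decode("utf-8")
        conn.close()
    return out
```

Run over the two captured responses, `policy_bypasses` names `soap12-no-action`, which is exactly the finding in the thread; a correctly enforced deployment returns an empty list for every variant.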
Re: axis2 security bug?
Posted by Jaime Hablutzel Egoavil <ha...@gmail.com>.
I'm using wso2 for axis2 spring support:
pom.xml (extract)
<dependency>
<groupId>org.apache.rampart</groupId>
<artifactId>rampart-core</artifactId>
<version>1.4</version>
</dependency>
<dependency>
<groupId>org.apache.axis2</groupId>
<artifactId>axis2-kernel</artifactId>
<version>1.4.1</version>
</dependency>
<dependency>
<groupId>org.wso2.spring.ws</groupId>
<artifactId>wsf-spring</artifactId>
<version>1.5</version>
</dependency>
applicationContext.xml
<!-- we create a bean for the secured class -->
<bean id="emrauthws" class="pe.gob.hndac.ws.EmrServiceAuthImpl" />
<bean id="emrAuthService" class="org.wso2.spring.ws.SpringWebService">
<property name="serviceBean" ref="emrauthws"></property>
<property name="serviceName"
value="emrAuthWs"></property>
<property name="serviceDescription"
value="Provee de metodos para acceder a informacion
detallada."></property>
<property name="modules">
<list>
<value>rampart</value>
</list>
</property>
<property name="policyFiles">
<list>
<!-- <value>policyNoSSL.xml</value> -->
<value>policy.xml</value>
</list>
</property>
<!--
If we include a method that does not belong to the bean
being exposed,
it is shown in the WSDL <property
name="operations"> <list>
<ref local="operation" /> </list> </property>
-->
</bean>
</list>
</property>
</bean>
policy.xml
<wsp:Policy wsu:Id="UsernameTokenOverHTTPS"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:TransportToken>
            <wsp:Policy>
              <sp:HttpsToken RequireClientCertificate="false" />
            </wsp:Policy>
          </sp:TransportToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic256 />
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Lax />
            </wsp:Policy>
          </sp:Layout>
          <sp:IncludeTimestamp />
        </wsp:Policy>
      </sp:TransportBinding>
      <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient" />
        </wsp:Policy>
      </sp:SignedSupportingTokens>
      <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
        <ramp:passwordCallbackClass>pe.gob.hndac.ldap.PasswordCallbackHandler</ramp:passwordCallbackClass>
      </ramp:RampartConfig>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
with rampart-1.3.mar in the classpath. After all, what is the Content-Type
action attribute for?
On Wed, Oct 21, 2009 at 1:33 AM, Amila Suriarachchi <
amilasuriarachchi@gmail.com> wrote:
> What is the axis2 version you use?
>
> thanks,
> Amila.
>
>
> On Tue, Oct 20, 2009 at 7:10 PM, Jaime Hablutzel Egoavil <
> hablutzel1@gmail.com> wrote:
>
>> Hi, I'm a newbie in web services and security. I'm using WSO2 as an Axis2
>> wrapper to make working with Spring easier. Well,
>>
>> I have published a service that requires user token authentication and SSL
>> transport using this policy:
>>
>> <wsp:Policy wsu:Id="UsernameTokenOverHTTPS"
>> xmlns:wsu="
>> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
>> "
>> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>> <wsp:ExactlyOne>
>> <wsp:All>
>> <sp:TransportBinding
>> xmlns:sp="
>> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>> <wsp:Policy>
>> <sp:TransportToken>
>> <wsp:Policy>
>> <sp:HttpsToken
>> RequireClientCertificate="false" />
>> </wsp:Policy>
>> </sp:TransportToken>
>> <sp:AlgorithmSuite>
>> <wsp:Policy>
>> <sp:Basic256 />
>> </wsp:Policy>
>> </sp:AlgorithmSuite>
>> <sp:Layout>
>> <wsp:Policy>
>> <sp:Lax />
>> </wsp:Policy>
>> </sp:Layout>
>> <sp:IncludeTimestamp />
>> </wsp:Policy>
>> </sp:TransportBinding>
>> <sp:SignedSupportingTokens
>> xmlns:sp="
>> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>> <wsp:Policy>
>> <sp:UsernameToken
>> sp:IncludeToken="
>> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"
>> />
>> </wsp:Policy>
>> </sp:SignedSupportingTokens>
>> <ramp:RampartConfig xmlns:ramp="
>> http://ws.apache.org/rampart/policy">
>>
>> <ramp:passwordCallbackClass>pe.gob.hndac.ldap.PasswordCallbackHandler</ramp:passwordCallbackClass>
>> </ramp:RampartConfig>
>> </wsp:All>
>> </wsp:ExactlyOne>
>> </wsp:Policy>
>>
>> If I send this request (sniffed with TCPMon):
>>
>> POST
>> http://172.17.0.24:8080/emrws/services/emrAuthWs.emrAuthWsHttpSoap12Endpoint/HTTP/1.1
>> User-Agent: Axis2C/1.5.0
>> Content-Type: application/soap+xml;charset=UTF-8
>> ;action="urn:getPatientDetails"
>> Host: 172.17.0.24:8080
>> Content-Length: 310
>>
>> <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
>> xmlns:ws="http://ws.hndac.gob.pe">
>> <soap:Header/>
>> <soap:Body>
>> <ws:getPatientDetails>
>> <!--Optional:-->
>> <ws:identificador>12</ws:identificador>
>> </ws:getPatientDetails>
>> </soap:Body>
>> </soap:Envelope>
>>
>> I receive this answer:
>>
>> <soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope
>> ">
>> <soapenv:Body>
>> <soapenv:Fault xmlns:axis2ns19="
>> http://www.w3.org/2003/05/soap-envelope">
>> <soapenv:Code>
>> <soapenv:Value>axis2ns19:Sender</soapenv:Value>
>> <soapenv:Subcode>
>> <soapenv:Value xmlns:wsse="
>> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
>> ">wsse:InvalidSecurity</soapenv:Value>
>> </soapenv:Subcode>
>> </soapenv:Code>
>> <soapenv:Reason>
>> <soapenv:Text xml:lang="en-US">Missing wsse:Security header
>> in request</soapenv:Text>
>> </soapenv:Reason>
>> <soapenv:Detail/>
>> </soapenv:Fault>
>> </soapenv:Body>
>> </soapenv:Envelope>
>>
>>
>> OK, this is an Axis fault, and that is fine, but if I send:
>>
>> POST
>> http://172.17.0.24:8080/emrws/services/emrAuthWs.emrAuthWsHttpSoap12Endpoint/HTTP/1.1
>> User-Agent: Axis2C/1.5.0
>> Content-Length: 294
>> Content-Type: application/soap+xml;charset=UTF-8
>> Host: 172.17.0.24:8080
>>
>> <soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope"><soapenv:Header/><soapenv:Body><ws:getPatientDetails
>> xmlns:ws="http://ws.hndac.gob.pe">
>> <!--Optional:-->
>> <ws:identificador>12</ws:identificador>
>> </ws:getPatientDetails></soapenv:Body></soapenv:Envelope>
>>
>> Note the missing action attribute in the HTTP Content-Type header. I
>> receive this answer:
>>
>> HTTP/1.1 200 OK
>> Server: Apache-Coyote/1.1
>> Content-Type: application/soap+xml;
>> action="urn:getPatientDetailsResponse";charset=UTF-8
>> Transfer-Encoding: chunked
>> Date: Tue, 20 Oct 2009 13:30:41 GMT
>>
>> 641
>> <?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope xmlns:soapenv="
>> http://www.w3.org/2003/05/soap-envelope"><soapenv:Header>
>> <wsse:Security xmlns:wsse="
>> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>> soapenv:mustUnderstand="true"><wsu:Timestamp xmlns:wsu="
>> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>> wsu:Id="Timestamp-16078681"><wsu:Created>2009-10-20T13:30:41.184Z</wsu:Created><wsu:Expires>2009-10-20T13:35:41.184Z</wsu:Expires></wsu:Timestamp></wsse:Security></soapenv:Header><soapenv:Body><ns:getPatientDetailsResponse
>> xmlns:ns="http://ws.hndac.gob.pe"><ns:return xmlns:ax23="http://model/xsd"
>> type="model.Paciente"><ax23:apellidoMaterno>ALFARO</ax23:apellidoMaterno><ax23:apellidoPaterno>SAENZ</ax23:apellidoPaterno><ax23:direccion
>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"
>> /><ax23:documentoIdentidad xmlns:xsi="
>> http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"
>> /><ax23:fechaAdmision xmlns:xsi="
>> http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"
>> /><ax23:fechaNacimiento>1957-08-16T05:00:00.000Z</ax23:fechaNacimiento><ax23:identificador>12</ax23:identificador><ax23:nombres>CARMEN
>> ROSA</ax23:nombres><ax23:sexo>F</ax23:sexo><ax23:telefono xmlns:xsi="
>> http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"
>> /><ax23:ubigeoNacimiento xmlns:xsi="
>> http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"
>> /><ax23:ubigeoResidencia xmlns:xsi="
>> http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"
>> /></ns:return></ns:getPatientDetailsResponse></soapenv:Body></soapenv:Envelope>
>> 0
>>
>>
>> Ouch, without user authentication or SSL transport :S
>>
>> --
>> Jaime Hablutzel
>>
>> (accents intentionally omitted) 9 8964 0369
>>
>
>
>
> --
> Amila Suriarachchi
> WSO2 Inc.
> blog: http://amilachinthaka.blogspot.com/
>
--
Jaime Hablutzel
(accents intentionally omitted) 9 8964 0369
Re: axis2 security bug?
Posted by Amila Suriarachchi <am...@gmail.com>.
What is the axis2 version you use?
thanks,
Amila.
On Tue, Oct 20, 2009 at 7:10 PM, Jaime Hablutzel Egoavil <
hablutzel1@gmail.com> wrote:
> Hi, I'm a newbie in web services and security. I'm using WSO2 as an Axis2
> wrapper to make working with Spring easier. Well,
>
> I have published a service that requires user token authentication and SSL
> transport using this policy:
>
> <wsp:Policy wsu:Id="UsernameTokenOverHTTPS"
> xmlns:wsu="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
> "
> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
> <wsp:ExactlyOne>
> <wsp:All>
> <sp:TransportBinding
> xmlns:sp="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <wsp:Policy>
> <sp:TransportToken>
> <wsp:Policy>
> <sp:HttpsToken RequireClientCertificate="false"
> />
> </wsp:Policy>
> </sp:TransportToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic256 />
> </wsp:Policy>
> </sp:AlgorithmSuite>
> <sp:Layout>
> <wsp:Policy>
> <sp:Lax />
> </wsp:Policy>
> </sp:Layout>
> <sp:IncludeTimestamp />
> </wsp:Policy>
> </sp:TransportBinding>
> <sp:SignedSupportingTokens
> xmlns:sp="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <wsp:Policy>
> <sp:UsernameToken
> sp:IncludeToken="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"
> />
> </wsp:Policy>
> </sp:SignedSupportingTokens>
> <ramp:RampartConfig xmlns:ramp="
> http://ws.apache.org/rampart/policy">
>
> <ramp:passwordCallbackClass>pe.gob.hndac.ldap.PasswordCallbackHandler</ramp:passwordCallbackClass>
> </ramp:RampartConfig>
> </wsp:All>
> </wsp:ExactlyOne>
> </wsp:Policy>
>
> If I send this request (sniffed with TCPMon):
>
> POST
> http://172.17.0.24:8080/emrws/services/emrAuthWs.emrAuthWsHttpSoap12Endpoint/HTTP/1.1
> User-Agent: Axis2C/1.5.0
> Content-Type: application/soap+xml;charset=UTF-8
> ;action="urn:getPatientDetails"
> Host: 172.17.0.24:8080
> Content-Length: 310
>
> <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
> xmlns:ws="http://ws.hndac.gob.pe">
> <soap:Header/>
> <soap:Body>
> <ws:getPatientDetails>
> <!--Optional:-->
> <ws:identificador>12</ws:identificador>
> </ws:getPatientDetails>
> </soap:Body>
> </soap:Envelope>
>
> I receive this answer:
>
> <soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
> <soapenv:Body>
> <soapenv:Fault xmlns:axis2ns19="
> http://www.w3.org/2003/05/soap-envelope">
> <soapenv:Code>
> <soapenv:Value>axis2ns19:Sender</soapenv:Value>
> <soapenv:Subcode>
> <soapenv:Value xmlns:wsse="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
> ">wsse:InvalidSecurity</soapenv:Value>
> </soapenv:Subcode>
> </soapenv:Code>
> <soapenv:Reason>
> <soapenv:Text xml:lang="en-US">Missing wsse:Security header in
> request</soapenv:Text>
> </soapenv:Reason>
> <soapenv:Detail/>
> </soapenv:Fault>
> </soapenv:Body>
> </soapenv:Envelope>
>
>
> OK, this is an Axis fault, and that is fine, but if I send:
>
> POST
> http://172.17.0.24:8080/emrws/services/emrAuthWs.emrAuthWsHttpSoap12Endpoint/HTTP/1.1
> User-Agent: Axis2C/1.5.0
> Content-Length: 294
> Content-Type: application/soap+xml;charset=UTF-8
> Host: 172.17.0.24:8080
>
> <soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope"><soapenv:Header/><soapenv:Body><ws:getPatientDetails
> xmlns:ws="http://ws.hndac.gob.pe">
> <!--Optional:-->
> <ws:identificador>12</ws:identificador>
> </ws:getPatientDetails></soapenv:Body></soapenv:Envelope>
>
> Note the missing action attribute in the HTTP Content-Type header. I
> receive this answer:
>
> HTTP/1.1 200 OK
> Server: Apache-Coyote/1.1
> Content-Type: application/soap+xml;
> action="urn:getPatientDetailsResponse";charset=UTF-8
> Transfer-Encoding: chunked
> Date: Tue, 20 Oct 2009 13:30:41 GMT
>
> 641
> <?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope xmlns:soapenv="
> http://www.w3.org/2003/05/soap-envelope"><soapenv:Header>
> <wsse:Security xmlns:wsse="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> soapenv:mustUnderstand="true"><wsu:Timestamp xmlns:wsu="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> wsu:Id="Timestamp-16078681"><wsu:Created>2009-10-20T13:30:41.184Z</wsu:Created><wsu:Expires>2009-10-20T13:35:41.184Z</wsu:Expires></wsu:Timestamp></wsse:Security></soapenv:Header><soapenv:Body><ns:getPatientDetailsResponse
> xmlns:ns="http://ws.hndac.gob.pe"><ns:return xmlns:ax23="http://model/xsd"
> type="model.Paciente"><ax23:apellidoMaterno>ALFARO</ax23:apellidoMaterno><ax23:apellidoPaterno>SAENZ</ax23:apellidoPaterno><ax23:direccion
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"
> /><ax23:documentoIdentidad xmlns:xsi="
> http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"
> /><ax23:fechaAdmision xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:nil="true"
> /><ax23:fechaNacimiento>1957-08-16T05:00:00.000Z</ax23:fechaNacimiento><ax23:identificador>12</ax23:identificador><ax23:nombres>CARMEN
> ROSA</ax23:nombres><ax23:sexo>F</ax23:sexo><ax23:telefono xmlns:xsi="
> http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"
> /><ax23:ubigeoNacimiento xmlns:xsi="
> http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"
> /><ax23:ubigeoResidencia xmlns:xsi="
> http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"
> /></ns:return></ns:getPatientDetailsResponse></soapenv:Body></soapenv:Envelope>
> 0
>
>
> Ouch, without user authentication or SSL transport :S
>
> --
> Jaime Hablutzel
>
> (accents intentionally omitted) 9 8964 0369
>
--
Amila Suriarachchi
WSO2 Inc.
blog: http://amilachinthaka.blogspot.com/