Posted to java-user@axis.apache.org by Mary Thompson <mr...@lbl.gov> on 2008/09/29 21:56:41 UTC

Unsigned messages not rejected in rampart/policy/sample02

I have recently upgraded to axis2 1.4.1 and rampart 1.4 and decided to 
switch to using ws-policy files. I modeled my use on the 
policy/sample02, but noticed that if I sent a request that was 
time-stamped but did not have the body signed it was accepted by the 
service.

I went back to sample02 and just modified the policy.xml file to remove 
the <sp:SignedParts ...> lines and ran a standalone (server ant 
service.02) and client (ant client.02) and the same thing happened.

The message that is being sent has a syntactically correct security 
header containing a signed timestamp, but not a signed body. The 
services file says there should be a signed body, but the service 
accepts and replies to the unsigned message.

I don't see how this can be correct behavior. Is the services.xml file 
missing something?

BTW, if I remove the timestamp and keep the body signed, the message is 
rejected for a missing timestamp.

I'm running with Java 1.5.0_16, Mac OS X 10.4.11

Mary Thompson

---------------------------------------------------------------------
Mary R. Thompson                                <MR...@lbl.gov>
Lawrence Berkeley National Lab                  http://acs.lbl.gov/~mrt
----------------------------------------------------------------------
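
Added example, not part of the original post or of the Rampart samples: a small Python check of which parts of a message the WS-Security signature actually references, run on a constructed envelope shaped like the one described above (signed Timestamp, unsigned Body). The wsu:Id values and payload are made up, and only reference coverage is inspected, not signature validity.

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"

def signature_coverage(envelope_xml):
    """Report whether the Timestamp and the Body are referenced by a
    ds:Signature in the wsse:Security header. Structural check only:
    digests and the signature value are not verified."""
    root = ET.fromstring(envelope_xml)
    soap = root.tag[1:root.tag.index("}")]   # SOAP 1.1 or 1.2 namespace
    ns = {"soap": soap, "wsse": WSSE, "wsu": WSU, "ds": DS}
    security = root.find("soap:Header/wsse:Security", ns)
    signed_ids = set()
    timestamp = None
    if security is not None:
        timestamp = security.find("wsu:Timestamp", ns)
        for ref in security.findall("ds:Signature/ds:SignedInfo/ds:Reference", ns):
            uri = ref.get("URI", "")
            if uri.startswith("#"):          # same-document reference by wsu:Id
                signed_ids.add(uri[1:])

    def covered(elem):
        return elem is not None and elem.get("{%s}Id" % WSU) in signed_ids

    # Only the Body that is a direct child of the Envelope counts.
    return {"timestamp": covered(timestamp),
            "body": covered(root.find("soap:Body", ns))}

def sample_envelope(referenced_ids):
    """Constructed test message; the Ids and the payload are made up."""
    refs = "".join('<ds:Reference URI="#%s"/>' % i for i in referenced_ids)
    return ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"'
            ' xmlns:wsse="%s" xmlns:wsu="%s" xmlns:ds="%s">'
            '<soap:Header><wsse:Security>'
            '<wsu:Timestamp wsu:Id="Timestamp-1">'
            '<wsu:Created>2008-09-29T21:56:41Z</wsu:Created></wsu:Timestamp>'
            '<ds:Signature><ds:SignedInfo>%s</ds:SignedInfo></ds:Signature>'
            '</wsse:Security></soap:Header>'
            '<soap:Body wsu:Id="Body-1"><echo>hi</echo></soap:Body>'
            '</soap:Envelope>' % (WSSE, WSU, DS, refs))

if __name__ == "__main__":
    # The case from the post: timestamp signed, body not signed.
    print(signature_coverage(sample_envelope(["Timestamp-1"])))
    print(signature_coverage(sample_envelope(["Timestamp-1", "Body-1"])))
```

Running a captured request through a check like this shows whether the client really omitted the Body reference, which separates a client-side policy effect from a server-side enforcement gap.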
