Posted to rampart-dev@ws.apache.org by "Nandana Mihindukulasooriya (JIRA)" <ji...@apache.org> on 2009/06/16 13:05:07 UTC

[jira] Resolved: (RAMPART-204) PostDispatchHandler does not check whether rampart is engaged

     [ https://issues.apache.org/jira/browse/RAMPART-204?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nandana Mihindukulasooriya resolved RAMPART-204.
------------------------------------------------

    Resolution: Fixed

Applied the patch in revision 785158. 

thanks,
Nandana

> PostDispatchHandler does not check whether rampart is engaged
> -------------------------------------------------------------
>
>                 Key: RAMPART-204
>                 URL: https://issues.apache.org/jira/browse/RAMPART-204
>             Project: Rampart
>          Issue Type: Bug
>          Components: rampart-core
>    Affects Versions: 1.4
>         Environment: Axis2 1.4.1/Rampart 1.4
>            Reporter: Bob Jacoby
>            Assignee: Ruchith Udayanga Fernando
>         Attachments: PostDispatchVerificationHandler.patch
>
>
> Axis2 appears to automatically register the Rampart handlers even if Rampart is not explicitly engaged. This causes the handlers to run regardless of whether or not Rampart is engaged. While I would consider this a bug in Axis2, there's a simple Rampart workaround that appears to be implemented in other Rampart handlers.
> All the other handlers (RampartReceiver, RampartSender, WSDoAllHandler) immediately check whether Rampart is engaged in the invoke method. If not, the method immediately returns. PostDispatchVerificationHandler does not perform this check, which causes the handler to throw an InvalidSecurity error if a policy is attached to the service, but the response is not signed. This is expected behavior if Rampart is engaged, but not when Rampart is not engaged.
> The simple fix is to add the same check to the PostDispatchVerificationHandler invoke method as in the other methods. The attached patch does this.
> Incidentally, as an FYI since this is an Axis2 issue I think, even though Axis2 registers the Rampart handlers automatically, the Rampart module is NOT marked as being engaged in the service client. So calling serviceClient.disengageModule to remove the Rampart handlers will not remove the handlers. However, if you first explicitly engage Rampart, and then call disengageModule, the Rampart handlers will be removed from the AxisConfiguration.
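
The guard described in the report, modelled as an added example that is not the attached patch or Rampart's own code. The types here (`Ctx`, `Result`, `InvalidSecurityException`, the module name string) are simplified stand-ins and assumptions, not the Axis2 or Rampart API; the point is that the early return keys only on engagement, so verification still rejects unsigned messages when the module is engaged.

```java
import java.util.Set;

// Simplified stand-ins for illustration; these are not the Axis2 or Rampart classes.
public class EngagementGuardDemo {

    enum Result { CONTINUE }

    static class InvalidSecurityException extends Exception {
        InvalidSecurityException(String msg) { super(msg); }
    }

    // Hypothetical message context: engaged modules, whether a security policy
    // is attached to the service, and whether the message was signed.
    record Ctx(Set<String> engagedModules, boolean policyAttached, boolean signed) {
        boolean isEngaged(String module) { return engagedModules.contains(module); }
    }

    static final String MODULE = "rampart"; // assumed module name for this model

    // Behaviour described in the report: no engagement check, so an attached policy
    // plus an unsigned message faults even when the module was never engaged.
    static Result invokeUnguarded(Ctx ctx) throws InvalidSecurityException {
        if (ctx.policyAttached() && !ctx.signed()) {
            throw new InvalidSecurityException("InvalidSecurity");
        }
        return Result.CONTINUE;
    }

    // With the guard: return early only when the module is not engaged.
    // When it is engaged, verification runs exactly as before.
    static Result invokeGuarded(Ctx ctx) throws InvalidSecurityException {
        if (!ctx.isEngaged(MODULE)) {
            return Result.CONTINUE;
        }
        return invokeUnguarded(ctx);
    }

    static String outcome(boolean guarded, Ctx ctx) {
        try {
            return (guarded ? invokeGuarded(ctx) : invokeUnguarded(ctx)).name();
        } catch (InvalidSecurityException e) {
            return "FAULT";
        }
    }

    public static void main(String[] args) {
        Ctx notEngaged = new Ctx(Set.of(), true, false);    // constructed sample
        Ctx engaged = new Ctx(Set.of(MODULE), true, false); // constructed sample
        System.out.println("unguarded, not engaged: " + outcome(false, notEngaged));
        System.out.println("guarded, not engaged:   " + outcome(true, notEngaged));
        System.out.println("guarded, engaged:       " + outcome(true, engaged));
    }
}
```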
