You are viewing a plain text version of this content. The canonical link for it is here.
Posted to wss4j-dev@ws.apache.org by Bakul Kumar <ba...@gmail.com> on 2009/02/03 21:55:47 UTC
Any harm to pass WSConstants.TS action?
Hi,
I have a secure web service exposed using xfire and wss4j. Some of the
clients are using xfire and some are from Microsoft . net either ASP.net,
VB.net or C#.
Service security works fine for xfire client. But it has a problem while
there is a call from .net clients saying that action mismatch, as .net
client passes the TimeStamp and its being rejected
by WSHandler.checkReceiverResults().
So I have added the WSConstants.TS is a pass list (which has
already WSConstants.SC and WSConstants.BST) and it works fine for both xfire
client and .net client.
I have searched forum and found some threads regarding it like:
http://www.nabble.com/Fwd:-"action-mismatch"-and-WSConstants.SC-meaning---td11356763.html#a11696350<http://www.nabble.com/Fwd:-%22action-mismatch%22-and-WSConstants.SC-meaning---td11356763.html#a11696350>
but, it doesn't says that its secure or not. And if yes, then I am curious
about why its not in code?
I thought I will get some feedback from community.
Thanks in advance.
Bakul Kumar.
Any harm to pass WSConstants.TS action?
Posted by Bakul Kumar <ba...@gmail.com>.
Hi,
I have a secure web service exposed using xfire and wss4j. Some of the
clients are using xfire and some are from Microsoft . net either ASP.net,
VB.net or C#.
Service security works fine for xfire client. But it has a problem while
there is a call from .net clients saying that action mismatch, as .net
client passes the TimeStamp and its being rejected
by WSHandler.checkReceiverResults().
So I have added the WSConstants.TS is a pass list (which has
already WSConstants.SC and WSConstants.BST) and it works fine for both xfire
client and .net client.
I have searched forum and found some threads regarding it like:
http://www.nabble.com/Fwd:-"action-mismatch"-and-WSConstants.SC-meaning---td11356763.html#a11696350<http://www.nabble.com/Fwd:-%22action-mismatch%22-and-WSConstants.SC-meaning---td11356763.html#a11696350>
but, it doesn't says that its secure or not. And if yes, then I am curious
about why its not in code?
I thought I will get some feedback from community.
Thanks in advance.
Bakul Kumar.
Any harm to pass WSConstants.TS action?
Posted by Bakul Kumar <ba...@gmail.com>.
Hi,
I have a secure web service exposed using xfire and wss4j. Some of the
clients are using xfire and some are from Microsoft . net either ASP.net,
VB.net or C#.
Service security works fine for xfire client. But it has a problem while
there is a call from .net clients saying that action mismatch, as .net
client passes the TimeStamp and its being rejected
by WSHandler.checkReceiverResults().
So I have added the WSConstants.TS is a pass list (which has
already WSConstants.SC and WSConstants.BST) and it works fine for both xfire
client and .net client.
I have searched forum and found some threads regarding it like:
http://www.nabble.com/Fwd:-"action-mismatch"-and-WSConstants.SC-meaning---td11356763.html#a11696350<http://www.nabble.com/Fwd:-%22action-mismatch%22-and-WSConstants.SC-meaning---td11356763.html#a11696350>
but, it doesn't says that its secure or not. And if yes, then I am curious
about why its not in code?
I thought I will get some feedback from community.
Thanks in advance.
Bakul Kumar.
RE: Any harm to pass WSConstants.TS action?
Posted by Colm O hEigeartaigh <co...@progress.com>.
The problem is that the action list enforces that the actions be performed in a certain order. For example, if an incoming message has a username token and then a Timestamp in the security header, in that exact order, the action list must be:
<entry key="action" value="UsernameToken Timestamp" />
This is debated in the comments of WSS-147:
https://issues.apache.org/jira/browse/WSS-147
The reason the action list appears to be "reversed" is for backwards compatibility reasons. This code could do with some work, but the real solution is to use WS-SecurityPolicy to configure WSS4J, i.e. the forthcoming CXF 2.2 or Rampart.
Colm.
________________________________________
From: Bakul Kumar [mailto:bakul.kumar@gmail.com]
Sent: 03 February 2009 20:56
To: wss4j-dev@ws.apache.org
Subject: Any harm to pass WSConstants.TS action?
Hi,
I have a secure web service exposed using xfire and wss4j. Some of the clients are using xfire and some are from Microsoft . net either ASP.net, VB.net or C#.
Service security works fine for xfire client. But it has a problem while there is a call from .net clients saying that action mismatch, as .net client passes the TimeStamp and its being rejected by WSHandler.checkReceiverResults().
So I have added the WSConstants.TS is a pass list (which has already WSConstants.SC and WSConstants.BST) and it works fine for both xfire client and .net client.
I have searched forum and found some threads regarding it like:
http://www.nabble.com/Fwd:-"action-mismatch"-and-WSConstants.SC-meaning---td11356763.html#a11696350
but, it doesn't says that its secure or not. And if yes, then I am curious about why its not in code?
I thought I will get some feedback from community.
Thanks in advance.
Bakul Kumar.
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org