*Important* Wss4jSecurityInterceptor: bug or expected behavior?
Please help me with this.
I was making some tests with the Wss4jSecurityInterceptor using the UsernameToken profile. Here is my simple configuration on the server side:
<bean id="wss4j" class="org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor">
    <property name="validationActions" value="UsernameToken" />
    <property name="validationCallbackHandler" ref="callbackHandler" />
</bean>
Everything works fine at the beginning...
If my SOAP message doesn't have the <wsse:Security> header, an error like 'No WS-Security header found' happens.
Passing the correct username and password, the server validates correctly. Passing a wrong username or password, I get an exception.
The problem is that when I send the <wsse:Security> header empty, I don't get an exception like I believe I should get.
Putting the code above in soapUI and sending it, I get a normal response, like when I pass the correct username and token.
I tried with other validationActions like Signature, and the behavior is the same. If the header is empty, the signature validation is not performed and I get no exceptions.
Is this right?
If I want to secure my web service with a username and password I can't because someone can just pass an empty header!
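
As an added example (not part of the original post, and not Spring-WS or WSS4J code): a JDK-only structural check that a SOAP 1.1 request carries a UsernameToken with non-empty Username and Password inside <wsse:Security>, so the empty-header request described above can be rejected before the endpoint runs. The class and method names are hypothetical, the sample messages are constructed, and it assumes a single Security header per message.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.xml.sax.InputSource;

// Added example; SecurityHeaderGuard and its methods are hypothetical names.
public class SecurityHeaderGuard {
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/"; // SOAP 1.1
    static final String WSSE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    // First direct child element with the given namespace and local name, or null.
    static Element child(Element parent, String ns, String local) {
        if (parent == null) return null;
        for (Node n = parent.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n instanceof Element && ns.equals(n.getNamespaceURI())
                    && local.equals(n.getLocalName())) return (Element) n;
        }
        return null;
    }

    static boolean hasText(Element e) {
        return e != null && !e.getTextContent().trim().isEmpty();
    }

    // True only if Header/Security/UsernameToken exists with non-empty Username and Password.
    static boolean hasUsernameToken(String soapXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Element envelope = f.newDocumentBuilder()
                .parse(new InputSource(new StringReader(soapXml))).getDocumentElement();
        Element security = child(child(envelope, SOAP, "Header"), WSSE, "Security");
        Element token = child(security, WSSE, "UsernameToken");
        return hasText(child(token, WSSE, "Username")) && hasText(child(token, WSSE, "Password"));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample requests: an empty Security header, then one with a token.
        String open = "<s:Envelope xmlns:s='" + SOAP + "' xmlns:wsse='" + WSSE + "'><s:Header>";
        String close = "</s:Header><s:Body/></s:Envelope>";
        String empty = open + "<wsse:Security/>" + close;
        String full = open + "<wsse:Security><wsse:UsernameToken><wsse:Username>alice"
                + "</wsse:Username><wsse:Password>example</wsse:Password>"
                + "</wsse:UsernameToken></wsse:Security>" + close;
        System.out.println("empty header accepted: " + hasUsernameToken(empty));
        System.out.println("token header accepted: " + hasUsernameToken(full));
    }
}
```

This only checks that the token is present; verifying the username and password remains the job of the validationCallbackHandler.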