*Important* Wss4jSecurityInterceptor: bug or expected behavior?
Tareq/Arjen,
Please help me with this.
I was making some tests with the Wss4jSecurityInterceptor using the UsernameToken profile. Here is my simple configuration on the server side:
Code:
<bean id="wss4j" class="org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor">
<property name="validationActions" value="UsernameToken" />
<property name="validationCallbackHandler" ref="callbackHandler" />
</bean>
<bean id="callbackHandler"
class="org.springframework.ws.soap.security.wss4j.callback.SimplePasswordValidationCallbackHandler">
<property name="users">
<props>
<prop key="Ernie">Bert</prop>
</props>
</property>
</bean>
Everything works fine at the beginning...
If my soap message doesn't have the <wsse:Security> header an error like 'No WS-Security header found' happened.
Passing the correct username and password, the server validates correctingly. Passing wrong username or password I get an exception.
The problem is when I send the <wsse:Security> header empty I don't get an exception like I believe I have to get.
Puting the code above in soapUI and sending it I get a normal response, like when I pass the correct username and token.
Code:
...
<SOAP-ENV:Header>
<wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SOAP-ENV:mustUnderstand="1">
</wsse:Security>
</SOAP-ENV:Header>
...
I tried with others validationActions like Signature, and the behavior is the same. If the header is empty, the signature validation is not performed and I get no exceptions.
Is this right?
If I want to secure my web service with a username and password I can't because someone can just pass an empty header!
Help, please!
Thanks!
