Thread: *Important* Wss4jSecurityInterceptor: bug or expected behavior?

  1. #1

    *Important* Wss4jSecurityInterceptor: bug or expected behavior?

    Tareq/Arjen,

    Please help me with this.

    I was making some tests with the Wss4jSecurityInterceptor using the UsernameToken profile. Here is my simple configuration on the server side:

    Code:
    <bean id="wss4j" class="org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor">
    	<property name="validationActions" value="UsernameToken" />
    	<property name="validationCallbackHandler" ref="callbackHandler" />
    </bean>
    <bean id="callbackHandler"
    	 class="org.springframework.ws.soap.security.wss4j.callback.SimplePasswordValidationCallbackHandler">
       <property name="users">
          <props>
            <prop key="Ernie">Bert</prop>
          </props>
       </property>
    </bean>
    Everything works fine at the beginning...

    If my SOAP message doesn't have the <wsse:Security> header, an error like 'No WS-Security header found' occurs.

    Passing the correct username and password, the server validates correctly. Passing a wrong username or password, I get an exception.

    The problem is that when I send the <wsse:Security> header empty, I don't get an exception as I believe I should.

    Putting the code above in soapUI and sending it, I get a normal response, like when I pass the correct username and token.

    Code:
    ...
    <SOAP-ENV:Header>
    	<wsse:Security
    		xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    		SOAP-ENV:mustUnderstand="1">
    	</wsse:Security>
    </SOAP-ENV:Header>
    ...
    I tried with other validationActions like Signature, and the behavior is the same. If the header is empty, the signature validation is not performed and I get no exceptions.

    Is this right?
    If I want to secure my web service with a username and password I can't because someone can just pass an empty header!

    Help, please!
    Thanks!
    Last edited by michelz; Nov 15th, 2008 at 07:08 PM.

  2. #2

    This certainly doesn't sound like normal expected behavior! Could you please create a Jira issue and attach any useful code you have to help diagnose this?
    Tareq Abedrabbo

  3. #3

    OK!

    I created a sample project with JUnit tests!
    If there is something I can do, please just let me know!

    Here is the jira issue:
    http://jira.springframework.org/browse/SWS-448

    Thanks
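
The behavior reported in the first post can be guarded against with a presence check that a service runs before trusting a request: the `<wsse:Security>` header must actually contain the token the configured validation action expects. This is an added example, not code from the thread, Spring-WS or WSS4J; the class name `RequiredTokenCheck`, the SOAP 1.1 envelope namespace and the sample messages are assumptions, and it only checks that a UsernameToken is present, leaving password validation to the interceptor.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

// Added example (hypothetical class): rejects a request unless its wsse:Security
// header really carries a UsernameToken, so an empty header is treated like a missing one.
public class RequiredTokenCheck {
    static final String SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"; // assumed SOAP 1.1
    static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    /** True only if Header/Security/UsernameToken has a non-empty Username and a Password. */
    static boolean hasUsernameToken(String envelopeXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs
        Element root = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(envelopeXml.getBytes(StandardCharsets.UTF_8)))
            .getDocumentElement();
        Element header = firstChild(root, SOAP_NS, "Header");
        Element security = header == null ? null : firstChild(header, WSSE_NS, "Security");
        Element token = security == null ? null : firstChild(security, WSSE_NS, "UsernameToken");
        if (token == null) return false; // header missing, or present but empty
        Element user = firstChild(token, WSSE_NS, "Username");
        Element pass = firstChild(token, WSSE_NS, "Password");
        return user != null && pass != null && !user.getTextContent().trim().isEmpty();
    }

    // Direct children only, so a token placed elsewhere in the envelope is not counted.
    static Element firstChild(Element parent, String ns, String local) {
        for (Node n = parent.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n instanceof Element && ns.equals(n.getNamespaceURI()) && local.equals(n.getLocalName()))
                return (Element) n;
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        String open = "<e:Envelope xmlns:e='" + SOAP_NS + "' xmlns:w='" + WSSE_NS + "'><e:Header>";
        String close = "</e:Header><e:Body/></e:Envelope>";
        // Constructed sample messages: the empty header from the post, and a populated one.
        String empty = open + "<w:Security e:mustUnderstand='1'></w:Security>" + close;
        String full = open + "<w:Security><w:UsernameToken><w:Username>Ernie</w:Username>"
            + "<w:Password>Bert</w:Password></w:UsernameToken></w:Security>" + close;
        System.out.println("empty header passes check: " + hasUsernameToken(empty));
        System.out.println("populated header passes check: " + hasUsernameToken(full));
    }
}
```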
