[SWS-448] Wss4jSecurityInterceptor accepts messages when <wsse:header> is empty
Created: 16/Nov/08  Updated: 04/May/12  Resolved: 17/Nov/08

Status: Closed
Project: Spring Web Services
Component/s: Security
Affects Version/s: 1.5.5
Fix Version/s: 1.5.6

Type: Bug
Priority: Critical
Reporter: Michel Zanini
Assignee: Tareq Abedrabbo
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

UsernameToken profile
X.509 Token Profile


Attachments: SWS-448.patch (text file), StudentWS.zip (zip archive), wss4j-test.zip (zip archive)

 Description   

http://forum.springframework.org/showthread.php?t=63553

The problem occurs when Wss4jSecurityInterceptor is used on the server side to validate a username token (or signature).

Everything looks fine except when an empty <wsse:header> is sent. The interceptor lets the message through and doesn't
throw any exceptions.

As an attachment, I'm sending a Maven project with JUnit tests to prove the case. The project is a very simple web service
based on the tutorial sample. I just configured the wss4j interceptor to validate the username token.

The only test that doesn't pass is the last one, 'testSendMessageWithEmptyWsseHeader'.

Sorry for my English... it isn't my native language.
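
The failure mode described above as a fail-closed presence check, written with JDK DOM APIs only. This is an added example, not part of the original report and not Spring-WS or WSS4J code. It assumes the report's <wsse:header> means the wsse:Security SOAP header element; the class, the method names and the sample envelopes are constructed for illustration, and validating the token itself stays with the interceptor.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

// Hypothetical helper class for illustration; only the first wsse:Security header is inspected.
public class RequiredTokenCheck {
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSSE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    // First direct child with the given namespace and local name (descendants are ignored on purpose).
    static Element child(Element parent, String ns, String local) {
        for (Node n = parent.getFirstChild(); n != null; n = n.getNextSibling())
            if (n instanceof Element && ns.equals(n.getNamespaceURI()) && local.equals(n.getLocalName()))
                return (Element) n;
        return null;
    }

    // True only when Envelope/Header/Security directly contains the required token element.
    static boolean hasRequiredToken(String soapXml, String tokenLocalName) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Element env = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(soapXml.getBytes(StandardCharsets.UTF_8))).getDocumentElement();
        Element header = child(env, SOAP, "Header");
        Element security = header == null ? null : child(header, WSSE, "Security");
        // A missing or empty Security element has no token child, so the message is rejected.
        return security != null && child(security, WSSE, tokenLocalName) != null;
    }

    // Constructed sample envelope (SOAP 1.1) with caller-supplied header content.
    static String envelope(String headerContent) {
        return "<s:Envelope xmlns:s='" + SOAP + "' xmlns:wsse='" + WSSE + "'>"
            + "<s:Header>" + headerContent + "</s:Header><s:Body/></s:Envelope>";
    }

    public static void main(String[] args) throws Exception {
        String withToken = envelope("<wsse:Security><wsse:UsernameToken>"
            + "<wsse:Username>alice</wsse:Username></wsse:UsernameToken></wsse:Security>");
        System.out.println("token present:  " + hasRequiredToken(withToken, "UsernameToken"));
        System.out.println("empty Security: " + hasRequiredToken(envelope("<wsse:Security/>"), "UsernameToken"));
        System.out.println("no Security:    " + hasRequiredToken(envelope(""), "UsernameToken"));
    }
}
```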



 Comments   
Comment by Tareq Abedrabbo [ 16/Nov/08 ]

Strangely enough, WSHandler.checkReceiverResults doesn't check for this.
Michel, thanks a lot for pointing this out.

Comment by Peter Arockiaraj [ 06/May/09 ]

Even I'm facing the same problem. I am using spring-ws-security-1.5.6.jar only for this. Can you please check and update me?

Comment by Michel Zanini [ 06/May/09 ]

Peter,

Check if you're using wss4j 1.5.4+ ... this bug was originally from wss4j:
http://issues.apache.org/jira/browse/WSS-70

Comment by Tareq Abedrabbo [ 06/May/09 ]

Hi Peter,

The sample you attached uses 2 endpoint mappings and I'm not sure your security interceptor is attached to the right one. Could you clean up your sample and try again?

Thanks,

Comment by Arjen Poutsma [ 04/May/12 ]

Closing old issues
