[jira] Created: (CXF-2244) Server accepts an unsigned message when the policy requires a signed message.

Thu, 28 May 2009 23:35:19 -0700 

Server accepts an unsigned message when the policy requires a signed message.
-----------------------------------------------------------------------------

                 Key: CXF-2244
                 URL: https://issues.apache.org/jira/browse/CXF-2244
             Project: CXF
          Issue Type: Bug
          Components: WS-* Components
    Affects Versions: 2.2.1
         Environment: java 1.5, MacOS 10.5.7 CXF 2.2.2-SNAPSHOT
            Reporter: Mary Thompson


A policy is attached to the request message that requires the message body to 
be signed and timestamped.
Due to an error on the client side, a message is sent with a security header 
and time stamp but is not signed.
The server accepts the message anyway.

The inbound message is:
INFO: Inbound Message
----------------------------
ID: 1
Address: /AuthN
Encoding: UTF-8
Content-Type: application/soap+xml; 
action="http://oscars.es.net/OSCARS/AuthN/verifyUser";; charset=UTF-8
Headers: {Content-Length=[908], Host=[localhost:9090], User-Agent=[Apache CXF 
2.2.2-SNAPSHOT], connection=[keep-alive], Pragma=[no-cache], 
Content-Type=[application/soap+xml; 
action="http://oscars.es.net/OSCARS/AuthN/verifyUser";; charset=UTF-8], 
content-type=[application/soap+xml; 
action="http://oscars.es.net/OSCARS/AuthN/verifyUser";; charset=UTF-8], 
Cache-Control=[no-cache], Accept=[*/*]}
Payload: <soap:Envelope 
xmlns:soap="http://www.w3.org/2003/05/soap-envelope";><soap:Header><wsse:Security
 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
 soap:mustUnderstand="true"><wsu:Timestamp 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
 
wsu:Id="Timestamp-1"><wsu:Created>2009-05-29T06:09:44.894Z</wsu:Created><wsu:Expires>2009-05-29T06:14:44.894Z</wsu:Expires></wsu:Timestamp></wsse:Security></soap:Header><soap:Body
 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
 wsu:Id="Id-1692283"><verifyUserReq 
xmlns="http://oscars.es.net/OSCARS/AuthN";><login><LoginName>mrthompson</LoginName><Password>foobar</Password></login><DN><SubjectDN>CN=Mary
 Thompson, DC=net, DC=es</SubjectDN><IssuerDN>CN=esnetCA, DC=net, 
DC=es</IssuerDN></DN></verifyUserReq></soap:Body></soap:Envelope>


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

Reply via email to