Sorry, [2] should have been as follows:
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"/>
----- Original Message ----
From: Ali Sadik Kumlali <[EMAIL PROTECTED]>
To: axis-user@ws.apache.org
Sent: Friday, December 8, 2006 5:14:11 PM
Subject: [Axis2][1_1] Security validation is made only if security header is
found...
Hi folks,
Is it normal that I don't get any exception if no WS-Security header added to
the message while service expecting a signed message?
If not, please let me know so that I can file a JIRA.
Here are the use cases and how Rampart behaves:
Common:
- Service requires a signed message[1]
Case1: Client adds <module ref="rampart"/> but doesn't add <parameter
name="OutflowSecurity"> to the axis2.xml
- Client sends message
- Message doesn't have necessary WS-Security headers but only a single one[2]
Result
- Rampart doesn't log or throw any exception and the message passes to the
message receiver (Unexpected(?) behaviour)
Case2: Client doesn't add either <module ref="rampart"/> or <parameter
name="OutflowSecurity">...
- Client sends message
- Message doesn't have any WS-Security header.
Result
- Rampart doesn't log or throw any exception and the message passes to the
message receiver (Unexpected(?) behaviour)
Regards,
Ali Sadik Kumlali
[1]
<module ref="rampart"/>
<parameter name="InflowSecurity">
<action>
<items>Signature</items>
<signaturePropFile>server_security.properties</signaturePropFile>
</action>
</parameter>
[2]
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"/>
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
