I have recently upgraded to axis2 1.4.1 and rampart 1.4 and decided to
switch to using ws-policy files. I modeled my use on the
policy/sample02, but noticed that if I sent a request that was
time-stamped but did not have the body signed, it was accepted by the
service.

I went back to sample02 and just modified the policy.xml file to remove
the <sp:SignedParts ...> lines and ran a standalone server (ant
service.02) and client (ant client.02) and the same thing happened.

The message that is being sent has a syntactically correct security
header containing a signed timestamp, but not a signed body. The
services file says there should be a signed body, but the service
accepts and replies to the unsigned message.

I don't see how this can be correct behavior. Is the services.xml file
missing something?

BTW, if I remove the timestamp and keep the body signed, the message is
rejected for a missing timestamp.

I'm running with Java 1.5.0_16, Mac OS X 10.4.11.

Mary Thompson
---------------------------------------------------------------------
Mary R. Thompson <[EMAIL PROTECTED]>
Lawrence Berkeley National Lab http://acs.lbl.gov/~mrt
----------------------------------------------------------------------
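
An added example, not part of the original message and not Axis2 or Rampart code: a Python check that reports whether the Timestamp and the Body of a captured request are referenced by the WS-Security signature, which is the difference described in the message above. The envelopes, Id values and function names are constructed for illustration; the check inspects structure only and does not verify digests or the signature value.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]

def signature_coverage(envelope_xml):
    """Report which of Timestamp and Body are referenced by a ds:Signature
    in the wsse:Security header (structural check, no crypto verification)."""
    root = ET.fromstring(envelope_xml)
    security = root.find("soap:Header/wsse:Security", NS)
    refs = set()
    if security is not None:
        for ref in security.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS):
            uri = ref.get("URI", "")
            if uri.startswith("#"):
                refs.add(uri[1:])
    # Look only at the real Envelope/Body and the header's own Timestamp, so an
    # element carrying a matching Id elsewhere in the document is not counted.
    body = root.find("soap:Body", NS)
    ts = security.find("wsu:Timestamp", NS) if security is not None else None

    def covered(el):
        return el is not None and el.get(WSU_ID) in refs

    return {"Timestamp": covered(ts), "Body": covered(body)}

def sample(sign_body):
    """Constructed envelope; digest and signature values are left out."""
    body_ref = '<ds:Reference URI="#Body-1"/>' if sign_body else ""
    return (
        '<soap:Envelope xmlns:soap="%(soap)s" xmlns:wsse="%(wsse)s" '
        'xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s"><soap:Header><wsse:Security>'
        '<wsu:Timestamp wsu:Id="Timestamp-1"><wsu:Created>2008-10-01T00:00:00Z'
        '</wsu:Created></wsu:Timestamp><ds:Signature><ds:SignedInfo>'
        '<ds:Reference URI="#Timestamp-1"/>' + body_ref +
        '</ds:SignedInfo></ds:Signature></wsse:Security></soap:Header>'
        '<soap:Body wsu:Id="Body-1"><echo>hi</echo></soap:Body></soap:Envelope>'
    ) % NS

if __name__ == "__main__":
    for label, signed in (("timestamp only", False), ("timestamp + body", True)):
        print(label, signature_coverage(sample(signed)))
```

Running such a check against requests captured in front of the service gives an independent view of which parts were signed, whatever the service itself accepted.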