Possible Security Hole
----------------------
Key: RAMPART-127
URL: https://issues.apache.org/jira/browse/RAMPART-127
Project: Rampart
Issue Type: Bug
Components: rampart-core
Affects Versions: 1.3
Reporter: Amila Chinthaka Suriarachchi
Priority: Critical
Let's take this scenario.
There is a service with an operation-level policy that requires the SOAP headers
to be signed, and security is engaged at the operation level. The operation has a
SOAPAction, and in the normal case clients are expected to send it, so at the
service level the operation is dispatched by SOAPAction before the security phase
and signature verification is done.
Now suppose an intruder sends a SOAP message that is neither signed nor carries a
SOAPAction. The operation is then not dispatched before the security phase, so
security verification is never performed, and a message that has no security
headers at all passes through.
The message is then dispatched by SOAP-body-based dispatching and finally reaches
the message receiver (MR).
So this is a security hole.
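The ordering problem described above, as an added illustration that is not Rampart or Axis2 code: a constructed model of a handler chain in which SOAPAction dispatch runs before the security phase and body-based dispatch runs after it. The policy table, operation name and the two mitigations (rejecting when the operation is still unknown, or running body-based dispatch before security) are assumptions made for the example.

```python
# Constructed model of an Axis2-style handler chain; not Rampart/Axis2 code.
# Phases, in order: SOAPAction dispatch -> security -> SOAP-body-based dispatch.

# Operation-level policy (constructed): this operation requires signed headers.
POLICY = {"placeOrder": {"sign_headers": True}}


class Message:
    def __init__(self, soap_action=None, body_op=None, signed=False):
        self.soap_action = soap_action  # value of the SOAPAction header, if any
        self.body_op = body_op          # operation named by the first body child
        self.signed = signed            # whether the headers carry a valid signature
        self.operation = None           # resolved by one of the dispatchers


def soap_action_dispatcher(msg):
    if msg.soap_action in POLICY:
        msg.operation = msg.soap_action


def body_based_dispatcher(msg):
    if msg.operation is None and msg.body_op in POLICY:
        msg.operation = msg.body_op


def security_handler(msg, fail_closed):
    """Enforce the operation's policy. Returns True if the message may continue."""
    if msg.operation is None:
        # No operation resolved yet, so no policy can be looked up. The lenient
        # behaviour (pass through) is the hole; fail-closed rejects instead.
        return not fail_closed
    if POLICY[msg.operation]["sign_headers"] and not msg.signed:
        return False
    return True


def process(msg, mitigation=None):
    """Run the chain; mitigation is None, 'fail_closed' or 'dispatch_first'."""
    soap_action_dispatcher(msg)
    if mitigation == "dispatch_first":
        body_based_dispatcher(msg)      # resolve the operation before security runs
    if not security_handler(msg, fail_closed=(mitigation == "fail_closed")):
        return "rejected"
    body_based_dispatcher(msg)          # late dispatch, after the security phase
    return "accepted" if msg.operation else "rejected"
```

With no mitigation, an unsigned message without a SOAPAction but with a recognisable body element is accepted; either mitigation rejects it, though fail-closed also rejects legitimately signed messages that omit the SOAPAction.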