[
https://issues.apache.org/jira/browse/RAMPART-127?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Ruchith Udayanga Fernando resolved RAMPART-127.
-----------------------------------------------
Resolution: Fixed
Fixed in revision 605516.
Added a handler at the end of the dispatch phase to check whether there is any
available policy and whether there's no security resutls.
> Possible Security Hole
> ----------------------
>
> Key: RAMPART-127
> URL: https://issues.apache.org/jira/browse/RAMPART-127
> Project: Rampart
> Issue Type: Bug
> Components: rampart-core
> Affects Versions: 1.3
> Reporter: Amila Chinthaka Suriarachchi
> Priority: Critical
>
> Lets take this senario.
> There is a service which has an operational policy to sign the soap headers
> and has engaged security at the operational level. There is a soap action to
> this operation and in normal case users supposed to send a soap action. so at
> the service level operation is dispatched using the soap action and signature
> verification is done.
> Lets say an intruder send a soap message without signing and without a
> soapaction. then the operation is not dispatched before the security phase
> and hence security verification is not being done. So the message which does
> not have any security headers passes through.
> then this will dispatch with soapBodyBased dispatching and finally it hits
> the MR.
> So this is a security hole.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
