[ 
https://issues.apache.org/jira/browse/RAMPART-127?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12553691
 ] 

Amila Chinthaka Suriarachchi commented on RAMPART-127:
------------------------------------------------------

Hi Ruchith,
Think about this scenario as well. 
Let's say we have a service and it has an operation.
The service has a security policy to encrypt the body and the operation has a 
security policy to sign the headers. So when we get the effective policy from 
the service it gives only the encrypt policy, and when getting the effective 
policy from the operation it gives both sign and encrypt.

As in the earlier case, the correct scenario is to send the SOAP action, and the 
headers are expected to be signed and the body is expected to be encrypted. Since 
there is a SOAP action, the operation has been dispatched when it comes to the 
security phase and everything works fine.

Let's say someone sends a message without signing and without a SOAP action. Here 
we have to note that anyone can encrypt the message since it requires the public 
key, and the possible problem for the intruders is to find the private key to 
sign. 
So he sends the message without signing.
When it comes to the security phase, it has only dispatched the service and hence 
only the encryption policy is applied and the message is decrypted correctly. Then 
the message is dispatched with body-based dispatching and hence the message would 
proceed to the MR.

Ruchith,
Is this scenario also covered by your fix?

When considering both these scenarios, what I can say is that putting the 
security phase before the dispatches is anyway risky.

Any thoughts?


> Possible Security Hole
> ----------------------
>
>                 Key: RAMPART-127
>                 URL: https://issues.apache.org/jira/browse/RAMPART-127
>             Project: Rampart
>          Issue Type: Bug
>          Components: rampart-core
>    Affects Versions: 1.3
>            Reporter: Amila Chinthaka Suriarachchi
>            Priority: Critical
>
> Let's take this scenario.
> There is a service which has an operational policy to sign the SOAP headers 
> and has engaged security at the operational level. There is a SOAP action for 
> this operation, and in the normal case users are supposed to send a SOAP action. 
> So at the service level the operation is dispatched using the SOAP action and 
> signature verification is done.
> Let's say an intruder sends a SOAP message without signing and without a 
> SOAP action. Then the operation is not dispatched before the security phase 
> and hence security verification is not done. So the message, which does 
> not have any security headers, passes through.
> Then this will be dispatched with soapBodyBased dispatching and finally it hits 
> the MR.
> So this is a security hole.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
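
Both scenarios, the one in the quoted report and the service-plus-operation policy case in the comment, as a toy model. It is an added illustration and not Axis2 or Rampart code. Every class, function and policy name is hypothetical, and `recheck_after_dispatch` is an assumed mitigation, not the fix discussed in the issue.

```python
# Toy model of the ordering problem in RAMPART-127. Every name here is
# hypothetical; this is not Axis2 or Rampart code.
from dataclasses import dataclass
from typing import Optional

SIGN, ENCRYPT = "sign-headers", "encrypt-body"

@dataclass(frozen=True)
class Message:
    soap_action: Optional[str]  # None models a request sent without a SOAP action
    body_element: str           # first child of the SOAP body
    protections: frozenset      # what the sender actually applied

@dataclass(frozen=True)
class Service:
    policy: frozenset   # service-level requirements
    op_policy: dict     # operation name -> additional requirements
    by_action: dict     # SOAP action -> operation name
    by_body: dict       # body element -> operation name

    def effective_policy(self, operation):
        """Service policy alone until an operation is known, then both merged."""
        return self.policy | self.op_policy.get(operation, frozenset())

def process(svc, msg, recheck_after_dispatch=False):
    """Return the operation whose receiver gets the message, or None if rejected."""
    operation = svc.by_action.get(msg.soap_action)   # action-based dispatch
    # Security phase: sees only what has been dispatched so far.
    if not svc.effective_policy(operation) <= msg.protections:
        return None
    if operation is None:                            # body-based dispatch
        operation = svc.by_body.get(msg.body_element)
    # Assumed mitigation: enforce the operation's policy once it is known.
    if recheck_after_dispatch and not svc.effective_policy(operation) <= msg.protections:
        return None
    return operation

def make_service(service_policy):
    # Constructed sample: one operation "op" that requires signed headers.
    return Service(frozenset(service_policy), {"op": frozenset({SIGN})},
                   {"urn:op": "op"}, {"opRequest": "op"})

ISSUE_CASE = make_service([])            # quoted report: operation policy only
COMMENT_CASE = make_service([ENCRYPT])   # comment: service encrypts, operation signs
UNSIGNED = Message(None, "opRequest", frozenset({ENCRYPT}))  # constructed request
```

With the default ordering, `process(COMMENT_CASE, UNSIGNED)` returns `"op"` even though the headers were never signed; with `recheck_after_dispatch=True` the same request is rejected.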
