Hello,

Together with my colleague I used WSS4J (1.5.1) in our latest project. Everything worked fine, but we found some very strange behaviour, and we have serious doubts whether WSS4J should really behave this way.
Here is the description of our scenario. We send requests using the UsernameToken authentication method. The namespace for the Security header is:

    <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">

So far it is OK, but when we set the following namespace for the UsernameToken:

    <wsse:UsernameToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">

ALL THE REQUESTS ARE ALLOWED, WITHOUT EVEN CALLING THE PASSWORD CALLBACK CLASS. The behaviour is the same when the namespace for the UsernameToken is not set at all. We expected that all requests that cannot be parsed correctly would be rejected, never allowed.

We checked the WSS4J code (1.5.1 and 1.5.2), and it looks like in the class WSSConfig the method getProcessor() returns null if the UsernameToken action doesn't use the proper namespace. Then the following information is logged:

    DEBUG org.apache.ws.security.WSSecurityEngine - Unknown Element: UsernameToken http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd

and the flow goes forward without checking the security credentials.

We also found the following code in the class org.apache.ws.security.handler.WSHandler:

    protected boolean checkReceiverResults(Vector wsResult, Vector actions) {
        int resultActions = wsResult.size();
        int size = actions.size();
        // if (size != resultActions) {
        //     throw new AxisFault(
        //         "WSDoAllReceiver: security processing failed (actions number mismatch)");
        // }
        int ai = 0;
        for (int i = 0; i < resultActions; i++) {
            int act = ((WSSecurityEngineResult) wsResult.get(i)).getAction();
            if (act == WSConstants.SC) {
                // SC results are not matched against the configured actions
                continue;
            }
            // each remaining result must match the next configured action, in order
            if (ai >= size || ((Integer) actions.get(ai++)).intValue() != act) {
                return false;
            }
        }
        return true;
    }

As you can see, there are a few lines commented out. If the comments were removed, we wouldn't have the problem I described above.
What was the purpose of commenting out this piece of code? Could you please take a look at this issue and give me your opinion on it.

Best regards,
Pawel Jozwik
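The following stand-alone Java program is an added example, not code from the original message or from WSS4J. It models the matching loop of checkReceiverResults with a plain list of action codes and shows the consequence of the missing count check: when the UsernameToken is not recognised, no result is produced for it, the result list is empty, the loop body never runs, and the method returns true. The lenient variant reproduces the behaviour of the posted method; the strict variant adds, after the loop, a check that every configured action was actually matched by a result. It counts matched actions after the loop rather than restoring the commented-out raw size comparison, because the loop skips SC results, so a raw comparison of list sizes would fail whenever such a result is present without a corresponding configured action. The action code values, the Result class and the method names are assumptions for the illustration, not WSS4J identifiers.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

/**
 * Model of WSHandler.checkReceiverResults (added example, not WSS4J code).
 * Action codes are illustrative placeholders, not the real WSConstants values.
 */
public class ReceiverResultCheck {

    static final int UT = 1;    // stands in for the UsernameToken action
    static final int SIGN = 2;  // stands in for the Signature action
    static final int SC = 3;    // stands in for WSConstants.SC, which the loop skips

    /** Stand-in for WSSecurityEngineResult: only the action code matters here. */
    static final class Result {
        private final int action;
        Result(int action) { this.action = action; }
        int getAction() { return action; }
    }

    /** Shared matching loop: walks the results and consumes configured actions in order. */
    private static int matchActions(List<Result> wsResult, List<Integer> actions) {
        int ai = 0;
        for (Result r : wsResult) {
            int act = r.getAction();
            if (act == SC) {
                continue;          // SC results are never matched against the configured list
            }
            if (ai >= actions.size() || actions.get(ai) != act) {
                return -1;         // unexpected or out-of-order result
            }
            ai++;
        }
        return ai;                 // number of configured actions that were matched
    }

    /** Behaviour of the posted method: only results that exist are checked. */
    static boolean checkLenient(List<Result> wsResult, List<Integer> actions) {
        return matchActions(wsResult, actions) >= 0;
    }

    /** Additionally requires that every configured action produced a result. */
    static boolean checkStrict(List<Result> wsResult, List<Integer> actions) {
        return matchActions(wsResult, actions) == actions.size();
    }

    public static void main(String[] args) {
        // Receiver configured to require a UsernameToken (constructed input).
        List<Integer> configured = Arrays.asList(UT);

        // Case 1: the token was in the correct namespace and was processed.
        List<Result> processed = Arrays.asList(new Result(UT));
        // Case 2: wrong or missing namespace: getProcessor() found nothing,
        // so no result was produced for the token at all.
        List<Result> skipped = Collections.emptyList();
        // Case 3: only an SC result is present; it must not stand in for the missing token.
        List<Result> onlySc = Arrays.asList(new Result(SC));

        expect(checkLenient(processed, configured), true,  "lenient accepts processed token");
        expect(checkLenient(skipped, configured),   true,  "lenient accepts request with no token result");
        expect(checkLenient(onlySc, configured),    true,  "lenient accepts SC-only result");
        expect(checkStrict(processed, configured),  true,  "strict accepts processed token");
        expect(checkStrict(skipped, configured),    false, "strict rejects request with no token result");
        expect(checkStrict(onlySc, configured),     false, "strict rejects SC-only result");
        expect(checkStrict(Arrays.asList(new Result(SIGN)), configured), false,
               "strict rejects a different action than configured");
        System.out.println("all cases behaved as expected");
    }

    private static void expect(boolean actual, boolean wanted, String what) {
        if (actual != wanted) {
            throw new IllegalStateException(what + ": got " + actual);
        }
        System.out.println(what + ": " + actual);
    }
}
```

Compile and run with `javac ReceiverResultCheck.java && java ReceiverResultCheck`. The second and third lenient cases are the situation described in the message: an unprocessed or unrecognised token leaves nothing in the result list, and a check that only inspects the results that do exist has nothing to reject.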
