Details
-
Bug
-
Status: Resolved
-
Critical
-
Resolution: Invalid
-
1.2
-
None
-
Axis2-1.2, Rampart-Head , apache tomcat 5.5.23,
Description
The "SignedSupportingTokens" assertion used in sample01 of Rampart , does not actually sign anything. Here is a sample SOAP request captured by TCPMon:
POST /axis2/services/sample01 HTTP/1.1
Content-Type: text/xml; charset=UTF-8
SOAPAction: "urn:echo"
User-Agent: Axis2
Host: localhost:8081
Transfer-Encoding: chunked
4fc
<?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1"><wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-7102288"><wsu:Created>2007-05-05T18:15:35.682Z</wsu:Created><wsu:Expires>2007-05-05T18:20:35.682Z</wsu:Expires></wsu:Timestamp>
<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-997377"><wsse:Username>alice</wsse:Username><wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">bobPW</wsse:Password></wsse:UsernameToken></wsse:Security><wsa:To>http://localhost:8081/axis2/services/sample01</wsa:To><wsa:MessageID>urn:uuid:4A2B5586F0788EE9B91178388935566</wsa:MessageID><wsa:Action>urn:echo</wsa:Action></soapenv:Header><soapenv:Body><ns1:echo xmlns:ns1="http://sample01.policy.samples.rampart.apache.org/xsd"><param0>Hello world</param0></ns1:echo></soapenv:Body></soapenv:Envelope>
0