Details
- Bug
- Status: Open
- Critical
- Resolution: Unresolved
- Java-SCA-1.4
- None
Description
Sample helloworld-ws-service-secure, web service /HelloWorldService. With correct SOAP all is fine, for example:
POST http://192.168.9.64:8085/HelloWorldService HTTP/1.1
Content-Type: text/xml;charset=UTF-8
SOAPAction: "urn:getGreetings"
User-Agent: Jakarta Commons-HttpClient/3.1
Host: 192.168.9.64:8085
Content-Length: 1017

<soapenv:Envelope xmlns:hel="http://helloworld" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken wsu:Id="UsernameToken-1186583" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:Username>TuscanyWsUser</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">TuscanyWsUserPasswd</wsse:Password>
<wsse:Nonce>0RkNrWgskQNCqGp1PMqwmw==</wsse:Nonce>
<wsu:Created>2009-03-27T13:00:24.548Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
<hel:getGreetings>
<hel:name>good security</hel:name>
</hel:getGreetings>
</soapenv:Body>
</soapenv:Envelope>
But with handwritten SOAP (below), Tuscany doesn't call ServerPWCBHandler but successfully calls getGreetings. How to prevent calling getGreetings without authentication?
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<SOAP-ENV:Header>
<ns1:Security xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<Username>SOA</Username>
<Password>SOA</Password>
</ns1:Security>
</SOAP-ENV:Header>
<SOAP-ENV:Body>
<ns0:getGreetings xmlns:ns0="http://helloworld">
<ns0:name>bad security</ns0:name>
</ns0:getGreetings>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
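
One way to fail closed on the second request, as an added example (not part of the report and not Tuscany code): a JDK-only structural check that a request carries exactly one `wsse:Security/wsse:UsernameToken` with namespaced `Username` and `Password` children before it is dispatched. The class `UsernameTokenGate` and its methods are hypothetical names, and the sample headers are constructed from the two requests above.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.xml.sax.InputSource;

// Added example, not Tuscany code: fail-closed structural check for a WS-Security UsernameToken.
public class UsernameTokenGate {
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String[][] PATH = {{SOAP, "Envelope"}, {SOAP, "Header"}, {WSSE, "Security"}, {WSSE, "UsernameToken"}};

    // Returns the single direct child element {ns}name of parent; null if missing or repeated.
    static Element onlyChild(Node parent, String ns, String name) {
        Element found = null;
        for (Node n = parent.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n instanceof Element && ns.equals(n.getNamespaceURI()) && name.equals(n.getLocalName())) {
                if (found != null) return null; // ambiguous duplicate: reject
                found = (Element) n;
            }
        }
        return found;
    }

    // True only if every PATH element exists with non-empty wsse:Username and wsse:Password.
    static boolean hasUsernameToken(String xml) {
        try {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            f.setNamespaceAware(true);
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, no XXE
            Node el = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
            for (String[] step : PATH)
                if ((el = onlyChild(el, step[0], step[1])) == null) return false;
            Element user = onlyChild(el, WSSE, "Username"), pass = onlyChild(el, WSSE, "Password");
            return user != null && pass != null
                && !user.getTextContent().trim().isEmpty() && !pass.getTextContent().isEmpty();
        } catch (Exception e) { return false; } // unparsable input counts as unauthenticated
    }

    public static void main(String[] args) {
        // Constructed Security headers, abbreviated from the two requests in the report.
        String ok = "<w:Security xmlns:w='" + WSSE + "'><w:UsernameToken><w:Username>TuscanyWsUser"
            + "</w:Username><w:Password>placeholder</w:Password></w:UsernameToken></w:Security>";
        String bad = "<n:Security xmlns:n='" + WSSE + "'><Username>SOA</Username><Password>SOA</Password></n:Security>";
        for (String h : new String[] {ok, bad, ""})
            System.out.println(hasUsernameToken(
                "<e:Envelope xmlns:e='" + SOAP + "'><e:Header>" + h + "</e:Header><e:Body/></e:Envelope>"));
    }
}
```

The check only establishes that a token is present and well-formed; a request that passes still needs its credentials verified by the password callback handler, and one that fails should be rejected before the service operation runs.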