File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
http://aspose.com/file-tools
The moose likes Web Services and the fly likes doubt in web service security Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Android Security Essentials Live Lessons this week in the Android forum!
JavaRanch » Java Forums » Java » Web Services
Bookmark "doubt in web service security" Watch "doubt in web service security" New topic
Author

doubt in web service security

gaurav abbi
Ranch Hand

Joined: Jan 05, 2007
Posts: 108
Hi all,
I�ve a doubt regarding web services security. If I configure a web service to expect a security header(basically signed, encrypted soap message) and the soap message that is sent to the web service is not having any encryption or signature as expected by web service, should the web service process that soap message or flag a soap fault saying the message is not secured as expected.
In case of axis, it processes the soap message without caring for security header part of soap message although it is configured for security settings.
Is it a proper behavior or not?


thanks,<br />gaurav abbi
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41124
    
  45
It's not the correct behavior. If Axis is properly configured to expect a signed or encrypted message, then it should not process a message that is not secured in that way.

What version of Axis are you using (Axis 1 and Axis 2 are configured differently with regards to WS-Security)?

Are proper WS-Security headers being sent? What do they look like?


Ping & DNS - my free Android networking tools app
gaurav abbi
Ranch Hand

Joined: Jan 05, 2007
Posts: 108
hi ulf,
i'm using axis 1.4, and headers are properly sent, my question is if axis is expecting security header and no security header is present should if fail or not(not failing in my case)and in case security header is present but not proper like certificate is wrong or some other fault, it fails, which is fine.
gaurav abbi
Ranch Hand

Joined: Jan 05, 2007
Posts: 108
hi,
this is my configuration for handling security header my axis client get as a part of soap response


here as you can see its is expecting the response to be encrypted, signed and having a username token,
but if i send the following response not containing any of the expected security stuff inside security header(blank security header), it works fine
thts my concern, is this behavior fine ?

 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: doubt in web service security
 
Similar Threads
This weeks book giveaway
Doubt
Doubt about SOAP HEADER
SOAP intermediaries
Help regarding web service security