This week's book giveaway is in the Other Languages forum.
We're giving away four copies of Rust Web Development and have Bastian Gruber on-line!
See this thread for details.
Win a copy of Rust Web Development this week in the Other Languages forum!
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Tim Cooke
  • Campbell Ritchie
  • Ron McLeod
  • Liutauras Vilda
  • Jeanne Boyarsky
Sheriffs:
  • Junilu Lacar
  • Rob Spoor
  • Paul Clapham
Saloon Keepers:
  • Tim Holloway
  • Tim Moores
  • Jesse Silverman
  • Stephan van Hulst
  • Carey Brown
Bartenders:
  • Al Hobbs
  • Piet Souris
  • Frits Walraven

doubt in web service security

 
Ranch Hand
Posts: 108
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi all,
I�ve a doubt regarding web services security. If I configure a web service to expect a security header(basically signed, encrypted soap message) and the soap message that is sent to the web service is not having any encryption or signature as expected by web service, should the web service process that soap message or flag a soap fault saying the message is not secured as expected.
In case of axis, it processes the soap message without caring for security header part of soap message although it is configured for security settings.
Is it a proper behavior or not?
 
Rancher
Posts: 43027
76
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
It's not the correct behavior. If Axis is properly configured to expect a signed or encrypted message, then it should not process a message that is not secured in that way.

What version of Axis are you using (Axis 1 and Axis 2 are configured differently with regards to WS-Security)?

Are proper WS-Security headers being sent? What do they look like?
 
gaurav abbi
Ranch Hand
Posts: 108
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
hi ulf,
i'm using axis 1.4, and headers are properly sent, my question is if axis is expecting security header and no security header is present should if fail or not(not failing in my case)and in case security header is present but not proper like certificate is wrong or some other fault, it fails, which is fine.
 
gaurav abbi
Ranch Hand
Posts: 108
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
hi,
this is my configuration for handling security header my axis client get as a part of soap response


here as you can see its is expecting the response to be encrypted, signed and having a username token,
but if i send the following response not containing any of the expected security stuff inside security header(blank security header), it works fine
thts my concern, is this behavior fine ?

 
You showed up just in time for the waffles! And this tiny ad:
Building a Better World in your Backyard by Paul Wheaton and Shawn Klassen-Koop
https://coderanch.com/wiki/718759/books/Building-World-Backyard-Paul-Wheaton
reply
    Bookmark Topic Watch Topic
  • New Topic