Here is a snippet of my services.xml file:

<serviceGroup>
  <service name="nosecurity">
    ... no security set up
  </service>
  <service name="UT">
    ... same service as nosecurity except it has UsernameToken security
    <module ref="rampart" />
    <parameter name="InflowSecurity">
      <action>
        <items>UsernameToken</items>
        <passwordCallbackClass>my.PWCallback</passwordCallbackClass>
        <signaturePropFile>crypto.properties</signaturePropFile>
      </action>
    </parameter>
  </service>
  <service name="UTS">
    ... same service as nosecurity except it has UsernameToken and Signature security enabled.
    <module ref="rampart" />
    <parameter name="InflowSecurity">
      <action>
        <items>UsernameToken Signature</items>
        <passwordCallbackClass>my.PWCallback</passwordCallbackClass>
        <signaturePropFile>crypto.properties</signaturePropFile>
      </action>
    </parameter>
  </service>
</serviceGroup>

"nosecurity" and "UT" work as they should.  But the "UTS" service allows the
client to send the UsernameToken without the Signature and Rampart accepts
it, thus bypassing the Signature.  If I send both UsernameToken and the
Signature it also accepts it.  If I send both with a bad signature it
rejects the request.

I tested this with an axis1 webservice and found that the "UTS" service
acted as it should, rejecting the request when only the UsernameToken is
sent.

Why is it accepting UsernameToken without the Signature?  What do I need to
do so that the Signature is required?

Thanks,

Chad
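Added example (not code from the poster or from the Rampart project): an Axis2 handler that acts as a belt-and-braces check behind the "UTS" configuration above, rejecting any request for which Rampart/WSS4J did not record both a UsernameToken result and a verified Signature result. It assumes WSS4J 1.5-era APIs (WSHandlerConstants.RECV_RESULTS holding a Vector of WSHandlerResult, WSSecurityUtil.fetchActionResult) and that the handler is deployed in a phase that runs after Rampart's security phase; the class name RequireSignatureHandler is hypothetical. It does not explain why Rampart accepts the token-only message; it only closes the gap at the service boundary.

```java
// Added example, not from the original post. Assumes WSS4J 1.5-era result
// APIs and an Axis2 phase ordered after Rampart's; class name is hypothetical.
package my;

import java.util.Vector;

import org.apache.axis2.AxisFault;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.handlers.AbstractHandler;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;
import org.apache.ws.security.util.WSSecurityUtil;

public class RequireSignatureHandler extends AbstractHandler {

    public InvocationResponse invoke(MessageContext msgCtx) throws AxisFault {
        // Rampart stores the inbound WS-Security processing results here:
        // a Vector of WSHandlerResult, one per processed wsse:Security header.
        Object o = msgCtx.getProperty(WSHandlerConstants.RECV_RESULTS);
        if (!(o instanceof Vector)) {
            // No results at all means Rampart never ran on this message.
            throw new AxisFault("No WS-Security results: message was not processed by Rampart");
        }
        Vector handlerResults = (Vector) o;

        boolean sawUsernameToken = false;
        boolean sawSignature = false;
        for (int i = 0; i < handlerResults.size(); i++) {
            WSHandlerResult hr = (WSHandlerResult) handlerResults.get(i);
            Vector results = hr.getResults();
            // fetchActionResult returns null when no result of that action exists.
            if (WSSecurityUtil.fetchActionResult(results, WSConstants.UT) != null) {
                sawUsernameToken = true;
            }
            // A SIGN result is only recorded after WSS4J verified the signature,
            // so its presence means "a valid signature was found", not merely
            // "a Signature element was present".
            if (WSSecurityUtil.fetchActionResult(results, WSConstants.SIGN) != null) {
                sawSignature = true;
            }
        }

        if (!sawUsernameToken || !sawSignature) {
            throw new AxisFault("Request rejected: UsernameToken and Signature are both required");
        }
        return InvocationResponse.CONTINUE;
    }
}
```

The handler has to be registered (for example from a small module's module.xml) in an InFlow phase that Axis2 orders after the phase Rampart runs in, otherwise RECV_RESULTS is not yet populated when it executes. Note that this check only confirms that some valid signature was present; whether that signature actually covers the SOAP Body is a separate question, and a production deployment should also confirm the signed parts rather than just the presence of a SIGN result.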
