Daniel Bevenius closed JBESB-2000.
----------------------------------
Resolution: Done
Committed to JBESB_4_4_GA_CP with revision 22537.
Updated readme.txt and modified the soap message.
Service secured by certificate allows processing of non-secured message
-----------------------------------------------------------------------
Key: JBESB-2000
URL: https://jira.jboss.org/jira/browse/JBESB-2000
Project: JBoss ESB
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Rosetta, Security, Web Services
Affects Versions: 4.4
Reporter: Jiri Pechanec
Assignee: Daniel Bevenius
Priority: Critical
Fix For: 4.4 CP1
I took the webservice_producer_secure test and removed the binary token from the message to be delivered:
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:good="http://webservice_producer/goodbyeworld">
<soapenv:Body>
<good:sayGoodbye>
<message>Goodbye!!</message>
</good:sayGoodbye>
</soapenv:Body>
</soapenv:Envelope>
I sent the message and I received the following log output:
2008-09-08 15:57:47,404 INFO [STDOUT] Subject : Subject:
Principal: CN=Daniel Bevenius, OU=JBoss, O=Red Hat, L=Stockholm, ST=Stockholm,
C=SE
Principal: [groupName=Roles, members=[[roleName=adminRole]]]
Public Credential:
X.509 Cert Path: length = 1.
[
=========================================================Certificate 1 start.
[
[
Version: V1
Subject: CN=Daniel Bevenius, OU=JBoss, O=Red Hat, L=Stockholm, ST=Stockholm, C=SE
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: Sun RSA public key, 1024 bits
modulus:
96394299007685713994561177305073714490667979701493101401287029609141406861260879512426765285612012165595912063457551494088923115022429026678765488144518428272539742307006497380494458284715504722740091896431880919504876830696069111637705579321597763064103918824087523754146266813912176353706311845945277748163
public exponent: 65537
Validity: [From: Wed Aug 13 15:25:44 CEST 2008,
To: Sat Dec 29 14:25:44 CET 2035]
Issuer: CN=Daniel Bevenius, OU=JBoss, O=Red Hat, L=Stockholm, ST=Stockholm, C=SE
SerialNumber: [ 48a2e0d8]
]
Algorithm: [MD5withRSA]
Signature:
]
=========================================================Certificate 1 end.
]
Private Credential: javax.security.auth.x500.X500PrivateCredential@137c653
2008-09-08 15:57:47,429 INFO [STDOUT] **** SOAPRequest perhaps mediated by ESB:
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:good="http://webservice_producer/goodbyeworld">
<soapenv:Body>
<good:sayGoodbye>
<message>Goodbye!!</message>
</good:sayGoodbye>
</soapenv:Body>
</soapenv:Envelope>
2008-09-08 15:57:47,429 INFO [STDOUT] Web Service Parameter - message=Goodbye!!
I expect that the message should be rejected because it is not authenticated.
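
The rejection the reporter expects can be pinned down as a fail-closed presence check and used as a regression test. This is an added example, not JBoss ESB code and not part of the original report; it assumes the removed token was a wsse:BinarySecurityToken in the OASIS WS-Security 1.0 namespace under soapenv:Header, and the class and method names are hypothetical.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.xml.sax.InputSource;

public class RequireBinaryToken {
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    // Assumption: OASIS WS-Security 1.0 namespace; the report does not show the removed token.
    static final String WSSE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    /** True only if Envelope/Header/wsse:Security holds a non-empty BinarySecurityToken. */
    static boolean hasBinaryToken(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Refuse DTDs so the check itself cannot be abused for entity expansion.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Element root = f.newDocumentBuilder()
            .parse(new InputSource(new StringReader(xml))).getDocumentElement();
        if (!SOAP.equals(root.getNamespaceURI()) || !"Envelope".equals(root.getLocalName())) return false;
        Element token = child(child(child(root, SOAP, "Header"), WSSE, "Security"),
            WSSE, "BinarySecurityToken");
        return token != null && !token.getTextContent().trim().isEmpty();
    }

    // Direct children only: a token-shaped element placed inside the Body does not count.
    static Element child(Element parent, String ns, String local) {
        if (parent == null) return null;
        for (Node n = parent.getFirstChild(); n != null; n = n.getNextSibling()) {
            boolean match = ns.equals(n.getNamespaceURI()) && local.equals(n.getLocalName());
            if (n instanceof Element && match) return (Element) n;
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        String open = "<soapenv:Envelope xmlns:soapenv=\"" + SOAP
            + "\" xmlns:good=\"http://webservice_producer/goodbyeworld\">";
        String body = "<soapenv:Body><good:sayGoodbye><message>Goodbye!!</message>"
            + "</good:sayGoodbye></soapenv:Body></soapenv:Envelope>";
        // Constructed sample: the placeholder value is not a real certificate.
        String header = "<soapenv:Header><wsse:Security xmlns:wsse=\"" + WSSE
            + "\"><wsse:BinarySecurityToken>UExBQ0VIT0xERVI=</wsse:BinarySecurityToken>"
            + "</wsse:Security></soapenv:Header>";
        System.out.println("report's message accepted: " + hasBinaryToken(open + body));
        System.out.println("with token accepted: " + hasBinaryToken(open + header + body));
    }
}
```

Presence of the token is only a precondition: the certificate it carries still has to be validated before the request is treated as authenticated.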
--
This message is automatically generated by JIRA.