2178 2004-10-28 01:04 Any SOAP headers used for dispatching need to be secured 2005-06-02 14:04:10 1 1 1 Unclassified Java WS Security Authentication development PC Linux RESOLVED FIXED P3 blocker 4.0.1 1 meder@mcs.anl.gov bester@mcs.anl.gov gawor@mcs.anl.gov meder@mcs.anl.gov mlorch@vt.edu ranantha@mcs.anl.gov slang@mcs.anl.gov smartin@mcs.anl.gov meder@mcs.anl.gov 2004-10-28 01:04:36 The current security solution does not secure any of the SOAP headers used for dispatching to the right service/operation/resource. This opens the way for a third party intercepting the message and maliciously redirecting it to a different endpoint. ranantha@mcs.anl.gov 2004-11-04 17:04:58 Code to sign headers used for dispatch has been committed to trunk. gawor@mcs.anl.gov 2004-11-04 17:51:12 The addressing specification defines which headers should be signed. And also the signing of headers needs to happen on both sides and replies can be redirected to another place. ranantha@mcs.anl.gov 2004-11-04 23:24:20 All headers specified in "secureHeaders" message property are signed now in the case of both request and response. The feature has been added only for secure message authentication. Once rework of secure conversation is completed, signing of headers needs to added for this mechanism ranantha@mcs.anl.gov 2004-11-15 12:04:53 Dispatch headers are now secured in the case of secure conversation also. Moreover, framework to enforce that headers used in dispatch are secured has been added. A message context property with list of headers used in dispatch needs to be populated - Jarek is working on that. gawor@mcs.anl.gov 2004-11-15 15:52:46 I updated the AddressingHandler to pass the list of headers to be verified if specified. That includes the To, ReplyTo, and FaultTo headers. It does not however include the header that contains the key since this handler doesn't know which header it is. I guess we still need a way of passing the key header to that list of headers to be verified. slang@mcs.anl.gov 2004-11-15 18:13:48 This also needs to be done on the C side, so please reassign to me before closing. ranantha@mcs.anl.gov 2004-11-17 12:15:09 Added resource key header to the list of headers that need to be secured. slang@mcs.anl.gov 2004-12-16 11:45:31 *** Bug 2408 has been marked as a duplicate of this bug. *** bester@mcs.anl.gov 2005-06-02 14:04:10 The C WS-Secure Message handler has been committed to the gt 4.0 trunk. This handler adds the appropriate security attributes and headers to secure the addressing headers.