This Bugzilla instance is a read-only archive of historic NetBeans bug reports. To report a bug in NetBeans please follow the project's instructions for reporting issues.

Bug 101557 - Verification of unsigned response is passed
Summary: Verification of unsigned response is passed
Alias: None
Product: serverplugins
Classification: Unclassified
Component: Identity
Version: 6.x
Hardware: PC Windows XP
Importance: P2 blocker
Assignee: Peter Liu
Keywords: RELNOTE
Depends on:
Reported: 2007-04-18 13:01 UTC by Andrey Yamkovoy
Modified: 2007-06-22 22:41 UTC

See Also:
Issue Type: DEFECT
Exception Reporter:


Description Andrey Yamkovoy 2007-04-18 13:01:12 UTC
Response is not verified, regardless of whether the "Verify response" checkbox
is enabled or disabled for WSC.

Steps to reproduce:
- Create 2 Web Application projects.
- Create WS in 1st application and enable message level security for this WS (for
example, set X509Token).
- Deploy 1st Web Application.
- Create WSC and servlet in 2nd Web Application.
- Add code to servlet to invoke WS from 1st Web App.
- Enable message level security for WSC and set the same security token as for
WS. Enable "verify response" option.
- Edit profile which you use for WS and WSC and disable option "Sign Response".
- Deploy the 2nd Web App and run servlet.
- Notice that servlet passed without exception.
- In AS log we can see that response was not signed and verification passed!
Comment 1 Srividhya Narayanan 2007-04-18 17:26:13 UTC
This is an issue with AM runtime. Pls create an issue on AM in bugtrak
Comment 2 Peter Liu 2007-04-20 17:36:14 UTC
Here is the corresponding bug in bugtraq:
Comment 3 astashkova 2007-04-27 12:47:15 UTC
Added to NB IDE 6.0 Preview RNs as follows:

Issue 101557: Access Manager always signs up a response.
Comment 4 Bob May 2007-05-02 00:05:23 UTC
RN Summary: The Web Service Client's "verify response" configuration doesn't
have any effect.

The web service client is expected to reject the response from the provider if
the client is configured to verify the signature and the provider doesn't send
one. But irrespective of the "verify response" setting on the client side, it
always accepts the message from the provider.
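
The expected behaviour described in Comment 4, as an added example that is not part of the bug report or of Access Manager's code: a client-side check that treats a missing signature as a rejection when verification is enabled, shown beside a fail-open variant that reproduces the reported symptom. Assumptions: `accept_fail_open` is a hypothetical pattern (the report does not state the actual cause in AM), `validate` is a stand-in for real XML Signature validation, and all function names and sample envelopes are constructed.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
DS = "http://www.w3.org/2000/09/xmldsig#"
SIG_PATH = f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{DS}}}Signature"


class ResponseRejected(Exception):
    """Raised when a response fails the client's verification policy."""


def accept_fail_open(envelope_xml, verify_response, validate):
    # Hypothetical flawed pattern: validation runs only if a signature exists,
    # so an unsigned response is accepted even with verify_response=True.
    sig = ET.fromstring(envelope_xml).find(SIG_PATH)
    if verify_response and sig is not None and not validate(sig):
        raise ResponseRejected("signature did not validate")
    return True


def accept_fail_closed(envelope_xml, verify_response, validate):
    # Expected behaviour: with verification on, a missing signature is a
    # rejection, not a skipped check.
    if not verify_response:
        return True
    sig = ET.fromstring(envelope_xml).find(SIG_PATH)
    if sig is None:
        raise ResponseRejected("verification enabled, response is unsigned")
    if not validate(sig):
        raise ResponseRejected("signature did not validate")
    return True


def envelope(signed):
    # Constructed sample responses; the Signature element is an empty stand-in.
    sig = f'<ds:Signature xmlns:ds="{DS}"/>' if signed else ""
    return (f'<s:Envelope xmlns:s="{SOAP}"><s:Header>'
            f'<wsse:Security xmlns:wsse="{WSSE}">{sig}</wsse:Security>'
            f'</s:Header><s:Body><ok/></s:Body></s:Envelope>')


def is_rejected(check, env, verify_response, validate=lambda sig: True):
    # Helper for regression tests: True if the policy check refused the response.
    try:
        check(env, verify_response, validate)
        return False
    except ResponseRejected:
        return True
```

A regression test for this bug should assert the unsigned-response case explicitly, since tests that only send signed responses pass against both variants.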
Comment 5 Peter Liu 2007-06-21 02:58:36 UTC
This issue should be fixed in the latest AM bits. We just need to verify it.

Comment 6 Peter Liu 2007-06-22 22:41:15 UTC
This issue is fixed in the latest AM bits in SDK b18.