This Bugzilla instance is a read-only archive of historic NetBeans bug reports. To report a bug in NetBeans please follow the project's instructions for reporting issues.
As far as I understand, the 'Anonymous' security profile was added to allow a WSP to be accessed by both secured and unsecured WSCs. In this case it should be possible to enable message level security for WS with this profile and not possible for WSC. Now it's quite the contrary. So, with the current implementation, this profile cannot be used at all.
Will address this for beta1.
Here is an email discussion I had with the AM team with regard to the Anonymous profile:

Peter Liu wrote:
> Hi Malla,
>
> Thanks for the response. So what you are saying is the wsp configured with Anonymous profile will have to handle the security
> header itself and indicate that it understood the header. In other words, the MustUnderstand header exception I
> am seeing is the expected behaviour since my wsp is not handling the security header. Am I right?

That's correct.

>
> One more thing, does it make sense to configure the WSC to use the Anonymous profile?

Well, ideally it really doesn't make sense at WSC; however, that could be just for testing things out with no security but with security providers configured :-)

thanks
Malla

>
>
> Thanks.
>
> Peter
>
> Malla Simhachalam wrote:
>> Peter Liu wrote:
>>> Hi Malla, Mrudul,
>>>
>>> Could you please explain the usage and purpose of the Anonymous profile? If the wsp is set to use the Anonymous profile, does the wsc also have to be set to
>>> use Anonymous profile?
>>
>> When a WSP is configured for only "Anonymous profile", then it would just return the SOAPMessage from the WSC to application. The usage of this profile configuration at WSP is only that if the application wants to process for the security/read the security headers for whatever reason and the application would have to say it understood these headers. However, the anonymous profile at WSP could be one of the several supported security mechanisms, so this would allow not only anonymous authentications but also any supported security profiles. Stripping of the headers would be done only if it understands these security headers and configured for the corresponding profiles.
>>
>> thanks
>> Malla
>>
>>> So far, this is the only scenario where I can
>>> get this profile to work. If I use any other profile on the wsc, I get the following
>>> exception:
>>>
>>> javax.xml.ws.soap.SOAPFaultException: MustUnderstand headers:[{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security] are not understood
>>>
>>> Looking at the log, it appears that the wsp is simply letting the secured request message
>>> through without stripping the security headers. This causes the MustUnderstand header
>>> fault.
>>>
>>> Peter
>>>

So, in short, the purpose of the Anonymous profile is to allow the application to process the security header for whatever reason. In order for this profile to work, the wsp has to register a handler and handle the security header itself. Otherwise, you'll get a MustUnderstandHeader fault.

As for whether to allow the Anonymous profile on the wsc, since it is a lot of work to try to filter out this profile for the wsc and it doesn't hurt to have this profile for wsc, I am going to leave things the way they are. I am closing this issue as wontfix.
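As an added example (not code from this thread, NetBeans or Access Manager): a JAX-WS handler a WSP could register so that the `wsse:Security` header is declared understood and handed to the application, as the closing comment describes. The class name and the context property name are hypothetical; the header QName is the one in the quoted fault.

```java
import java.util.Collections;
import java.util.Iterator;
import java.util.Set;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPElement;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPHeader;
import javax.xml.ws.WebServiceException;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;

public class SecurityHeaderHandler implements SOAPHandler<SOAPMessageContext> {
    // QName of the header named in the MustUnderstand fault.
    static final QName WSSE_SECURITY = new QName(
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
        "Security");
    // Hypothetical property name the endpoint reads the header from.
    static final String HEADER_PROP = "example.wsse.security.header";

    @Override
    public Set<QName> getHeaders() {
        // Declares wsse:Security as understood, so the runtime's
        // mustUnderstand check no longer rejects a secured request.
        return Collections.singleton(WSSE_SECURITY);
    }

    @Override
    public boolean handleMessage(SOAPMessageContext ctx) {
        Boolean outbound = (Boolean) ctx.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY);
        if (Boolean.TRUE.equals(outbound)) return true; // only inspect requests
        try {
            SOAPHeader header = ctx.getMessage().getSOAPHeader();
            if (header == null) return true; // unsecured WSC: nothing to hand over
            Iterator<?> it = header.getChildElements(WSSE_SECURITY);
            if (it.hasNext()) {
                // No verification happens here; the application owns that step.
                ctx.put(HEADER_PROP, (SOAPElement) it.next());
                ctx.setScope(HEADER_PROP, MessageContext.Scope.APPLICATION);
            }
        } catch (SOAPException e) {
            throw new WebServiceException(e);
        }
        return true;
    }

    @Override public boolean handleFault(SOAPMessageContext ctx) { return true; }
    @Override public void close(MessageContext ctx) { }
}
```

Declaring the header understood only suppresses the MustUnderstand fault. Any token or signature checks the service depends on have to be performed by the code that reads the property, since nothing in this handler validates the header.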