Disabling WS-Security for IN or OUT messages in Axis2

This is another blog post on WS-Security with Apache Rampart.  Usually, when we are securing a web service with WS-Security, both web service request and response messages are secured. But there are scenarios where you want to configured WS-Security only for web service request or either service response messages.  Say, you may providing some secret data to web server, but web server responses just saying “yes” or “no”.  Here you do not want to worry on securing response message.  So like that,  there are several use cases with this. 

Lets see how we can configure this with Apache Rampart; security module of Axis2 

There are two approaches for this. 

Approach 1 : Apache Rampart is an axis2 module where it encapsulates several axis2 handlers.  Configuration file called “module.xml” can be used for configuring this module. If we want to remove security processing for response messages,  we can just remove the defined axis2 handlers from the OutFlow selection. 

But there is a drawback with this.  If we remove axis2 handlers from the OutFlow selection,  Then this would effect for all the services that are deployed in the axis2 engine. Therefore,  there are must be a way to configure this in service level. 

Approach 2 :  As suggest in here,  We can write a new simple module (say “NoSecurity” module) and plug it with axis2 handler chain where this module can ask to skip the rampart module (handlers).  Therefore we can engage “NoSecurity” module only for desired services 

However it is not easy to write a module to skip rampart. Therefore i have used the concept of IN and OUT policies in Rampart. Here we are configuring OUT policy that has no security assertion  to skip the security processing. 

“NoSecurity” Project contains  handler called “NoSecurityHandler” that inject the IN or OUT policy to rampart.  This handler must be placed in the “NoSecurity” phase of axis2 message flows.  Handler has been enclosed with the “NoSecyrityModule” module.

Let see how we can configure this module in a practical use case.  

User case 1

WSO2AS as our web service engine and let try to apply this module for echo service that has been hosted there. 

Step1.  Please do desired changes in to the module and build it with maven.  You would find the .mar module in target directory

Step2. Copy .mar module in to   /repository/deployment/server/axis2modules  directory. 

Step3. Configure new  “NoSecurity” phase in axis2.xml file which can be found at /repository/conf/axis2 directory.

Here you can select the desired flow.   i.e.  InFlow, OutFlow InFaultFlow and OutFaultFlow.  Here i am configuring it OutFlow  before the “Security” Phase. 

Step4. Restart the server

Step5  Login to management console of Carbon Server and Go to Service dashboard page of echo service 

Step6. Go to module configuration and select your “NoSecurity” module to engage.

Step7. Now you are done, you can engage and disengage this module for each services using Carbon management console.

User case 2

WSO2 ESB as proxy service engine for your message meditation.  Here we are going to engage this module to disable the security check of incoming message from BE service.  Therefore it is little bit different on writing the module.  Because WSO2 ESB deals with two InFlows  i.e   Messages coming to proxy service and Response messages from BE service.

If we want to only enable this module for messages coming from BE services. We can have a simple check  of a property called “synapse.send”



Please find the module project for this for here.   Configuration steps would be same as in WSO2AS, only thing is,  we need to select the correct axis2 phase.

Discuss this article on Stack Overflow


    1. You need to configure the new phase called “NoSecurity” in the “inflow” of the ESB. This “NoSecurity” phase must be before the “Security” phase of the “inflow”

Leave a Reply

Your email address will not be published. Required fields are marked *