Rampart: RAMPART-281

Axis2/Java client throws exception with mustUnderstand=1


Details

    Type: Bug
    Status: Resolved
    Priority: Major
    Resolution: Duplicate
    Affects Version: 1.4
    Environment: Server: Linux, Axis2/C
                 Client: Windows, Axis2/Java

    Description

      We have implemented our service with the following security policy:

      <wsp:Policy wsu:Id="SyncPolicy"
          xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
          xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">

        <wsp:ExactlyOne>
          <wsp:All>

            <sp:TransportBinding>
              <wsp:Policy>

                <sp:TransportToken>
                  <wsp:Policy>
                    <sp:HttpsToken/>
                  </wsp:Policy>
                </sp:TransportToken>

                <sp:AlgorithmSuite>
                  <wsp:Policy>
                    <sp:Basic256/>
                  </wsp:Policy>
                </sp:AlgorithmSuite>

                <sp:Layout>
                  <wsp:Policy>
                    <sp:Lax/>
                  </wsp:Policy>
                </sp:Layout>

              </wsp:Policy>
            </sp:TransportBinding>

            <sp:SignedSupportingTokens>
              <wsp:Policy>
                <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                  <wsp:Policy>
                    <sp:WssUsernameToken10/>
                  </wsp:Policy>
                </sp:UsernameToken>
              </wsp:Policy>
            </sp:SignedSupportingTokens>

          </wsp:All>
        </wsp:ExactlyOne>
      </wsp:Policy>

      On the client, we are able to use Rampart to send out the correct security headers as expected by the server:

      <soapenv:Header>
        <wsse:Security xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' soapenv:mustUnderstand='1'>
          <wsse:UsernameToken xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd' wsu:Id='UsernameToken-12864392'>
            <wsse:Username>admin</wsse:Username>
            <wsse:Password Type='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText'>admin</wsse:Password>
          </wsse:UsernameToken>
        </wsse:Security>
      </soapenv:Header>

      However, in the response, the server sends back a blank security header:

      <soapenv:Header>
        <wsse:Security xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' soapenv:mustUnderstand='1'></wsse:Security>
      </soapenv:Header>

      When the client receives this blank security header, it throws the following exception:

      Must Understand check failed for header http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd : Security

      Is the blank security header required/allowed in the response according to the WS-Security specification? If so, the Rampart implementation on the client needs to be changed to be able to accept this header. If the blank header is not allowed, the server needs to be changed to not send it.

      Note: we came up with the following workaround on the client:

      import java.util.Iterator;
      import javax.xml.namespace.QName;

      import org.apache.axiom.soap.RolePlayer;
      import org.apache.axiom.soap.SOAPHeaderBlock;
      import org.apache.axis2.AxisFault;
      import org.apache.axis2.context.ConfigurationContext;
      import org.apache.axis2.context.ConfigurationContextFactory;
      import org.apache.axis2.context.MessageContext;
      import org.apache.axis2.engine.AxisConfiguration;
      import org.apache.axis2.engine.Phase;
      import org.apache.axis2.handlers.AbstractHandler;

      // ...
      ConfigurationContext configurationContext =
          ConfigurationContextFactory.createConfigurationContextFromFileSystem(
              "C:\\Program Files\\axis2-1.5.1\\repository", null);
      AxisConfiguration ac = configurationContext.getAxisConfiguration();
      // Register the handler in the first in-flow phase so it runs before the mustUnderstand check
      ((Phase) ac.getInFlowPhases().get(0)).addHandler(new BasicCreate.SecurityHandler());
      // ...

      public static class SecurityHandler extends AbstractHandler
      {
          @Override
          public InvocationResponse invoke(MessageContext msgContext) throws AxisFault
          {
              org.apache.axiom.soap.SOAPEnvelope envelope = msgContext.getEnvelope();

              if (envelope.getHeader() == null)
              {
                  return InvocationResponse.CONTINUE;
              }

              // Get all the headers targeted to us
              Iterator headerBlocks = envelope.getHeader().getHeadersToProcess(
                  (RolePlayer) msgContext.getConfigurationContext().getAxisConfiguration().getParameterValue("rolePlayer"));

              while (headerBlocks.hasNext())
              {
                  SOAPHeaderBlock headerBlock = (SOAPHeaderBlock) headerBlocks.next();
                  QName headerName = headerBlock.getQName();

                  // Marks any header with local name "Security" as processed, regardless of
                  // its namespace or content, so the mustUnderstand check no longer fails on it
                  if (headerName.getLocalPart().equals("Security"))
                  {
                      headerBlock.setProcessed();
                  }
              }
              return InvocationResponse.CONTINUE;
          }
      }
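A narrower form of the workaround, written for this issue as an added example (it is neither the reporter's code nor part of Rampart, and the class name EmptySecurityHeaderHandler and the isEmpty helper are assumptions): it marks the Security header as processed only when the header is in the WS-Security secext namespace quoted in the report and has no element children. A populated Security header that no handler understands then still fails the mustUnderstand check instead of being silently passed through.

```java
import java.util.Iterator;
import javax.xml.namespace.QName;

import org.apache.axiom.om.OMElement;
import org.apache.axiom.soap.RolePlayer;
import org.apache.axiom.soap.SOAPEnvelope;
import org.apache.axiom.soap.SOAPHeader;
import org.apache.axiom.soap.SOAPHeaderBlock;
import org.apache.axis2.AxisFault;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.handlers.AbstractHandler;

/**
 * Accepts an empty wsse:Security header (as sent by the Axis2/C server in this
 * issue) without tripping the mustUnderstand check, while leaving any
 * non-empty Security header untouched for Rampart. Added example for this
 * issue; not part of Rampart or the reporter's code.
 */
public class EmptySecurityHeaderHandler extends AbstractHandler {

    // WS-Security 1.0 secext namespace, as used in the headers quoted in the issue
    static final QName SECURITY = new QName(
            "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
            "Security");

    /** True when the header block carries no child elements (whitespace text is ignored). */
    static boolean isEmpty(OMElement header) {
        return header.getFirstElement() == null;
    }

    @Override
    public InvocationResponse invoke(MessageContext msgContext) throws AxisFault {
        SOAPEnvelope envelope = msgContext.getEnvelope();
        SOAPHeader soapHeader = envelope.getHeader();
        if (soapHeader == null) {
            return InvocationResponse.CONTINUE;
        }

        // Same "rolePlayer" parameter lookup the reporter's workaround uses
        RolePlayer rolePlayer = (RolePlayer) msgContext.getConfigurationContext()
                .getAxisConfiguration().getParameterValue("rolePlayer");

        // Only headers targeted at this node are candidates for the mustUnderstand check
        Iterator<?> blocks = soapHeader.getHeadersToProcess(rolePlayer);
        while (blocks.hasNext()) {
            SOAPHeaderBlock block = (SOAPHeaderBlock) blocks.next();
            // Match on the full QName, not just the local part, and only when empty
            if (SECURITY.equals(block.getQName()) && isEmpty(block)) {
                block.setProcessed();
            }
        }
        return InvocationResponse.CONTINUE;
    }
}
```

The handler is registered the same way as the reporter's SecurityHandler, by adding it to the first in-flow phase of the client's AxisConfiguration before the mustUnderstand check runs; a Security header with content is left unmarked, so the fault in the report still surfaces if Rampart cannot process it.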

      People

        thilinamb Thilina Mahesh Buddhika
        russell.tempero Russell Tempero

      Time Tracking

        Original Estimate: 48h
        Remaining Estimate: 48h
        Time Spent: Not Specified