Rampart / RAMPART-305

If Rampart detects a security error, an HTML page is sent to the client instead of a SOAP fault

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.4
    • Fix Version/s: 1.6.0
    • Component/s: rampart-core
    • Labels:
      None
    • Environment:
      Axis2-1.5..1 is installed as web app under Tomcat 5.5.28 and uses Rampart 1.4.
      Running on Windows XP

      Description

      If I call a web service with wrong security data, Rampart correctly detects that 'The signature or decryption was invalid'. That's fine.

      Unfortunately I get a NullPointerException when returning to the client afterwards.

      Is there a way to just send the SOAP fault back to the client instead of sending an HTML page?

      Is this related to issue RAMPART-164?

      I've attached the log file, the wsdl file and messages sent between client and server.

      Thanks and regards,
      Herwig

      1. RAMPART-305.diff
        2 kB
        Amila Jayasekara
      2. services.xml
        6 kB
        Herwig David
      3. WS7X4AssortmentOrder.wsdl
        7 kB
        Herwig David
      4. response.txt
        2 kB
        Herwig David
      5. request.txt
        7 kB
        Herwig David
      6. axis2.log
        5 kB
        Herwig David

        Activity

        Herwig David created issue -
        Herwig David added a comment -

        axis2.log , request and response

        Herwig David made changes -
        Field Original Value New Value
        Attachment axis2.log [ 12450698 ]
        Attachment request.txt [ 12450699 ]
        Attachment response.txt [ 12450700 ]
        Herwig David added a comment -

        wsdl file

        Herwig David made changes -
        Attachment WS7X4AssortmentOrder.wsdl [ 12450701 ]
        Herwig David made changes -
        Summary
          Original Value: If Rampart throws an AxisFault
          New Value: If Rampart detects a security error, an HTML page is sent to the client instead of a SOAP fault
        Thilina Buddhika added a comment -

        Hi Herwig,

        Were you able to get this setup working for positive scenarios, i.e. sending the requests with correct security headers?

        I had a look at the stack trace. One possible reason for this behavior is that the policy at the service's end is not applied properly. Then I had a look at the WSDL, and it looks like the policy is not attached to any of the policy attachment points.

        Thanks,
        Thilina

        Herwig David added a comment -

        Hi Thilina,

        Yes, in a positive scenario it works perfectly.

        The policy is also included in the services.xml file.
        I've attached that too.

        Thanks and regards,
        Herwig

        Herwig David made changes -
        Attachment services.xml [ 12450794 ]
        Herwig David added a comment -

        Hi Thilina,

        I have tried to add the PolicyReference to the <binding> section in the wsdl file.

        1) <wsp:PolicyReference URI="#AsymmetricBindingPolicy"/>
        ------------------------------------------------------------------------------------
        This leads to the following RuntimeException in the Web Service:

        2010-07-29 10:01:54,138 [http-8080-Processor24] ERROR org.apache.axis2.transport.http.AxisServlet - Malformed uri: AsymmetricBindingPolicy
        java.lang.RuntimeException: Malformed uri: AsymmetricBindingPolicy
        at org.apache.neethi.PolicyReference.getRemoteReferedElement(PolicyReference.java:162)
        at org.apache.neethi.PolicyReference.getRemoteReferencedPolicy(PolicyReference.java:176)
        at org.apache.neethi.PolicyReference.normalize(PolicyReference.java:112)
        at org.apache.axis2.util.PolicyUtil.getMergedPolicy(PolicyUtil.java:290)
        at org.apache.axis2.description.AxisBindingMessage.calculateEffectivePolicy(AxisBindingMessage.java:290)
        at org.apache.axis2.description.AxisBindingMessage.getEffectivePolicy(AxisBindingMessage.java:223)
        at org.apache.axis2.context.MessageContext.getEffectivePolicy(MessageContext.java:1585)
        at org.apache.rampart.RampartMessageData.<init>(RampartMessageData.java:202)

        2) <wsp:PolicyReference URI="http://edv156-wskome.medical-intern.com/policies/P1"/>
        ------------------------------------------------------------------------------------------------------
        This leads to a NullPointerException in the Web Client when calling the Web Service:

        java.lang.NullPointerException
        at org.apache.rampart.builder.BindingBuilder.getSignatureBuider(BindingBuilder.java:248)
        at org.apache.rampart.builder.AsymmetricBindingBuilder.doSignature(AsymmetricBindingBuilder.java:626)
        at org.apache.rampart.builder.AsymmetricBindingBuilder.doSignBeforeEncrypt(AsymmetricBindingBuilder.java:413)
        at org.apache.rampart.builder.AsymmetricBindingBuilder.build(AsymmetricBindingBuilder.java:93)
        at org.apache.rampart.MessageBuilder.build(MessageBuilder.java:147)
        at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:64)
        at org.apache.axis2.engine.Phase.invoke(Phase.java:318)
        at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:251)
        at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:416)
        at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:402)
        at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:229)
        at org.apache.axis2.client.OperationClient.execute(OperationClient.java:165)
        at com.kohlpharma.ws7x4.WS7X4AssortmentOrderStub.getList(WS7X4AssortmentOrderStub.java:193)
        at client.TestClient.doRequest(TestClient.java:152)

        Thanks and regards,
        Herwig

        Herwig David added a comment -

        Hi Thilina,

        In a further try I have tried to load the policy from an external link:

        3) <wsp:PolicyReference URI="http://edv156-wskome.medical-intern.com:8080/7X4WebServices/AsymmetricBindingPolicy.xml"/>

        With method 'getRemoteReferencedPolicy(key)' the policy is found and loaded.
        In method 'normalize' the call of reg.register(key, policy) leads to an 'UnsupportedOperationException'.

        PolicyReference: line 118
        -----------------------------------
        public PolicyComponent normalize(PolicyRegistry reg, boolean deep) {
            String key = getURI();
            int pos = key.indexOf("#");
            if (pos == 0) {
                key = key.substring(1);
            } else if (pos > 0) {
                key = key.substring(0, pos);
            }

            Policy policy = reg.lookup(key);

            if (policy == null) {
                policy = getRemoteReferencedPolicy(key);

                if (policy == null) {
                    throw new RuntimeException(key + " can't be resolved");
                }

                reg.register(key, policy);
            }

            return policy.normalize(reg, deep);
        }

        PolicyLocator: line 76
        ------------------------------
        public void register(String identifier, Policy policy) {
            throw new UnsupportedOperationException();
        }

        Thanks and regards,
        Herwig

        Herwig David added a comment -

        Hi Thilina,

        In org.apache.axis2.util.MessageContextBuilder I've changed the method createFaultMessageContext in the way that also the axisService is copied from processingContext to faultContext.

        After that change the rampart configuration was recognized correctly and the described runtime error in the fault case was solved. See change below.

        Do you see a problem with copying the AxisService to the faultContext?

        Regards,
        Herwig

        -------------------------------------------------
        /**
         * This method is called to handle any error that occurs at inflow or outflow. But if the
         * method is called twice, it implies that sending the error handling has failed, in which case
         * the method logs the error and exits.
         */
        public static MessageContext createFaultMessageContext(MessageContext processingContext,
                                                               Throwable e)
                throws AxisFault {
            if (processingContext.isProcessingFault()) {
                // We get the error file processing the fault. nothing we can do
                throw new AxisFault(Messages.getMessage("errorwhileProcessingFault"));
            }

            // See if the throwable is an AxisFault and if it already contains the
            // fault MessageContext
            if (e instanceof AxisFault) {
                MessageContext faultMessageContext = ((AxisFault) e).getFaultMessageContext();
                if (faultMessageContext != null) {
                    // These may not have been set correctly when the original context
                    // was created -- an example of this is with the SimpleHTTPServer.
                    // I'm not sure if this is the correct thing to do, or if the
                    // code that created this context in the first place should
                    // expect that the transport out info was set correctly, as
                    // it may need to use that info at some point before we get to
                    // this code.
                    faultMessageContext.setProperty(MessageContext.TRANSPORT_OUT,
                            processingContext.getProperty(MessageContext.TRANSPORT_OUT));
                    faultMessageContext.setProperty(Constants.OUT_TRANSPORT_INFO,
                            processingContext.getProperty(Constants.OUT_TRANSPORT_INFO));
                    faultMessageContext.setProcessingFault(true);
                    return faultMessageContext;
                }
            }

            // Create a basic response MessageContext with basic fields copied
            MessageContext faultContext = createResponseMessageContext(processingContext);

            // Register the fault message context
            OperationContext operationContext = processingContext.getOperationContext();
            if (operationContext != null) {
                processingContext.getAxisOperation().addFaultMessageContext(faultContext, operationContext);
            }

            /* INSERT Herwig BEGIN */
            AxisService axisService = processingContext.getAxisService();
            if (axisService != null) {
                faultContext.setAxisService(axisService);
            }
            /* INSERT Herwig END */

            faultContext.setProcessingFault(true);

        Samisa Abeysinghe made changes -
        Assignee Ruchith Udayanga Fernando [ ruchith ]
        Amila Jayasekara added a comment -

        Hi,
        This issue is easily reproducible by giving a wrong keystore alias name in the server-side Rampart policy. Thus this issue occurs when trying to apply policy to an AxisFault. This is best explained using the following example:

        Say I have a web service with a sign-only security policy applied. Thus mistakenly I give a wrong keystore alias for the server-side policy. Now the client sends a request and the service needs to send a response. But when the service tries to sign the response it gets an error. This error is reported as an AxisFault. But there is a sign-only policy applied, therefore the server again tries to sign the error (AxisFault). Again Rampart gets the same error. Since the Axis2 framework is removing erroneous phases in an AxisFault, this doesn't go into a recursive loop. But an HTML page with "HTTP/1.1 500" is returned to the client.

        As discussed in the Axis2 mail thread, we decided to apply the following solution. (See the mail thread with subject "Handling framework errors when a policy is applied" for more details.)

        If there is an AxisFault, try to apply policy to the AxisFault. If the framework gets an error while applying policy to the AxisFault, return the original AxisFault (AxisFault before applying policy) to the client.

        Thanks
        AmilaJ
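
The fallback described in the comment above, as an added example (not Rampart or Axis2 code, and not the attached patch): a self-contained Java model in which Fault, PolicyApplier, Response and both sendFault methods are hypothetical stand-ins, and the failing alias and HTML body are constructed. It contrasts the reported behaviour with the agreed one and records every fault that leaves without the policy applied.

```java
import java.util.ArrayList;
import java.util.List;

public class FaultFallbackDemo {

    /** Hypothetical stand-in for an outgoing SOAP fault; not an Axis2 type. */
    static final class Fault {
        final String reason;
        final boolean signed;
        Fault(String reason, boolean signed) { this.reason = reason; this.signed = signed; }
    }

    /** Hypothetical stand-in for the handler that applies the service's security policy. */
    interface PolicyApplier {
        Fault apply(Fault fault) throws Exception;
    }

    /** What reaches the client: content type and body (HTTP status is 500 in every case). */
    static final class Response {
        final String contentType;
        final String body;
        Response(String contentType, String body) { this.contentType = contentType; this.body = body; }
    }

    /** Serialise a fault as a SOAP body, marking whether the policy was applied to it. */
    static Response soap(Fault f) {
        String marker = f.signed ? "<!-- signed -->" : "<!-- unsigned -->";
        return new Response("text/xml",
                marker + "<soapenv:Fault><faultstring>" + f.reason + "</faultstring></soapenv:Fault>");
    }

    /** Reported behaviour: the failure while securing the fault escapes to the
     *  container, which answers with its own HTML error page. */
    static Response sendFaultOld(Fault original, PolicyApplier policy) {
        try {
            return soap(policy.apply(original));
        } catch (Exception e) {
            return new Response("text/html", "<html><body>HTTP Status 500</body></html>");
        }
    }

    /** Agreed behaviour: one attempt to apply the policy, then the original fault. */
    static Response sendFaultNew(Fault original, PolicyApplier policy, List<String> audit) {
        try {
            return soap(policy.apply(original));
        } catch (Exception e) {
            // Record the downgrade so operators can see that a fault left unsecured.
            audit.add("fault sent without policy: " + e.getMessage());
            return soap(original);
        }
    }

    public static void main(String[] args) {
        // Constructed scenario from the comment: sign-only policy, wrong keystore alias.
        PolicyApplier wrongAlias = f -> {
            throw new IllegalStateException("no private key for alias 'wrong-alias'");
        };
        PolicyApplier goodAlias = f -> new Fault(f.reason, true);
        Fault fault = new Fault("The signature or decryption was invalid", false);
        List<String> audit = new ArrayList<>();

        System.out.println("old, wrong alias: " + sendFaultOld(fault, wrongAlias).contentType);
        System.out.println("new, wrong alias: " + sendFaultNew(fault, wrongAlias, audit).body);
        System.out.println("new, good alias:  " + sendFaultNew(fault, goodAlias, audit).body);
        System.out.println("audit: " + audit);
    }
}
```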

        Amila Jayasekara added a comment -

        Attaching patch which contains agreed solution.
        Patch is created in revision 1057449 relative to trunk. (http://svn.apache.org/repos/asf/axis/axis2/java/rampart/trunk)

        Thanks
        AmilaJ

        Amila Jayasekara made changes -
        Attachment RAMPART-305.diff [ 12467963 ]
        Thilina Buddhika made changes -
        Assignee Thilina Buddhika [ thilinamb ]
        Thilina Buddhika added a comment -

        Thanks AmilaJ for the patch.

        After applying the patch, it is no longer returning the HTML error page (when deployed on an App Server), rather it sends the original Axis Fault.

        Patch is committed to r1072324.

        Thilina Buddhika made changes -
        Status Open [ 1 ] Resolved [ 5 ]
        Fix Version/s 1.6.0 [ 12316037 ]
        Resolution Fixed [ 1 ]

          People

          • Assignee:
            Thilina Buddhika
            Reporter:
            Herwig David