Details
-
Bug
-
Status: Open
-
Major
-
Resolution: Unresolved
-
1.6.0
-
None
-
None
-
Linux, Rampart running with Axis2 1.6.0 under JBoss AS 7.2
Description
When Rampart cannot validate a timestamp in a wsse security header, (the timestamp is outside of the valid times) it should return a SoapFault for an invalid timestamp. But a NPE is thrown resulting in an HTTP 404 returned instead. This occurs if the web service operation has no fault mappings in the axis services.xml file. The NPE is below:
05-29-2014 10:24:47,505 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/wintoe].[AxisServlet]] (http-/0.0.0.0:8080-5) JBWEB000236: Servlet.service() for servlet AxisServlet threw exception: java.lang.NullPointerException
at org.apache.rampart.util.RampartUtil.getRampartConfigCallbackHandler(RampartUtil.java:218) [rampart-core-1.6.0.jar:1.6.0]
at org.apache.rampart.RampartMessageData.<init>(RampartMessageData.java:278) [rampart-core-1.6.0.jar:1.6.0]
at org.apache.rampart.MessageBuilder.build(MessageBuilder.java:61) [rampart-core-1.6.0.jar:1.6.0]
at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:65) [rampart-core-1.6.0.jar:1.6.0]
at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340) [axis2-kernel-1.6.0.jar:1.6.0]
at org.apache.axis2.engine.Phase.invoke(Phase.java:313) [axis2-kernel-1.6.0.jar:1.6.0]
at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:262) [axis2-kernel-1.6.0.jar:1.6.0]
at org.apache.axis2.engine.AxisEngine.sendFault(AxisEngine.java:516) [axis2-kernel-1.6.0.jar:1.6.0]
at org.apache.axis2.transport.http.AxisServlet.handleFault(AxisServlet.java:433) [axis2-transport-http-1.6.0.jar:]
at org.apache.axis2.transport.http.AxisServlet.processAxisFault(AxisServlet.java:398) [axis2-transport-http-1.6.0.jar:]
at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:188) [axis2-transport-http-1.6.0.jar:]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) [jboss-servlet-api_3.0_spec-1.0.2.Final.jar:1.0.2.Final]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.2.Final.jar:1.0.2.Final]
at sun.reflect.GeneratedMethodAccessor44.invoke(Unknown Source) [:1.7.0_51]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_51]
at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_51]
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:280) [jbossweb-7.2.0.Final-LM-1.jar:7.2.0.Final]
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:278) [jbossweb-7.2.0.Final-LM-1.jar:7.2.0.Final]
at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_51]
at javax.security.auth.Subject.doAsPrivileged(Subject.java:536) [rt.jar:1.7.0_51]
Here are examples of 2 WSDL operations. This one results in the NPE when the timestamp in the security header is not valid:
<operation name="QueryAllTransformationRequest" mep="http://www.w3.org/ns/wsdl/in-out" namespace="http://.../MediationService">
<actionMapping>http://....../MediationService/QueryAllTransformationRequest</actionMapping>
<outputActionMapping>http://..../MediationService/MediationPortType/QueryAllTransformationRequestResponse</outputActionMapping>
</operation>
If we add a faultActionMapping to the services.xml file for that operation, then the NPE does not occur and the correct SoapFault is returned.
This operation does not throw the NPE:
<operation name="QuerySpecificTransformationRequest" mep="http://www.w3.org/ns/wsdl/in-out" namespace="http://..../MediationService">
<actionMapping>http://..../MediationService/QuerySpecificTransformationRequest</actionMapping>
<outputActionMapping>http://..../MediationService/MediationPortType/QuerySpecificTransformationRequestResponse</outputActionMapping>
<faultActionMapping faultName="NoTransformationFoundFault">http://.../MediationService/MediationPortType/QuerySpecificTransformationRequest/Fault/NoTransformationFoundFault</faultActionMapping>
</operation>