axis-java-dev mailing list archives

From "Ruchith Fernando" <ruchith.ferna...@gmail.com>
Subject Re: [Axis2] Secured Axis2-1.3 Client "Masks" Returned Fault Messages
Date Mon, 29 Oct 2007 00:52:41 GMT
Hi,

This is an issue in Rampart because it doesn't process the security
header of fault messages.

https://issues.apache.org/jira/browse/RAMPART-90

This will be fixed in the next release of Apache Rampart.

Thanks,
Ruchith

On 10/12/07, Tim Munro (myDIALS) <tim.munro@mydials.com> wrote:
> Hi All,
>
> I have developed an Axis2-1.3 client (with Rampart 1.3, using an xmlbeans
> proxy) that calls methods on a secured .NET web service. I can
> successfully communicate with the .NET service, however when the .NET server
> returns a valid fault message the xmlbeans proxy client never receives the
> returned fault string; instead all the client receives is the following
> message:
> Must Understand check failed for header
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd : Security
>
> Note that in Axis2-1.2 this was not a problem; my xmlbeans proxy received
> the correct/expected error string.
>
> So, for example, if I call a method on the .NET web service with an invalid
> parameter in the request document, the .NET web service returns an
> informative message containing details of the problem. Below is an example
> of the xml response message received from the .NET server, and to me it
> appears to be a valid response:
> <?xml version='1.0' encoding='utf-8'?>
> <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>         <s:Header>
>                 <o:Security xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" s:mustUnderstand="1">
>                         <u:Timestamp u:Id="_0">
>                                 <u:Created>2007-10-12T01:02:16.796Z</u:Created>
>                                 <u:Expires>2007-10-12T01:07:16.796Z</u:Expires>
>                         </u:Timestamp>
>                 </o:Security>
>         </s:Header>
>         <s:Body>
>                 <s:Fault>
>                         <faultcode>s:UnexpectedFault</faultcode>
>                         <faultstring xml:lang="en-US">An unexpected error has occurred in the service. System.ServiceModel.FaultException`1[MyDials.Common.ServiceFaults.InvalidRequestFault]: The dimension member 'Midlands' was included in a dimension reference for the 'Products' dimension, but is not valid. (Fault Detail is equal to MyDials.Common.ServiceFaults.InvalidRequestFault).</faultstring>
>                 </s:Fault>
>         </s:Body>
> </s:Envelope>
>
> When I interact with this returned message (through the xmlbeans proxy), the
> error message I see is the "Must Understand check failed for header ..."
> rather than the value contained in the faultstring element of the returned
> document.
>
> The issue appears to be that the received message header contains a (valid)
> timestamp, as indicated above, however the Axis2 response handler never
> seems to process this timestamp in the header, meaning that when the
> AxisEngine.checkMustUnderstand() performs the headerBlock.isProcessed()
> test, the result is false and so the "Must understand check failed ..."
> exception is thrown and my xmlbeans proxy never sees the real faultstring
> message.
>
> I am struggling to understand what is going wrong here ... any guidance on
> what to fault-find next would be greatly appreciated as after a few days
> looking at this I am unsure if it is a problem in returned document, or my
> policy.xml.
>
> Thanks,
> Tim Munro
> ===================
>
> Below is my policy.xml document:
> <?xml version="1.0" encoding="UTF-8"?>
> <wsp:Policy wsu:Id="SigOnly" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>         <wsp:ExactlyOne>
>                 <wsp:All>
>                         <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>                                 <wsp:Policy>
>                                         <sp:TransportToken>
>                                                 <wsp:Policy>
>                                                         <sp:HttpsToken RequireClientCertificate="false"/>
>                                                 </wsp:Policy>
>                                         </sp:TransportToken>
>                                         <sp:AlgorithmSuite>
>                                                 <wsp:Policy>
>                                                         <sp:Basic256/>
>                                                 </wsp:Policy>
>                                         </sp:AlgorithmSuite>
>                                         <sp:Layout>
>                                                 <wsp:Policy>
>                                                         <sp:Lax/>
>                                                 </wsp:Policy>
>                                         </sp:Layout>
>                                         <sp:IncludeTimestamp/>
>                                 </wsp:Policy>
>                         </sp:TransportBinding>
>                         <sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>                                 <wsp:Policy>
>                                         <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>                                                 <wsp:Policy>
>                                                         <sp:WssX509V3Token10/>
>                                                 </wsp:Policy>
>                                         </sp:X509Token>
>                                 </wsp:Policy>
>                         </sp:EndorsingSupportingTokens>
>                         <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>                                 <wsp:Policy>
>                                         <sp:MustSupportRefKeyIdentifier/>
>                                         <sp:MustSupportRefIssuerSerial/>
>                                 </wsp:Policy>
>                         </sp:Wss10>
>
>                         <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
>                                 <ramp:timestampTTL>300</ramp:timestampTTL>
>                                 <ramp:timestampMaxSkew>300</ramp:timestampMaxSkew>
>                                 <ramp:user>cc40b01503ff1f5ededf6d07c3a3c56c_81ea973b-e847-4bba-abc9-e6e691093f9d</ramp:user>
>                                 <!-- passwordCallbackClass is set in mydials config -->
>                                 <!-- <ramp:passwordCallbackClass>com.mydials.wshelper.PWCBHandler</ramp:passwordCallbackClass> -->
>
>                                 <ramp:signatureCrypto>
>                                         <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
>                                                 <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">pkcs12</ramp:property>
>                                                 <ramp:property name="org.apache.ws.security.crypto.merlin.file">MyDialsCert.pfx</ramp:property>
>                                                 <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password"></ramp:property>
>                                         </ramp:crypto>
>                                 </ramp:signatureCrypto>
>                         </ramp:RampartConfig>
>
>                 </wsp:All>
>         </wsp:ExactlyOne>
> </wsp:Policy>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: axis-dev-unsubscribe@ws.apache.org
> For additional commands, e-mail: axis-dev-help@ws.apache.org
>
>


-- 
http://blog.ruchith.org
http://wso2.org
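
Added example (not part of the original messages, and not Axis2 or Rampart code): a small Python model of the mustUnderstand check discussed in this thread, showing how an unclaimed Security header on a fault response replaces the faultstring the caller would otherwise see. The function names and the `processed` set (standing in for the per-header isProcessed() flag) are assumptions, and the freshness test is a simplified stand-in that reuses the 300-second skew from the quoted policy.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SECURITY = f"{{{WSSE}}}Security"

# Constructed sample: the fault envelope quoted above, with the faultstring shortened.
FAULT = f"""<s:Envelope xmlns:s="{SOAP}" xmlns:u="{WSU}">
 <s:Header>
  <o:Security xmlns:o="{WSSE}" s:mustUnderstand="1">
   <u:Timestamp u:Id="_0">
    <u:Created>2007-10-12T01:02:16.796Z</u:Created>
    <u:Expires>2007-10-12T01:07:16.796Z</u:Expires>
   </u:Timestamp>
  </o:Security>
 </s:Header>
 <s:Body><s:Fault>
  <faultcode>s:UnexpectedFault</faultcode>
  <faultstring xml:lang="en-US">An unexpected error has occurred in the service.</faultstring>
 </s:Fault></s:Body>
</s:Envelope>"""

def unprocessed_headers(envelope_xml, processed):
    """Header blocks flagged mustUnderstand that no handler has marked as processed."""
    header = ET.fromstring(envelope_xml).find(f"{{{SOAP}}}Header")
    blocks = [] if header is None else list(header)
    return [b.tag for b in blocks
            if b.get(f"{{{SOAP}}}mustUnderstand") in ("1", "true") and b.tag not in processed]

def timestamp_valid(envelope_xml, now, max_skew=300):
    """Simplified freshness test a security handler runs before claiming the header."""
    ts = ET.fromstring(envelope_xml).find(f".//{{{WSSE}}}Security/{{{WSU}}}Timestamp")
    if ts is None:
        return False
    when = lambda tag: datetime.strptime(
        ts.findtext(f"{{{WSU}}}{tag}"), "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    skew = timedelta(seconds=max_skew)
    return when("Created") - skew <= now <= when("Expires") + skew

def client_visible_error(envelope_xml, processed):
    """What the caller sees: a failed mustUnderstand check pre-empts the fault body."""
    missed = unprocessed_headers(envelope_xml, processed)
    if missed:
        ns, name = missed[0][1:].split("}")
        return f"Must Understand check failed for header {ns} : {name}"
    return ET.fromstring(envelope_xml).findtext(f"{{{SOAP}}}Body/{{{SOAP}}}Fault/faultstring")
```

Passing an empty `processed` set models a security handler that skips fault messages; passing `{SECURITY}` after `timestamp_valid` succeeds models a handler that validates the header and then claims it.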
