axis-java-dev mailing list archives

From "Ruchith Fernando" <ruchith.ferna...@gmail.com>
Subject Re: [Axis2] Secured Axis2-1.3 Client "Masks" Returned Fault Messages
Date Tue, 30 Oct 2007 02:27:41 GMT
Hi Tim,

This is not fixed yet in the latest build ... Please keep an eye on
the JIRA [1]; we'll update it as soon as we fix it, and the fix will be
available in the latest build of the trunk.

Thanks,
Ruchith

[1] https://issues.apache.org/jira/browse/RAMPART-90

On 10/29/07, Tim Munro (myDIALS) <tim.munro@mydials.com> wrote:
> Thanks for following up Ruchith, really appreciated. I look forward to this
> fix - will this appear in the latest builds, or will it only appear in the
> next "release" build?
>
> Best,
> Tim.
> -----Original Message-----
> From: Ruchith Fernando [mailto:ruchith.fernando@gmail.com]
> Sent: Monday, 29 October 2007 10:53 AM
> To: axis-dev@ws.apache.org
> Cc: tim.munro@mydials.com
> Subject: Re: [Axis2] Secured Axis2-1.3 Client "Masks" Returned Fault
> Messages
>
> Hi,
>
> This is an issue in Rampart because it doesn't process the security header
> of fault messages.
>
> https://issues.apache.org/jira/browse/RAMPART-90
>
> This will be fixed in the next release of Apache Rampart.
>
> Thanks,
> Ruchith
>
> On 10/12/07, Tim Munro (myDIALS) <tim.munro@mydials.com> wrote:
> > Hi All,
> >
> > I have developed an Axis2-1.3 client (with Rampart 1.3, using an
> > xmlbeans proxy) that calls methods on a secured .NET web service. I can
> > successfully communicate with the .NET service, however when the .NET
> > server returns a valid fault message the xmlbeans proxy client never
> > receives the returned fault string; instead all the client receives is
> > the following message:
> > Must Understand check failed for header
> > http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd : Security
> >
> > Note that in Axis2-1.2 this was not a problem; my xmlbeans proxy
> > received the correct/expected error string.
> >
> > So, for example, if I call a method on the .NET web service with an
> > invalid parameter in the request document, the .NET web service
> > returns an informative message containing details of the problem.
> > Below is an example of the xml response message received from the .NET
> > server, and to me it appears to be a valid response:
> > <?xml version='1.0' encoding='utf-8'?>
> > <s:Envelope
> >     xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
> >     xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> >   <s:Header>
> >     <o:Security
> >         xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> >         s:mustUnderstand="1">
> >       <u:Timestamp u:Id="_0">
> >         <u:Created>2007-10-12T01:02:16.796Z</u:Created>
> >         <u:Expires>2007-10-12T01:07:16.796Z</u:Expires>
> >       </u:Timestamp>
> >     </o:Security>
> >   </s:Header>
> >   <s:Body>
> >     <s:Fault>
> >       <faultcode>s:UnexpectedFault</faultcode>
> >       <faultstring xml:lang="en-US">An unexpected error has occurred in the service. System.ServiceModel.FaultException`1[MyDials.Common.ServiceFaults.InvalidRequestFault]: The dimension member 'Midlands' was included in a dimension reference for the 'Products' dimension, but is not valid. (Fault Detail is equal to MyDials.Common.ServiceFaults.InvalidRequestFault).</faultstring>
> >     </s:Fault>
> >   </s:Body>
> > </s:Envelope>
> >
> > When I interact with this returned message (through the xmlbeans
> > proxy), the error message I see is the "Must Understand check failed for
> > header ..." rather than the value contained in the faultstring element of
> > the returned document.
> >
> > The issue appears to be that the received message header contains a
> > (valid) timestamp, as indicated above, however the Axis2 response
> > handler never seems to process this timestamp in the header,
> > meaning that when the AxisEngine.checkMustUnderstand() performs the
> > headerBlock.isProcessed() test, the result is false and so the "Must
> > understand check failed ..." exception is thrown and my xmlbeans proxy
> > never sees the real faultstring message.
> >
> > I am struggling to understand what is going wrong here ... any
> > guidance on what to fault-find next would be greatly appreciated as
> > after a few days looking at this I am unsure if it is a problem in
> > the returned document, or my policy.xml.
> >
> > Thanks,
> > Tim Munro
> > ===================
> >
> > Below is my policy.xml document:
> > <?xml version="1.0" encoding="UTF-8"?>
> > <wsp:Policy wsu:Id="SigOnly"
> >     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
> >   <wsp:ExactlyOne>
> >     <wsp:All>
> >       <sp:TransportBinding
> >           xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >         <wsp:Policy>
> >           <sp:TransportToken>
> >             <wsp:Policy>
> >               <sp:HttpsToken RequireClientCertificate="false"/>
> >             </wsp:Policy>
> >           </sp:TransportToken>
> >           <sp:AlgorithmSuite>
> >             <wsp:Policy>
> >               <sp:Basic256/>
> >             </wsp:Policy>
> >           </sp:AlgorithmSuite>
> >           <sp:Layout>
> >             <wsp:Policy>
> >               <sp:Lax/>
> >             </wsp:Policy>
> >           </sp:Layout>
> >           <sp:IncludeTimestamp/>
> >         </wsp:Policy>
> >       </sp:TransportBinding>
> >       <sp:EndorsingSupportingTokens
> >           xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >         <wsp:Policy>
> >           <sp:X509Token
> >               sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
> >             <wsp:Policy>
> >               <sp:WssX509V3Token10/>
> >             </wsp:Policy>
> >           </sp:X509Token>
> >         </wsp:Policy>
> >       </sp:EndorsingSupportingTokens>
> >       <sp:Wss10
> >           xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >         <wsp:Policy>
> >           <sp:MustSupportRefKeyIdentifier/>
> >           <sp:MustSupportRefIssuerSerial/>
> >         </wsp:Policy>
> >       </sp:Wss10>
> >
> >       <ramp:RampartConfig
> >           xmlns:ramp="http://ws.apache.org/rampart/policy">
> >         <ramp:timestampTTL>300</ramp:timestampTTL>
> >         <ramp:timestampMaxSkew>300</ramp:timestampMaxSkew>
> >         <ramp:user>cc40b01503ff1f5ededf6d07c3a3c56c_81ea973b-e847-4bba-abc9-e6e691093f9d</ramp:user>
> >         <!-- passwordCallbackClass is set in mydials config -->
> >         <!-- <ramp:passwordCallbackClass>com.mydials.wshelper.PWCBHandler</ramp:passwordCallbackClass> -->
> >
> >         <ramp:signatureCrypto>
> >           <ramp:crypto
> >               provider="org.apache.ws.security.components.crypto.Merlin">
> >             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">pkcs12</ramp:property>
> >             <ramp:property name="org.apache.ws.security.crypto.merlin.file">MyDialsCert.pfx</ramp:property>
> >             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password"></ramp:property>
> >           </ramp:crypto>
> >         </ramp:signatureCrypto>
> >       </ramp:RampartConfig>
> >
> >     </wsp:All>
> >   </wsp:ExactlyOne>
> > </wsp:Policy>
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: axis-dev-unsubscribe@ws.apache.org
> > For additional commands, e-mail: axis-dev-help@ws.apache.org
> >
> >
>
>
> --
> http://blog.ruchith.org
> http://wso2.org
>


-- 
http://blog.ruchith.org
http://wso2.org
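
The failure mode discussed in this thread, as an added example that is not part of the original messages and is not Axis2 or Rampart code: a simplified, JDK-only model of a mustUnderstand check, run over a constructed, trimmed copy of the quoted fault response. The class name, the `clientSees` helper and the `processed` set are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Set;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

public class MustUnderstandModel {
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSSE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    // Constructed sample: the quoted fault response with the Timestamp and fault detail trimmed.
    static final String RESPONSE =
        "<s:Envelope xmlns:s='" + SOAP + "'><s:Header>"
      + "<o:Security xmlns:o='" + WSSE + "' s:mustUnderstand='1'/>"
      + "</s:Header><s:Body><s:Fault><faultcode>s:UnexpectedFault</faultcode>"
      + "<faultstring>The dimension member 'Midlands' was included in a dimension "
      + "reference for the 'Products' dimension, but is not valid.</faultstring>"
      + "</s:Fault></s:Body></s:Envelope>";

    /** What the caller ends up seeing, given the header blocks ("{ns}local") a handler processed. */
    static String clientSees(String xml, Set<String> processed) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // SOAP has no DTD
        Document d = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        Node hdr = d.getElementsByTagNameNS(SOAP, "Header").item(0); // null when there is no Header
        for (Node n = hdr == null ? null : hdr.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (!(n instanceof Element)) continue;
            Element h = (Element) n;
            String key = "{" + h.getNamespaceURI() + "}" + h.getLocalName();
            // Fail closed: a mustUnderstand="1" block that nobody processed rejects the message.
            if ("1".equals(h.getAttributeNS(SOAP, "mustUnderstand")) && !processed.contains(key))
                return "Must Understand check failed for header "
                    + h.getNamespaceURI() + " : " + h.getLocalName();
        }
        Node fs = d.getElementsByTagName("faultstring").item(0);
        return fs != null ? fs.getTextContent() : "(no fault)";
    }

    public static void main(String[] args) throws Exception {
        // Fault flow with no security processing: the real faultstring is masked.
        System.out.println(clientSees(RESPONSE, Set.of()));
        // Security header processed on the fault flow: the faultstring reaches the caller.
        System.out.println(clientSees(RESPONSE, Set.of("{" + WSSE + "}Security")));
    }
}
```

The check is meant to fail closed on an unprocessed security header, which is why the fix tracked in RAMPART-90 is for Rampart to process that header on fault messages rather than for the client to skip the check.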
