Date: Mon, 29 Oct 2007 06:22:41 +0530
From: "Ruchith Fernando"
To: axis-dev@ws.apache.org
Cc: tim.munro@mydials.com
Subject: Re: [Axis2] Secured Axis2-1.3 Client "Masks" Returned Fault Messages

Hi,

This is an issue in Rampart because it doesn't process the security
header of fault messages.

https://issues.apache.org/jira/browse/RAMPART-90

This will be fixed in the next release of Apache Rampart.

Thanks,
Ruchith

On 10/12/07, Tim Munro (myDIALS) wrote:
> Hi All,
>
> I have developed an Axis2-1.3 client (with Rampart 1.3, using an xmlbeans
> proxy) that calls methods on a secured .NET web service. I can
> successfully communicate with the .NET service, however when the .NET server
> returns a valid fault message the xmlbeans proxy client never receives the
> returned fault string; instead all the client receives is the following
> message:
> Must Understand check failed for header
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd : Security
>
> Note that in Axis2-1.2 this was not a problem; my xmlbeans proxy received
> the correct/expected error string.
>
> So, for example, if I call a method on the .NET web service with an invalid
> parameter in the request document, the .NET web service returns an
> informative message containing details of the problem. Below is an example
> of the xml response message received from the .NET server, and to me it
> appears to be a valid response:
>
> xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>
> xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" s:mustUnderstand="1">
>
> 2007-10-12T01:02:16.796Z
>
> 2007-10-12T01:07:16.796Z
>
> s:UnexpectedFault
> An unexpected error
> has occurred in the service.
> System.ServiceModel.FaultException`1[MyDials.Common.ServiceFaults.InvalidRequestFault]: The dimension member 'Midlands' was included in a dimension
> reference for the 'Products' dimension, but is not valid. (Fault Detail is
> equal to MyDials.Common.ServiceFaults.InvalidRequestFault).
>
> When I interact with this returned message (through the xmlbeans proxy), the
> error message I see is the "Must Understand check failed for header ..."
> rather than the value contained in the faultstring element of the returned
> document.
>
> The issue appears to be that the received message header contains a (valid)
> timestamp, as indicated above, however the Axis2 response handler never
> seems to process this timestamp in the header, meaning that when the
> AxisEngine.checkMustUnderstand() performs the headerBlock.isProcessed()
> test, the result is false and so the "Must understand check failed ..."
> exception is thrown and my xmlbeans proxy never sees the real faultstring
> message.
>
> I am struggling to understand what is going wrong here ... any guidance on
> what to fault-find next would be greatly appreciated as after a few days
> looking at this I am unsure if it is a problem in returned document, or my
> policy.xml.
>
> Thanks,
> Tim Munro
> ===================
>
> Below is my policy.xml document:
>
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>
> RequireClientCertificate="false"/>
>
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>
> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>
> xmlns:ramp="http://ws.apache.org/rampart/policy">
> 300
>
> 300
>
> cc40b01503ff1f5ededf6d07c3a3c56c_81ea973b-e847-4bba-abc9-e6e691093f9d
>
> provider="org.apache.ws.security.components.crypto.Merlin">
> name="org.apache.ws.security.crypto.merlin.keystore.type">pkcs12 rty>
> name="org.apache.ws.security.crypto.merlin.file">MyDialsCert.pfx rty>
> name="org.apache.ws.security.crypto.merlin.keystore.password"> y>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: axis-dev-unsubscribe@ws.apache.org
> For additional commands, e-mail: axis-dev-help@ws.apache.org
>

--
http://blog.ruchith.org
http://wso2.org
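
The failure discussed in this thread, as an added example that is not part of the original messages and is not Axis2 or Rampart code: a small model of the mustUnderstand rule, showing how a fault's `Security` header that no handler claims hides the real faultstring. The names `receive`, `fault_flow_handlers` and `MustUnderstandError` are hypothetical, SOAP 1.1 is assumed, and the envelope is constructed from the values quoted in the thread.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Constructed sample: a SOAP 1.1 fault carrying a mustUnderstand Security header.
FAULT = f"""<s:Envelope xmlns:s="{SOAP}" xmlns:o="{WSSE}" xmlns:u="{WSU}">
  <s:Header>
    <o:Security s:mustUnderstand="1">
      <u:Timestamp><u:Created>2007-10-12T01:02:16.796Z</u:Created>
        <u:Expires>2007-10-12T01:07:16.796Z</u:Expires></u:Timestamp>
    </o:Security>
  </s:Header>
  <s:Body><s:Fault><faultcode>s:UnexpectedFault</faultcode>
    <faultstring>An unexpected error has occurred in the service.</faultstring>
  </s:Fault></s:Body>
</s:Envelope>"""


class MustUnderstandError(Exception):
    """Raised when a mustUnderstand header was not processed (hypothetical name)."""


def receive(envelope_xml, fault_flow_handlers):
    """Return the faultstring, or raise if a mustUnderstand header is unprocessed.

    fault_flow_handlers: set of header QNames in "{namespace}local" form that
    a handler on the incoming fault flow claims (an assumption standing in for
    whatever security module is engaged on that flow).
    """
    env = ET.fromstring(envelope_xml)
    header = env.find(f"{{{SOAP}}}Header")
    blocks = list(header) if header is not None else []
    # Handler phase: a header block is marked processed only if a handler claims it.
    processed = {b.tag for b in blocks if b.tag in fault_flow_handlers}
    # Engine phase: every mustUnderstand="1" block must have been processed.
    for b in blocks:
        if b.get(f"{{{SOAP}}}mustUnderstand") == "1" and b.tag not in processed:
            ns, _, local = b.tag[1:].partition("}")
            raise MustUnderstandError(
                f"Must Understand check failed for header {ns} : {local}")
    # Only now does the caller get to see the service's own fault text.
    return env.findtext(f".//{{{SOAP}}}Fault/faultstring")
```

Calling `receive(FAULT, set())` raises the masking error, while passing the `Security` QName in `fault_flow_handlers` returns the service's faultstring.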