chemistry-dev mailing list archives

From "Andrei Rebegea (JIRA)" <>
Subject [jira] [Created] (CMIS-1047) UsernameTokenInterceptor does not implement getUnderstoodHeaders
Date Tue, 03 Oct 2017 15:26:03 GMT
Andrei Rebegea created CMIS-1047:

             Summary: UsernameTokenInterceptor does not implement getUnderstoodHeaders
                 Key: CMIS-1047
             Project: Chemistry
          Issue Type: Bug
          Components: opencmis-server
    Affects Versions: OpenCMIS 1.0.0
         Environment: chemistry-opencmis-server-bindings-1.0.0.jar

            Reporter: Andrei Rebegea

*Problem* and *Steps to reproduce*: When a user does a SOAP call with the mustUnderstand="1" flag in the security header:
<?xml version="1.0" encoding="UTF-8"?>
<s:Envelope xmlns:s="" xmlns:u="">
      <o:Security xmlns:o="" s:mustUnderstand="1" >
         <o:UsernameToken u:Id="uuid-19e89b95-2c59-4b20-9a59-f2940d1a1217-3">
            <o:Password Type="">admin</o:Password>
   <s:Body xmlns:xsd="" xmlns:xsi="">
      <getRepositories xmlns="">
         <extension xsi:nil="true" />

We are getting this error:
<soap:Envelope xmlns:soap="">
         <faultstring>MustUnderstand headers: [{}Security] are not understood.</faultstring>

*Proposed solution*: In my opinion org.apache.chemistry.opencmis.server.impl.webservices.UsernameTokenInterceptor
should have implemented the getUnderstoodHeaders method to let the org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor.MustUnderstandEndingInterceptor
know that the security header is understood.
  private void initServiceSideInfo(Set<QName> mustUnderstandQNames, SoapMessage soapMessage,
                    Set<URI> serviceRoles, Set<QName> paramHeaders) {

        if (paramHeaders != null) {
        for (Interceptor<? extends org.apache.cxf.message.Message> interceptorInstance
            : soapMessage.getInterceptorChain()) {
            if (interceptorInstance instanceof SoapInterceptor) {
                SoapInterceptor si = (SoapInterceptor) interceptorInstance;
                Set<URI> roles = si.getRoles();
                if (roles != null) {
                // <--- Here is where all the interceptors, including the UsernameTokenInterceptor, are queried for known headers
                Set<QName> understoodHeaders = si.getUnderstoodHeaders();
                if (understoodHeaders != null) {

 private void checkUltimateReceiverHeaders(Set<Header> ultimateReceiverHeaders,
                                              Set<QName> mustUnderstandQNames, 
                                              SoapMessage soapMessage) {
            .add(new UltimateReceiverMustUnderstandInterceptor(mustUnderstandQNames));
        if (!ultimateReceiverHeaders.isEmpty()) {
            Set<QName> notFound = new HashSet<QName>();
            for (Header h : ultimateReceiverHeaders) {
                // <-------- this is where the problem happens, because the UsernameTokenInterceptor did not inform it knows about the security headers
                if (!mustUnderstandQNames.contains(h.getName())) {
            if (!notFound.isEmpty()) {
                // Defer throwing soap fault exception in SOAPHeaderInterceptor once the isOneway
                // be detected
                soapMessage.put(MustUnderstandInterceptor.UNKNOWNS, notFound);

I think the same idea is used by other people as a workaround :

Let me know if you need extra details (or if we are not using it correctly).

Note that: we recently updated from 0.11, and that worked fine for us (for this use case)
- but that was completely ignoring the mustUnderstand="1" from what we saw.

We only bring the minimal required dependencies for the open-cmis.
Here are some other libraries in our project that may interest you:

This message was sent by Atlassian JIRA
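
The following is an added example, not part of the original message and not OpenCMIS or CXF source code. It sketches the mechanism the report proposes: a CXF SOAP interceptor that declares the Security header through getUnderstoodHeaders and, because it claims to understand that header, rejects requests where the header or its UsernameToken is absent. The class name, the choice of phase, and the assumption that the header is the OASIS WS-Security 1.0 Security element are illustrative; it needs the CXF SOAP binding on the classpath.

```java
import java.util.Collections;
import java.util.Set;
import javax.xml.namespace.QName;

import org.apache.cxf.binding.soap.SoapFault;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.interceptor.AbstractSoapInterceptor;
import org.apache.cxf.headers.Header;
import org.apache.cxf.phase.Phase;
import org.w3c.dom.Element;

// Hypothetical class name; illustrates the fix proposed in the report.
public class SecurityHeaderAwareInterceptor extends AbstractSoapInterceptor {

    // Assumption: the request uses the OASIS WS-Security 1.0 namespace.
    private static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    private static final QName SECURITY = new QName(WSSE_NS, "Security");

    public SecurityHeaderAwareInterceptor() {
        super(Phase.PRE_INVOKE); // phase chosen for illustration
    }

    // CXF's MustUnderstandInterceptor collects these QNames from every
    // SoapInterceptor in the chain; a mustUnderstand="1" header whose
    // QName is not in the collected set produces the fault shown above.
    @Override
    public Set<QName> getUnderstoodHeaders() {
        return Collections.singleton(SECURITY);
    }

    // Declaring a header as understood is a promise to process it, so
    // fail closed when it is missing or carries no UsernameToken.
    @Override
    public void handleMessage(SoapMessage message) {
        QName sender = message.getVersion().getSender();
        Header header = message.getHeader(SECURITY);
        if (header == null || !(header.getObject() instanceof Element)) {
            throw new SoapFault("Missing wsse:Security header", sender);
        }
        Element security = (Element) header.getObject();
        if (security.getElementsByTagNameNS(WSSE_NS, "UsernameToken").getLength() == 0) {
            throw new SoapFault("Missing wsse:UsernameToken", sender);
        }
        // The credentials would then be extracted and passed to authentication.
    }
}
```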
