Hi, This is an issue in Rampart because it doesn't processes the security header of fault messages.
https://issues.apache.org/jira/browse/RAMPART-90 This will be fixed in the next release of Apache Rampart. Thanks, Ruchith On 10/12/07, Tim Munro (myDIALS) <[EMAIL PROTECTED]> wrote: > Hi All, > > I have developed an Axis2-1.3 client (with Rampart 1.3, using an xmlbeans > proxy) that calls methods on a secured .NET web service service. I can > successfully communicate with the .NET service, however when the .NET server > returns a valid fault message the xmlbeans proxy client never receives the > returned fault string; instead all the client receives is the following > message: > Must Understand check failed for header > http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1. > 0.xsd : Security > > Note that in Axis2-1.2 this was not a problem; my xmlbeans proxy received > the correct/expected error string. > > So, for example, if I call a method on the .NET web service with an invalid > parameter in the request document, the .NET web service returns an > informative message containing details of the problem. Below is an example > of the xml response message received from the .NET server, and to me it > appears to be a valid response: > <?xml version='1.0' encoding='utf-8'?> > <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"; > xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity- > utility-1.0.xsd"> > <s:Header> > <o:Security > xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity- > secext-1.0.xsd" s:mustUnderstand="1"> > <u:Timestamp u:Id="_0"> > > <u:Created>2007-10-12T01:02:16.796Z</u:Created> > > <u:Expires>2007-10-12T01:07:16.796Z</u:Expires> > </u:Timestamp> > </o:Security> > </s:Header> > <s:Body> > <s:Fault> > <faultcode>s:UnexpectedFault</faultcode> > <faultstring xml:lang="en-US">An unexpected error > has occurred in the service. > System.ServiceModel.FaultException`1[MyDials.Common.ServiceFaults.InvalidReq > uestFault]: The dimension member 'Midlands' was included in a dimension > reference for the 'Products' dimension, but is not valid. (Fault Detail is > equal to MyDials.Common.ServiceFaults.InvalidRequestFault).</faultstring> > </s:Fault> > </s:Body> > </s:Envelope> > > When I interact with this returned message (through the xmlbeans proxy), the > error message I see is the "Must Understand check failed for header ..." > rather than the value contained in the faultstring elemrnt of the returned > document. > > The issue appears to be that the received message header contains a (valid) > timestamp, as indicated above, however the Axis2 response handler never > seems to to process this timestamp in the header, meaning that when the > AxisEngine.checkMustUnderstand() performs the headerBlock.isProcessed() > test, the result is false and so the "Must understand check failed ..." > exception is thrown and my xmlbeans proxy never sees the real faultstring > message. > > I am struggling to understand what is going wrong here ... any guidance on > what to fault-find next would be greatly appreciated as after a few days > looking at this I am unsure if it is a problem in returned document, or my > policy.xml. > > Thanks, > Tim Munro > =================== > > Below is my policy.xml document: > <?xml version="1.0" encoding="UTF-8"?> > <wsp:Policy wsu:Id="SigOnly" > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurit > y-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy";> > <wsp:ExactlyOne> > <wsp:All> > <sp:TransportBinding > xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";> > <wsp:Policy> > <sp:TransportToken> > <wsp:Policy> > <sp:HttpsToken > RequireClientCertificate="false"/> > </wsp:Policy> > </sp:TransportToken> > <sp:AlgorithmSuite> > <wsp:Policy> > <sp:Basic256/> > </wsp:Policy> > </sp:AlgorithmSuite> > <sp:Layout> > <wsp:Policy> > <sp:Lax/> > </wsp:Policy> > </sp:Layout> > <sp:IncludeTimestamp/> > </wsp:Policy> > </sp:TransportBinding> > <sp:EndorsingSupportingTokens > xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";> > <wsp:Policy> > <sp:X509Token > sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/Includ > eToken/AlwaysToRecipient"> > <wsp:Policy> > > <sp:WssX509V3Token10/> > </wsp:Policy> > </sp:X509Token> > </wsp:Policy> > </sp:EndorsingSupportingTokens> > <sp:Wss10 > xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";> > <wsp:Policy> > <sp:MustSupportRefKeyIdentifier/> > <sp:MustSupportRefIssuerSerial/> > </wsp:Policy> > </sp:Wss10> > > <ramp:RampartConfig > xmlns:ramp="http://ws.apache.org/rampart/policy";> > <ramp:timestampTTL>300</ramp:timestampTTL> > > <ramp:timestampMaxSkew>300</ramp:timestampMaxSkew> > > <ramp:user>cc40b01503ff1f5ededf6d07c3a3c56c_81ea973b-e847-4bba-abc9-e6e69109 > 3f9d</ramp:user> > <!-- passwordCallbackClass is set in mydials > config --> > <!-- > <ramp:passwordCallbackClass>com.mydials.wshelper.PWCBHandler</ramp:passwordC > allbackClass> --> > > <ramp:signatureCrypto> > <ramp:crypto > provider="org.apache.ws.security.components.crypto.Merlin"> > <ramp:property > name="org.apache.ws.security.crypto.merlin.keystore.type">pkcs12</ramp:prope > rty> > <ramp:property > name="org.apache.ws.security.crypto.merlin.file">MyDialsCert.pfx</ramp:prope > rty> > <ramp:property > name="org.apache.ws.security.crypto.merlin.keystore.password"></ramp:propert > y> > </ramp:crypto> > </ramp:signatureCrypto> > </ramp:RampartConfig> > > </wsp:All> > </wsp:ExactlyOne> > </wsp:Policy> > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > -- http://blog.ruchith.org http://wso2.org --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
