[
https://issues.apache.org/jira/browse/RAMPART-332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13039712#comment-13039712
]
Oliver Rohr commented on RAMPART-332:
-------------------------------------
We have included a rampart-core patch in our server, which solves the problem.
The following method was extracted from RampartMessageData constructor and made
synchronized:
    // Serialises policy lookup so concurrent first requests cannot interleave here.
    private static synchronized Policy loadPolicy(MessageContext msgCtx)
    {
        Policy policy = null;

        // 1) Policy set explicitly as a message context property.
        if (msgCtx.getProperty(KEY_RAMPART_POLICY) != null)
        {
            policy = (Policy) msgCtx.getProperty(KEY_RAMPART_POLICY);
        }

        /*
         * Init policy: When creating the RampartMessageData instance we extract
         * the service policy if it is set in the msgCtx.
         * If it is missing then try to obtain from the configuration files.
         */
        if (policy == null)
        {
            // 2) Effective policy computed by Axis2 for this message.
            policy = msgCtx.getEffectivePolicy();
        }

        if (policy == null)
        {
            // 3) Policy supplied as a configuration parameter.
            Parameter param =
                msgCtx.getParameter(RampartMessageData.KEY_RAMPART_POLICY);
            if (param != null)
            {
                OMElement policyElem =
                    param.getParameterElement().getFirstElement();
                policy = PolicyEngine.getPolicy(policyElem);
            }
        }

        return policy;
    }
> InvalidSecurity for first requests
> ----------------------------------
>
> Key: RAMPART-332
> URL: https://issues.apache.org/jira/browse/RAMPART-332
> Project: Rampart
> Issue Type: Bug
> Affects Versions: 1.4, 1.5
> Environment: Axis 1.5.2, rampart 1.4
> Reporter: Oliver Rohr
> Priority: Critical
>
> The exception is the same as in AXIS2-3999, but I'm not sure if it has the
> same origin
> org.apache.axis2.AxisFault: InvalidSecurity
>     at org.apache.rampart.handler.PostDispatchVerificationHandler.invoke(PostDispatchVerificationHandler.java:143)
>     at org.apache.axis2.engine.Phase.invoke(Phase.java:318)
>     at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:251)
>     at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:160)
>     at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:167)
>     at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:142)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
>     ...
> We do have 3 services and we are using MTOM in the clients to send
> attachments. Rampart is engaged in the services.xml with a policy using a custom
> password handler as follows:
> <module ref="rampart" />
> <module ref="addressing" />
>
> <wsp:Policy wsu:Id="UTOverTransport"
>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>           <sp:TransportToken>
>             <wsp:Policy>
>               <!-- <sp:HashPassword/> -->
>             </wsp:Policy>
>           </sp:TransportToken>
>         </wsp:Policy>
>       </sp:TransportBinding>
>       <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>           <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient" />
>         </wsp:Policy>
>       </sp:SignedSupportingTokens>
>
>       <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
>         <ramp:passwordCallbackClass>custom.PasswordCallbackHandler</ramp:passwordCallbackClass>
>       </ramp:RampartConfig>
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>
> policy.xml in client:
> <wsp:Policy wsu:Id="UsernameToken"
>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <sp:SupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>         <wsp:Policy>
>           <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>             <wsp:Policy>
>               <!-- <sp:HashPassword/>-->
>             </wsp:Policy>
>           </sp:UsernameToken>
>         </wsp:Policy>
>       </sp:SupportingTokens>
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>
> Client code:
>     ServiceClient sc = stub._getServiceClient();
>     sc.engageModule("addressing");
>     sc.engageModule("rampart");
>     Options options = sc.getOptions();
>     options.setProperty(RampartMessageData.KEY_RAMPART_POLICY,
>         loadPolicy("axis2repo/policies/policy.xml"));
>     options.setUserName(config.getServerUser());
>     options.setPassword(config.getServerPassword());
>     // enable MTOM optimization in client
>     options.setProperty(Constants.Configuration.ENABLE_MTOM,
>         Constants.VALUE_TRUE);
>     options.setTimeOutInMilliSeconds(getConnectionTimeout() * 1000);
> The facts:
> 1) This works fine for any amount of requests that are sent in sequence.
> 2) This doesn't work for multiple requests (tested with 10 requests sent at
> approx. the same time) that are received by the server right after the server
> startup. In this case one (or some?) of the first requests produce the
> mentioned security exception.
> 3) If then again 10 requests are sent in parallel all works fine again.
> Thus I assume this is a problem with the policy loading at the beginning
> (lazy loading?), e.g. something is not thread safe?
> I would like to know if this is a known problem and if there is a workaround for
> this (e.g. on startup of the application could I just load everything that is
> needed to ensure Axis/rampart policy parts are fully initialized).
> Note: I also tried this with Axis 1.5.4 and rampart 1.5 but the same problem
> occurred.
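
A small model of the failure pattern the report suspects (parallel first requests meeting a lazily loaded policy) and of why putting the whole load under one lock, as the synchronized loadPolicy in the comment does, removes it. This is an added example, not Rampart or Axis2 code; the LazyPolicy class, the burst helper and the 50 ms parse delay are assumptions made for illustration.

```java
import java.util.*;
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicBoolean;

// Added illustration: a model of the suspected race, not Rampart or Axis2 code.
// LazyPolicy and burst() are hypothetical names.
public class FirstRequestRace {

    static class LazyPolicy {
        private final AtomicBoolean started = new AtomicBoolean();
        private volatile String policy;            // null until parsing completes

        private String init() throws InterruptedException {
            if (started.compareAndSet(false, true)) {
                Thread.sleep(50);                  // stands in for policy parsing
                policy = "UTOverTransport";
            }
            return policy;
        }

        // No lock: callers arriving while the first one parses get null.
        String loadUnsafe() throws InterruptedException { return init(); }

        // Whole load under one lock: later callers wait for the finished policy.
        synchronized String loadSafe() throws InterruptedException { return init(); }
    }

    // Release n "requests" at the same moment; count those that saw no policy.
    static int burst(int n, Callable<String> load) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(n);
        CountDownLatch go = new CountDownLatch(1);
        List<Future<String>> results = new ArrayList<>();
        for (int i = 0; i < n; i++) {
            results.add(pool.submit(() -> { go.await(); return load.call(); }));
        }
        go.countDown();
        int failed = 0;
        for (Future<String> f : results) if (f.get() == null) failed++;
        pool.shutdown();
        return failed;
    }

    public static void main(String[] args) throws Exception {
        LazyPolicy unsafe = new LazyPolicy();
        System.out.println("unsafe, first burst:  " + burst(10, unsafe::loadUnsafe));
        System.out.println("unsafe, second burst: " + burst(10, unsafe::loadUnsafe));
        LazyPolicy safe = new LazyPolicy();
        System.out.println("safe, first burst:    " + burst(10, safe::loadSafe));
    }
}
```

The same burst helper works as a regression check against a freshly started server if the Callable is replaced by a real client call that returns null on an InvalidSecurity fault.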