On 2011-04-04 11:20, Michal Niklas wrote:
>> Hello,
>>
>> I have problem with axis2+rampart WS-Security response in case of server
>> internal error.
>> When server returns "200 OK" all seems ok. Response is checked by
>> rampart if it has proper timestamp, signature and decrypts function
>> response XML. But when server returns "500 Internal Server Error"
>> axis2/rampart throws exception:
>>
>>      ERROR Thread-11 org.apache.axis2.engine.AxisEngine - Must Understand
>> check failed for header
>>
>> I thought there is something wrong with answer and tested it with
>> soapUI. There comes similar response both in secured and decrypted form.
>> Those responses differ only by HTTP status, XML response code indicating
>> error, and case of SOAP tags. In case of good response there is
>>
>>      <SOAP-ENV:Envelope ...
>>
>> In case of error:
>>
>>      <soap:Envelope ...
>>
>> Rest of the structure, including `mustUnderstand="1"` is the same.
>>
>> In `axis2.xml` I configured `InFlow` and `InFaultFlow` to be the same
>> with order:
>>
>>      <phase name="Addressing">...</phase>
>>      <phase name="Security"/>
>>      <phase name="PreDispatch"/>
>>
>> I enabled tracing of my client and in case of good response I see:
>>
>>      DEBUG Thread-11 org.apache.rampart.RampartEngine - Enter
>> process(MessageContext msgCtx)
>>      DEBUG Thread-11 org.apache.axis2.engine.Phase - [MessageContext:
>> logID=urn:uuid:UUID] Invoking Handler 'SecurityInHandler' in Phase
>> 'Security'
>>      ...there is decrypted message
>>      DEBUG Thread-11 org.apache.rampart.handler.WSDoAllReceiver -
>> WSDoAllReceiver: exit invoke()
>>      DEBUG Thread-11 org.apache.axis2.engine.Phase - [MessageContext:
>> logID=urn:uuid:UUID] Checking post-conditions for phase "Security"
>>      DEBUG Thread-11 org.apache.axis2.engine.Phase - [MessageContext:
>> logID=urn:uuid:UUID] Checking pre-condition for Phase "PreDispatch"
>>      ...
>>
>> There is no such trace in the case of error:
>>
>>      DEBUG Thread-11 org.apache.rampart.RampartEngine - Enter
>> process(MessageContext msgCtx)
>>      DEBUG Thread-11 org.apache.axis2.engine.Phase - [MessageContext:
>> logID=urn:uuid:UUID] Checking post-conditions for phase "Security"
>>      DEBUG Thread-11 org.apache.axis2.engine.Phase - [MessageContext:
>> logID=urn:uuid:UUID] Checking pre-condition for Phase "PreDispatch"
>>      ...
>>      DEBUG Thread-11 org.apache.axis2.engine.Phase - [MessageContext:
>> logID=urn:uuid:UUID] Checking post-conditions for phase "soapmonitorPhase"
>>      DEBUG Thread-11 org.apache.axis2.engine.AxisEngine - MustUnderstand
>> header not processed or registered as
>> understood{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security
>>      DEBUG Thread-11 org.apache.axis2.i18n.ProjectResourceBundle -
>> org.apache.axis2.i18n.resource::handleGetObject(mustunderstandfailed)
>>      ERROR Thread-11 org.apache.axis2.engine.AxisEngine - Must Understand
>> check failed for header
>> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
>> : Security
>>      org.apache.axis2.AxisFault: Must Understand check failed for header
>> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
>> : Security
>>      at
>> org.apache.axis2.engine.AxisEngine.checkMustUnderstand(AxisEngine.java:97)
>>      at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:163)
>>      at
>> org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:364)
>>      at
>> org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:417)
>>      at
>> org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:229)
>>      at
>> org.apache.axis2.client.OperationClient.execute(OperationClient.java:165)
>>
>> There is no `SecurityInHandler` invocation.
>>
>> I would like to see decrypted message just like in case of "200 OK"
>> status or like in soapUI.
>> Any ideas what is wrong with my configuration?
>>
>> PS This is copy of my query at:
>> http://stackoverflow.com/questions/5511643/axis2rampart-must-understand-check-failed-for-header-security
> 
> 
> I have checked that I got such error only in case of "500 Internal
> Server Error". If the server replies with "200 OK" and the same encrypted
> content then axis2 is able to decrypt it!


I will answer myself:

I searched Rampart sources to see where `SecurityInHandler` is.
It was in `META-INF/module.xml` of `rampart-1.5.1.mar`,
but only in `<InFlow>` section. I copied it to `<InFaultFlow>`
and it works!

Now my `<InFaultFlow>` section looks like:

    <InFaultFlow>
        <handler name="PolicyBasedSecurityInHandler"
                 class="org.apache.rampart.handler.RampartReceiver">
            <order phase="Security" phaseFirst="true"/>
        </handler>
        <handler name="SecurityInHandler"
                 class="org.apache.rampart.handler.WSDoAllReceiver">
            <order phase="Security"/>
        </handler>
        <handler name="PostDispatchVerificationHandler"
                 class="org.apache.rampart.handler.PostDispatchVerificationHandler">
            <order phase="Dispatch" phaseLast="true"/>
        </handler>
    </InFaultFlow>
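
A check for the condition described in this thread, as an added example that is not part of the original message or of Rampart's own code: it lists the handlers a module orders into the `Security` phase in `<InFlow>` but not in `<InFaultFlow>`. The sample `module.xml` is constructed and the function names are hypothetical.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Constructed sample shaped like the module.xml described in the message:
# security handlers are declared for <InFlow> only.
SAMPLE_MODULE_XML = """\
<module name="rampart">
  <InFlow>
    <handler name="PolicyBasedSecurityInHandler"
             class="org.apache.rampart.handler.RampartReceiver">
      <order phase="Security" phaseFirst="true"/>
    </handler>
    <handler name="SecurityInHandler"
             class="org.apache.rampart.handler.WSDoAllReceiver">
      <order phase="Security"/>
    </handler>
  </InFlow>
  <InFaultFlow>
  </InFaultFlow>
</module>
"""

def handlers_in_phase(root, flow, phase):
    """Names of handlers that `flow` orders into `phase` (hypothetical helper)."""
    names = set()
    for handler in root.findall(f"./{flow}/handler"):
        order = handler.find("order")
        if order is not None and order.get("phase") == phase:
            names.add(handler.get("name"))
    return names

def missing_in_fault_flow(module_xml, phase="Security"):
    """Handlers <InFlow> runs in `phase` that <InFaultFlow> does not."""
    root = ET.fromstring(module_xml)
    normal = handlers_in_phase(root, "InFlow", phase)
    fault = handlers_in_phase(root, "InFaultFlow", phase)  # empty if absent
    return sorted(normal - fault)

def check_mar(mar_bytes):
    """A .mar is a zip archive; inspect its META-INF/module.xml."""
    with zipfile.ZipFile(io.BytesIO(mar_bytes)) as mar:
        return missing_in_fault_flow(mar.read("META-INF/module.xml"))

if __name__ == "__main__":
    print(missing_in_fault_flow(SAMPLE_MODULE_XML))
```

A non-empty result means fault responses carrying a `mustUnderstand="1"` Security header will reach the must-understand check without having been processed by those handlers.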