From: lanabe.lan...@gmail.com
Date: Thu, 14 Jul 2016 16:39:07 +0000
Subject: Re: Axis2 1.7.3 + Rampart 1.7.0 WS-Security not invoked
To: java-user@axis.apache.org

Martin, Thank you for your reply.

Before filing an issue, I have a question about the missing WSDoAllHandler.

The following commit, which deleted WSDoAllHandler, says:
---
Removing the deprecated basic configuration (This was deprecated since version 
1.1).

https://github.com/apache/rampart/commit/1863364037019275f70e66cf77d1f092bf3bd984
---

And the Rampart 1.7.0 release notes say:
---
Please note that Apache Rampart uses a configuration model based on WS-Policy 
and WS-Security Policy and that the Apache Rampart 1.0 style configuration 
(already deprecated since Rampart 1.1) is no longer supported in 1.7.0.

http://axis.apache.org/axis2/java/rampart/release-notes/1.7.0.html
---

I guess Rampart already provides a more suitable way to use WS-Security because 
WSDoAllHandler seems to be deprecated (so removed).
MG>the caveat is WSDoAllHandler is deprecated ...IF.. wss4j (specifically WSS4JHandler) is present
MG>If WSS4JHandler is not on classpath then Axis 2 throws Exception with "mustUnderstand header not detected"
MG>0 WSHandler (with no default) TestCase Scenario:
MG>anyone who has worked with providers would know that without default provider a 0 providers test always throws Exception
MG>reliance on any one transient dependent provider/handler is never a good idea unless there exists a default provider
MG>(otherwise missing provider/handler exceptions will be thrown in the field and will come back to haunt the architect)

MG>the Ruchith disagreement with WSS4J author Werner Dittman extends back to 2006:
Ruchith>The module.xml file in this module archive has
Ruchith>instructions to place the handlers in the appropriate message flows
MG>(Inflow, Outflow and FaultFlow)
MG>Thus 3 different handlers for 3 different flows is a well architected solution vs Werner's contention of one WSS4JHandler fits
MG>like a glove for all 3 flows..Werner's design stipulates without documentation or testcases borders on "one WSS4JHandler
MG>should work" is not grounded to accommodate InFlow, OutFlow and FaultFlow phases

https://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200602.mbox/%3c559c463d0602040034t203a184co317d0cccabc7e...@mail.gmail.com%3E

MG>I agree with Ruchith on promoting WSDoAllHandler family of Handlers instead of one size fits all Handler implementing WSS4JHandler
MG>https://wiki.apache.org/ws/FrontPage/Architecture/Deployment

What do you think?

On Fri, Jul 15, 2016 at 12:28 AM Martin Gainty <mgai...@hotmail.com> wrote:

From: lanabe.lan...@gmail.com
Date: Thu, 14 Jul 2016 08:16:46 +0000
Subject: Re: Axis2 1.7.3 + Rampart 1.7.0 WS-Security not invoked
To: java-user@axis.apache.org

Hi, apparently I found a workaround.
Axis2 1.7.3 + Rampart 1.6.4 works fine (ofc, I suspect there should be a more 
proper way with Rampart 1.7.0). I noticed that Rampart 1.7.0 doesn't have 
WSDoAllHandler which processes WS-Security Header.

MG>Ianabe please file an Urgent priority JIRA bug on missing WSDoAllHandler for 
Rampart 1.70
https://issues.apache.org/jira/browse/RAMPART/?selectedTab=com.atlassian.jira.jira-projects-plugin:summary-panel




So, I should change the question. Should I use Rampart 1.6.4? Or, is there any 
proper way to use Rampart 1.7.0?

On Wed, Jul 13, 2016 at 10:29 PM lanabe <lanabe.lan...@gmail.com> wrote:
Hi, I'm working on using WS-Security with Axis2 1.7.3.

Axis2 1.6.4 + Rampart 1.6.4 works perfectly, but in Axis2 1.7.3 + Rampart 
1.7.0, I got the following error.

---
13-Jul-2016 22:10:21.222 SEVERE [http-nio-8080-exec-4] org.apache.axis2.engine.AxisEngine.receive Must Understand check failed for headers: {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security
 org.apache.axis2.AxisFault: Must Understand check failed for headers: {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security
    at org.apache.axis2.jaxws.handler.HandlerUtils.checkMustUnderstand(HandlerUtils.java:160)
    at org.apache.axis2.jaxws.server.EndpointController.inboundHeaderAndHandlerProcessing(EndpointController.java:336)
    at org.apache.axis2.jaxws.server.EndpointController.handleRequest(EndpointController.java:258)
    at org.apache.axis2.jaxws.server.EndpointController.invoke(EndpointController.java:101)
 [...]
---

It seems the settings for InflowSecurity are not enabled.

I've created a simple reproducer, which has 2 projects in each version (1.6.4, 
1.7.3).
https://github.com/emag-notes/axis2-ws-security

Any idea?
                                          
