Hello, please see my comments inline.

On Sun, Sep 29, 2019 at 11:40 PM Auke Schrijnen <aschrij...@bkwi.nl> wrote:

> Hi,
>
> We are trying to implement a couple of services in Apache Axis2 and Apache
> Synapse which must conform to the Dutch specifications ‘Digikoppeling’ and
> 'SuwiML Transactiestandaard’. This is basically ‘WS-I Basic Profile 1.1’
> with a few additional requirements.
>
> One of the requirements is the use of the WS-Addressing To header in the
> response. Although the services only have synchronous request-response
> operations we have to set the wsa:To header in the response to a custom
> value. The result is that Axis2 tries to send the response to the address
> specified in the wsa:To header, which we don’t want since this is a
> synchronous request-response operation.
>
>
The Axis2 module trunk/modules/addressing/test has a wide range of example
code that may help you here.

There is also a jaxws-integration module with addressing test code.

I would start there.

Having a response sent to another address than "the address specified in
the wsa:To header" may require some custom coding or handlers - not sure.



> I noticed that this is the case for both the Axis2 Commons HTTP sender
> (CommonsHTTPTransportSender.java @ 221) and the Apache Synapse PassThrough
> (PassThroughHttpSender.java @ 258) and NIO sender (HttpCoreNIOSender.java @
> 257).
>
>
We are about to remove any older support for commons httpclient 3. You can
use the http client 4 classes by changing your axis2.xml transportSender
element to instead use
org.apache.axis2.transport.http.impl.httpclient4.HTTPClient4TransportSender.


> The 'Web Services Addressing 1.0 - SOAP Binding’ specification states that
> ‘any response message SHOULD be sent using a separate connection and using
> the address value specified by response endpoint’ when a value other than "
> http://www.w3.org/2005/08/addressing/anonymous" is used, but this applies
> to 'response endpoint’, which ‘refers to the [reply endpoint] and [fault
> endpoint]’ (see https://www.w3.org/TR/ws-addr-soap/#addressesinsoap).
> It’s not clear to me if the ‘reply endpoint’ or ‘fault endpoint’ refers to
> the wsa:From header in the response or only the ReplyTo and FaultTo in the
> request.
>

Interestingly enough I see a lot of axis2 source code use of the wsa
headers, but nothing on wsa:From ... at a glance, I may have missed
something.


> Is the implementation in Axis2 and Synapse too strict and should it allow
> any value for the wsa:To in the response, or does our requirement conflict
> with the WS-Addressing specification?
>
>
These specs are rather old now, but anyways the main reason for the current
Axis2 behavior is security related of course. I found this section to be
relevant:

"

Messages that use wsa:ReplyTo or wsa:FaultTo headers whose [address] is not
the predefined anonymous URI should include claims that allow a receiver to
confirm that the EPR was issued by a principle with authority to represent
the [address] of the EPR.

When receiving a SOAP message, certain SOAP headers may have resulted from
the serialization of an EPR's [reference parameters] property. A SOAP
message receiver should perform additional security and sanity checks to
prevent unintended actions.

"

Regards,

Robert

> Auke
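The receiver-side check that the quoted security section calls for, as an added example that is not part of the thread and not Axis2 code: before opening a separate connection, confirm that a non-anonymous wsa:ReplyTo or wsa:FaultTo address is one the service agrees to call. The class name, the host allowlist (a simple stand-in for the "claims" the specification mentions) and the sample envelope are assumptions.

```java
import java.io.StringReader;
import java.net.URI;
import java.util.Locale;
import java.util.Set;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class ResponseEndpointCheck {
    static final String WSA = "http://www.w3.org/2005/08/addressing";
    static final String ANONYMOUS = WSA + "/anonymous";
    // Assumption: hosts this deployment agrees to open a separate connection to.
    static final Set<String> ALLOWED_HOSTS = Set.of("callback.partner.example");

    // Returns null when the header may be honoured, otherwise the reason to reject it.
    static String check(Document doc, String header) {
        NodeList eprs = doc.getElementsByTagNameNS(WSA, header);
        if (eprs.getLength() == 0) return null;      // header absent: nothing to validate
        if (eprs.getLength() > 1) return "duplicate header";
        NodeList addrs = ((Element) eprs.item(0)).getElementsByTagNameNS(WSA, "Address");
        if (addrs.getLength() != 1) return "expected exactly one wsa:Address";
        String address = addrs.item(0).getTextContent().trim();
        if (ANONYMOUS.equals(address)) return null;  // reply goes on the HTTP back-channel
        try {
            URI uri = URI.create(address);
            if (!"https".equalsIgnoreCase(uri.getScheme())) return "scheme is not https";
            String host = uri.getHost();
            if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT)))
                return "host is not on the allowlist";
        } catch (IllegalArgumentException e) {
            return "address is not a valid URI";
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample request, not taken from the thread.
        String soap = "<s:Envelope xmlns:s='http://schemas.xmlsoap.org/soap/envelope/' xmlns:wsa='" + WSA + "'><s:Header>"
            + "<wsa:ReplyTo><wsa:Address>" + ANONYMOUS + "</wsa:Address></wsa:ReplyTo>"
            + "<wsa:FaultTo><wsa:Address>http://unlisted-host.example/faults</wsa:Address></wsa:FaultTo>"
            + "</s:Header><s:Body/></s:Envelope>";
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);  // wsa: elements are matched by namespace URI, not prefix
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(soap)));
        for (String h : new String[] {"ReplyTo", "FaultTo"}) {
            String why = check(doc, h);
            System.out.println("wsa:" + h + " -> " + (why == null ? "accept" : "reject: " + why));
        }
    }
}
```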