Grzegorz, all

well, in that case you may have a security problem :-).

After reading SOAP 1.2 specs again I came to the same
conclusion as you: Header processing for "mustUnderstand"
headers is *always necessary* even in case the SOAP Body
contains a Fault block.

What follows is:
1st: if a client requires Security (as defined
in WSDD) for a response then the server must generate
Security headers with appropriate information in *any* case.
This fact must be known to the server (Security Policy).

2nd: even if the Security handler at the server rejects
some Security stuff, for example the signature verification
fails, then the Fault response to the client must be
"Security" processed according to the security requirements
(policies) of both parties.

Thus, if your client receives a Fault message and you have
defined Security actions in the response flow then the Fault
*must* contain Security header blocks - otherwise you get a
Fault "no Security" from the receiver handler. According
to the specs this seems to be the correct behaviour.
I admit in that case you may not see the real (server side)
fault because it may be overlaid with the fault generated by
the Receiver handler.
Well, now I'm getting confused :-).

Any thoughts how to handle this? All are invited to smash
in their ideas how to handle this topic.

Regards,
Werner

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> Sent: Friday, 16 December 2005 10:48
> To: Dittmann, Werner
> Cc: [email protected]
> Subject: Re: wsse:Security header and soap:Fault
>
> Werner,
>
> One more thing...
>
> > > > if this is the case (mustUnderstand headers MUST be processed
> > > > in any case) then just comment the offending lines that check for
> > > > a Fault element. The normal processing takes place and the security
> > > > handler does its job - the additional check you mentioned is not
> > > > necessary in that case.
>
> This check is however necessary...
> Letting WSDoAllReceiver go with its processing in the case when the WS method
> threw an AxisFault produces the "Request does not contain required
> Security header" exception because wsResult =
> secEngine.processSecurityHeader() == null.
> It's not possible to change the declared <responseFlow> in client.wsdd
> (action = "Timestamp Signature")...
>
> > > Thank You! It's the easiest way - is this change going to
> > > appear in future versions of WSS4J?
> >
> > yes but probably I'll make it configurable somehow to
> > retain backward compatibility. I'll start a discussion
> > on the mailing list to get opinions of the other peers
> > and users.
> >
>
> I will read this discussion with pleasure
>
> Regards
> Grzegorz Grzybek
>
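As an added illustration, not code from this thread and not WSS4J's own implementation: a small Python model of the receiver-side decision the two messages argue about. It assumes a client response-flow policy that requires a wsse:Security header, and contrasts the shortcut that skips security processing whenever the Body is a Fault with the strict behaviour in which a Fault lacking the required header is itself rejected, so the server's original fault reason is masked by the handler's "no Security" fault. The SOAP 1.2 envelopes are constructed samples; verification of the header contents (Timestamp, Signature) is represented by a presence and mustUnderstand check only.

```python
import xml.etree.ElementTree as ET

# Namespaces: SOAP 1.2 envelope and WS-Security 1.0 secext.
ENV = "http://www.w3.org/2003/05/soap-envelope"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")


def q(ns, local):
    """Clark-notation qualified name as used by ElementTree."""
    return "{%s}%s" % (ns, local)


def envelope(body_xml, with_security):
    """Constructed sample envelope (not captured traffic). The Security
    header is left empty: only its presence and mustUnderstand flag
    matter for the decision modelled here."""
    header = ""
    if with_security:
        header = ('<env:Header><wsse:Security env:mustUnderstand="true"/>'
                  '</env:Header>')
    return ('<env:Envelope xmlns:env="%s" xmlns:wsse="%s">%s'
            '<env:Body>%s</env:Body></env:Envelope>'
            % (ENV, WSSE, header, body_xml))


def inspect(envelope_xml):
    """Extract what a receiver handler must decide on: is the Body a
    Fault, is a wsse:Security header present, is it mustUnderstand."""
    root = ET.fromstring(envelope_xml)
    header = root.find(q(ENV, "Header"))
    body = root.find(q(ENV, "Body"))
    fault = body.find(q(ENV, "Fault")) if body is not None else None
    security = header.find(q(WSSE, "Security")) if header is not None else None
    must_understand = (security is not None and
                       security.get(q(ENV, "mustUnderstand")) in ("1", "true"))
    reason = None
    if fault is not None:
        text = fault.find("%s/%s" % (q(ENV, "Reason"), q(ENV, "Text")))
        reason = text.text if text is not None else ""
    return {"is_fault": fault is not None,
            "has_security": security is not None,
            "must_understand": must_understand,
            "fault_reason": reason}


def receive(envelope_xml, security_required, skip_faults):
    """Model of the receiver handler's decision.
    security_required: the client's response flow demands wsse:Security.
    skip_faults: the shortcut under discussion, i.e. no security
                 processing at all when the Body is a Fault.
    Returns (outcome, detail)."""
    info = inspect(envelope_xml)
    if info["is_fault"] and skip_faults:
        # The server's Fault reaches the application as-is, but a
        # mustUnderstand Security header, if present, was never processed.
        return ("DELIVERED_UNCHECKED", info["fault_reason"])
    if security_required and not info["has_security"]:
        # The handler raises its own fault; any server-side Fault reason
        # is overlaid by this one and never reaches the application.
        return ("REJECTED", "Request does not contain required Security header")
    # Real verification of Timestamp/Signature would happen here.
    return ("DELIVERED", info["fault_reason"])


# Constructed bodies for the three scenarios.
FAULT_BODY = ('<env:Fault><env:Code><env:Value>env:Receiver</env:Value>'
              '</env:Code><env:Reason><env:Text xml:lang="en">database down'
              '</env:Text></env:Reason></env:Fault>')
OK_BODY = '<m:getQuoteResponse xmlns:m="urn:example">42</m:getQuoteResponse>'

SECURED_FAULT = envelope(FAULT_BODY, with_security=True)
BARE_FAULT = envelope(FAULT_BODY, with_security=False)
BARE_RESPONSE = envelope(OK_BODY, with_security=False)


if __name__ == "__main__":
    for label, msg, skip in (("secured fault, strict", SECURED_FAULT, False),
                             ("bare fault, strict", BARE_FAULT, False),
                             ("bare fault, shortcut", BARE_FAULT, True),
                             ("bare response, strict", BARE_RESPONSE, False)):
        print("%-22s -> %s" % (label, receive(msg, True, skip)))
```

The "bare fault, strict" case is the situation Werner describes: the client only ever sees the handler's "no Security" fault, and the server's "database down" reason is lost, which is why the server must secure its Fault responses whenever the client's policy requires it.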
