Posted to rampart-dev@ws.apache.org by "Taariq Levack (JIRA)" <ji...@apache.org> on 2008/09/30 10:07:44 UTC

[jira] Created: (RAMPART-197) Rampart handler not processing empty security header with mustUnderstand="1"

Rampart handler not processing empty security header with mustUnderstand="1"
----------------------------------------------------------------------------

                 Key: RAMPART-197
                 URL: https://issues.apache.org/jira/browse/RAMPART-197
             Project: Rampart
          Issue Type: Improvement
    Affects Versions: 1.4
         Environment: Oracle application server 10.1.3, embedded OC4J in JDeveloper & Eclipse used for testing.
            Reporter: Taariq Levack
            Assignee: Ruchith Udayanga Fernando
             Fix For: 1.4


The application server returns a response that contains an empty security header and this is not processed by the Rampart handler and a fault is generated.
As per Nandana the solution is to flag the empty header as processed when it expects nothing in the security header, for interoperability.

This is the request header, simple username token....
<soapenv:Header>
   <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
      <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-3201085">
         <wsse:Username>USERNAME</wsse:Username>
         <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">PASSWORD</wsse:Password>
      </wsse:UsernameToken>
   </wsse:Security>
</soapenv:Header>

And this is the response header
<env:Header>
   <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" env:mustUnderstand="1"/>
</env:Header>

Exception in thread "main" org.apache.axis2.AxisFault: Must Understand check failed for header http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd : Security
      at org.apache.axis2.engine.AxisEngine.checkMustUnderstand(AxisEngine.java:102)
      at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:166)
      at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:363)
      at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:416)
      at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:228)
      at org.apache.axis2.client.OperationClient.execute(OperationClient.java:163)
      at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:548)
      at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:528)

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
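
The rule proposed in the report above (flag an empty wsse:Security header as processed only when nothing is expected in it), sketched as an added example using only the JDK DOM parser; this is not Rampart's code and not part of the original thread. The class, the Decision enum and the expectsContent flag are hypothetical names, and only SOAP 1.1 envelopes are assumed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

public class EmptySecurityHeaderCheck {
    static final String WSSE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/";
    enum Decision { NO_HEADER, MARK_PROCESSED, PROCESS_CONTENT, REJECT }

    // First direct child element matching ns/local; a null ns matches any element.
    static Element child(Node parent, String ns, String local) {
        for (Node n = parent.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() != Node.ELEMENT_NODE) continue;
            if (ns == null || (ns.equals(n.getNamespaceURI()) && local.equals(n.getLocalName())))
                return (Element) n;
        }
        return null;
    }

    // expectsContent is a hypothetical flag: true when the client's inbound policy
    // requires something (timestamp, signature, token) in the response header.
    static Decision decide(String envelope, boolean expectsContent) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Element root = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(envelope.getBytes(StandardCharsets.UTF_8)))
            .getDocumentElement();
        Element header = child(root, SOAP11, "Header");
        Element security = header == null ? null : child(header, WSSE, "Security");
        if (security == null) return expectsContent ? Decision.REJECT : Decision.NO_HEADER;
        if (child(security, null, null) != null) return Decision.PROCESS_CONTENT;
        // Empty header: satisfy mustUnderstand only when nothing is expected in it.
        // If content was expected, an empty header means the protection is absent.
        return expectsContent ? Decision.REJECT : Decision.MARK_PROCESSED;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample modelled on the response header in the report.
        String response = "<env:Envelope xmlns:env=\"" + SOAP11 + "\"><env:Header>"
            + "<wsse:Security xmlns:wsse=\"" + WSSE + "\" env:mustUnderstand=\"1\"/>"
            + "</env:Header><env:Body/></env:Envelope>";
        System.out.println(decide(response, false));
        System.out.println(decide(response, true));
    }
}
```

Tying the decision to the expected policy keeps the interoperability relaxation from also accepting a response whose required signature or timestamp is missing.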


[jira] Assigned: (RAMPART-197) Rampart handler not processing empty security header with mustUnderstand="1"

Posted by "Nandana Mihindukulasooriya (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/RAMPART-197?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nandana Mihindukulasooriya reassigned RAMPART-197:
--------------------------------------------------

    Assignee: Nandana Mihindukulasooriya  (was: Ruchith Udayanga Fernando)



[jira] Commented: (RAMPART-197) Rampart handler not processing empty security header with mustUnderstand="1"

Posted by "Bob Wall (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/RAMPART-197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12795640#action_12795640 ] 

Bob Wall commented on RAMPART-197:
----------------------------------

We are seeing this same problem with an Axis2/Java client.  Looks like it's been sitting around for a year or more - is there any plan to fix this?




[jira] Commented: (RAMPART-197) Rampart handler not processing empty security header with mustUnderstand="1"

Posted by "Diego Moore (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/RAMPART-197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12726385#action_12726385 ] 

Diego Moore commented on RAMPART-197:
-------------------------------------

While I don't have access to source code I've been told by a developer that this is a major issue with WCF too and there is no known workaround. WCF just simply does not like the empty security header!

We're using WSF-PHP which in turn uses axis2c and therefore rampartc. A solution on the server side is to include TimeStamps but we're also having issues with wsf-php 2.0 and timestamps.

I've checked the spec and can't see anything else that could be added to the security headers as we're just using username token for authentication.

Can I please suggest that this is changed from a feature to a bug? Otherwise what's the point of Web Services if it's not interoperable with two other frameworks (Oracle and WCF) which happen to be widely used throughout...
