You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@synapse.apache.org by Gary Snider <ga...@gmail.com> on 2008/08/09 13:43:48 UTC

Synapse Axis2FlexibleMEPClient removes AddressingHeaders. Causes problems with ws-security

Just curious but why does the
org.apache.synapse.core.axis2.Axis2FlexibleMEPClient
remove addressing headers?

I've tried using synapse in proxy mode as well but here is the scenario and
why removing the headers is wrong for what we're doing:

1) A WS-Security message comes in to synapse (with wsa:MessageID signed &
referenced in the digital signature )
2) Synapse Axis2FlexibleMEPClient removes the wsa:MessageID in the original
message  (Axis2FlexibleMEPClient.removeAddressingHeaders)
3) The endpoint gets the 'forwarded' request and it fails ws-security
validation.  Why?  Because synapse removed the wsa:MessageID which is
referenced in the digital signature!

Why even in 'transparent' proxy mode would synapse remove that?  And what
are my options?

Re: Synapse Axis2FlexibleMEPClient removes AddressingHeaders. Causes problems with ws-security

Posted by Ruwan Linton <ru...@gmail.com>.

Hi Gary,

we remove addressing headers in-order to guarantee that non addressing aware
services or clients getting addressing aware messages, I think this feature
has to be able to turn off because of the troubles like what you have
encountered. Well, I must also say that addressing header are not must
understand headers and hence having them does no harm according to the
specification, but it is not nice to keep the addressing header unless you
specifically ask Synapse to enable addressing for the out going messages.

Can you please raise a JIRA for this, I was working on some addressing
related issues on proxy services (for example for the moment you cannot
enable only addressing for proxy services and was in the process of fixing
that :-) ), and I will fix this along with those changes. Basically I will
add a switch so that you can set a message context property and ask synapse
to not to remove addressing headers, but I would like to keep this behavior
as the default behavior.

Thanks,
Ruwan

On Sat, Aug 9, 2008 at 5:13 PM, Gary Snider <ga...@gmail.com> wrote:

> Just curious but why does the org.apache.synapse.core.axis2.Axis2FlexibleMEPClient
> remove addressing headers?
>
> I've tried using synapse in proxy mode as well but here is the scenario and
> why removing the headers is wrong for what we're doing:
>
> 1) A WS-Security message comes in to synapse (with wsa:MessageID signed &
> referenced in the digital signature )
> 2) Synapse Axis2FlexibleMEPClient removes the wsa:MessageID in the original
> message  (Axis2FlexibleMEPClient.removeAddressingHeaders)
> 3) The endpoint gets the 'forwarded' request and it fails ws-security
> validation.  Why?  Because synapse removed the wsa:MessageID which is
> referenced in the digital signature!
>
> Why even in 'transparent' proxy mode would synapse remove that?  And what
> are my options?
>

-- 
Ruwan Linton
http://wso2.org - "Oxygenating the Web Services Platform"
http://ruwansblog.blogspot.com/