Posted to java-dev@axis.apache.org by "Dimuthu Leelarathne (JIRA)" <ji...@apache.org> on 2006/12/14 13:57:22 UTC

[jira] Commented: (AXIS2-1849) Security exception is swallowed

    [ http://issues.apache.org/jira/browse/AXIS2-1849?page=comments#action_12458464 ] 
            
Dimuthu Leelarathne commented on AXIS2-1849:
--------------------------------------------

Hi Ali,

I tried to re-create the situation as follows.
	1) Created a private key and an X509 certificate unknown to a service.
	2) Then using this private key, I sent a signed SOAP message to the service, by using the configuration "<signatureKeyIdentifier>SKIKeyIdentifier</signatureKeyIdentifier>". So the service doesn't have the certificate and it has no way of knowing it.
	3) Then I debugged using the standard HTTPReceiver in axis2. This ended up in the "processHTTPPostRequest" method of "org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest". Here[1] the AxisEngine has been invoked in a try-catch block.
	4) This throws an AxisFault, which is thrown. I just put a stack trace and the result is as follows[2].


So I am wondering whether you have caught an "AxisFault" in your custom receiver. Just check and let me know.

Regards,
Dimuthu


[1]
    try {
        // ... many, many lines of code follow ...

        AxisEngine engine = new AxisEngine(msgContext.getConfigurationContext());

        if (envelope.getBody().hasFault()) {
            engine.receiveFault(msgContext);
        } else {
            engine.receive(msgContext);
        }
    } catch (SOAPProcessingException e) {
        throw new AxisFault(e);
    } catch (AxisFault e) {
        e.printStackTrace();    // This is what I put
        throw e;
    } catch (IOException e) {
        throw new AxisFault(e);
    } catch (OMException e) {
        throw new AxisFault(e);
    } catch (XMLStreamException e) {
        throw new AxisFault(e);
    } catch (FactoryConfigurationError e) {
        throw new AxisFault(e);
    } finally {
        if ((msgContext.getEnvelope() == null) && soapVersion != VERSION_SOAP11) {
            msgContext.setEnvelope(new SOAP12Factory().getDefaultEnvelope());
        }
    }

[2]
org.apache.axis2.AxisFault: WSDoAllReceiver: security processing failed; nested exception is: 
	org.apache.ws.security.WSSecurityException: The signature verification failed
	at org.apache.rampart.handler.WSDoAllReceiver.processBasic(WSDoAllReceiver.java:259)
	at org.apache.rampart.handler.WSDoAllReceiver.processMessage(WSDoAllReceiver.java:91)
	at org.apache.rampart.handler.WSDoAllHandler.invoke(WSDoAllHandler.java:74)
	at org.apache.axis2.engine.Phase.invoke(Phase.java:382)
	at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:522)
	at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:487)
	at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:326)
	at org.apache.axis2.transport.http.HTTPWorker.service(HTTPWorker.java:230)
	at org.apache.axis2.transport.http.server.DefaultHttpServiceProcessor.doService(DefaultHttpServiceProcessor.java:190)
	at org.apache.http.protocol.HttpService.handleRequest(HttpService.java:123)
	at org.apache.axis2.transport.http.server.DefaultHttpServiceProcessor.run(DefaultHttpServiceProcessor.java:262)
	at edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:665)
	at edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:690)
	at java.lang.Thread.run(Thread.java:595)
Caused by: org.apache.ws.security.WSSecurityException: The signature verification failed
	at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:251)
	at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:79)
	at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:279)
	at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:201)
	at org.apache.rampart.handler.WSDoAllReceiver.processBasic(WSDoAllReceiver.java:256)
	... 13 more




> Security exception is swallowed
> -------------------------------
>
>                 Key: AXIS2-1849
>                 URL: http://issues.apache.org/jira/browse/AXIS2-1849
>             Project: Apache Axis 2.0 (Axis2)
>          Issue Type: Bug
>          Components: modules
>    Affects Versions: 1.1
>         Environment: Windows XP Professional, JDK 1.4.2.12-b03
>            Reporter: Ali Sadik Kumlali
>         Assigned To: Dimuthu Leelarathne
>
> I need to catch the exception that occurred in the security phase. But it seems Rampart just logs the exception and does not propagate it to the transport receiver. Thus, I'm not able to catch it and notify the sender.
> Here is my scenario:
> - My WSDL has input only (one-way) operations.
> - Client sends signed messages by invoking appropriate method of generated stub.
> - Service's keystore doesn't have the public certificate of the client
> - Rampart logs the exception[1] BUT doesn't throw it.
> Since I wrote my own transport receiver, I'm able to catch any exception (including RuntimeException) thrown through the execution path (transport receiver -> phases/modules -> message receiver).
> Regards,
> Ali Sadik Kumlali
> [1] [ERROR][2006-12-08 14:40:48,535] org.apache.axis2.transport.jms.AxisMdb - JMS Worker [JMS Session Delivery Thread] Encountered an Axis Fault : WSDoAllReceiver: security processing failed; nested exception is:
>         org.apache.ws.security.WSSecurityException: The signature verification failed
> org.apache.axis2.AxisFault: WSDoAllReceiver: security processing failed; nested exception is:
>         org.apache.ws.security.WSSecurityException: The signature verification failed
>         at org.apache.rampart.handler.WSDoAllReceiver.processBasic(WSDoAllReceiver.java:275)
>         at org.apache.rampart.handler.WSDoAllReceiver.processMessage(WSDoAllReceiver.java:98)
>         at org.apache.rampart.handler.WSDoAllHandler.invoke(WSDoAllHandler.java:74)
>         at org.apache.axis2.engine.Phase.invoke(Phase.java:381)
>         at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:521)
>         at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:485)
>         at org.apache.axis2.transport.jms.AxisMdb.onMessage(AxisMdb.java:245)

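
Added example, not part of the original message and not Axis2 or Rampart code: a receiver that logs and drops the fault thrown by the engine, beside one that recognises the nested signature failure, notifies the sender and rethrows. The AxisFault and WSSecurityException classes here are stand-ins for the real ones, and engineReceive, FaultNotifier and the message id are hypothetical.

```java
public class ReceiverFaultHandling {
    // Stand-ins (assumptions) for org.apache.axis2.AxisFault and
    // org.apache.ws.security.WSSecurityException, so this compiles without Axis2.
    static class AxisFault extends Exception {
        AxisFault(String msg, Throwable cause) { super(msg, cause); }
    }
    static class WSSecurityException extends Exception {
        WSSecurityException(String msg) { super(msg); }
    }
    // Hypothetical hook: how a one-way receiver reports a rejected message to its sender.
    interface FaultNotifier { void notifySender(String messageId, String reason); }

    // Simulates engine.receive(msgContext) failing in the security phase (constructed fault).
    static void engineReceive(String messageId) throws AxisFault {
        throw new AxisFault("WSDoAllReceiver: security processing failed",
                new WSSecurityException("The signature verification failed"));
    }

    // The security failure is nested inside the AxisFault, so walk the cause chain.
    static boolean isSecurityFailure(Throwable t) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (c instanceof WSSecurityException) return true;
        }
        return false;
    }

    // Swallowing receiver: the fault is logged and dropped, so the caller never sees it.
    static void swallowingReceiver(String messageId) {
        try { engineReceive(messageId); }
        catch (AxisFault e) { System.err.println("Encountered an Axis Fault : " + e.getMessage()); }
    }

    // Propagating receiver: notify the sender with a generic reason, then rethrow.
    static void propagatingReceiver(String messageId, FaultNotifier notifier) throws AxisFault {
        try { engineReceive(messageId); }
        catch (AxisFault e) {
            if (isSecurityFailure(e)) notifier.notifySender(messageId, "security processing failed");
            throw e; // the transport or container still sees the failure
        }
    }

    public static void main(String[] args) {
        swallowingReceiver("msg-1"); // constructed message id
        try {
            propagatingReceiver("msg-1", (id, why) -> System.out.println("notify " + id + ": " + why));
        } catch (AxisFault e) {
            System.out.println("caller saw: " + e.getMessage());
        }
    }
}
```

The reason passed to the sender is kept generic so that the reply does not reveal which verification step rejected the message; the full cause chain stays in the server-side log.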