Posted to java-user@axis.apache.org by Michal Niklas <mn...@heuthes.pl> on 2011/04/01 12:32:44 UTC

axis2+rampart: Must Understand check failed for header Security

Hello,

I have a problem with the axis2+rampart WS-Security response in case of a
server internal error.
When the server returns "200 OK" all seems OK. The response is checked by
rampart to see if it has a proper timestamp and signature, and rampart
decrypts the function response XML. But when the server returns
"500 Internal Server Error", axis2/rampart throws an exception:

	ERROR Thread-11 org.apache.axis2.engine.AxisEngine - Must Understand check failed for header

I thought there was something wrong with the answer and tested it with
soapUI. A similar response comes back there, both in secured and decrypted
form. Those responses differ only by HTTP status, the XML response code
indicating the error, and the case of the SOAP tags. In case of a good
response there is

	<SOAP-ENV:Envelope ...

In case of error:

	<soap:Envelope ...

The rest of the structure, including `mustUnderstand="1"`, is the same.

In `axis2.xml` I configured `InFlow` and `InFaultFlow` to be the same,
with the order:

	<phase name="Addressing">...</phase>
	<phase name="Security"/>
	<phase name="PreDispatch"/>

I enabled tracing of my client and in case of a good response I see:

	DEBUG Thread-11 org.apache.rampart.RampartEngine - Enter process(MessageContext msgCtx)
	DEBUG Thread-11 org.apache.axis2.engine.Phase - [MessageContext: logID=urn:uuid:UUID] Invoking Handler 'SecurityInHandler' in Phase 'Security'
	...there is decrypted message
	DEBUG Thread-11 org.apache.rampart.handler.WSDoAllReceiver - WSDoAllReceiver: exit invoke()
	DEBUG Thread-11 org.apache.axis2.engine.Phase - [MessageContext: logID=urn:uuid:UUID] Checking post-conditions for phase "Security"
	DEBUG Thread-11 org.apache.axis2.engine.Phase - [MessageContext: logID=urn:uuid:UUID] Checking pre-condition for Phase "PreDispatch"
	...

There is no such trace in the case of error:

	DEBUG Thread-11 org.apache.rampart.RampartEngine - Enter process(MessageContext msgCtx)
	DEBUG Thread-11 org.apache.axis2.engine.Phase - [MessageContext: logID=urn:uuid:UUID] Checking post-conditions for phase "Security"
	DEBUG Thread-11 org.apache.axis2.engine.Phase - [MessageContext: logID=urn:uuid:UUID] Checking pre-condition for Phase "PreDispatch"
	...
	DEBUG Thread-11 org.apache.axis2.engine.Phase - [MessageContext: logID=urn:uuid:UUID] Checking post-conditions for phase "soapmonitorPhase"
	DEBUG Thread-11 org.apache.axis2.engine.AxisEngine - MustUnderstand header not processed or registered as understood{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security
	DEBUG Thread-11 org.apache.axis2.i18n.ProjectResourceBundle - org.apache.axis2.i18n.resource::handleGetObject(mustunderstandfailed)
	ERROR Thread-11 org.apache.axis2.engine.AxisEngine - Must Understand check failed for header http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd : Security
	org.apache.axis2.AxisFault: Must Understand check failed for header http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd : Security
	at org.apache.axis2.engine.AxisEngine.checkMustUnderstand(AxisEngine.java:97)
	at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:163)
	at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:364)
	at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:417)
	at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:229)
	at org.apache.axis2.client.OperationClient.execute(OperationClient.java:165)

There is no `SecurityInHandler` invocation.

I would like to see the decrypted message just like in the case of
"200 OK" status or like in soapUI.
Any ideas what is wrong with my configuration?

Regards,
Michal

PS This is a copy of my query at:
http://stackoverflow.com/questions/5511643/axis2rampart-must-understand-check-failed-for-header-security

---------------------------------------------------------------------
To unsubscribe, e-mail: java-user-unsubscribe@axis.apache.org
For additional commands, e-mail: java-user-help@axis.apache.org


Re: axis2+rampart: Must Understand check failed for header Security

Posted by Michal Niklas <mn...@heuthes.pl>.
On 2011-04-04 11:20, Michal Niklas wrote:
> I have checked that I got such an error only in case of "500 Internal
> Server Error". If the server replies with "200 OK" and the same encrypted
> content then axis2 is able to decrypt it!


I will answer myself:

I searched the Rampart sources to see where `SecurityInHandler` is.
It was in `META-INF/module.xml` of `rampart-1.5.1.mar`,
but only in the `<InFlow>` section. I copied it to `<InFaultFlow>`
and it works!

Now my `<InFaultFlow>` section looks like:

    <InFaultFlow>
        <handler name="PolicyBasedSecurityInHandler" class="org.apache.rampart.handler.RampartReceiver">
            <order phase="Security" phaseFirst="true"/>
        </handler>
        <handler name="SecurityInHandler" class="org.apache.rampart.handler.WSDoAllReceiver">
            <order phase="Security"/>
        </handler>
        <handler name="PostDispatchVerificationHandler" class="org.apache.rampart.handler.PostDispatchVerificationHandler">
            <order phase="Dispatch" phaseLast="true"/>
        </handler>
    </InFaultFlow>
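
Added example, not part of the original post and not Rampart's own code: a check that lists the handlers a module registers in `<InFlow>` but not in `<InFaultFlow>`, the condition the post found in `rampart-1.5.1.mar`. The embedded `module.xml` is a constructed sample shaped like the handlers quoted above, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
import zipfile

# Constructed sample: the three handlers from the post, registered in
# <InFlow> only, with an empty <InFaultFlow>.
SAMPLE_MODULE_XML = """\
<module name="rampart">
    <InFlow>
        <handler name="PolicyBasedSecurityInHandler" class="org.apache.rampart.handler.RampartReceiver">
            <order phase="Security" phaseFirst="true"/>
        </handler>
        <handler name="SecurityInHandler" class="org.apache.rampart.handler.WSDoAllReceiver">
            <order phase="Security"/>
        </handler>
        <handler name="PostDispatchVerificationHandler" class="org.apache.rampart.handler.PostDispatchVerificationHandler">
            <order phase="Dispatch" phaseLast="true"/>
        </handler>
    </InFlow>
    <InFaultFlow/>
</module>
"""


def read_module_xml(mar_path):
    """Read META-INF/module.xml from a .mar file (a zip-format archive)."""
    with zipfile.ZipFile(mar_path) as mar:
        return mar.read("META-INF/module.xml").decode("utf-8")


def flow_handlers(root, flow):
    """Map handler name -> phase for one flow element; {} if the flow is absent."""
    handlers = {}
    for handler in root.findall(f"{flow}/handler"):
        order = handler.find("order")
        handlers[handler.get("name")] = order.get("phase") if order is not None else None
    return handlers


def missing_in_fault_flow(module_xml):
    """(name, phase) of handlers registered in <InFlow> but not in <InFaultFlow>."""
    root = ET.fromstring(module_xml)
    normal = flow_handlers(root, "InFlow")
    fault = flow_handlers(root, "InFaultFlow")
    return sorted((name, phase) for name, phase in normal.items() if name not in fault)


if __name__ == "__main__":
    for name, phase in missing_in_fault_flow(SAMPLE_MODULE_XML):
        print(f"not engaged for fault responses: {name} (phase {phase})")
```

To check a real archive, pass the output of `read_module_xml("path/to/module.mar")` to `missing_in_fault_flow`.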




Re: axis2+rampart: Must Understand check failed for header Security

Posted by Michal Niklas <mn...@heuthes.pl>.

I have checked that I got such an error only in case of "500 Internal
Server Error". If the server replies with "200 OK" and the same encrypted
content then axis2 is able to decrypt it!

Regards,
Michał
