Posted to rampart-dev@ws.apache.org by Massimiliano Masi <ma...@math.unifi.it> on 2007/12/27 21:46:09 UTC

Strange exception using STSClient

Hello,

I would like to have a RST without the username token in the soap header,
using the wst:Base instead, in the RST.

If I engage rampart, I've to put something in the security header, right?

BTW, this is the policy for the service:
<wsp:Policy Id="urn:uuid:1CD756D0A145FF8A6B1198787786622">
	<wsp:ExactlyOne>
		<wsp:All/>
	</wsp:ExactlyOne>
</wsp:Policy>

That contains nothing.

If I add an empty Security header by hand, I get a strange exception, looking
for a JSP page.

If I try to put this header:
<soapenv:Header>
     <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
       <wsse:UsernameToken>
         <wsse:Username>max</wsse:Username>
         <wsse:Password>max</wsse:Password>
       </wsse:UsernameToken>
     </wsse:Security>
     <wsa:To>https://localhost/SpiritXUAServer/services/IdentityProviderIBMLike</wsa:To>
     <wsa:MessageID>urn:uuid:ED1644D814BBAE48231198788276862</wsa:MessageID>
     <wsa:Action>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</wsa:Action>
   </soapenv:Header>


I get this: (really strange, since no policy and no  
mustUnderstand=true in the header)


21:44:39,835 ERROR [STDERR] org.apache.axis2.AxisFault: Must  
Understand check failed for header  
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd :  
Security
21:44:39,837 ERROR [STDERR] 	at  
org.apache.axis2.engine.AxisEngine.checkMustUnderstand(AxisEngine.java:86)
21:44:39,839 ERROR [STDERR] 	at  
org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:135)
21:44:39,839 ERROR [STDERR] 	at  
org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:336)
21:44:39,841 ERROR [STDERR] 	at  
org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:389)
21:44:39,842 ERROR [STDERR] 	at  
org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:211)
21:44:39,842 ERROR [STDERR] 	at  
org.apache.axis2.client.OperationClient.execute(OperationClient.java:163)
21:44:39,843 ERROR [STDERR] 	at  
org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:528)
21:44:39,843 ERROR [STDERR] 	at  
com.spirit.XUA.utils.MySTSClient.requestSecurityTokenWithSSL(MySTSClient.java:219)
21:44:39,844 ERROR [STDERR] 	at  
com.spirit.XUA.utils.XUAAssertions.getAuthenticatedViaWSTrustAsPlain(XUAAssertions.java:553)
21:44:39,844 ERROR [STDERR] 	at  
com.tmed.report.xds.io.XUAHandler.askNewAssertion(XUAHandler.java:90)
21:44:39,845 ERROR [STDERR] 	at com.tmed.report.Login.doGet(Login.java:83)
21:44:39,845 ERROR [STDERR] 	at com.tmed.report.Login.doPost(Login.java:128)
21:44:39,845 ERROR [STDERR] 	at  
javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
21:44:39,846 ERROR [STDERR] 	at  
javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
21:44:39,846 ERROR [STDERR] 	at  
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
21:44:39,847 ERROR [STDERR] 	at  
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
21:44:39,847 ERROR [STDERR] 	at  
org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
21:44:39,848 ERROR [STDERR] 	at  
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
21:44:39,850 ERROR [STDERR] 	at  
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
21:44:39,850 ERROR [STDERR] 	at  
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
21:44:39,851 ERROR [STDERR] 	at  
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
21:44:39,852 ERROR [STDERR] 	at  
org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179)
21:44:39,852 ERROR [STDERR] 	at  
org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
21:44:39,853 ERROR [STDERR] 	at  
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
21:44:39,853 ERROR [STDERR] 	at  
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
21:44:39,854 ERROR [STDERR] 	at  
org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
21:44:39,855 ERROR [STDERR] 	at  
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
21:44:39,855 ERROR [STDERR] 	at  
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
21:44:39,855 ERROR [STDERR] 	at  
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
21:44:39,856 ERROR [STDERR] 	at  
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
21:44:39,857 ERROR [STDERR] 	at  
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
21:44:39,857 ERROR [STDERR] 	at java.lang.Thread.run(Thread.java:613)


----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.



Re: Strange exception using STSClient

Posted by Massimiliano Masi <ma...@math.unifi.it>.
Hi Nandana,

Quoting Nandana Mihindukulasooriya <na...@gmail.com>:

>> If I engage rampart, I've to put something in the security header, right?
>
> Nope, if you don't have a policy (in the policy based configuration) or a
> security parameter (in the old way of configuration), Rampart doesn't expect
> a security header. There is a problem though, that whenever there is a
> policy, we expected a security header. This has to be fixed in Rampart by
> checking the policy and enforcing a security header only when necessary.
>
>

I am using a fake policy, I have just an open wsp:SecurityPolicy, wsp:All and
as child the rampart configuration.

> It seems you are getting this must understand check fail error because you
> are getting a security header with mustUnderstand true in the response you
> get from the service, and not in the request that you create. Can you please
> take a look at that and the security configuration of the service for the
> out flow?

I saw, and I don't have any InFlow and OutFlow. The policies are defined
as I described before.

I reimplemented my new TokenIssuerDispatcher, to see something.

But the problem is in the constructor of Rahasdata:


             // If the principal or a SAML assertion is missing
             if (this.principal == null && this.assertion == null) {
                 throw new TrustException(TrustException.REQUEST_FAILED);
             }

That causes my problem: I have the UsernameToken in the wst:Base in the body.
So I cannot use rahasdata(). I will extend it and write my own version.

Is this a right way to proceed?

Thank you,


       Massimiliano





Re: Strange exception using STSClient

Posted by Nandana Mihindukulasooriya <na...@gmail.com>.
Hi Massimiliano,

So the problem is that if the module finds the
> securitypolicy
> it puts the security header, with mustUnderstand set to true.
>

Yes. This is a bug in Rampart. Even if the policy is not a security
policy, Rampart puts a security header in the soap message. The other
scenario is when there is a transport binding without any supporting
tokens; actually no security header is needed, but Rampart creates an
empty security header here too. We should not create empty security
headers in these situations. Can you please raise a JIRA for this?

Thanks,
Nandana
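
The mustUnderstand rule behind the fault in this thread, as an added example that is not part of the thread and is not Axis2 or Rampart code: a SOAP 1.2 receiver collects every header block targeted at it, and after its handlers have run, any block flagged mustUnderstand that no handler claimed is a fault, whether the block has content or not. That is why an empty wsse:Security header added by the Rampart sender with mustUnderstand=1 breaks a client that has no WS-Security handler engaged, while the same empty header with mustUnderstand=0 is ignored. The two envelopes below are constructed to mirror the ones logged in the thread, the MustUnderstandFault class name is hypothetical, and accepting an unqualified mustUnderstand attribute (as the logged request prints it) is an assumption about that serializer, not a SOAP rule.

```python
import xml.etree.ElementTree as ET

SOAP12 = "http://www.w3.org/2003/05/soap-envelope"
WSA = "http://www.w3.org/2005/08/addressing"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WST = "http://schemas.xmlsoap.org/ws/2005/02/trust"
WSSE_SECURITY = "{%s}Security" % WSSE

# Roles for which a SOAP 1.2 header block is targeted at this node: no role
# attribute (ultimate receiver by default), "next", or "ultimateReceiver".
OUR_ROLES = {None, SOAP12 + "/role/next", SOAP12 + "/role/ultimateReceiver"}


class MustUnderstandFault(Exception):
    """Stands in for the AxisFault the engine throws (hypothetical name)."""


def _must_understand(block):
    """True if the header block is flagged mustUnderstand.

    SOAP 1.2 defines env:mustUnderstand as a namespace-qualified attribute
    taking 0/1/true/false. The request logged in the thread shows an
    unqualified mustUnderstand="0", so that spelling is accepted too; this is
    an assumption about the logging serializer, not a SOAP rule."""
    value = block.get("{%s}mustUnderstand" % SOAP12)
    if value is None:
        value = block.get("mustUnderstand")
    return (value or "0").strip().lower() in ("1", "true")


def unhandled_must_understand_headers(envelope_xml, understood):
    """Tags of header blocks targeted at us, flagged mustUnderstand, and not in
    `understood`, the set of header QNames an engaged handler marked processed.
    An empty <wsse:Security/> counts exactly like a populated one."""
    root = ET.fromstring(envelope_xml)
    header = root.find("{%s}Header" % SOAP12)
    if header is None:
        return []
    return [
        block.tag
        for block in header
        if block.get("{%s}role" % SOAP12) in OUR_ROLES
        and _must_understand(block)
        and block.tag not in understood
    ]


def check_must_understand(envelope_xml, understood):
    """Fault where Axis2 does: after the handlers have run, any mustUnderstand
    header nobody claimed is an error, content or no content."""
    left = unhandled_must_understand_headers(envelope_xml, understood)
    if left:
        raise MustUnderstandFault(
            "Must Understand check failed for header " + ", ".join(left))
    return True


def _envelope(security_attrs, body):
    """Constructed envelope modelled on the ones quoted in the thread."""
    return (
        '<soapenv:Envelope xmlns:soapenv="%s" xmlns:wsa="%s">'
        '<soapenv:Header>'
        '<wsse:Security xmlns:wsse="%s" %s/>'
        '<wsa:To>https://localhost/SpiritXUAServer/services/IdentityProviderIBMLike</wsa:To>'
        '</soapenv:Header>'
        '<soapenv:Body>%s</soapenv:Body>'
        '</soapenv:Envelope>'
    ) % (SOAP12, WSA, WSSE, security_attrs, body)


# The request as the dispatcher logged it: empty Security header, mustUnderstand="0".
REQUEST = _envelope('mustUnderstand="0"',
                    '<wst:RequestSecurityToken xmlns:wst="%s"/>' % WST)

# The response after a Rampart sender engaged with an empty policy has added its
# header (constructed to match the thread's diagnosis, not a captured message).
RESPONSE_MU1 = _envelope('soapenv:mustUnderstand="1"',
                         '<wst:RequestSecurityTokenResponse xmlns:wst="%s"/>' % WST)

if __name__ == "__main__":
    # A client with no WS-Security handler engaged accepts the request form...
    print(unhandled_must_understand_headers(REQUEST, set()))        # -> []
    # ...but not the response form: this is the client-side AxisFault in the thread.
    print(unhandled_must_understand_headers(RESPONSE_MU1, set()))   # -> [WSSE_SECURITY]
    # A client whose Rampart receiver processed the header has marked it understood.
    print(unhandled_must_understand_headers(RESPONSE_MU1, {WSSE_SECURITY}))  # -> []
```

The `understood` set is the moving part: engaging Rampart on the client registers a handler that claims wsse:Security, which is why the fault only shows up on a client that sends without a security policy but gets a response from a server whose Rampart sender still adds the header. Capturing the wire message (for example with TCP Monitor, as suggested in the thread) shows the header the sender added after the dispatcher logged its envelope.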

Re: Strange exception using STSClient

Posted by Massimiliano Masi <ma...@math.unifi.it>.
Hi Nandana,

Quoting Nandana Mihindukulasooriya <na...@gmail.com>:

> Please correct me if I am wrong. As it seems to me, there is still a
> possibility that your response from the server has a security header in it.

I found the problem. If I remove the empty securitypolicy placeholder,
  <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
     <wsp:ExactlyOne>
	<wsp:All>
           <rampart configuration
         </wsp:All>
     </wsp:ExactlyOne>
  </wsp:Policy>

everything works. So the problem is that if the module finds the  
securitypolicy
it puts the security header, with mustUnderstand set to true.

Thank you,

       Massimiliano






Re: Strange exception using STSClient

Posted by Nandana Mihindukulasooriya <na...@gmail.com>.
Hi Massimiliano,
           Please correct me if I am wrong. As it seems to me, there is still a
possibility that your response from the server has a security header in it.

In the In flow of the server , the message path is
               (client)  -> rampart receiver  -> MyTokenRequestDispatcher

In the Out flow of the sever, the message path is
               MyTokenRequestDispatcher -> rampart sender -> (client)

As it seems, you are printing the soap envelope from the
MyTokenRequestDispatcher. As you can see from above, Rampart Sender is not
yet invoked when you print the response. So if you have Rampart engaged on
the server side, there is still a chance that there can be a security header
with must understand set to true in the response, according to the
configuration you have. Can you capture the soap request and the response
from the TCP Monitor? Then we will be able to see the complete soap envelope
coming out of the server.

Thanks,
Nandana

On 1/5/08, Massimiliano Masi <ma...@math.unifi.it> wrote:
> Hi Nandana,
>
> Quoting Nandana Mihindukulasooriya <na...@gmail.com>:
> > It seems you are getting this must understand check fail error because you
> > are getting a security header with mustUnderstand true in the response you
> > get from the service, and not in the request that you create. Can you
> > please take a look at that and the security configuration of the service
> > for the out flow?
>
> I rewrote the STSMessageReceiver. This is the incoming envelope:
>
> 13:11:08,189 DEBUG  -
> com.spirit.XUA.utils.MyTokenRequestDispatcher.handle(MyTokenRequestDispatcher.java:44)
> - *********************** TokenRequestDispatcher
> received
> <?xml version='1.0' encoding='utf-8'?><soapenv:Envelope
> xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope"
> xmlns:wsa="http://www.w3.org/2005/08/addressing"><soapenv:Header><wsse:Security
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> mustUnderstand="0"
> /><wsa:To>https://localhost/SpiritXUAServer/services/IdentityProviderIBMLike</wsa:To><wsa:MessageID>urn:uuid:9840EA3FD9E92DCF421199535065940</wsa:MessageID><wsa:Action>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</wsa:Action></soapenv:Header><soapenv:Body><wst:RequestSecurityToken
> xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"><wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType><wsp:AppliesTo
> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"><EndpointReference><Address>http://localhost:8080/XDS/12/registry</Address></EndpointReference></wsp:AppliesTo><wst:Lifetime><wsu:Created
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2008-01-05T12:11:05.779Z</wsu:Created><wsu:Expires
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2008-01-05T12:16:05.779Z</wsu:Expires></wst:Lifetime><wst:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</wst:TokenType><wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType><wsp:AppliesTo
> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"><wsa:EndpointReference><wsa:Address>http://ihe.connecthaton.2008.XUA/X-ServiceProvider-NA2008</wsa:Address></wsa:EndpointReference></wsp:AppliesTo><wst:Base><wsse:UsernameToken
>
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:Username>Xuagood^User</wsse:Username><wsse:Password>xua</wsse:Password></wsse:UsernameToken></wst:Base></wst:RequestSecurityToken></soapenv:Body></soapenv:Envelope>
>
>
> and this is the outgoing envelope:
>
> 13:11:16,185 DEBUG  -
> com.spirit.XUA.utils.MyTokenRequestDispatcher.handle(MyTokenRequestDispatcher.java:66)
> - *********************** TokenRequestDispatcher sent
> out
> <?xml version='1.0' encoding='utf-8'?><soapenv:Envelope
> xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope"><soapenv:Body><wst:RequestSecurityTokenResponse
> xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"><wst:TokenType>oasis:names:tc:SAML:2.0:assertion</wst:TokenType><wst:RequestedAttachedReference><wsse:SecurityTokenReference
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:Reference
> URI="#_7cec639dfaf8da1ff680853f79fd2c18"
> ValueType="oasis:names:tc:SAML:2.0:assertion"
> /></wsse:SecurityTokenReference></wst:RequestedAttachedReference><wsp:AppliesTo
> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"><wsa:EndpointReference
> xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsa:Address>http://ihe.connecthaton.2008.XUA/X-ServiceProvider-NA2008</wsa:Address></wsa:EndpointReference></wsp:AppliesTo><wst:RequestedSecurityToken><saml:Assertion
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
> ID="_7cec639dfaf8da1ff680853f79fd2c18"
> IssueInstant="2008-01-05T12:11:15.427Z" Version="2.0"><saml:Issuer
> Format="urn:oasis:names:SAML:2.0:nameid-format:entity"
> SPNameQualifier="spirit-idp" SPProvidedID="spirit-idp">Address:
> https://localhost/SpiritXUAServer/services/IdentityProviderIBMLike</saml:Issuer><ds:Signature
>
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:SignedInfo>
> <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
> />
> <ds:Reference URI="#_7cec639dfaf8da1ff680853f79fd2c18">
> <ds:Transforms>
> <ds:Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
> <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"><ec:InclusiveNamespaces
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml"
> /></ds:Transform>
> </ds:Transforms>
> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
> <ds:DigestValue>eOsEzD+7x0vh4T3Xz1LB+wNYLxb+dfD5VlINPB3NZqs=</ds:DigestValue>
> </ds:Reference>
> </ds:SignedInfo>
> <ds:SignatureValue>
> GFurmnokKM99DPG9etErMUPI85jidXpbA3TfnEA3cp1mn92lW5McbIw3t85ZXqIPGI/SavsieBxh
> 3/piRuyMDyKYVxe/luExPGErk9yZLFTsfRoi1KmTwCpLMa2GBOZ8d926j9jlEdNxYRhCaPcCCE7H
> IOx1cKSqJVKWhVv236E=
> </ds:SignatureValue>
> </ds:Signature><saml:Subject><saml:NameID>Xuagood^User</saml:NameID><saml:SubjectConfirmation
> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"
> /></saml:Subject><saml:Conditions NotBefore="2008-01-05T12:11:15.427Z"
> NotOnOrAfter="2008-01-05T13:11:15.427Z"><saml:AudienceRestriction><saml:Audience>http://ihe.connecthaton.2008.XUA/X-ServiceProvider-NA2008</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement
> AuthnInstant="2008-01-05T12:11:15.427Z"
> SessionNotOnOrAfter="2008-01-05T13:11:15.427Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion></wst:RequestedSecurityToken><wst:Status><wst:Code>http://schemas.xmlsoap.org/ws/2005/02/trust/status/valid</wst:Code></wst:Status></wst:RequestSecurityTokenResponse></soapenv:Body></soapenv:Envelope>
>
>
> and just after this, I get:
>
> Must Understand check failed for header
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
> :
> Security
>
> As you can see, there is no mustUnderstand="1". I've no idea on how to
> proceed...
>
> This is the complete stack trace:
>
> 13:11:16,569 ERROR [STDERR] org.apache.axis2.AxisFault: Must
> Understand check failed for header
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
> :
> Security
> 13:11:16,571 ERROR [STDERR] 	at
> org.apache.axis2.engine.AxisEngine.checkMustUnderstand(AxisEngine.java:86)
> 13:11:16,572 ERROR [STDERR] 	at
> org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:135)
> 13:11:16,572 ERROR [STDERR] 	at
> org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:336)
> 13:11:16,573 ERROR [STDERR] 	at
> org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:389)
> 13:11:16,573 ERROR [STDERR] 	at
> org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:211)
> 13:11:16,574 ERROR [STDERR] 	at
> org.apache.axis2.client.OperationClient.execute(OperationClient.java:163)
> 13:11:16,575 ERROR [STDERR] 	at
> org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:528)
> 13:11:16,575 ERROR [STDERR] 	at
> com.spirit.XUA.utils.MySTSClient.requestSecurityTokenWithSSL(MySTSClient.java:222)
> 13:11:16,577 ERROR [STDERR] 	at
> com.spirit.XUA.utils.XUAAssertions.getAuthenticatedViaWSTrustAsPlain(XUAAssertions.java:553)
> 13:11:16,577 ERROR [STDERR] 	at
> com.tmed.report.xds.io.XUAHandler.askNewAssertion(XUAHandler.java:90)
> 13:11:16,578 ERROR [STDERR] 	at com.tmed.report.Login.doGet(Login.java:83)
> 13:11:16,578 ERROR [STDERR] 	at com.tmed.report.Login.doPost(Login.java:128)
> 13:11:16,579 ERROR [STDERR] 	at
> javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
> 13:11:16,579 ERROR [STDERR] 	at
> javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
> 13:11:16,580 ERROR [STDERR] 	at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
> 13:11:16,580 ERROR [STDERR] 	at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> 13:11:16,581 ERROR [STDERR] 	at
> org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
> 13:11:16,581 ERROR [STDERR] 	at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> 13:11:16,582 ERROR [STDERR] 	at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> 13:11:16,582 ERROR [STDERR] 	at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
> 13:11:16,583 ERROR [STDERR] 	at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
> 13:11:16,583 ERROR [STDERR] 	at
> org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179)
> 13:11:16,583 ERROR [STDERR] 	at
> org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
> 13:11:16,584 ERROR [STDERR] 	at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
> 13:11:16,585 ERROR [STDERR] 	at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
> 13:11:16,585 ERROR [STDERR] 	at
> org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
> 13:11:16,585 ERROR [STDERR] 	at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
> 13:11:16,586 ERROR [STDERR] 	at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
> 13:11:16,586 ERROR [STDERR] 	at
> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
> 13:11:16,588 ERROR [STDERR] 	at
> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
> 13:11:16,588 ERROR [STDERR] 	at
> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
> 13:11:16,589 ERROR [STDERR] 	at java.lang.Thread.run(Thread.java:613)
>
>
> Thank you,
>
>        Massimiliano
>
>
>
>
>
>

Re: Strange exception using STSClient

Posted by Massimiliano Masi <ma...@math.unifi.it>.
Hi Nandana,

Quoting Nandana Mihindukulasooriya <na...@gmail.com>:
> It seems you are getting this must understand check fail error because you
> are getting a security header with mustUnderstand true in the response you
> get from the service, and not in the request that you create. Can you please
> take a look at that and the security configuration of the service for the
> out flow?

I rewrote the STSMessageReceiver. This is the incoming envelope:

13:11:08,189 DEBUG  -  
com.spirit.XUA.utils.MyTokenRequestDispatcher.handle(MyTokenRequestDispatcher.java:44) - *********************** TokenRequestDispatcher  
received
<?xml version='1.0' encoding='utf-8'?><soapenv:Envelope  
xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope"  
xmlns:wsa="http://www.w3.org/2005/08/addressing"><soapenv:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" mustUnderstand="0" /><wsa:To>https://localhost/SpiritXUAServer/services/IdentityProviderIBMLike</wsa:To><wsa:MessageID>urn:uuid:9840EA3FD9E92DCF421199535065940</wsa:MessageID><wsa:Action>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</wsa:Action></soapenv:Header><soapenv:Body><wst:RequestSecurityToken xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"><wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType><wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"><EndpointReference><Address>http://localhost:8080/XDS/12/registry</Address></EndpointReference></wsp:AppliesTo><wst:Lifetime><wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2008-01-05T12:11:05.779Z</wsu:Created><wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2008-01-05T12:16:05.779Z</wsu:Expires></wst:Lifetime><wst:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</wst:TokenType><wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType><wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"><wsa:EndpointReference><wsa:Address>http://ihe.connecthaton.2008.XUA/X-ServiceProvider-NA2008</wsa:Address></wsa:EndpointReference></wsp:AppliesTo><wst:Base><wsse:UsernameToken  
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:Username>Xuagood^User</wsse:Username><wsse:Password>xua</wsse:Password></wsse:UsernameToken></wst:Base></wst:RequestSecurityToken></soapenv:Body></soapenv:Envelope>


and this is the outgoing envelope:

13:11:16,185 DEBUG  -  
com.spirit.XUA.utils.MyTokenRequestDispatcher.handle(MyTokenRequestDispatcher.java:66) - *********************** TokenRequestDispatcher sent  
out
<?xml version='1.0' encoding='utf-8'?><soapenv:Envelope  
xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope"><soapenv:Body><wst:RequestSecurityTokenResponse xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"><wst:TokenType>oasis:names:tc:SAML:2.0:assertion</wst:TokenType><wst:RequestedAttachedReference><wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:Reference URI="#_7cec639dfaf8da1ff680853f79fd2c18" ValueType="oasis:names:tc:SAML:2.0:assertion" /></wsse:SecurityTokenReference></wst:RequestedAttachedReference><wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"><wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsa:Address>http://ihe.connecthaton.2008.XUA/X-ServiceProvider-NA2008</wsa:Address></wsa:EndpointReference></wsp:AppliesTo><wst:RequestedSecurityToken><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_7cec639dfaf8da1ff680853f79fd2c18" IssueInstant="2008-01-05T12:11:15.427Z" Version="2.0"><saml:Issuer Format="urn:oasis:names:SAML:2.0:nameid-format:entity" SPNameQualifier="spirit-idp" SPProvidedID="spirit-idp">Address: https://localhost/SpiritXUAServer/services/IdentityProviderIBMLike</saml:Issuer><ds:Signature  
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod  
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#_7cec639dfaf8da1ff680853f79fd2c18">
<ds:Transforms>
<ds:Transform  
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform  
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml"  
/></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>eOsEzD+7x0vh4T3Xz1LB+wNYLxb+dfD5VlINPB3NZqs=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
GFurmnokKM99DPG9etErMUPI85jidXpbA3TfnEA3cp1mn92lW5McbIw3t85ZXqIPGI/SavsieBxh
3/piRuyMDyKYVxe/luExPGErk9yZLFTsfRoi1KmTwCpLMa2GBOZ8d926j9jlEdNxYRhCaPcCCE7H
IOx1cKSqJVKWhVv236E=
</ds:SignatureValue>
</ds:Signature><saml:Subject><saml:NameID>Xuagood^User</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" /></saml:Subject><saml:Conditions NotBefore="2008-01-05T12:11:15.427Z" NotOnOrAfter="2008-01-05T13:11:15.427Z"><saml:AudienceRestriction><saml:Audience>http://ihe.connecthaton.2008.XUA/X-ServiceProvider-NA2008</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2008-01-05T12:11:15.427Z"  
SessionNotOnOrAfter="2008-01-05T13:11:15.427Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion></wst:RequestedSecurityToken><wst:Status><wst:Code>http://schemas.xmlsoap.org/ws/2005/02/trust/status/valid</wst:Code></wst:Status></wst:RequestSecurityTokenResponse></soapenv:Body></soapenv:Envelope>


and just after this, I get:

Must Understand check failed for header  
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd :  
Security

As you can see, there is no mustUnderstand="1". I've no idea on how to  
proceed...

This is the complete stack trace:

13:11:16,569 ERROR [STDERR] org.apache.axis2.AxisFault: Must  
Understand check failed for header  
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd :  
Security
13:11:16,571 ERROR [STDERR] 	at  
org.apache.axis2.engine.AxisEngine.checkMustUnderstand(AxisEngine.java:86)
13:11:16,572 ERROR [STDERR] 	at  
org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:135)
13:11:16,572 ERROR [STDERR] 	at  
org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:336)
13:11:16,573 ERROR [STDERR] 	at  
org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:389)
13:11:16,573 ERROR [STDERR] 	at  
org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:211)
13:11:16,574 ERROR [STDERR] 	at  
org.apache.axis2.client.OperationClient.execute(OperationClient.java:163)
13:11:16,575 ERROR [STDERR] 	at  
org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:528)
13:11:16,575 ERROR [STDERR] 	at  
com.spirit.XUA.utils.MySTSClient.requestSecurityTokenWithSSL(MySTSClient.java:222)
13:11:16,577 ERROR [STDERR] 	at  
com.spirit.XUA.utils.XUAAssertions.getAuthenticatedViaWSTrustAsPlain(XUAAssertions.java:553)
13:11:16,577 ERROR [STDERR] 	at  
com.tmed.report.xds.io.XUAHandler.askNewAssertion(XUAHandler.java:90)
13:11:16,578 ERROR [STDERR] 	at com.tmed.report.Login.doGet(Login.java:83)
13:11:16,578 ERROR [STDERR] 	at com.tmed.report.Login.doPost(Login.java:128)
13:11:16,579 ERROR [STDERR] 	at  
javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
13:11:16,579 ERROR [STDERR] 	at  
javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
13:11:16,580 ERROR [STDERR] 	at  
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
13:11:16,580 ERROR [STDERR] 	at  
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
13:11:16,581 ERROR [STDERR] 	at  
org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
13:11:16,581 ERROR [STDERR] 	at  
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
13:11:16,582 ERROR [STDERR] 	at  
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
13:11:16,582 ERROR [STDERR] 	at  
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
13:11:16,583 ERROR [STDERR] 	at  
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
13:11:16,583 ERROR [STDERR] 	at  
org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179)
13:11:16,583 ERROR [STDERR] 	at  
org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
13:11:16,584 ERROR [STDERR] 	at  
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
13:11:16,585 ERROR [STDERR] 	at  
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
13:11:16,585 ERROR [STDERR] 	at  
org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
13:11:16,585 ERROR [STDERR] 	at  
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
13:11:16,586 ERROR [STDERR] 	at  
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
13:11:16,586 ERROR [STDERR] 	at  
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
13:11:16,588 ERROR [STDERR] 	at  
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
13:11:16,588 ERROR [STDERR] 	at  
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
13:11:16,589 ERROR [STDERR] 	at java.lang.Thread.run(Thread.java:613)


Thank you,

       Massimiliano






Re: Strange exception using STSClient

Posted by Nandana Mihindukulasooriya <na...@gmail.com>.
Hi,

If I engage rampart, I've to put something in the security header, right?


Nope, if you don't have a policy (in the policy based configuration) or a
security parameter (in the old way of configuration), Rampart doesn't expect
a security header. There is a problem though, that whenever there is a
policy, we expected a security header. This has to be fixed in Rampart by
checking the policy and enforcing a security header only when necessary.


> org.apache.axis2.engine.AxisEngine.checkMustUnderstand(AxisEngine.java:86)
> 21:44:39,839 ERROR [STDERR]     at
> org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:135)
> 21:44:39,839 ERROR [STDERR]     at
> org.apache.axis2.description.OutInAxisOperationClient.handleResponse(
> OutInAxisOperation.java:336)
> 21:44:39,841 ERROR [STDERR]     at


It seems you are getting this must understand check fail error because you
are getting a security header with mustUnderstand true in the response you
get from the service, and not in the request that you create. Can you please
take a look at that and the security configuration of the service for the
out flow?

Thanks,
Nandana