You are viewing a plain text version of this content. The canonical link for it is here.

Posted to rampart-dev@ws.apache.org by Nandana Mihindukulasooriya <na...@gmail.com> on 2008/09/30 08:58:05 UTC

Re: I must understand the "must understand" fault

Hi Taariq,
          The reason for this is, empty security header (with must
understand header set 1) being not processed by any of the handlers.
Normally security header is processed by Rampart module but in this case
after reading the policy Rampart decides that there is nothing to be
processed in the response as response doesn't need to have a security
header. But before handing over the message to the service, Axis Engine
checks whether all must understand headers are processed and fault if not.
We have successfully tested this scenario with Axis2 <-> Axis2 and Axis2 <->
WCF but in both cases Aixs2/WCF doesn't generate empty security headers when
security header is not necessary. Are you using oracle server ?
         I personally believe that we don't need to send empty security
headers when there is nothing to be send in the security header but we can
make Rampart to flag empty security header as processed when it expects
nothing in the security header for interoperability. Please create a issue
in the Rampart JIRA and it will be fixed. I don't recommend going back to
Axis2 1.3 / Rampart 1.3 just because of this issue as there has been lot of
improvements in both Axis2 and Rampart since 1.3.

thanks,
nandana

[1] - http://issues.apache.org/jira/browse/Rampart


On Tue, Sep 30, 2008 at 2:03 AM, Taariq Levack
<ta...@tasima.co.za>wrote:

> For the next one to fall into this trap, it's not worth it.
> Move swiftly along and download Axis 1.3 and Rampart 1.3.
>
> -----Original Message-----
> From: Taariq Levack [mailto:taariq.levack@tasima.co.za]
> Sent: 29 September 2008 17:26
> To: axis-user@ws.apache.org
> Subject: RE: I must understand the "must understand" fault
>
> If I set a breakpoint in AxisEngine and force the SOAPHeaderBlock's
> "mustUnderstand" to "0" it works.
> Obviously I don't want to change that code, I don't even understand why its
> checked on the response, is it a bug at all?
>
> The method isReceiverMustUnderstandProcessor checks if its server side and
> returns which it's not, or if the receiver's name ends in
> JAXWSMessageReceiver, if it's not null, which it is.
>
> I've attached the policy.xml file if that has anything to do with it.
>
>
>
> From: Taariq Levack [mailto:taariq.levack@tasima.co.za]
> Sent: 29 September 2008 13:13
> To: axis-user@ws.apache.org
> Subject: I must understand the "must understand" fault
>
> Hi
>
> The exception happens at the client side, after the request is sent,
> authenticated and response returned.
> Seems to me that the Axis engine doesn't expect the security header in the
> response.
> SoapUi client works, and the Oracle generated client works, surprisingly.
>
>
> This is the request header, simple username token....
> <soapenv:Header>
>          <wsse:Security xmlns:wsse="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> soapenv:mustUnderstand="1">
>             <wsse:UsernameToken xmlns:wsu="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> wsu:Id="UsernameToken-3201085">
>                <wsse:Username>USERNAME</wsse:Username>
>                <wsse:Password Type="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText
> ">PASSWORD</wsse:Password>
>             </wsse:UsernameToken>
>          </wsse:Security>
>       </soapenv:Header>
>
> And this is the response header
> <env:Header>
>       <wsse:Security xmlns:wsse="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> xmlns="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
> env:mustUnderstand="1"/>
>    </env:Header>
>
> Configuration....
> Axis 1.4
>  Rampart 1.4.
> The service is deployed in an oracle container, OC4J.
> The client was generated using Axis and the config is copied from the
> Rampart samples.
>
> Exception in thread "main" org.apache.axis2.AxisFault: Must Understand
> check failed for header
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd: Security
>       at
> org.apache.axis2.engine.AxisEngine.checkMustUnderstand(AxisEngine.java:102)
>       at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:166)
>       at
> org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:363)
>       at
> org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:416)
>       at
> org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:228)
>       at
> org.apache.axis2.client.OperationClient.execute(OperationClient.java:163)
>       at
> org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:548)
>       at
> org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:528)
>
> Thanks in advance for looking at the one millionth "must understand" error.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
> For additional commands, e-mail: axis-user-help@ws.apache.org
>
>


-- 
Nandana Mihindukulasooriya
WSO2 inc.

http://nandana83.blogspot.com/
http://www.wso2.org

RE: I must understand the "must understand" fault

Posted by Taariq Levack <ta...@tasima.co.za>.

That makes good sense, I've created issue 197.

https://issues.apache.org/jira/browse/RAMPART-197

 

Yes we're using Oracle server, OC4J 10.1.3. We're also sending requests
to a server we have no control over and don't know what it will be as
yet.

 

Thank you Nandana.

 

Best regards

Taariq

 

 

From: Nandana Mihindukulasooriya [mailto:nandana.cse@gmail.com] 
Sent: 30 September 2008 08:58
To: axis-user@ws.apache.org
Cc: rampart-dev@ws.apache.org
Subject: Re: I must understand the "must understand" fault

 

Hi Taariq,
          The reason for this is, empty security header (with must
understand header set 1) being not processed by any of the handlers.
Normally security header is processed by Rampart module but in this case
after reading the policy Rampart decides that there is nothing to be
processed in the response as response doesn't need to have a security
header. But before handing over the message to the service, Axis Engine
checks whether all must understand headers are processed and fault if
not. We have successfully tested this scenario with Axis2 <-> Axis2 and
Axis2 <-> WCF but in both cases Aixs2/WCF doesn't generate empty
security headers when security header is not necessary. Are you using
oracle server ?
         I personally believe that we don't need to send empty security
headers when there is nothing to be send in the security header but we
can make Rampart to flag empty security header as processed when it
expects nothing in the security header for interoperability. Please
create a issue in the Rampart JIRA and it will be fixed. I don't
recommend going back to Axis2 1.3 / Rampart 1.3 just because of this
issue as there has been lot of improvements in both Axis2 and Rampart
since 1.3. 

thanks,
nandana

[1] - http://issues.apache.org/jira/browse/Rampart
           

On Tue, Sep 30, 2008 at 2:03 AM, Taariq Levack
<ta...@tasima.co.za> wrote:

For the next one to fall into this trap, it's not worth it.
Move swiftly along and download Axis 1.3 and Rampart 1.3.


-----Original Message-----
From: Taariq Levack [mailto:taariq.levack@tasima.co.za]

Sent: 29 September 2008 17:26
To: axis-user@ws.apache.org

Subject: RE: I must understand the "must understand" fault

If I set a breakpoint in AxisEngine and force the SOAPHeaderBlock's
"mustUnderstand" to "0" it works.
Obviously I don't want to change that code, I don't even understand why
its checked on the response, is it a bug at all?

The method isReceiverMustUnderstandProcessor checks if its server side
and returns which it's not, or if the receiver's name ends in
JAXWSMessageReceiver, if it's not null, which it is.

I've attached the policy.xml file if that has anything to do with it.



From: Taariq Levack [mailto:taariq.levack@tasima.co.za]
Sent: 29 September 2008 13:13
To: axis-user@ws.apache.org
Subject: I must understand the "must understand" fault

Hi

The exception happens at the client side, after the request is sent,
authenticated and response returned.
Seems to me that the Axis engine doesn't expect the security header in
the response.
SoapUi client works, and the Oracle generated client works,
surprisingly.


This is the request header, simple username token....
<soapenv:Header>
         <wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wsse
curity-secext-1.0.xsd" soapenv:mustUnderstand="1">
            <wsse:UsernameToken
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssec
urity-utility-1.0.xsd" wsu:Id="UsernameToken-3201085">
               <wsse:Username>USERNAME</wsse:Username>
               <wsse:Password
Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-t
oken-profile-1.0#PasswordText">PASSWORD</wsse:Password>
            </wsse:UsernameToken>
         </wsse:Security>
      </soapenv:Header>

And this is the response header
<env:Header>
      <wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wsse
curity-secext-1.0.xsd"
xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurit
y-secext-1.0.xsd" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
env:mustUnderstand="1"/>
   </env:Header>

Configuration....
Axis 1.4
 Rampart 1.4.
The service is deployed in an oracle container, OC4J.
The client was generated using Axis and the config is copied from the
Rampart samples.

Exception in thread "main" org.apache.axis2.AxisFault: Must Understand
check failed for header
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secex
t-1.0.xsd : Security
      at
org.apache.axis2.engine.AxisEngine.checkMustUnderstand(AxisEngine.java:1
02)
      at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:166)
      at
org.apache.axis2.description.OutInAxisOperationClient.handleResponse(Out
InAxisOperation.java:363)
      at
org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOper
ation.java:416)
      at
org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInA
xisOperation.java:228)
      at
org.apache.axis2.client.OperationClient.execute(OperationClient.java:163
)
      at
org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:548
)
      at
org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:528
)

Thanks in advance for looking at the one millionth "must understand"
error.

---------------------------------------------------------------------
To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
For additional commands, e-mail: axis-user-help@ws.apache.org




-- 
Nandana Mihindukulasooriya  
WSO2 inc.

http://nandana83.blogspot.com/
http://www.wso2.org