Axis2 1.7.3 + Rampart 1.7.0 WS-Security not invoked

Axis2 1.7.3 + Rampart 1.7.0 WS-Security not invoked

lanabe
Hi, I'm working on using WS-Security with Axis2 1.7.3.

Axis2 1.6.4 + Rampart 1.6.4 works perfectly, but in Axis2 1.7.3 + Rampart 1.7.0, I got the following error.

---
13-Jul-2016 22:10:21.222 SEVERE [http-nio-8080-exec-4] org.apache.axis2.engine.AxisEngine.receive Must Understand check failed for headers: {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security
 org.apache.axis2.AxisFault: Must Understand check failed for headers: {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security
    at org.apache.axis2.jaxws.handler.HandlerUtils.checkMustUnderstand(HandlerUtils.java:160)
    at org.apache.axis2.jaxws.server.EndpointController.inboundHeaderAndHandlerProcessing(EndpointController.java:336)
    at org.apache.axis2.jaxws.server.EndpointController.handleRequest(EndpointController.java:258)
    at org.apache.axis2.jaxws.server.EndpointController.invoke(EndpointController.java:101)
 [...]
---

It seems the settings for InflowSecurity are not enabled.

I've created a simple reproducer, which has 2 projects in each version (1.6.4, 1.7.3).
https://github.com/emag-notes/axis2-ws-security

Any idea?

Re: Axis2 1.7.3 + Rampart 1.7.0 WS-Security not invoked

lanabe
Hi, apparently I found a workaround.

Axis2 1.7.3 + Rampart 1.6.4 works fine (ofc, I suspect there should be a more proper way with Rampart 1.7.0).

I noticed that Rampart 1.7.0 doesn't have WSDoAllHandler, which processes the WS-Security header.

AxisEngine#receive() will call each Phase's handlers, and the Security Phase has two handlers with Rampart 1.6.4.

 * org.apache.rampart.handler.RampartReceiver
 * org.apache.rampart.handler.WSDoAllHandler

WSDoAllHandler will call SOAPHeaderBlockImpl.setProcessed(), so the WS-Security QName is marked as processed, as I said above.

Rampart 1.7.0, meanwhile, doesn't have it, so the WS-Security QName will not be processed, and then Axis2 will complain about it with the error.

---
SEVERE [http-nio-8080-exec-4] org.apache.axis2.engine.AxisEngine.receive Must Understand check failed for headers: {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security
 org.apache.axis2.AxisFault: Must Understand check failed for headers: {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security
    at org.apache.axis2.jaxws.handler.HandlerUtils.checkMustUnderstand(HandlerUtils.java:160)
[...]
---

So, I should change the question. Should I use Rampart 1.6.4? Or, is there any proper way to use Rampart 1.7.0?

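The mechanism described in the post above (a handler in the Security phase marks the wsse:Security header as processed, otherwise the mustUnderstand check rejects the message), as an added example that is not part of the original thread and is not Axis2 or Rampart source code. `HeaderBlock`, `SECURITY_HANDLER` and `receive` are hypothetical names in a simplified model, and the request is constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.function.Consumer;

// Simplified model (not Axis2 source) of the inbound mustUnderstand check.
public class MustUnderstandDemo {

    static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    // Hypothetical stand-in for a SOAP header block and its "processed" flag.
    static final class HeaderBlock {
        final String qname;
        final boolean mustUnderstand;
        boolean processed;
        HeaderBlock(String ns, String local, boolean mustUnderstand) {
            this.qname = "{" + ns + "}" + local;
            this.mustUnderstand = mustUnderstand;
        }
    }

    // Stand-in for a handler that consumes wsse:Security and marks it processed,
    // the role the post attributes to WSDoAllHandler.
    static final Consumer<List<HeaderBlock>> SECURITY_HANDLER = headers -> {
        for (HeaderBlock h : headers) {
            if (h.qname.equals("{" + WSSE_NS + "}Security")) {
                h.processed = true;
            }
        }
    };

    // Run the phase's handlers, then reject the message if any
    // mustUnderstand header is still unprocessed (fail closed).
    static String receive(List<Consumer<List<HeaderBlock>>> securityPhase) {
        List<HeaderBlock> headers = new ArrayList<>();
        headers.add(new HeaderBlock(WSSE_NS, "Security", true)); // constructed request
        for (Consumer<List<HeaderBlock>> handler : securityPhase) {
            handler.accept(headers);
        }
        List<String> unprocessed = new ArrayList<>();
        for (HeaderBlock h : headers) {
            if (h.mustUnderstand && !h.processed) unprocessed.add(h.qname);
        }
        return unprocessed.isEmpty()
            ? "dispatched to service"
            : "fault: Must Understand check failed for headers: " + String.join(", ", unprocessed);
    }

    public static void main(String[] args) {
        System.out.println(receive(List.of(SECURITY_HANDLER))); // handler engaged
        System.out.println(receive(List.of()));                 // no handler ran
    }
}
```

In the second call the request is rejected before it reaches the service, because nothing verified the security header it carried.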

RE: Axis2 1.7.3 + Rampart 1.7.0 WS-Security not invoked

Martin Gainty

From: [hidden email]
Date: Thu, 14 Jul 2016 08:16:46 +0000
Subject: Re: Axis2 1.7.3 + Rampart 1.7.0 WS-Security not invoked
To: [hidden email]

Hi, apparently I found a workaround.
Axis2 1.7.3 + Rampart 1.6.4 works fine (ofc, I suspect there should be a more proper way with Rampart 1.7.0).
I noticed that Rampart 1.7.0 doesn't have WSDoAllHandler, which processes the WS-Security header.


MG>lanabe please file Urgent priority JIRA bug on missing WSDoAllHandler for Rampart 1.70

So, I should change the question. Should I use Rampart 1.6.4? Or, is there any proper way to use Rampart 1.7.0?


Re: Axis2 1.7.3 + Rampart 1.7.0 WS-Security not invoked

lanabe
Martin, thank you for your reply.

Before filing an issue, I have a question about the missing WSDoAllHandler.

The following commit, which deleted WSDoAllHandler, says:
---
Removing the deprecated basic configuration (This was deprecated since version 1.1).

https://github.com/apache/rampart/commit/1863364037019275f70e66cf77d1f092bf3bd984
---

And the Rampart 1.7.0 release notes say:
---
Please note that Apache Rampart uses a configuration model based on WS-Policy and WS-Security Policy and that the Apache Rampart 1.0 style configuration (already deprecated since Rampart 1.1) is no longer supported in 1.7.0.

http://axis.apache.org/axis2/java/rampart/release-notes/1.7.0.html
---

I guess Rampart already provides a more suitable way to use WS-Security, because WSDoAllHandler seems to be deprecated (and so removed).

What do you think?


RE: Axis2 1.7.3 + Rampart 1.7.0 WS-Security not invoked

Martin Gainty

From: [hidden email]
Date: Thu, 14 Jul 2016 16:39:07 +0000
Subject: Re: Axis2 1.7.3 + Rampart 1.7.0 WS-Security not invoked
To: [hidden email]

Martin, thank you for your reply.

Before filing an issue, I have a question about the missing WSDoAllHandler.

The following commit, which deleted WSDoAllHandler, says:
---
Removing the deprecated basic configuration (This was deprecated since version 1.1).

https://github.com/apache/rampart/commit/1863364037019275f70e66cf77d1f092bf3bd984
---

And the Rampart 1.7.0 release notes say:
---
Please note that Apache Rampart uses a configuration model based on WS-Policy and WS-Security Policy and that the Apache Rampart 1.0 style configuration (already deprecated since Rampart 1.1) is no longer supported in 1.7.0.

http://axis.apache.org/axis2/java/rampart/release-notes/1.7.0.html
---

I guess Rampart already provides a more suitable way to use WS-Security, because WSDoAllHandler seems to be deprecated (and so removed).

MG>the caveat is WSDoAllHandler is deprecated ...IF.. wss4j (specifically WSS4JHandler) is present
MG>If WSS4JHandler is not on the classpath then Axis 2 throws an Exception with "mustUnderstand header not detected"

MG>0 WSHandler (with no default) TestCase Scenario:
MG>anyone who has worked with providers would know that without a default provider a 0 providers test always throws an Exception
MG>reliance on any one transient dependent provider/handler is never a good idea unless there exists a default provider
MG>(otherwise missing provider/handler exceptions will be thrown in the field and will come back to haunt the architect)

MG>the Ruchith disagreement with WSS4J author Werner Dittmann extends back to 2006:

Ruchith>The module.xml file in this module archive has
Ruchith>instructions to place the handlers in the appropriate message flows
MG>(Inflow, Outflow and FaultFlow)
MG>Thus 3 different handlers for 3 different flows is a well architected solution vs Werner's contention of one WSS4JHandler fits
MG>like a glove for all 3 flows.. Werner's design stipulates without documentation or testcases borders on "one WSS4JHandler
MG>should work" is not grounded to accommodate InFlow, OutFlow and FaultFlow phases
https://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200602.mbox/%3C559c463d0602040034t203a184co317d0cccabc7ec11@...%3E

MG>I agree with Ruchith on promoting WSDoAllHandler family of Handlers instead of one size fits all Handler implementing
MG>WSS4JHandler

What do you think?


Re: Axis2 1.7.3 + Rampart 1.7.0 WS-Security not invoked

lanabe
Thanks for the information. Hmm, I'm not completely with you.

At least it seems Rampart 1.7.0 has some breaking changes with no backward compatibility,
so I want some docs or hints for using it :)

I've created an issue from that perspective.
https://issues.apache.org/jira/browse/RAMPART-436

Thanks!
