Discussion:
Axis2 1.7.3 + Rampart 1.7.0 WS-Security not invoked
lanabe
2016-07-13 13:29:21 UTC
Permalink
Hi, I'm working on using WS-Security with Axis2 1.7.3 .

Axis2 1.6.4 + Rampart 1.6.4 works perfectly, but in Axis2 1.7.3 + Rampart
1.7.0, I got the following error.

---
13-Jul-2016 22:10:21.222 SEVERE [http-nio-8080-exec-4]
org.apache.axis2.engine.AxisEngine.receive Must Understand check failed for
headers: {
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security
org.apache.axis2.AxisFault: Must Understand check failed for headers: {
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security
at
org.apache.axis2.jaxws.handler.HandlerUtils.checkMustUnderstand(HandlerUtils.java:160)
at
org.apache.axis2.jaxws.server.EndpointController.inboundHeaderAndHandlerProcessing(EndpointController.java:336)
at
org.apache.axis2.jaxws.server.EndpointController.handleRequest(EndpointController.java:258)
at
org.apache.axis2.jaxws.server.EndpointController.invoke(EndpointController.java:101)
[...]
---

It seems not to be enable the settings for InflowSecurity.

I've created a simple reproducer, which has 2 projects in each
version(1.6.4, 1.7.3).
https://github.com/emag-notes/axis2-ws-security

Any Idea?
lanabe
2016-07-14 08:16:46 UTC
Permalink
Hi, apparently I found a workaround.

Axis2 1.7.3 + Rampart 1.6.4 works fine(ofc, I suspect there should be more
proper way with Rampart 1.7.0).

I noticed that Rampart 1.7.0 doesn't have WSDoAllHandler which processes
WS-Security Header.

AxisEngine#receive() will call each Phases Handlers, and Security Phase has
two handlers with Rampart 1.6.4.

* org.apache.rampart.handler.RampartReceiver
* org.apache.rampart.handler.WSDoAllHandler

WSDoAllHandler will call SOAPHeaderBlockImpl.setProcessed() so the
WS-Secrutiy QName is marked as processed as I said above.

While, Rampart 1.7.0 doesn't have it, so WS-Securtiy QName will not process
and then Axis2 will complain about it as the error.

---
EVERE [http-nio-8080-exec-4] org.apache.axis2.engine.AxisEngine.receive
Must Understand check failed for headers: {
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security
org.apache.axis2.AxisFault: Must Understand check failed for headers: {
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security
at
org.apache.axis2.jaxws.handler.HandlerUtils.checkMustUnderstand(HandlerUtils.java:160)
[...]
---

So, I should change the question. Should I use Rampart 1.6.4? Or, is there
any proper way to use Rampart 1.7.0?
Post by lanabe
Hi, I'm working on using WS-Security with Axis2 1.7.3 .
Axis2 1.6.4 + Rampart 1.6.4 works perfectly, but in Axis2 1.7.3 + Rampart
1.7.0, I got the following error.
---
13-Jul-2016 22:10:21.222 SEVERE [http-nio-8080-exec-4]
org.apache.axis2.engine.AxisEngine.receive Must Understand check failed for
headers: {
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security
org.apache.axis2.AxisFault: Must Understand check failed for headers: {
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security
at
org.apache.axis2.jaxws.handler.HandlerUtils.checkMustUnderstand(HandlerUtils.java:160)
at
org.apache.axis2.jaxws.server.EndpointController.inboundHeaderAndHandlerProcessing(EndpointController.java:336)
at
org.apache.axis2.jaxws.server.EndpointController.handleRequest(EndpointController.java:258)
at
org.apache.axis2.jaxws.server.EndpointController.invoke(EndpointController.java:101)
[...]
---
It seems not to be enable the settings for InflowSecurity.
I've created a simple reproducer, which has 2 projects in each
version(1.6.4, 1.7.3).
https://github.com/emag-notes/axis2-ws-security
Any Idea?
Martin Gainty
2016-07-14 15:28:25 UTC
Permalink
From: ***@gmail.com
Date: Thu, 14 Jul 2016 08:16:46 +0000
Subject: Re: Axis2 1.7.3 + Rampart 1.7.0 WS-Security not invoked
To: java-***@axis.apache.org

Hi, apparently I found a workaround.
Axis2 1.7.3 + Rampart 1.6.4 works fine(ofc, I suspect there should be more proper way with Rampart 1.7.0).I noticed that Rampart 1.7.0 doesn't have WSDoAllHandler which processes WS-Security Header.

MG>Ianabe please file Urgent priority JIRA bug on missing WSDoAllHandler for Rampart 1.70
https://issues.apache.org/jira/browse/RAMPART/?selectedTab=com.atlassian.jira.jira-projects-plugin:summary-panel




So, I should change the question. Should I use Rampart 1.6.4? Or, is there any proper way to use Rampart 1.7.0?

On Wed, Jul 13, 2016 at 10:29 PM lanabe <***@gmail.com> wrote:
Hi, I'm working on using WS-Security with Axis2 1.7.3 .

Axis2 1.6.4 + Rampart 1.6.4 works perfectly, but in Axis2 1.7.3 + Rampart 1.7.0, I got the following error.

---
13-Jul-2016 22:10:21.222 SEVERE [http-nio-8080-exec-4] org.apache.axis2.engine.AxisEngine.receive Must Understand check failed for headers: {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security
org.apache.axis2.AxisFault: Must Understand check failed for headers: {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security
at org.apache.axis2.jaxws.handler.HandlerUtils.checkMustUnderstand(HandlerUtils.java:160)
at org.apache.axis2.jaxws.server.EndpointController.inboundHeaderAndHandlerProcessing(EndpointController.java:336)
at org.apache.axis2.jaxws.server.EndpointController.handleRequest(EndpointController.java:258)
at org.apache.axis2.jaxws.server.EndpointController.invoke(EndpointController.java:101)
[...]
---

It seems not to be enable the settings for InflowSecurity.

I've created a simple reproducer, which has 2 projects in each version(1.6.4, 1.7.3).
https://github.com/emag-notes/axis2-ws-security

Any Idea?
lanabe
2016-07-14 16:39:07 UTC
Permalink
Martin, Thank you for your reply.

Before filing a issue, I have a question about missing WSDoAllHandler.

The following commit deleted WSDoAllHandler says:
---
Removing the deprecated basic configuration (This was deprecated since
version 1.1).

https://github.com/apache/rampart/commit/1863364037019275f70e66cf77d1f092bf3bd984
---

And Rampart 1.7.0 release notes says:
---
Please note that Apache Rampart uses a configuration model based on
WS-Policy and WS-Security Policy and that the Apache Rampart 1.0 style
configuration (already deprecated since Rampart 1.1) is no longer supported
in 1.7.0.

http://axis.apache.org/axis2/java/rampart/release-notes/1.7.0.html
---

I guess Rampart already provides more suitable way to use WS-Security
because WSDoAllHandler seems to be deprecated(so removed).

What do you think?
------------------------------
Date: Thu, 14 Jul 2016 08:16:46 +0000
Subject: Re: Axis2 1.7.3 + Rampart 1.7.0 WS-Security not invoked
Hi, apparently I found a workaround.
Axis2 1.7.3 + Rampart 1.6.4 works fine(ofc, I suspect there should be more
proper way with Rampart 1.7.0).
I noticed that Rampart 1.7.0 doesn't have WSDoAllHandler which processes
WS-Security Header.
MG>Ianabe please file Urgent priority JIRA bug on missing WSDoAllHandler for Rampart 1.70
https://issues.apache.org/jira/browse/RAMPART/?selectedTab=com.atlassian.jira.jira-projects-plugin:summary-panel
So, I should change the question. Should I use Rampart 1.6.4? Or, is there
any proper way to use Rampart 1.7.0?
Hi, I'm working on using WS-Security with Axis2 1.7.3 .
Axis2 1.6.4 + Rampart 1.6.4 works perfectly, but in Axis2 1.7.3 + Rampart
1.7.0, I got the following error.
---
13-Jul-2016 22:10:21.222 SEVERE [http-nio-8080-exec-4]
org.apache.axis2.engine.AxisEngine.receive Must Understand check failed for
headers: {
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security
org.apache.axis2.AxisFault: Must Understand check failed for headers: {
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security
at
org.apache.axis2.jaxws.handler.HandlerUtils.checkMustUnderstand(HandlerUtils.java:160)
at
org.apache.axis2.jaxws.server.EndpointController.inboundHeaderAndHandlerProcessing(EndpointController.java:336)
at
org.apache.axis2.jaxws.server.EndpointController.handleRequest(EndpointController.java:258)
at
org.apache.axis2.jaxws.server.EndpointController.invoke(EndpointController.java:101)
[...]
---
It seems not to be enable the settings for InflowSecurity.
I've created a simple reproducer, which has 2 projects in each
version(1.6.4, 1.7.3).
https://github.com/emag-notes/axis2-ws-security
Any Idea?
Martin Gainty
2016-07-14 18:43:25 UTC
Permalink
From: ***@gmail.com
Date: Thu, 14 Jul 2016 16:39:07 +0000
Subject: Re: Axis2 1.7.3 + Rampart 1.7.0 WS-Security not invoked
To: java-***@axis.apache.org

Martin, Thank you for your reply.

Before filing a issue, I have a question about missing WSDoAllHandler.

The following commit deleted WSDoAllHandler says:
---
Removing the deprecated basic configuration (This was deprecated since version 1.1).

https://github.com/apache/rampart/commit/1863364037019275f70e66cf77d1f092bf3bd984
---

And Rampart 1.7.0 release notes says:
---
Please note that Apache Rampart uses a configuration model based on WS-Policy and WS-Security Policy and that the Apache Rampart 1.0 style configuration (already deprecated since Rampart 1.1) is no longer supported in 1.7.0.

http://axis.apache.org/axis2/java/rampart/release-notes/1.7.0.html
---

I guess Rampart already provides more suitable way to use WS-Security because WSDoAllHandler seems to be deprecated(so removed).
MG>the caveat is WSDoAllHandler is deprecated ...IF.. wss4j (specifically WSS4JHandler) is presentMG>If WSS4JHandler not on classpath then Axis 2 throws Exception with "mustUnderstand header not detected"
MG>0 WSHandler (with no default) TestCase Scenario:MG>anyone who has worked with providers would know that without default provider a 0 providers test always throws Exception
MG>reliance on any one transient dependent provider/handler is never a good idea unless there exists a default provider MG>(otherwise missing provider/handler exceptions will be thrown in the field will come back to haunt the architect)

MG>the Ruchith disagreement with WSS4J author Werner Dittman extends back to 2006:
Ruchith>The module.xml file in this module archive hasRuchith>instructions to place the handlers in the appropriate message flows
MG>(Inflow, Outflow and FaultFlow)MG>Thus 3 different handlers for 3 different flows is a well architected solution vs Werners contention of one WSS4JHandler fits MG>like a glove for all all 3 flows..Werners design stipulates without documentation or testcases borders on "one WSS4JHandler MG>should work" is not grounded to accomodate InFlow,OutFlow and FaultFlow phases

https://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200602.mbox/%***@mail.gmail.com%3E

MG>I agree with Rucith on promoting WSDoAllHandler family of Handlers instead of one size fits all Handler implementing MG>WSS4JHandlerhttps://wiki.apache.org/ws/FrontPage/Architecture/Deployment
What do you think?

On Fri, Jul 15, 2016 at 12:28 AM Martin Gainty <***@hotmail.com> wrote:








From: ***@gmail.com
Date: Thu, 14 Jul 2016 08:16:46 +0000
Subject: Re: Axis2 1.7.3 + Rampart 1.7.0 WS-Security not invoked
To: java-***@axis.apache.org

Hi, apparently I found a workaround.
Axis2 1.7.3 + Rampart 1.6.4 works fine(ofc, I suspect there should be more proper way with Rampart 1.7.0).I noticed that Rampart 1.7.0 doesn't have WSDoAllHandler which processes WS-Security Header.

MG>Ianabe please file Urgent priority JIRA bug on missing WSDoAllHandler for Rampart 1.70
https://issues.apache.org/jira/browse/RAMPART/?selectedTab=com.atlassian.jira.jira-projects-plugin:summary-panel




So, I should change the question. Should I use Rampart 1.6.4? Or, is there any proper way to use Rampart 1.7.0?

On Wed, Jul 13, 2016 at 10:29 PM lanabe <***@gmail.com> wrote:
Hi, I'm working on using WS-Security with Axis2 1.7.3 .

Axis2 1.6.4 + Rampart 1.6.4 works perfectly, but in Axis2 1.7.3 + Rampart 1.7.0, I got the following error.

---
13-Jul-2016 22:10:21.222 SEVERE [http-nio-8080-exec-4] org.apache.axis2.engine.AxisEngine.receive Must Understand check failed for headers: {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security
org.apache.axis2.AxisFault: Must Understand check failed for headers: {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security
at org.apache.axis2.jaxws.handler.HandlerUtils.checkMustUnderstand(HandlerUtils.java:160)
at org.apache.axis2.jaxws.server.EndpointController.inboundHeaderAndHandlerProcessing(EndpointController.java:336)
at org.apache.axis2.jaxws.server.EndpointController.handleRequest(EndpointController.java:258)
at org.apache.axis2.jaxws.server.EndpointController.invoke(EndpointController.java:101)
[...]
---

It seems not to be enable the settings for InflowSecurity.

I've created a simple reproducer, which has 2 projects in each version(1.6.4, 1.7.3).
https://github.com/emag-notes/axis2-ws-security

Any Idea?
lanabe
2016-07-15 01:50:53 UTC
Permalink
Thanks for the information. Hmm, I'm not completely with you.

At least It seems Rampart 1.7.0 has some breaking changes with no backward
compatibility,
so I want some docs or hints for using it :)

I've created a issue as the perspective.
https://issues.apache.org/jira/browse/RAMPART-436

Thanks!
------------------------------
Date: Thu, 14 Jul 2016 16:39:07 +0000
Subject: Re: Axis2 1.7.3 + Rampart 1.7.0 WS-Security not invoked
Martin, Thank you for your reply.
Before filing a issue, I have a question about missing WSDoAllHandler.
---
Removing the deprecated basic configuration (This was deprecated since version 1.1).
https://github.com/apache/rampart/commit/1863364037019275f70e66cf77d1f092bf3bd984
---
---
Please note that Apache Rampart uses a configuration model based on
WS-Policy and WS-Security Policy and that the Apache Rampart 1.0 style
configuration (already deprecated since Rampart 1.1) is no longer supported
in 1.7.0.
http://axis.apache.org/axis2/java/rampart/release-notes/1.7.0.html
---
I guess Rampart already provides more suitable way to use WS-Security
because WSDoAllHandler seems to be deprecated(so removed).
MG>the caveat is WSDoAllHandler is deprecated ...IF.. wss4j (specifically WSS4JHandler)
is present
MG>If WSS4JHandler not on classpath then Axis 2 throws Exception with
"mustUnderstand header not detected"
MG>anyone who has worked with providers would know that without default
provider a 0 providers test always throws Exception
MG>reliance on any one transient dependent provider/handler is never a
good idea unless there exists a default provider
MG>(otherwise missing provider/handler exceptions will be thrown in the
field will come back to haunt the architect)
Ruchith>The module.xml file in this module archive has
Ruchith>instructions to place the handlers in the appropriate message
flows MG>(Inflow, Outflow and FaultFlow)
MG>Thus 3 different handlers for 3 different flows is a well architected
solution vs Werners contention of one WSS4JHandler fits MG>like a glove
for all all 3 flows..Werners design stipulates without documentation or
testcases borders on "one WSS4JHandler MG>should work" is not grounded to
accomodate InFlow,OutFlow and FaultFlow phases
MG>I agree with Rucith on promoting WSDoAllHandler family of Handlers
instead of one size fits all Handler implementing MG>WSS4JHandler
https://wiki.apache.org/ws/FrontPage/Architecture/Deployment
What do you think?
------------------------------
Date: Thu, 14 Jul 2016 08:16:46 +0000
Subject: Re: Axis2 1.7.3 + Rampart 1.7.0 WS-Security not invoked
Hi, apparently I found a workaround.
Axis2 1.7.3 + Rampart 1.6.4 works fine(ofc, I suspect there should be more
proper way with Rampart 1.7.0).
I noticed that Rampart 1.7.0 doesn't have WSDoAllHandler which processes
WS-Security Header.
MG>Ianabe please file Urgent priority JIRA bug on missing WSDoAllHandler for Rampart 1.70
https://issues.apache.org/jira/browse/RAMPART/?selectedTab=com.atlassian.jira.jira-projects-plugin:summary-panel
So, I should change the question. Should I use Rampart 1.6.4? Or, is there
any proper way to use Rampart 1.7.0?
Hi, I'm working on using WS-Security with Axis2 1.7.3 .
Axis2 1.6.4 + Rampart 1.6.4 works perfectly, but in Axis2 1.7.3 + Rampart
1.7.0, I got the following error.
---
13-Jul-2016 22:10:21.222 SEVERE [http-nio-8080-exec-4]
org.apache.axis2.engine.AxisEngine.receive Must Understand check failed for
headers: {
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security
org.apache.axis2.AxisFault: Must Understand check failed for headers: {
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security
at
org.apache.axis2.jaxws.handler.HandlerUtils.checkMustUnderstand(HandlerUtils.java:160)
at
org.apache.axis2.jaxws.server.EndpointController.inboundHeaderAndHandlerProcessing(EndpointController.java:336)
at
org.apache.axis2.jaxws.server.EndpointController.handleRequest(EndpointController.java:258)
at
org.apache.axis2.jaxws.server.EndpointController.invoke(EndpointController.java:101)
[...]
---
It seems not to be enable the settings for InflowSecurity.
I've created a simple reproducer, which has 2 projects in each
version(1.6.4, 1.7.3).
https://github.com/emag-notes/axis2-ws-security
Any Idea?
Loading...