Axis 2 and Rampart- why does service return wsse:Security header in request?


Solution 1

It looks as if the error isn't with the outbound request, but with handling the response. The response doesn't have a security header, and when we're trying to decrypt it, an exception occurs.

I need to somehow change my Rampart configuration to only do outbound security, not inbound

I'll report back :)


Ok the problem was that once Rampart is engaged, it expects the response to have the same security header. The way I solved the problem was by removing the handler to the Inflow security in the Rampart.mar file.

I'm not sure if this is the best fix, but it worked for us.

To remove the inflow handler:

  1. Unpack the rampart.mar file.
  2. Comment out the Inflow section.
  3. Zip up the META-INF folder, then rename the .zip file to .mar.

Now when you use this, as there are no handlers defined for inflow, it will just use the standard Axis2 response handler.

I guess if you had several projects using Rampart where some had the security header in the response and some didn't you would need a different approach.


Another approach is detailed here. It's probably a better approach:

http://blog.rampartfaq.com/2009/11/how-to-generate-non-secure-response-to.html

Exception:

    org.apache.axis2.AxisFault: Missing wsse:Security header in request
        at org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:180)
        at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:99)
        at org.apache.axis2.engine.Phase.invoke(Phase.java:318)
        at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:251)
        at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:160)
        at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:364)
        at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:417)
        at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:229)

Solution 2

After navigating a lot, and reading the same pages several times, I finally got a solution that satisfied me.

From the previous post I quote: "Ok the problem was that once Rampart is engaged, it expects the response to have the same security header." (as the request) This is absolutely true!

I feel that the best approach is found in the following link: http://xacmlinfo.org/2012/11/09/disabling-ws-security-for-in-or-out-messages-in-axis2/

However, in my case, I didn't want to make a new module, so I decided to emulate the module in my code. I tried to explain it in three steps.

  1. (First) I used a default policy (taken from the previous link) as a method in my code. (It worked for Axis 1.6.2 and the compatible version of Rampart.)

    // Returns the empty policy below as a String ("xml for policy" is a placeholder for it)
    private String getPolicy() { return "xml for policy"; }

Important: the method must return the following XML as a String (shown formatted here for readability):

    <wsp:Policy wsu:Id="emptryPolicy"
        xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsp:ExactlyOne>
        <wsp:All>
          <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <wsp:Policy>
            </wsp:Policy>
          </sp:TransportBinding>
        </wsp:All>
      </wsp:ExactlyOne>
    </wsp:Policy>
  2. (Second) I created a Policy (object) based on the previous method.

    import java.io.ByteArrayInputStream;
    import java.io.InputStream;
    import java.nio.charset.StandardCharsets;
    import org.apache.neethi.Policy;
    import org.apache.neethi.PolicyEngine;

    // Parse the policy XML string into a Neethi Policy object
    InputStream stream = new ByteArrayInputStream(getPolicy().getBytes(StandardCharsets.UTF_8));
    Policy p = PolicyEngine.getPolicy(stream);

  3. (Third) I used the properties KEY_RAMPART_IN_POLICY and KEY_RAMPART_OUT_POLICY.

    import org.apache.rampart.RampartMessageData;

    // outPolicy: the security policy of the web service (loaded as a Policy object);
    // p: the empty policy created in step 2, so no security is expected on the response
    stub._getServiceClient().getOptions().setProperty(RampartMessageData.KEY_RAMPART_OUT_POLICY, outPolicy);
    stub._getServiceClient().getOptions().setProperty(RampartMessageData.KEY_RAMPART_IN_POLICY, p);

Important: the security policy of the web service depends on the security that the web service uses. If your provider supplied the policy in the WSDL, you would not have to struggle with this, but in other cases you just use the Rampart policies. On the Rampart site, examples are described very clearly for each type of security policy (UsernameToken Authentication, AsymmetricBinding, etc.).

This example fashions a request with security and a response without security. It works for me!
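The three steps of this answer assembled into one client class, as an added example that is not code from the post or from the Rampart project. It assumes a generated Axis2 stub named ProductSearchStub (a hypothetical name), an Axis2 repository directory that contains the rampart module, and the outbound policy (for instance the SigOnly policy from the question) saved to a file; the endpoint URL and the file paths are placeholders.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

import org.apache.axis2.AxisFault;
import org.apache.axis2.client.Options;
import org.apache.axis2.client.ServiceClient;
import org.apache.axis2.context.ConfigurationContext;
import org.apache.axis2.context.ConfigurationContextFactory;
import org.apache.neethi.Policy;
import org.apache.neethi.PolicyEngine;
import org.apache.rampart.RampartMessageData;

/** Secures the request with the service's policy but expects an unsecured response. */
public final class OneWaySecurityClient {

    // Step 1: a policy whose only assertion is an empty TransportBinding, so Rampart
    // neither adds nor expects a wsse:Security header on the messages it is applied to.
    private static final String EMPTY_POLICY_XML =
        "<wsp:Policy wsu:Id=\"emptyPolicy\""
        + " xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\""
        + " xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">"
        + "<wsp:ExactlyOne><wsp:All>"
        + "<sp:TransportBinding xmlns:sp=\"http://schemas.xmlsoap.org/ws/2005/07/securitypolicy\">"
        + "<wsp:Policy/>"
        + "</sp:TransportBinding>"
        + "</wsp:All></wsp:ExactlyOne></wsp:Policy>";

    // Step 2: parse the empty policy into a Neethi Policy object.
    static Policy emptyPolicy() {
        InputStream in = new ByteArrayInputStream(EMPTY_POLICY_XML.getBytes(StandardCharsets.UTF_8));
        return PolicyEngine.getPolicy(in);
    }

    // The real outbound policy, read from a WS-Policy file such as the SigOnly policy
    // shown in the question (path is a placeholder).
    static Policy loadPolicy(String path) throws IOException {
        try (InputStream in = new FileInputStream(path)) {
            return PolicyEngine.getPolicy(in);
        }
    }

    // Step 3: outbound messages follow the service's policy, inbound ones the empty policy.
    static void configure(ServiceClient client, Policy outPolicy) throws AxisFault {
        // Engage rampart on this client if the repository does not already engage it globally.
        client.engageModule("rampart");
        Options options = client.getOptions();
        options.setProperty(RampartMessageData.KEY_RAMPART_OUT_POLICY, outPolicy);
        options.setProperty(RampartMessageData.KEY_RAMPART_IN_POLICY, emptyPolicy());
    }

    public static void main(String[] args) throws Exception {
        // Repository directory containing modules/rampart-<version>.mar (placeholder path).
        ConfigurationContext ctx = ConfigurationContextFactory
            .createConfigurationContextFromFileSystem("/path/to/axis2/repository", null);
        // ProductSearchStub is a hypothetical generated stub; the endpoint is a placeholder.
        ProductSearchStub stub = new ProductSearchStub(ctx, "https://service.example/ProductSearch");
        configure(stub._getServiceClient(), loadPolicy("/path/to/policy.xml"));
        // stub.productSearchV2(request);  // generated operation; the response is accepted unsigned
    }
}
```

With the empty inbound policy Rampart does no verification of the response at all: it will accept an unsigned reply from whatever answers at the endpoint. That is only reasonable when the transport provides the origin and integrity guarantees a response signature would otherwise give, that is, an HTTPS endpoint whose server certificate the client actually validates.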

Author by bob

Updated on June 05, 2022

Comments

  • bob (almost 2 years ago)

    I'm connecting to a secure service.

    I have a SOAP UI project configured to use a jks file to provide the certificate, along with appropriate security settings to allow me to get a valid response.

    I have used AXIS 2 and Rampart to create a SOAP request from a JAVA project. Using TCPMon I've managed to grab the SOAP request.

    When the request runs in the JAVA project, I just get the response:

    org.apache.axis2.AxisFault: Missing wsse:Security header in request

    but if I take the same request, captured in TCPMon and put it in a SOAP UI project, I get a response successfully.

    Anyone got any ideas?

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
      <soapenv:Header>
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            soapenv:mustUnderstand="1">
          <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
              wsu:Id="Timestamp-1">
            <wsu:Created>2012-06-01T15:09:12.520Z</wsu:Created>
            <wsu:Expires>2012-06-01T15:14:12.520Z</wsu:Expires>
          </wsu:Timestamp>
          <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
              EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
              ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
              wsu:Id="CertId-ECDB0E....01">MIID4DCCA0mgAwIBAgIBFjAN....</wsse:BinarySecurityToken>
          <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-2">
            <ds:SignedInfo>
              <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
              <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
              <ds:Reference URI="#Id-15..93">
                <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <ds:DigestValue>3wgvhJ8SI2soC..IA=</ds:DigestValue>
              </ds:Reference>
              <ds:Reference URI="#Timestamp-1">
                <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <ds:DigestValue>VlzDT69YEl..qTlbj0=</ds:DigestValue>
              </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>ZCRypw/..=</ds:SignatureValue>
            <ds:KeyInfo Id="KeyId-ECD..2">
              <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                  wsu:Id="STRId-ECDB0E6..6193">
                <wsse:Reference URI="#CertId-ECDB0E..01"
                    ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
              </wsse:SecurityTokenReference>
            </ds:KeyInfo>
          </ds:Signature>
        </wsse:Security>
      </soapenv:Header>
      <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-15..3">
        <ns2:ProductSearchV2Request xmlns:ns2="http://product.webservice.sxc.com">
          <ns2:Strength>900</ns2:Strength>
          <ns2:MaximumResultSetInd>true</ns2:MaximumResultSetInd>
          <ns2:MaximumResultSet>100</ns2:MaximumResultSet>
        </ns2:ProductSearchV2Request>
      </soapenv:Body>
    </soapenv:Envelope>
    


    This is the WS-POLICY document that I'm using:

    <?xml version="1.0" encoding="UTF-8"?>
    <!--
     !
     ! Copyright 2006 The Apache Software Foundation.
     !
     ! Licensed under the Apache License, Version 2.0 (the "License");
     ! you may not use this file except in compliance with the License.
     ! You may obtain a copy of the License at
     !
     !      http://www.apache.org/licenses/LICENSE-2.0
     !
     ! Unless required by applicable law or agreed to in writing, software
     ! distributed under the License is distributed on an "AS IS" BASIS,
     ! WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     ! See the License for the specific language governing permissions and
     ! limitations under the License.
     !-->
    <wsp:Policy wsu:Id="SigOnly"
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
        <wsp:ExactlyOne>
            <wsp:All>
                <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                    <wsp:Policy>
                        <sp:InitiatorToken>
                            <wsp:Policy>
                                <sp:X509Token
                                        sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                                    <wsp:Policy>
                                        <sp:RequireThumbprintReference/>
                                        <sp:WssX509V3Token10/>
                                    </wsp:Policy>
                                </sp:X509Token>
                            </wsp:Policy>
                        </sp:InitiatorToken>
                        <sp:RecipientToken>
                            <wsp:Policy>
                                <sp:X509Token
                                        sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                                    <wsp:Policy>
                                        <sp:RequireThumbprintReference/>
                                        <sp:WssX509V3Token10/>
                                    </wsp:Policy>
                                </sp:X509Token>
                            </wsp:Policy>
                        </sp:RecipientToken>
                        <sp:AlgorithmSuite>
                            <wsp:Policy>
                                <sp:TripleDesRsa15/>
                            </wsp:Policy>
                        </sp:AlgorithmSuite>
                        <sp:Layout>
                            <wsp:Policy>
                                <sp:Strict/>
                            </wsp:Policy>
                        </sp:Layout>
                        <sp:IncludeTimestamp/>
                        <sp:OnlySignEntireHeadersAndBody/>
                    </wsp:Policy>
                </sp:AsymmetricBinding>
                <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                    <wsp:Policy>
                        <sp:MustSupportRefKeyIdentifier/>
                        <sp:MustSupportRefIssuerSerial/>
                    </wsp:Policy>
                </sp:Wss10>
                <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                    <sp:Body/>
                </sp:SignedParts>
                <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
                    <ramp:user>ctr</ramp:user>
                    <ramp:encryptionUser>ctr</ramp:encryptionUser>
                    <ramp:passwordCallbackClass>com.gtnet.rampart.PWCBHandler
                    </ramp:passwordCallbackClass>

                    <ramp:signatureCrypto>
                        <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
                            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
                            <ramp:property name="org.apache.ws.security.crypto.merlin.file">build\resources\qa.jks</ramp:property>
                            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">123123</ramp:property>
                        </ramp:crypto>
                    </ramp:signatureCrypto>
                </ramp:RampartConfig>

            </wsp:All>
        </wsp:ExactlyOne>
    </wsp:Policy>
    

    Thanks Alan