[ 
https://issues.apache.org/jira/browse/CXF-3240?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12980166#action_12980166
 ] 

Glen Mazza commented on CXF-3240:
---------------------------------

Your question is really much better placed on the CXF-User's list, which far 
more people read and can help out on.  

What I recommend is changing the soap:mustUnderstand="1" to 
soap:mustUnderstand="0" and see if the SOAP call will work that way(*); also to 
find out from your web service provider (WSP) whether they will accept 
soap:mustUnderstand="1".  I was on a project once where the WSP sloppily 
wouldn't accept mustUnderstand="1" (they saw it as a performance hit, if I 
understand correctly, but it's really useful IMO as a safety check) and so we 
couldn't use it.  You can do this test by using soapUI or modifying the header 
to remove this attribute (providing removing the attribute will not break any 
signatures) by using Interceptors or Handlers[1].  

(*) if it *does* work if you remove mustUnderstand, also confirm that the SOAP 
call will fail if you put in buggy/bogus/false authentication info, if the call 
does not fail then there's a real security problem with the WSP.

[1] http://www.jroller.com/gmazza/entry/blog_article_index (links 1 and 2 under 
assorted topics)


> The header 'Security' from the namespace 
> 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
>  was not understood by the recipient of this message, causing the message to 
> not be processed.
> --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CXF-3240
>                 URL: https://issues.apache.org/jira/browse/CXF-3240
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.2.9
>         Environment: JDK 1.6, Eclipse Ganymede
>            Reporter: Asif Ali Mohammed
>            Priority: Blocker
>             Fix For: 2.2.9
>
>
> Hi,
> I have written a webservice client for a secured webservice. I'm able to build 
> the request along with signed header which takes security information from a 
> .jks file. But in the response I'm getting the following error. 
> ######################################################
> Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: The header 
> 'Security' from the namespace 
> 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
>  was not understood by the recipient of this message, causing the message to 
> not be processed.  This error typically indicates that the sender of this 
> message has enabled a communication protocol that the receiver cannot 
> process.  Please ensure that the configuration of the client's binding is 
> consistent with the service's binding. 
>       at 
> org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:146)
>       at $Proxy61.getAccountBalancesByUser(Unknown Source)
>       at IAccountsService_Client.main(Unknown Source)
> Caused by: org.apache.cxf.binding.soap.SoapFault: The header 'Security' from 
> the namespace 
> 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
>  was not understood by the recipient of this message, causing the message to 
> not be processed.  This error typically indicates that the sender of this 
> message has enabled a communication protocol that the receiver cannot 
> process.  Please ensure that the configuration of the client's binding is 
> consistent with the service's binding. 
>       at 
> org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.unmarshalFault(Soap11FaultInInterceptor.java:75)
>       at 
> org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:46)
>       at 
> org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:35)
>       at 
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:243)
>       at 
> org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:99)
>       at 
> org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:69)
>       at 
> org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:34)
>       at 
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:243)
>       at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:700)
>       at 
> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:2261)
>       at 
> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:2134)
>       at 
> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1988)
>       at 
> org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:47)
>       at 
> org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:188)
>       at 
> org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:66)
>       at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:639)
>       at 
> org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
>       at 
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:243)
>       at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:487)
>       at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:313)
>       at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:265)
>       at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
>       at 
> org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:124)
>       ... 2 more
> ########################################################
> The client program is :
> public final class IAccountsService_Client {
>     public static void main(String args[]) throws Exception {
>       
>       IAccountsService accountsService = getServicePortType();
>               
>         org.apache.cxf.endpoint.Client client = 
> org.apache.cxf.frontend.ClientProxy.getClient(accountsService);
>         org.apache.cxf.endpoint.Endpoint cxfEndpoint = client.getEndpoint();
>         
>         Map<String,Object> outProps = getOutInterceptorProps();
>         
>         WSS4JOutInterceptor wssOut = new WSS4JOutInterceptor(outProps);
>         cxfEndpoint.getOutInterceptors().add(wssOut);
>         
>         
>       java.lang.String userGuid = "f9f24f385d1b8cba373ad33eb015f98Z";
>       ArrayOfstring accountNumbers = new ArrayOfstring();
>       accountNumbers.getString().add("18630464");
>       accountNumbers.getString().add("10003314");
>       accountNumbers.getString().add("18602340");
>                       
>       UserAccountBalances  _return = 
> accountsService.getAccountBalancesByUser(userGuid, accountNumbers, 
> SourceType.ALL);
>                   
>               
>     }
>     
>     private static IAccountsService getServicePortType(){
>               
>               JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean();
>               //enable logging of outbound(request) and inbound(response) 
> soap messages
>             factory.getInInterceptors().add(new LoggingInInterceptor());
>            factory.getOutInterceptors().add(new LoggingOutInterceptor());
>              factory.setServiceClass(IAccountsService.class);
>               
> factory.setAddress("http://uss1udp001ampvb.ampf.com:29039/tr/iWealthAcctService");
>               return (IAccountsService) factory.create();
>       }
>       
>       
>       private static Map<String, Object> getOutInterceptorProps(){
>               Map<String,Object> outProps = new HashMap<String,Object>();
>         // how to configure the properties is outlined below;
>         outProps.put(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE);
>         outProps.put(WSHandlerConstants.USER, "clientPortal_e3");
>         outProps.put(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_TEXT);
>         outProps.put(WSHandlerConstants.PW_CALLBACK_CLASS, 
> KeystorePasswordCallback.class.getName());
>         outProps.put(WSHandlerConstants.SIG_PROP_FILE, "crypto.properties");
>         return outProps;
>       }
> ########################################################
> Request XML :
> INFO: Outbound Message
> ---------------------------
> ID: 1
> Address: http://uss1udp001ampvb.ampf.com:29039/tr/iWealthAcctService
> Encoding: UTF-8
> Content-Type: text/xml
> Headers: 
> {SOAPAction=["https://iWealth.thomson.com/Services/2010/03/IAccountsService/GetAccountBalancesByUser"],
>  Accept=[*/*]}
> Payload: <soap:Envelope 
> xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Header><wsse:Security
>  
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>  soap:mustUnderstand="1"><ds:Signature 
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-1">
> <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:CanonicalizationMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#" 
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
> <ds:SignatureMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#" 
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
> <ds:Reference xmlns:ds="http://www.w3.org/2000/09/xmldsig#" URI="#id-2">
> <ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:Transform xmlns:ds="http://www.w3.org/2000/09/xmldsig#" 
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
> </ds:Transforms>
> <ds:DigestMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#" 
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
> <ds:DigestValue 
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">oCglj+hmoQBUz+yqCDDg6FmPXzc=</ds:DigestValue>
> </ds:Reference>
> </ds:SignedInfo>
> <ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> CjPQCsoPsyfiiACZdkqx+LBeGkz1teu52Rf/BoTVBWTieh12fo7X0qznSN1AHEYiZCgXvuwdQkcn
> ewUl2vFTj3g/btkHUX8Epgp5X/u2X5Aunk7ZdliGTxZ0Fyv2LAduzDiJim15ti3UBitRqU39iBWk
> inx1jBpbgTeBI33acng=
> </ds:SignatureValue>
> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#" 
> Id="KeyId-E8E2BE415B08955AA412947515791042">
> <wsse:SecurityTokenReference 
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>  
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>  wsu:Id="STRId-E8E2BE415B08955AA412947515791043"><ds:X509Data 
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:X509IssuerSerial xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:X509IssuerName 
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">OU=www.verisign.com/CPS 
> Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server 
> CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network</ds:X509IssuerName>
> <ds:X509SerialNumber 
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">169372247684920926775018956902222426627</ds:X509SerialNumber>
> </ds:X509IssuerSerial>
> </ds:X509Data></wsse:SecurityTokenReference>
> </ds:KeyInfo>
> </ds:Signature></wsse:Security></soap:Header><soap:Body 
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>  wsu:Id="id-2"><GetAccountBalancesByUser 
> xmlns="https://iWealth.thomson.com/Services/2010/03" 
> xmlns:ns2="http://schemas.datacontract.org/2004/07/TFOnline.Services.Accounts.DataContracts"
>  xmlns:ns3="http://schemas.microsoft.com/2003/10/Serialization/Arrays" 
> xmlns:ns4="http://schemas.datacontract.org/2004/07/Microsoft.Practices.EnterpriseLibrary.Validation.Integration.WCF"
>  
> xmlns:ns5="http://www.microsoft.com/practices/EnterpriseLibrary/2007/01/wcf/validation"
>  
> xmlns:ns6="http://schemas.microsoft.com/2003/10/Serialization/"><userGuid>f9f24f385d1b8cba373ad33eb015f98Z</userGuid><accountNumbers><ns3:string>18630464</ns3:string><ns3:string>10003314</ns3:string><ns3:string>28827094</ns3:string><ns3:string>18692571</ns3:string><ns3:string>10020272</ns3:string><ns3:string>79136285</ns3:string><ns3:string>38920300</ns3:string><ns3:string>16605981</ns3:string><ns3:string>18602340</ns3:string><ns3:string>10033541</ns3:string><ns3:string>10867300</ns3:string><ns3:string>18602340</ns3:string></accountNumbers><sourceType>All</sourceType></GetAccountBalancesByUser></soap:Body></soap:Envelope>
> ################################################################
> Response XML:
> INFO: Inbound Message
> ----------------------------
> ID: 1
> Response-Code: 500
> Encoding: ISO-8859-1
> Content-Type: text/xml
> Headers: {content-type=[text/xml], X-AspNet-Version=[2.0.50727], 
> connection=[Keep-Alive], X-Backside-Transport=[FAIL FAIL], 
> transfer-encoding=[chunked], Date=[Tue, 11 Jan 2011 13:13:00 GMT], 
> Warning=[214 TR_AccountsService_XMLFW DataPower Transformation Applied], 
> Via=[1.1 TR_AccountsService_XMLFW], X-Client-IP=[159.202.161.253], 
> Server=[Microsoft-IIS/6.0], X-Powered-By=[ASP.NET], Cache-Control=[private]}
> Payload: <?xml version="1.0" encoding="UTF-8"?>
> <s:Envelope 
> xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><s:Fault><faultcode>s:MustUnderstand</faultcode><faultstring
>  xml:lang="en-US">The header 'Security' from the namespace 
> 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
>  was not understood by the recipient of this message, causing the message to 
> not be processed.  This error typically indicates that the sender of this 
> message has enabled a communication protocol that the receiver cannot 
> process.  Please ensure that the configuration of the client's binding is 
> consistent with the service's binding. 
> </faultstring></s:Fault></s:Body></s:Envelope>
> ###############################################################
> Please help me as this has become a blocking issue for my project.
> Thanks in advance,
> Asif ali Mohammed.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
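
Added example (not part of the JIRA comment or the reporter's code): the comment's caveat is that changing or removing soap:mustUnderstand must not break any signature, which can be checked offline against a logged request by seeing whether any ds:Reference covers the wsse:Security element or one of its ancestors. The function names and the trimmed sample message are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample with the same shape as the logged request: one
# ds:Reference pointing at the wsu:Id of soap:Body, signature values elided.
REQUEST = f"""<soap:Envelope xmlns:soap="{SOAP}"><soap:Header>
<wsse:Security xmlns:wsse="{WSSE}" soap:mustUnderstand="1">
<ds:Signature xmlns:ds="{DS}" Id="Signature-1"><ds:SignedInfo>
<ds:Reference URI="#id-2"/></ds:SignedInfo></ds:Signature>
</wsse:Security></soap:Header>
<soap:Body xmlns:wsu="{WSU}" wsu:Id="id-2"><GetAccountBalancesByUser/></soap:Body>
</soap:Envelope>"""

def reference_uris(root):
    """All ds:Reference URI values in the message."""
    return [r.get("URI", "") for r in root.iter(f"{{{DS}}}Reference")]

def check_must_understand(xml_text):
    """Return (mustUnderstand value, True if a signature covers the attribute)."""
    root = ET.fromstring(xml_text)
    header = root.find(f"{{{SOAP}}}Header")
    security = header.find(f"{{{WSSE}}}Security") if header is not None else None
    if security is None:
        raise ValueError("no wsse:Security header in message")
    uris = reference_uris(root)
    signed_ids = {u[1:] for u in uris if u.startswith("#")}
    # The attribute sits on wsse:Security, so it is signed if that element or
    # an ancestor is referenced, or if URI="" signs the whole document.
    covered = "" in uris
    for elem in (root, header, security):
        ids = {elem.get(f"{{{WSU}}}Id"), elem.get("Id")}
        covered = covered or bool(ids & signed_ids)
    return security.get(f"{{{SOAP}}}mustUnderstand"), covered

def is_must_understand_fault(xml_text):
    """True if a SOAP 1.1 response carries a MustUnderstand faultcode."""
    code = ET.fromstring(xml_text).findtext(f".//{{{SOAP}}}Fault/faultcode", "")
    return code.split(":")[-1].strip() == "MustUnderstand"
```

For a message shaped like the logged request, where only the Body is referenced, the check reports that the attribute is outside the signature, so editing it leaves the signature valid.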
