Hi Massimiliano,
Please correct me if I am wrong. As it seems to me, there is still a
possibility that the response from the server has a security header in it.
In the In flow of the server, the message path is
(client) -> rampart receiver -> MyTokenRequestDispatcher
In the Out flow of the server, the message path is
MyTokenRequestDispatcher -> rampart sender -> (client)
As it seems, you are printing the SOAP envelope from the
MyTokenRequestDispatcher.
As you can see from above, the Rampart Sender is not yet invoked when you print the
response. So if you have Rampart engaged on the server side, there is
still a chance that there can be a security header with mustUnderstand set to true in the
response, according to the configuration you have. Can you capture the SOAP request and
the response from the TCP Monitor? Then we will be able to see the
complete SOAP envelope coming out of the server.
Thanks,
Nandana
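The check that produces the "Must Understand check failed" fault is the one Axis2 runs on the client's In flow after all engaged handlers have had their turn. The following is an added example, not code from this thread or from Axis2/Rampart: a small offline script that mimics that check on a captured SOAP 1.2 envelope (the kind TCP Monitor would show). It lists the header blocks, reads the SOAP 1.2 `mustUnderstand` attribute (which counts only when namespace-qualified in the soap-envelope namespace), and reports the blocks that are flagged but not handled. The sample response, the `handled_namespaces` set and the rule "a block is handled if a module for its namespace is engaged" are constructed simplifications of what Axis2 does with per-block processed flags.

```python
"""Added example (not from this thread): replicate the client-side
mustUnderstand check on a captured SOAP 1.2 response envelope."""

import xml.etree.ElementTree as ET

SOAP12_NS = "http://www.w3.org/2003/05/soap-envelope"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSA_NS = "http://www.w3.org/2005/08/addressing"

# Constructed sample: a response in which the server's Rampart sender has
# added a WS-Security header flagged mustUnderstand. The unqualified
# mustUnderstand="1" on x:Audit is NOT the SOAP attribute and is ignored.
SAMPLE_RESPONSE = f"""<?xml version='1.0' encoding='utf-8'?>
<soapenv:Envelope xmlns:soapenv="{SOAP12_NS}" xmlns:wsa="{WSA_NS}">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="{WSSE_NS}" soapenv:mustUnderstand="true"/>
    <wsa:Action soapenv:mustUnderstand="1">urn:example:RSTR/Issue</wsa:Action>
    <wsa:RelatesTo>urn:uuid:constructed-0001</wsa:RelatesTo>
    <x:Audit xmlns:x="urn:example:audit" mustUnderstand="1"/>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""


def must_understand(block):
    """SOAP 1.2: the attribute lives in the envelope namespace and accepts
    '1'/'true' (and '0'/'false'); anything unqualified does not count."""
    value = block.get(f"{{{SOAP12_NS}}}mustUnderstand", "false").strip()
    return value in ("1", "true")


def header_blocks(envelope_xml):
    """Return the child elements of soapenv:Header (empty if no header)."""
    root = ET.fromstring(envelope_xml)
    header = root.find(f"{{{SOAP12_NS}}}Header")
    return list(header) if header is not None else []


def unhandled_must_understand(envelope_xml, handled_namespaces):
    """Return [(namespace, localname)] for every header block that is flagged
    mustUnderstand but has no engaged module for its namespace. A non-empty
    result is what Axis2 turns into an AxisFault on the client."""
    failures = []
    for block in header_blocks(envelope_xml):
        ns, _, local = block.tag[1:].partition("}")  # '{ns}local' -> ns, local
        if must_understand(block) and ns not in handled_namespaces:
            failures.append((ns, local))
    return failures


def format_faults(failures):
    """Render failures in the wording Axis2 uses for this condition."""
    return [f"Must Understand check failed for header {ns} : {local}"
            for ns, local in failures]


if __name__ == "__main__":
    # Client with only the addressing module engaged: Security is unhandled.
    for line in format_faults(unhandled_must_understand(SAMPLE_RESPONSE, {WSA_NS})):
        print(line)
    # Same response once Rampart is engaged on the client as well: no fault.
    print(unhandled_must_understand(SAMPLE_RESPONSE, {WSA_NS, WSSE_NS}))
```

Run it against an envelope captured from TCP Monitor instead of `SAMPLE_RESPONSE` to see exactly which header block the client is refusing; if `wsse:Security` shows up, the fix is on the client's engaged modules or on the server's out-flow policy, not in the request being built.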
On 1/5/08, Massimiliano Masi <[EMAIL PROTECTED]> wrote:
> Hi Nandana,
>
> Quoting Nandana Mihindukulasooriya <[EMAIL PROTECTED]>:
> > It seems you are getting this must understand check fail error because you
> > are getting a security header with a must understand true, in the response you get from the
> > service and not in the request that you create. Can you please take a look at that and the security
> > configuration of the service for the out flow?
>
> I rewrote the STSMessageReceiver. This is the incoming envelope:
>
> 13:11:08,189 DEBUG -
> com.spirit.XUA.utils.MyTokenRequestDispatcher.handle(MyTokenRequestDispatcher.java:44)
> - *********************** TokenRequestDispatcher
> received
> <?xml version='1.0' encoding='utf-8'?><soapenv:Envelope
> xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope"
> xmlns:wsa="http://www.w3.org/2005/08/addressing"><soapenv:Header><wsse:Security
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> mustUnderstand="0"
> /><wsa:To>https://localhost/SpiritXUAServer/services/IdentityProviderIBMLike</wsa:To><wsa:MessageID>urn:uuid:9840EA3FD9E92DCF421199535065940</wsa:MessageID><wsa:Action>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</wsa:Action></soapenv:Header><soapenv:Body><wst:RequestSecurityToken
> xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"><wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType><wsp:AppliesTo
> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"><EndpointReference><Address>http://localhost:8080/XDS/12/registry</Address></EndpointReference></wsp:AppliesTo><wst:Lifetime><wsu:Created
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2008-01-05T12:11:05.779Z</wsu:Created><wsu:Expires
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2008-01-05T12:16:05.779Z</wsu:Expires></wst:Lifetime><wst:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</wst:TokenType><wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType><wsp:AppliesTo
> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"><wsa:EndpointReference><wsa:Address>http://ihe.connecthaton.2008.XUA/X-ServiceProvider-NA2008</wsa:Address></wsa:EndpointReference></wsp:AppliesTo><wst:Base><wsse:UsernameToken
>
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:Username>Xuagood^User</wsse:Username><wsse:Password>xua</wsse:Password></wsse:UsernameToken></wst:Base></wst:RequestSecurityToken></soapenv:Body></soapenv:Envelope>
>
>
> and this is the outgoing envelope:
>
> 13:11:16,185 DEBUG -
> com.spirit.XUA.utils.MyTokenRequestDispatcher.handle(MyTokenRequestDispatcher.java:66)
> - *********************** TokenRequestDispatcher sent
> out
> <?xml version='1.0' encoding='utf-8'?><soapenv:Envelope
> xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope"><soapenv:Body><wst:RequestSecurityTokenResponse
> xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"><wst:TokenType>oasis:names:tc:SAML:2.0:assertion</wst:TokenType><wst:RequestedAttachedReference><wsse:SecurityTokenReference
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:Reference
> URI="#_7cec639dfaf8da1ff680853f79fd2c18"
> ValueType="oasis:names:tc:SAML:2.0:assertion"
> /></wsse:SecurityTokenReference></wst:RequestedAttachedReference><wsp:AppliesTo
> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"><wsa:EndpointReference
> xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsa:Address>http://ihe.connecthaton.2008.XUA/X-ServiceProvider-NA2008</wsa:Address></wsa:EndpointReference></wsp:AppliesTo><wst:RequestedSecurityToken><saml:Assertion
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
> ID="_7cec639dfaf8da1ff680853f79fd2c18"
> IssueInstant="2008-01-05T12:11:15.427Z" Version="2.0"><saml:Issuer
> Format="urn:oasis:names:SAML:2.0:nameid-format:entity"
> SPNameQualifier="spirit-idp" SPProvidedID="spirit-idp">Address:
> https://localhost/SpiritXUAServer/services/IdentityProviderIBMLike</saml:Issuer><ds:Signature
>
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:SignedInfo>
> <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
> />
> <ds:Reference URI="#_7cec639dfaf8da1ff680853f79fd2c18">
> <ds:Transforms>
> <ds:Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
> <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"><ec:InclusiveNamespaces
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml"
> /></ds:Transform>
> </ds:Transforms>
> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
> <ds:DigestValue>eOsEzD+7x0vh4T3Xz1LB+wNYLxb+dfD5VlINPB3NZqs=</ds:DigestValue>
> </ds:Reference>
> </ds:SignedInfo>
> <ds:SignatureValue>
> GFurmnokKM99DPG9etErMUPI85jidXpbA3TfnEA3cp1mn92lW5McbIw3t85ZXqIPGI/SavsieBxh
> 3/piRuyMDyKYVxe/luExPGErk9yZLFTsfRoi1KmTwCpLMa2GBOZ8d926j9jlEdNxYRhCaPcCCE7H
> IOx1cKSqJVKWhVv236E=
> </ds:SignatureValue>
> </ds:Signature><saml:Subject><saml:NameID>Xuagood^User</saml:NameID><saml:SubjectConfirmation
> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"
> /></saml:Subject><saml:Conditions NotBefore="2008-01-05T12:11:15.427Z"
> NotOnOrAfter="2008-01-05T13:11:15.427Z"><saml:AudienceRestriction><saml:Audience>http://ihe.connecthaton.2008.XUA/X-ServiceProvider-NA2008</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement
> AuthnInstant="2008-01-05T12:11:15.427Z"
> SessionNotOnOrAfter="2008-01-05T13:11:15.427Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion></wst:RequestedSecurityToken><wst:Status><wst:Code>http://schemas.xmlsoap.org/ws/2005/02/trust/status/valid</wst:Code></wst:Status></wst:RequestSecurityTokenResponse></soapenv:Body></soapenv:Envelope>
>
>
> and just after this, I get:
>
> Must Understand check failed for header
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
> :
> Security
>
> As you can see, there is no mustUnderstand="1". I've no idea how to
> proceed...
>
> This is the complete stack trace:
>
> 13:11:16,569 ERROR [STDERR] org.apache.axis2.AxisFault: Must
> Understand check failed for header
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
> :
> Security
> 13:11:16,571 ERROR [STDERR] at
> org.apache.axis2.engine.AxisEngine.checkMustUnderstand(AxisEngine.java:86)
> 13:11:16,572 ERROR [STDERR] at
> org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:135)
> 13:11:16,572 ERROR [STDERR] at
> org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:336)
> 13:11:16,573 ERROR [STDERR] at
> org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:389)
> 13:11:16,573 ERROR [STDERR] at
> org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:211)
> 13:11:16,574 ERROR [STDERR] at
> org.apache.axis2.client.OperationClient.execute(OperationClient.java:163)
> 13:11:16,575 ERROR [STDERR] at
> org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:528)
> 13:11:16,575 ERROR [STDERR] at
> com.spirit.XUA.utils.MySTSClient.requestSecurityTokenWithSSL(MySTSClient.java:222)
> 13:11:16,577 ERROR [STDERR] at
> com.spirit.XUA.utils.XUAAssertions.getAuthenticatedViaWSTrustAsPlain(XUAAssertions.java:553)
> 13:11:16,577 ERROR [STDERR] at
> com.tmed.report.xds.io.XUAHandler.askNewAssertion(XUAHandler.java:90)
> 13:11:16,578 ERROR [STDERR] at com.tmed.report.Login.doGet(Login.java:83)
> 13:11:16,578 ERROR [STDERR] at com.tmed.report.Login.doPost(Login.java:128)
> 13:11:16,579 ERROR [STDERR] at
> javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
> 13:11:16,579 ERROR [STDERR] at
> javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
> 13:11:16,580 ERROR [STDERR] at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
> 13:11:16,580 ERROR [STDERR] at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> 13:11:16,581 ERROR [STDERR] at
> org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
> 13:11:16,581 ERROR [STDERR] at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> 13:11:16,582 ERROR [STDERR] at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> 13:11:16,582 ERROR [STDERR] at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
> 13:11:16,583 ERROR [STDERR] at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
> 13:11:16,583 ERROR [STDERR] at
> org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179)
> 13:11:16,583 ERROR [STDERR] at
> org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
> 13:11:16,584 ERROR [STDERR] at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
> 13:11:16,585 ERROR [STDERR] at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
> 13:11:16,585 ERROR [STDERR] at
> org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
> 13:11:16,585 ERROR [STDERR] at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
> 13:11:16,586 ERROR [STDERR] at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
> 13:11:16,586 ERROR [STDERR] at
> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
> 13:11:16,588 ERROR [STDERR] at
> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
> 13:11:16,588 ERROR [STDERR] at
> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
> 13:11:16,589 ERROR [STDERR] at java.lang.Thread.run(Thread.java:613)
>
>
> Thank you,
>
> Massimiliano