[
https://issues.apache.org/jira/browse/RAMPART-197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12726385#action_12726385
]
Diego Moore commented on RAMPART-197:
-------------------------------------
While I don't have access to source code I've been told by a developer that
this is a major issue with WCF too and there is no known workaround. WCF just
simply does not like the empty security header!
We're using WSF-PHP which in turn uses axis2c and therefore rampartc. A
solution on the server side is to include TimeStamps but we're also having
issues with wsf-php 2.0 and timestamps.
I've checked the spec and can't see anything else that could be added to the
security headers as we're just using username token for authentication.
Can I please suggest that this is changed from a feature to a bug? Otherwise
what's the point of Web Services if it's not interoperable with two other
frameworks (Oracle and WCF) which happen to be widely used throughout...
> Rampart handler not processing empty security header with mustUnderstand="1"
> ----------------------------------------------------------------------------
>
> Key: RAMPART-197
> URL: https://issues.apache.org/jira/browse/RAMPART-197
> Project: Rampart
> Issue Type: Improvement
> Affects Versions: 1.4
> Environment: Oracle application server 10.1.3, embedded OC4J in
> JDeveloper & Eclipse used for testing.
> Reporter: Taariq Levack
> Assignee: Nandana Mihindukulasooriya
> Fix For: 1.4
>
>
> The application server returns a response that contains an empty security
> header and this is not processed by the Rampart handler and a fault is
> generated.
> As per Nandana the solution is to flag the empty header as processed when it
> expects nothing in the security header, for interoperability.
> This is the request header, simple username token....
> <soapenv:Header>
>   <wsse:Security
>       xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>       soapenv:mustUnderstand="1">
>     <wsse:UsernameToken
>         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>         wsu:Id="UsernameToken-3201085">
>       <wsse:Username>USERNAME</wsse:Username>
>       <wsse:Password
>           Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">PASSWORD</wsse:Password>
>     </wsse:UsernameToken>
>   </wsse:Security>
> </soapenv:Header>
> And this is the response header
> <env:Header>
>   <wsse:Security
>       xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>       xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>       xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
>       env:mustUnderstand="1"/>
> </env:Header>
> Exception in thread "main" org.apache.axis2.AxisFault: Must Understand check failed for header http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd : Security
> at org.apache.axis2.engine.AxisEngine.checkMustUnderstand(AxisEngine.java:102)
> at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:166)
> at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:363)
> at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:416)
> at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:228)
> at org.apache.axis2.client.OperationClient.execute(OperationClient.java:163)
> at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:548)
> at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:528)
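The rule quoted in the issue (flag an empty security header as processed only when nothing is expected in it) can be sketched as follows. This is an added example, not Rampart or Axis2 code: classify_security_header, make_envelope and the policy_expects_security flag are hypothetical names, and the envelope is a constructed sample modelled on the response header above.

```python
import xml.etree.ElementTree as ET

WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
SOAP_NS = ("http://schemas.xmlsoap.org/soap/envelope/",   # SOAP 1.1
           "http://www.w3.org/2003/05/soap-envelope")     # SOAP 1.2

def classify_security_header(envelope_xml, policy_expects_security):
    """Return (decision, must_understand) for the wsse:Security header.

    policy_expects_security is a hypothetical flag standing in for the
    receiver's policy: True when the message must carry a timestamp,
    signature or other security element.
    """
    root = ET.fromstring(envelope_xml)
    for soap in SOAP_NS:
        header = root.find(f"{{{soap}}}Header")
        sec = header.find(f"{{{WSSE}}}Security") if header is not None else None
        if sec is None:
            continue
        must = sec.get(f"{{{soap}}}mustUnderstand", "0") in ("1", "true")
        empty = len(sec) == 0 and not (sec.text or "").strip()
        if not empty:
            return "process", must          # normal security processing
        if policy_expects_security:
            return "reject-empty", must     # required elements are missing
        return "accept-empty", must         # nothing expected: mark as processed
    return "absent", False

def make_envelope(security_children=""):
    # Constructed sample modelled on the response header in the issue.
    return (f'<env:Envelope xmlns:env="{SOAP_NS[0]}"><env:Header>'
            f'<wsse:Security xmlns:wsse="{WSSE}" env:mustUnderstand="1">'
            f'{security_children}</wsse:Security></env:Header>'
            f'<env:Body/></env:Envelope>')

if __name__ == "__main__":
    empty = make_envelope()
    print(classify_security_header(empty, policy_expects_security=False))
    print(classify_security_header(empty, policy_expects_security=True))
```

The "reject-empty" branch is what keeps the interoperability fix from weakening enforcement: an empty header still faults whenever the policy requires security content in the message.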