Ruwan

I think it's enough to set the anonymous one as long as we send it. That might just fix everything.

Paul

On Sun, Jun 8, 2008 at 2:22 PM, Ruwan Linton <[EMAIL PROTECTED]> wrote:
> Hi Jeff and Paul,
>
> I was able to reproduce the issue, basically whatever we specify as the
> ReplyTo header Addressing module changes it to anonymous for the outbound
> message and neglects sending it. So setting the ReplyTo header is not
> effective for the moment. Jeff, could you please file a JIRA for this. At
> the same time I had a look at what Paul proposed and it seems to work but
> still it is just the anonymous address but not the one we set. You could use
> the property mediator at the axis2-client scope to set this property as
> follows to include the anonymous header;
>
> <syn:property name="includeOptionalHeaders" value="true" scope="axis2-client"/>
>
> Or if you use separateListener attribute to true with the enableAddressing
> tag then you can see the non anonymous ReplyTo header is being sent to the
> service.
>
> I will look for a solution to this issue ASAP. Thanks Jeff for pointing this
> out.
>
> Thanks,
> Ruwan
>
> On Sun, Jun 8, 2008 at 1:40 PM, Paul Fremantle <[EMAIL PROTECTED]> wrote:
>
>> Jeff
>>
>> Thanks for the feedback. Please can you submit your code as a sample?
>> We will definitely try to fix the bug. I agree Rampart should not be
>> causing addressing headers to appear. The reason that the anonymous
>> header is being stripped out is because the WS-A spec says that no
>> reply-to is equivalent to anonymous, so there is a bug in Amazon.
>> However, there is a way in Axis2 to turn this behaviour off.
>>
>> options.setProperty(AddressingConstants.INCLUDE_OPTIONAL_HEADERS, Boolean.TRUE);
>>
>> So another way to sort that out will be to set that property on the Axis2
>> MC.
>>
>> Paul
>>
>> On Sun, Jun 8, 2008 at 6:24 AM, Jeff Davis <[EMAIL PROTECTED]> wrote:
>> > Turns out my work-around really didn't solve the problem (because
>> > Axis/Rampart is anticipating a WS-Addressing reply, and since I've stripped
>> > it out downstream, I'd have to add it back manually).
>> >
>> > The crux of the issue is that I cannot figure out how to add this:
>> >
>> > <wsa:ReplyTo><wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address></wsa:ReplyTo>
>> >
>> > To my WS-Addressing part of my SOAP header.
>> >
>> > I believe it ought to be present, but it's not, as I've confirmed through
>> > TCPMon. I've tried everything I can think of to get it to appear, but thus
>> > far have had no luck.
>> >
>> > Thanks,
>> >
>> > jeff
>> >
>> > On Sat, Jun 7, 2008 at 9:23 PM, Jeff Davis <[EMAIL PROTECTED]> wrote:
>> >
>> >> Maybe it's not a bug but a feature request :-).
>> >>
>> >> I see two issues:
>> >>
>> >> 1) WS-Security automatically adds undesirable WS-Addressing elements (IMO,
>> >> this should only happen when enableAddressing is specified). I don't see
>> >> anything in the WS-Security spec that indicates WS-Addressing is required. I
>> >> don't see a way to turn this behavior off in Synapse, without resorting to a
>> >> workaround such as I demonstrated (i.e., chaining together 2 sequences,
>> >> within one removing the undesirable WS-Addressing elements).
>> >>
>> >> 2) I didn't see a way to add the ReplyTo WS-Addressing element (and its
>> >> child node Address) using the header mechanism (or property, for that
>> >> matter). This was the crux of my issue, as, for some reason, Amazon expected
>> >> a ReplyTo. I suspect this is probably easily possible, but just wasn't able
>> >> to figure it out.
>> >>
>> >> Btw, I was able to successfully interact with Amazon's SimpleDB now! I hope
>> >> to write up a blog entry on my findings (I am actually also writing the book
>> >> called Open Source SOA from Manning, and I am including a big chapter on
>> >> Synapse, which I am a huge fan of).
>> >>
>> >> To be honest, a lot of this WS-Security stuff is rather new to me, so I'm
>> >> feverishly trying to get a handle on it (the Manning book SOA Security has
>> >> been a big help). I have used PasswordDigest mechanism a lot, but not that
>> >> signing with x509 certs as much.
>> >>
>> >> jeff
>> >>
>> >> On Sat, Jun 7, 2008 at 8:42 PM, Ruwan Linton <[EMAIL PROTECTED]> wrote:
>> >>
>> >>> Hi Jeff,
>> >>>
>> >>> What is the bug from your POV? I am sorry, I don't see a bug here.....
>> >>>
>> >>> Well you could go ahead and file a JIRA so that we can evaluate what is the
>> >>> issue that you have faced and see whether there is something wrong with
>> >>> Synapse, but I assume this is rather a configuration error.
>> >>>
>> >>> Thanks,
>> >>> Ruwan
>> >>>
>> >>> On Sun, Jun 8, 2008 at 7:45 AM, Jeff Davis <[EMAIL PROTECTED]> wrote:
>> >>>
>> >>> > As a follow-up, I was running it through tcpmon, which is why it had the
>> >>> > strange address.
>> >>> >
>> >>> > Yes, I am running the latest 1.2 build from the URL provided me last
>> >>> > Thursday, I believe.
>> >>> >
>> >>> > Should I submit this as a bug?
>> >>> >
>> >>> > On Sat, Jun 7, 2008 at 8:11 PM, Ruwan Linton <[EMAIL PROTECTED]> wrote:
>> >>> >
>> >>> > > Hi Jeff,
>> >>> > >
>> >>> > > If you enable addressing to the outbound message then Synapse should be
>> >>> > > sending the ReplyTo header as appropriate. Maybe Amazon is not accepting
>> >>> > > anonymous ReplyTo headers, so assuming that you are using the 1.2 build
>> >>> > > here is the proposed solution to this;
>> >>> > >
>> >>> > > <definitions xmlns="http://ws.apache.org/ns/synapse">
>> >>> > >   <localEntry key="sec_policy"
>> >>> > >       src="file:repository/conf/sample/resources/policy/amazon.xml"/>
>> >>> > >
>> >>> > >   <in>
>> >>> > >     <send>
>> >>> > >       <endpoint name="secure">
>> >>> > >         <address uri="http://localhost:8086">
>> >>> > >           <enableSec policy="sec_policy"/>
>> >>> > >           <enableAddressing separateListener="true"/>
>> >>> > >         </address>
>> >>> > >       </endpoint>
>> >>> > >     </send>
>> >>> > >   </in>
>> >>> > >   <out>
>> >>> > >     <header name="wsse:Security" action="remove"
>> >>> > >         xmlns:wsse="http://www.w3.org/2005/08/addressing"/>
>> >>> > >     <send/>
>> >>> > >   </out>
>> >>> > > </definitions>
>> >>> > >
>> >>> > > The above configuration should work, but please note that you need to
>> >>> > > change the address uri of the endpoint in the above configuration from
>> >>> > > "http://localhost:8086" to "AMAZON_URL"
>> >>> > >
>> >>> > > If this is not working could you please attach the TCPMon output of the
>> >>> > > outbound message which is going to AMAZON (after changing important
>> >>> > > information) and the message received from AMAZON. If you don't want to
>> >>> > > post it publicly you may send it to me (mailto:[EMAIL PROTECTED]
>> >>> > > <[EMAIL PROTECTED]>)
>> >>> > >
>> >>> > > Thanks,
>> >>> > > Ruwan
>> >>> > >
>> >>> > > On Sun, Jun 8, 2008 at 7:01 AM, Jeff Davis <[EMAIL PROTECTED]> wrote:
>> >>> > >
>> >>> > > > I did a little research, and I haven't seen anything in the standard that
>> >>> > > > indicates WS-Security requires WS-Addressing. Unfortunately, it doesn't
>> >>> > > > appear as though setting the header has any impact (further, if it did, the
>> >>> > > > ReplyTo has a child element for the Address, so not sure how that would be
>> >>> > > > added). Here's my configuration:
>> >>> > > >
>> >>> > > > <definitions xmlns="http://ws.apache.org/ns/synapse">
>> >>> > > >   <localEntry key="sec_policy"
>> >>> > > >       src="file:repository/conf/sample/resources/policy/amazon.xml"/>
>> >>> > > >
>> >>> > > >   <in>
>> >>> > > >     <header name="ReplyTo" action="set" value=""/>
>> >>> > > >     <send>
>> >>> > > >       <endpoint name="secure">
>> >>> > > >         <address uri="http://localhost:8086">
>> >>> > > >           <enableSec policy="sec_policy"/>
>> >>> > > >           <enableAddressing/>
>> >>> > > >         </address>
>> >>> > > >       </endpoint>
>> >>> > > >     </send>
>> >>> > > >   </in>
>> >>> > > >   <out>
>> >>> > > >     <send/>
>> >>> > > >   </out>
>> >>> > > > </definitions>
>> >>> > > >
>> >>> > > > In lieu of the above header, I also tried:
>> >>> > > >
>> >>> > > > <header name="wsse:Security" action="remove"
>> >>> > > >     xmlns:wsse="http://www.w3.org/2005/08/addressing"/>
>> >>> > > >
>> >>> > > > (I also tried removing the <enableAddressing/> node for each test).
>> >>> > > >
>> >>> > > > To recap my issue, it seems as though Amazon AWS (at least for SimpleDB
>> >>> > > > service) requires the ReplyTo WS-Addressing element, if WS-Addressing is
>> >>> > > > used. I haven't found a way to remove WS-Addressing generated automatically
>> >>> > > > by Synapse when WS-Security is used, and I haven't figured out how to add
>> >>> > > > ReplyTo (and its child Address node) to the outbound message.
>> >>> > > >
>> >>> > > > Anyone have any work-arounds? Maybe I'll try chaining together some things
>> >>> > > > to see if I can devise something.
>> >>> > > >
>> >>> > > > Thanks,
>> >>> > > >
>> >>> > > > jeff
>> >>> > > >
>> >>> > > > On Sat, Jun 7, 2008 at 9:25 AM, Asankha C. Perera <[EMAIL PROTECTED]> wrote:
>> >>> > > >
>> >>> > > > > Hi Jeff
>> >>> > > > >
>> >>> > > > >> To be honest, I'm not entirely certain how to add it in the Header
>> >>> > > > >> mediator, as you allude to. I did try various permutations of using the
>> >>> > > > >> property and header nodes within the <in>, but nothing ever appeared.
>> >>> > > > >>
>> >>> > > > > I am sorry.. I had made a mistake in my reply earlier.. to set the ReplyTo
>> >>> > > > > header to something, you will use "<header name="ReplyTo" value="..."/>"
>> >>> > > > > format.. If you are familiar with using TCPMon, you can place it between
>> >>> > > > > your service and Amazon and route the message through it to get a trace of
>> >>> > > > > the messages. This will help you and us to solve any problems.
>> >>> > > > >
>> >>> > > > >> Obviously, Amazon's service is not entirely compliant with the WS-Security
>> >>> > > > >> standards. Even in their section under WS-Security SOAP, they state that
>> >>> > > > >> "if you're using WS-Addressing, we recommend you also sign the Action and To
>> >>> > > > >> header elements" (I haven't figured out how to do that yet, but I'll dig
>> >>> > > > >> into that).
>> >>> > > > >>
>> >>> > > > > If you are ok to share your configuration/scenario with us or let us try
>> >>> > > > > some simple sample to reproduce the issue you are facing, one of the
>> >>> > > > > developers would be able to tell you exactly what's wrong, and what you could
>> >>> > > > > do to get past the problem
>> >>> > > > >
>> >>> > > > > asankha
>> >>> > > > >
>> >>> > >
>> >>> > > --
>> >>> > > Ruwan Linton
>> >>> > > http://www.wso2.org - "Oxygenating the Web Services Platform"
>> >>> > >
>> >>>
>> >>> --
>> >>> Ruwan Linton
>> >>> http://www.wso2.org - "Oxygenating the Web Services Platform"
>> >>>
>>
>> --
>> Paul Fremantle
>> Co-Founder and CTO, WSO2
>> Apache Synapse PMC Chair
>> OASIS WS-RX TC Co-chair
>>
>> blog: http://pzf.fremantle.org
>> [EMAIL PROTECTED]
>>
>> "Oxygenating the Web Service Platform", www.wso2.com
>>
>
> --
> Ruwan Linton
> http://www.wso2.org - "Oxygenating the Web Services Platform"
>

--
Paul Fremantle
Co-Founder and CTO, WSO2
Apache Synapse PMC Chair
OASIS WS-RX TC Co-chair

blog: http://pzf.fremantle.org
[EMAIL PROTECTED]

"Oxygenating the Web Service Platform", www.wso2.com

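
Added example, not part of the original thread and not Synapse or Axis2 code: a Python check for TCPMon-style captures that applies the WS-Addressing rule cited in the thread (an absent ReplyTo means the anonymous address) and flags envelopes that carry WS-Addressing headers but leave ReplyTo implicit, the case the thread reports Amazon rejecting. The envelopes, the endpoint URL and the action URN are constructed samples, and the function names are this example's own.

```python
import xml.etree.ElementTree as ET

WSA_NS = "http://www.w3.org/2005/08/addressing"
WSA_ANONYMOUS = WSA_NS + "/anonymous"


def _local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def reply_to_status(envelope_xml):
    """Return (uses_wsa, explicit_reply_to, effective_address)."""
    if "<!DOCTYPE" in envelope_xml:
        # SOAP forbids DTDs; refuse rather than let the parser expand entities.
        raise ValueError("DTD found in SOAP message")
    root = ET.fromstring(envelope_xml)
    header = next((c for c in root if _local(c.tag) == "Header"), None)
    blocks = list(header) if header is not None else []
    wsa = [b for b in blocks if b.tag.startswith("{" + WSA_NS + "}")]
    reply_to = next((b for b in wsa if _local(b.tag) == "ReplyTo"), None)
    if reply_to is None:
        # WS-Addressing default: an absent ReplyTo means the anonymous address.
        return bool(wsa), False, WSA_ANONYMOUS
    address = reply_to.findtext("{%s}Address" % WSA_NS, default="").strip()
    return True, True, address


def needs_explicit_reply_to(envelope_xml):
    """True when WS-A headers are sent but ReplyTo is left implicit."""
    uses_wsa, explicit, _ = reply_to_status(envelope_xml)
    return uses_wsa and not explicit


def sample_envelope(headers):
    """Build a constructed sample envelope (not a real capture)."""
    return ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"'
            ' xmlns:wsa="%s"><soap:Header>%s</soap:Header><soap:Body/>'
            '</soap:Envelope>' % (WSA_NS, headers))


BASE = ("<wsa:To>https://service.example/</wsa:To>"
        "<wsa:Action>urn:example:Operation</wsa:Action>")
IMPLICIT = sample_envelope(BASE)  # ReplyTo absent, as reported in the thread
EXPLICIT = sample_envelope(BASE + "<wsa:ReplyTo><wsa:Address>\n%s\n</wsa:Address>"
                           "</wsa:ReplyTo>" % WSA_ANONYMOUS)

if __name__ == "__main__":
    for name, env in (("implicit", IMPLICIT), ("explicit", EXPLICIT)):
        print(name, reply_to_status(env), needs_explicit_reply_to(env))
```

Both sample envelopes resolve to the same effective reply address; only the first is flagged, which is the interoperability difference the thread is about.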