axis2+rampart:必须了解标题安全检查失败
在服务器内部错误的情况下,我对 axis2+rampart WS-Security 响应有问题。 当服务器返回“200 OK”时,一切似乎都正常。 Rampart 检查响应是否具有正确的时间戳、签名并解密函数响应 XML。但是当服务器返回“500内部服务器错误”时,axis2/rapart抛出异常:
ERROR Thread-11 org.apache.axis2.engine.AxisEngine - Must Understand check failed for header
我认为答案有问题并用soapUI进行了测试。无论是安全形式还是解密形式,都会有类似的响应。这些响应仅在 HTTP 状态、指示错误的 XML 响应代码以及 SOAP 标记的大小写方面有所不同。如果响应良好,则会出现
<SOAP-ENV:Envelope ...
如果出现错误:
<soap:Envelope ...
结构的其余部分(包括 mustUnderstand="1")是相同的。
在axis2.xml中,我将InFlow和InFaultFlow配置为与顺序相同:
<phase name="Addressing">...</phase>
<phase name="Security"/>
<phase name="PreDispatch"/>
我启用了对我的客户端的跟踪,如果响应良好,我请参阅:
DEBUG Thread-11 org.apache.rampart.RampartEngine - Enter process(MessageContext msgCtx)
DEBUG Thread-11 org.apache.axis2.engine.Phase - [MessageContext: logID=urn:uuid:UUID] Invoking Handler 'SecurityInHandler' in Phase 'Security'
...there is decrypted message
DEBUG Thread-11 org.apache.rampart.handler.WSDoAllReceiver - WSDoAllReceiver: exit invoke()
DEBUG Thread-11 org.apache.axis2.engine.Phase - [MessageContext: logID=urn:uuid:UUID] Checking post-conditions for phase "Security"
DEBUG Thread-11 org.apache.axis2.engine.Phase - [MessageContext: logID=urn:uuid:UUID] Checking pre-condition for Phase "PreDispatch"
...
在错误的情况下没有这样的跟踪:
DEBUG Thread-11 org.apache.rampart.RampartEngine - Enter process(MessageContext msgCtx)
DEBUG Thread-11 org.apache.axis2.engine.Phase - [MessageContext: logID=urn:uuid:UUID] Checking post-conditions for phase "Security"
DEBUG Thread-11 org.apache.axis2.engine.Phase - [MessageContext: logID=urn:uuid:UUID] Checking pre-condition for Phase "PreDispatch"
...
DEBUG Thread-11 org.apache.axis2.engine.Phase - [MessageContext: logID=urn:uuid:UUID] Checking post-conditions for phase "soapmonitorPhase"
DEBUG Thread-11 org.apache.axis2.engine.AxisEngine - MustUnderstand header not processed or registered as understood{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security
DEBUG Thread-11 org.apache.axis2.i18n.ProjectResourceBundle - org.apache.axis2.i18n.resource::handleGetObject(mustunderstandfailed)
ERROR Thread-11 org.apache.axis2.engine.AxisEngine - Must Understand check failed for header http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd : Security
org.apache.axis2.AxisFault: Must Understand check failed for header http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd : Security
at org.apache.axis2.engine.AxisEngine.checkMustUnderstand(AxisEngine.java:97)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:163)
at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:364)
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:417)
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:229)
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:165)
没有 SecurityInHandler 调用。
我希望看到解密的消息,就像肥皂UI 中的“200 OK”状态或类似情况一样。 有什么想法我的配置有什么问题吗?
编辑
我已经检查过,只有在“500内部服务器错误”的情况下才会出现此类错误。如果服务器回复“200 OK”和相同的加密内容,则 axis2 能够解密它!
I have problem with axis2+rampart WS-Security response in case of server internal error.
When server returns "200 OK" all seems ok. Response is checked by rampart if it has proper timestamp, signature and decrypts function response XML. But when server returns "500 Internal Server Error" axis2/rapart throws exception:
ERROR Thread-11 org.apache.axis2.engine.AxisEngine - Must Understand check failed for header
I thought there is something wrong with answer and tested it with soapUI. There comes similar response both in secured and decrypted form. Those responses differ only by HTTP status, XML response code indicating error, and case of SOAP tags. In case of good response there is
<SOAP-ENV:Envelope ...
In case of error:
<soap:Envelope ...
Rest of the structure, including mustUnderstand="1" is the same.
In axis2.xml I configured InFlow and InFaultFlow to be the same with order:
<phase name="Addressing">...</phase>
<phase name="Security"/>
<phase name="PreDispatch"/>
I enabled tracing of my client and in case of good reponse I see:
DEBUG Thread-11 org.apache.rampart.RampartEngine - Enter process(MessageContext msgCtx)
DEBUG Thread-11 org.apache.axis2.engine.Phase - [MessageContext: logID=urn:uuid:UUID] Invoking Handler 'SecurityInHandler' in Phase 'Security'
...there is decrypted message
DEBUG Thread-11 org.apache.rampart.handler.WSDoAllReceiver - WSDoAllReceiver: exit invoke()
DEBUG Thread-11 org.apache.axis2.engine.Phase - [MessageContext: logID=urn:uuid:UUID] Checking post-conditions for phase "Security"
DEBUG Thread-11 org.apache.axis2.engine.Phase - [MessageContext: logID=urn:uuid:UUID] Checking pre-condition for Phase "PreDispatch"
...
There is no such trace in the case of error:
DEBUG Thread-11 org.apache.rampart.RampartEngine - Enter process(MessageContext msgCtx)
DEBUG Thread-11 org.apache.axis2.engine.Phase - [MessageContext: logID=urn:uuid:UUID] Checking post-conditions for phase "Security"
DEBUG Thread-11 org.apache.axis2.engine.Phase - [MessageContext: logID=urn:uuid:UUID] Checking pre-condition for Phase "PreDispatch"
...
DEBUG Thread-11 org.apache.axis2.engine.Phase - [MessageContext: logID=urn:uuid:UUID] Checking post-conditions for phase "soapmonitorPhase"
DEBUG Thread-11 org.apache.axis2.engine.AxisEngine - MustUnderstand header not processed or registered as understood{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security
DEBUG Thread-11 org.apache.axis2.i18n.ProjectResourceBundle - org.apache.axis2.i18n.resource::handleGetObject(mustunderstandfailed)
ERROR Thread-11 org.apache.axis2.engine.AxisEngine - Must Understand check failed for header http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd : Security
org.apache.axis2.AxisFault: Must Understand check failed for header http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd : Security
at org.apache.axis2.engine.AxisEngine.checkMustUnderstand(AxisEngine.java:97)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:163)
at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:364)
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:417)
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:229)
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:165)
There is no SecurityInHandler invocation.
I would like to see decrypted message just like in case of "200 OK" status or like in soapUI.
Any ideas what is wrong with my configuration?
EDIT
I have checked that I got such error only in case of "500 Internal Server Error". If server reply with "200 OK" and the same encrypted content then axis2 is able to decrypt it!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
我会回答自己:
我搜索了 Rampart 源代码以查看
SecurityInHandler在哪里。它位于rampart-1.5.1.mar的META-INF/module.xml中,但仅位于I will answer myself:
I searched Rampart sources to see where
SecurityInHandleris. It was inMETA-INF/module.xmloframpart-1.5.1.mar, but only in<InFlow>section. I copied it to<InFaultFlow>and it works! Now my<InFaultFlow>section looks like: