[Architecture] WS-Security mustUnderstand attribute not initialised correctly

Dmitry Lukyanov dlukyanov at ukr.net
Tue Feb 2 12:49:46 EST 2010


Hello,

I posted the question on the forum, but it has stayed unanswered for almost three weeks.
http://wso2.org/forum/thread/9130

Here are the new details and facts.
I ran these tests today on WSAS 3.1.3.

Steps:

1. Extract WSAS 3.1.3 and start it.
2. Use the soapUI client to call the pre-installed HelloService, but specify a security header.
2.1.  Note: HelloService is unsecured.
2.2.  The header must contain the attribute mustUnderstand="0":
<soap:Header>
  <wsse:Security soap:mustUnderstand="0"  
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <wsu:Timestamp wsu:Id="Timestamp-4"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsu:Created>2010-02-02T16:12:20Z</wsu:Created>
    </wsu:Timestamp>
    <wsse:UsernameToken wsu:Id="UsernameToken-3"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsse:Username>admin</wsse:Username>
      <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">admin</wsse:Password>
    </wsse:UsernameToken>
  </wsse:Security>
</soap:Header>
--
Expected result:

According to W3C (http://www.w3.org/TR/2000/NOTE-SOAP-20000508/#_Toc478383500),
the service must return the correct result, because soap:mustUnderstand="0" was specified for the security header.

But the actual result is an exception:
org.apache.axis2.AxisFault: Must Understand check failed for header http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd : Security
        at org.apache.axis2.engine.AxisEngine.checkMustUnderstand(AxisEngine.java:102)
        at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:168)
        ...
--
I am sure this is a bug at the level of parsing the headers of the incoming SOAP message.

How I checked it:

I created a simple handler that prints the mustUnderstand attribute value of all header blocks:

package org.abi.axis.handler;

import java.util.Iterator;

import org.apache.axiom.soap.SOAPEnvelope;
import org.apache.axiom.soap.SOAPHeader;
import org.apache.axiom.soap.SOAPHeaderBlock;
import org.apache.axis2.AxisFault;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.engine.Handler.InvocationResponse;
import org.apache.axis2.handlers.AbstractHandler;

public class GetMustUnderstand extends AbstractHandler {
    public InvocationResponse invoke(MessageContext msgContext) throws AxisFault {
        // Print the mustUnderstand flag of every header block exactly as Axis2 parsed it
        SOAPEnvelope env = msgContext.getEnvelope();
        SOAPHeader header = env.getHeader();
        if (header != null) {
            for (Iterator itr = header.getChildElements(); itr.hasNext();) {
                SOAPHeaderBlock headerBlock = (SOAPHeaderBlock) itr.next();
                System.out.println(this.getName() + ": "
                        + headerBlock.getQName().getLocalPart() + "=" + headerBlock.getMustUnderstand());
            }
        }
        return InvocationResponse.CONTINUE;
    }
}

And added it at the very beginning of the InFlow in axis2.xml:
    <phaseOrder type="InFlow">
        <!--  System pre defined phases       -->
        <phase name="Transport">
            <handler name="GetMustUnderstand-01" class="org.abi.axis.handler.GetMustUnderstand"/>
            <handler name="RequestURIBasedDispatcher"
            ...

Every time, I get this in the server console:
GetMustUnderstand-01: Security=true

At the end of the InFlow phase, if there are any non-processed headers with mustUnderstand=true,
the Axis engine will throw the exception mentioned above.
--
I kindly ask you to register and correct this error for WSAS, DataServices, and the other Carbon platforms.
--
Regards,
  Dmitry
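To make the expected behaviour concrete, the following is an added Python check (not part of the original post, nor of Axis2 or WSAS) that reads the soap:mustUnderstand attribute of each header block the way SOAP 1.1 and 1.2 define it and reports which unprocessed blocks must produce a MustUnderstand fault. The envelope is a constructed test message shaped like the one in the report; the function and constant names are the example's own.

```python
import xml.etree.ElementTree as ET

SOAP11_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP12_ENV = "http://www.w3.org/2003/05/soap-envelope"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"

# Lexical forms each version allows: SOAP 1.1 only "0"/"1"; SOAP 1.2 also xs:boolean words.
MU_TRUE = {SOAP11_ENV: {"1"}, SOAP12_ENV: {"1", "true"}}
MU_FALSE = {SOAP11_ENV: {"0"}, SOAP12_ENV: {"0", "false"}}


def header_blocks(envelope_xml):
    """Return [(qname, must_understand)] for every child of soap:Header.

    Only an attribute in the envelope namespace counts (an unprefixed mustUnderstand
    is an ordinary attribute). A value outside the allowed set raises instead of
    being silently read as either true or false."""
    root = ET.fromstring(envelope_xml)
    env_ns = root.tag[1:].split("}")[0]
    if env_ns not in MU_TRUE:
        raise ValueError("not a SOAP 1.1/1.2 Envelope")
    header = root.find(f"{{{env_ns}}}Header")
    blocks = []
    for block in ([] if header is None else header):
        raw = block.get(f"{{{env_ns}}}mustUnderstand")
        if raw is None or raw in MU_FALSE[env_ns]:
            blocks.append((block.tag, False))
        elif raw in MU_TRUE[env_ns]:
            blocks.append((block.tag, True))
        else:
            raise ValueError(f"invalid mustUnderstand value {raw!r} on {block.tag}")
    return blocks


def must_understand_check(envelope_xml, understood):
    """QNames of header blocks that require a MustUnderstand fault: flagged true
    and not in `understood` (the set of blocks some handler marked as processed)."""
    return [q for q, mu in header_blocks(envelope_xml) if mu and q not in understood]


def sample_envelope(mu_value):
    """Constructed SOAP 1.1 request shaped like the one in the report: a call to an
    unsecured service carrying a wsse:Security header with mustUnderstand=mu_value."""
    return (
        f'<soap:Envelope xmlns:soap="{SOAP11_ENV}"><soap:Header>'
        f'<wsse:Security soap:mustUnderstand="{mu_value}" xmlns:wsse="{WSSE}">'
        "<wsse:UsernameToken><wsse:Username>admin</wsse:Username></wsse:UsernameToken>"
        "</wsse:Security></soap:Header><soap:Body/></soap:Envelope>"
    )


if __name__ == "__main__":
    # Nothing processed the Security block: "0" must not fault, "1" must.
    print(must_understand_check(sample_envelope("0"), set()))  # empty list
    print(must_understand_check(sample_envelope("1"), set()))  # the Security QName
```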
