[Architecture] WS-Security mustUnderstand attribute not initialised correctly

Thilina Mahesh Buddhika thilinab at wso2.com
Tue Feb 2 14:48:57 EST 2010


Hi Dmitry,

Sorry for not noticing your forum post.

I just checked the Axis2 code which checks the "mustUnderstand" attribute of
SOAP header blocks. Extraction of this "mustUnderstand" attribute is done by
Axiom. This logic seems fine, but I will try to reproduce your scenario
and fix it if there is an issue.

Since you have written a handler to print the "mustUnderstand" attribute, it is
possible to extend it a bit further to set the security header as processed.
If it is set as "processed", AxisEngine will not check the mustUnderstand
attribute. So this would be a possible workaround for this issue for the
time being.

You can call the "setProcessed()" in the security header block.

Eg:- secHeaderBlock.setProcessed();

Let us know if you encounter further issues with this approach.
Hope this helps.

Thanks.
/thilina

On Tue, Feb 2, 2010 at 11:19 PM, Dmitry Lukyanov <dlukyanov at ukr.net> wrote:

> Hello,
>
> I posted the question on the forum, but it has stayed unanswered for almost
> three weeks.
> http://wso2.org/forum/thread/9130
>
> Here are the new details and facts.
> I made these tests today on WSAS 3.1.3.
>
> Steps:
>
> 1. extract WSAS 3.1.3 and start it
> 2. use the soapUI client to call the pre-installed HelloService, but specify the
> security header
> 2.1.  Note: HelloService is unsecured
> 2.2.  the header must contain the attribute mustUnderstand="0"
> <soap:Header>
>  <wsse:Security soap:mustUnderstand="0"
>    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>    <wsu:Timestamp wsu:Id="Timestamp-4"
>      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>      <wsu:Created>2010-02-02T16:12:20Z</wsu:Created>
>    </wsu:Timestamp>
>    <wsse:UsernameToken wsu:Id="UsernameToken-3"
>      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>      <wsse:Username>admin</wsse:Username>
>      <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">admin</wsse:Password>
>    </wsse:UsernameToken>
>  </wsse:Security>
> </soap:Header>
> --
> Expected result:
>
> According to W3C (
> http://www.w3.org/TR/2000/NOTE-SOAP-20000508/#_Toc478383500),
> the service must return the correct result because soap:mustUnderstand="0"
> was specified for the security header.
>
> But the actual result is an exception:
> org.apache.axis2.AxisFault: Must Understand check failed for header
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd: Security
>        at
> org.apache.axis2.engine.AxisEngine.checkMustUnderstand(AxisEngine.java:102)
>        at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:168)
>        ...
> --
> I am sure this is a bug at the level of parsing the headers of the incoming SOAP
> message.
>
> How did I check it:
>
> I created a simple handler that prints the mustUnderstand attribute value of
> all header blocks:
>
> import java.util.Iterator;
> import org.apache.axiom.soap.SOAPEnvelope;
> import org.apache.axiom.soap.SOAPHeader;
> import org.apache.axiom.soap.SOAPHeaderBlock;
> import org.apache.axis2.AxisFault;
> import org.apache.axis2.context.MessageContext;
>
> public class GetMustUnderstand extends
> org.apache.axis2.handlers.AbstractHandler {
>    public InvocationResponse invoke(MessageContext msgContext) throws
> AxisFault {
>        // Print the mustUnderstand value of every header block, as Axiom reports it
>        SOAPEnvelope env = msgContext.getEnvelope();
>        SOAPHeader header = env.getHeader();
>        if(header != null){
>            for(Iterator itr = header.getChildElements(); itr.hasNext();){
>                SOAPHeaderBlock headerBlock = (SOAPHeaderBlock) itr.next();
>                System.out.println(this.getName() + ": "
>                    + headerBlock.getQName().getLocalPart() + "=" + headerBlock.getMustUnderstand());
>            }
>        }
>        return InvocationResponse.CONTINUE;
>    }
> }
>
> And added it at the very beginning of the InFlow in axis2.xml:
>    <phaseOrder type="InFlow">
>        <!--  System pre defined phases       -->
>        <phase name="Transport">
>            <handler name="GetMustUnderstand-01"
> class="org.abi.axis.handler.GetMustUnderstand"/>
>            <handler name="RequestURIBasedDispatcher"
>            ...
>
> Every time I get this in the server console:
> GetMustUnderstand-01: Security=true
>
> At the end of the InFlow phase, if there are any non-processed headers with
> mustUnderstand=true,
> the Axis engine will throw the exception mentioned above.
> --
> I kindly ask you to register and correct this error for WSAS, Data Services,
> and the other Carbon platforms.
> --
> Regards,
>  Dmitry
>
>
> _______________________________________________
> Architecture mailing list
> Architecture at wso2.org
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>



-- 
Thilina Mahesh Buddhika
WSO2 Inc. ; http://wso2.com
http://blog.thilinamb.com
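The workaround Thilina describes, written out as a complete handler. This is an added example for this page, not code from Thilina, Dmitry or WSO2: the class name SkipOptionalSecurityHeader is made up, and the wsse namespace is the one from Dmitry's request. Rather than calling setProcessed() on every Security header, which would also silence a client's mustUnderstand="1" on an unsecured service, it reads the raw soap:mustUnderstand attribute off the header block and only marks the block processed when the client explicitly sent "0" (or "false", the SOAP 1.2 spelling):

```java
import java.util.Iterator;
import javax.xml.namespace.QName;
import org.apache.axiom.om.OMNamespace;
import org.apache.axiom.soap.SOAPEnvelope;
import org.apache.axiom.soap.SOAPHeader;
import org.apache.axiom.soap.SOAPHeaderBlock;
import org.apache.axis2.AxisFault;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.handlers.AbstractHandler;

/**
 * Workaround handler (hypothetical name, not part of Axis2 or WSO2 Carbon):
 * marks the wsse:Security header block as processed, but only when the client
 * explicitly sent soap:mustUnderstand="0" (or "false" in SOAP 1.2). Header
 * blocks the client marked mustUnderstand="1" are left untouched, so
 * AxisEngine.checkMustUnderstand() still faults on them as it should.
 */
public class SkipOptionalSecurityHeader extends AbstractHandler {

    // Namespace taken from the wsse:Security element in the request above.
    private static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    private static final String MUST_UNDERSTAND = "mustUnderstand";

    public InvocationResponse invoke(MessageContext msgContext) throws AxisFault {
        SOAPEnvelope env = msgContext.getEnvelope();
        SOAPHeader header = env.getHeader();
        if (header == null) {
            return InvocationResponse.CONTINUE;
        }
        // soap:mustUnderstand lives in the envelope namespace of whichever
        // SOAP version (1.1 or 1.2) the message was sent with.
        QName muAttr = new QName(env.getNamespace().getNamespaceURI(), MUST_UNDERSTAND);

        for (Iterator<?> it = header.getChildElements(); it.hasNext();) {
            Object child = it.next();
            if (!(child instanceof SOAPHeaderBlock)) {
                continue;
            }
            SOAPHeaderBlock block = (SOAPHeaderBlock) child;
            if (!isWsseSecurity(block)) {
                continue;
            }
            // Read the attribute as written on the wire instead of relying on
            // getMustUnderstand(), which is the value reported wrongly here.
            String raw = block.getAttributeValue(muAttr);
            if (isExplicitlyOptional(raw)) {
                block.setProcessed();
            }
        }
        return InvocationResponse.CONTINUE;
    }

    /** True for a header block named Security in the WS-Security 1.0 secext namespace. */
    static boolean isWsseSecurity(SOAPHeaderBlock block) {
        OMNamespace ns = block.getNamespace();
        return ns != null
            && WSSE_NS.equals(ns.getNamespaceURI())
            && "Security".equals(block.getLocalName());
    }

    /**
     * True only for an explicit "0"/"false". An absent attribute is left for
     * the engine to handle (the spec default is false, and that case is not
     * the one observed to misbehave); any other value keeps the check in place.
     */
    static boolean isExplicitlyOptional(String raw) {
        if (raw == null) {
            return false;
        }
        String v = raw.trim();
        return "0".equals(v) || "false".equalsIgnoreCase(v);
    }
}
```

Register it in axis2.xml the same way GetMustUnderstand-01 is registered above, in the InFlow. Its position within the flow is not critical, since the stack trace shows the check running from AxisEngine.receive() after the in-flow handlers, but keeping the workaround narrow matters: an unconditional setProcessed() on every Security header would hide a genuine mustUnderstand="1" from the engine and turn a client's explicit security requirement into a silently ignored header.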