I have problem with axis2+rampart WS-Security response in case of server internal error.
When server returns “200 OK” all seems ok. Response is checked by rampart if it has proper timestamp, signature and decrypts function response XML. But when server returns “500 Internal Server Error” axis2/rapart throws exception:
ERROR Thread-11 org.apache.axis2.engine.AxisEngine - Must Understand check failed for header
I thought there is something wrong with answer and tested it with soapUI. There comes similar response both in secured and decrypted form. Those responses differ only by HTTP status, XML response code indicating error, and case of SOAP tags. In case of good response there is
<SOAP-ENV:Envelope ...
In case of error:
<soap:Envelope ...
Rest of the structure, including mustUnderstand="1" is the same.
In axis2.xml I configured InFlow and InFaultFlow to be the same with order:
<phase name="Addressing">...</phase>
<phase name="Security"/>
<phase name="PreDispatch"/>
I enabled tracing of my client and in case of good reponse I see:
DEBUG Thread-11 org.apache.rampart.RampartEngine - Enter process(MessageContext msgCtx)
DEBUG Thread-11 org.apache.axis2.engine.Phase - [MessageContext: logID=urn:uuid:UUID] Invoking Handler 'SecurityInHandler' in Phase 'Security'
...there is decrypted message
DEBUG Thread-11 org.apache.rampart.handler.WSDoAllReceiver - WSDoAllReceiver: exit invoke()
DEBUG Thread-11 org.apache.axis2.engine.Phase - [MessageContext: logID=urn:uuid:UUID] Checking post-conditions for phase "Security"
DEBUG Thread-11 org.apache.axis2.engine.Phase - [MessageContext: logID=urn:uuid:UUID] Checking pre-condition for Phase "PreDispatch"
...
There is no such trace in the case of error:
DEBUG Thread-11 org.apache.rampart.RampartEngine - Enter process(MessageContext msgCtx)
DEBUG Thread-11 org.apache.axis2.engine.Phase - [MessageContext: logID=urn:uuid:UUID] Checking post-conditions for phase "Security"
DEBUG Thread-11 org.apache.axis2.engine.Phase - [MessageContext: logID=urn:uuid:UUID] Checking pre-condition for Phase "PreDispatch"
...
DEBUG Thread-11 org.apache.axis2.engine.Phase - [MessageContext: logID=urn:uuid:UUID] Checking post-conditions for phase "soapmonitorPhase"
DEBUG Thread-11 org.apache.axis2.engine.AxisEngine - MustUnderstand header not processed or registered as understood{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security
DEBUG Thread-11 org.apache.axis2.i18n.ProjectResourceBundle - org.apache.axis2.i18n.resource::handleGetObject(mustunderstandfailed)
ERROR Thread-11 org.apache.axis2.engine.AxisEngine - Must Understand check failed for header http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd : Security
org.apache.axis2.AxisFault: Must Understand check failed for header http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd : Security
at org.apache.axis2.engine.AxisEngine.checkMustUnderstand(AxisEngine.java:97)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:163)
at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:364)
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:417)
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:229)
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:165)
There is no SecurityInHandler invocation.
I would like to see decrypted message just like in case of “200 OK” status or like in soapUI.
Any ideas what is wrong with my configuration?
EDIT
I have checked that I got such error only in case of “500 Internal Server Error”. If server reply with “200 OK” and the same encrypted content then axis2 is able to decrypt it!
I will answer myself:
I searched Rampart sources to see where
SecurityInHandleris. It was inMETA-INF/module.xmloframpart-1.5.1.mar, but only in<InFlow>section. I copied it to<InFaultFlow>and it works! Now my<InFaultFlow>section looks like: