axis2+rampart: Must Understand check failed for header Security


Problem description

I have a problem with axis2+rampart WS-Security response in case of server internal error. When the server returns "200 OK" all seems ok. Response is checked by rampart if it has proper timestamp, signature and decrypts function response XML. But when the server returns "500 Internal Server Error" axis2/rampart throws an exception:

ERROR Thread-11 org.apache.axis2.engine.AxisEngine - Must Understand check failed for header

I thought there was something wrong with the answer and tested it with soapUI. A similar response comes both in secured and decrypted form. Those responses differ only by HTTP status, XML response code indicating error, and case of SOAP tags. In case of good response there is

<SOAP-ENV:Envelope ...

In case of error:

<soap:Envelope ...

Rest of the structure, including mustUnderstand="1" is the same.

In axis2.xml I configured InFlow and InFaultFlow to be the same with order:

<phase name="Addressing">...</phase>
<phase name="Security"/>
<phase name="PreDispatch"/>

I enabled tracing of my client and in case of good response I see:

DEBUG Thread-11 org.apache.rampart.RampartEngine - Enter process(MessageContext msgCtx)
DEBUG Thread-11 org.apache.axis2.engine.Phase - [MessageContext: logID=urn:uuid:UUID] Invoking Handler 'SecurityInHandler' in Phase 'Security'
...there is decrypted message
DEBUG Thread-11 org.apache.rampart.handler.WSDoAllReceiver - WSDoAllReceiver: exit invoke()
DEBUG Thread-11 org.apache.axis2.engine.Phase - [MessageContext: logID=urn:uuid:UUID] Checking post-conditions for phase "Security"
DEBUG Thread-11 org.apache.axis2.engine.Phase - [MessageContext: logID=urn:uuid:UUID] Checking pre-condition for Phase "PreDispatch"
...

There is no such trace in the case of error:

DEBUG Thread-11 org.apache.rampart.RampartEngine - Enter process(MessageContext msgCtx)
DEBUG Thread-11 org.apache.axis2.engine.Phase - [MessageContext: logID=urn:uuid:UUID] Checking post-conditions for phase "Security"
DEBUG Thread-11 org.apache.axis2.engine.Phase - [MessageContext: logID=urn:uuid:UUID] Checking pre-condition for Phase "PreDispatch"
...
DEBUG Thread-11 org.apache.axis2.engine.Phase - [MessageContext: logID=urn:uuid:UUID] Checking post-conditions for phase "soapmonitorPhase"
DEBUG Thread-11 org.apache.axis2.engine.AxisEngine - MustUnderstand header not processed or registered as understood{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security
DEBUG Thread-11 org.apache.axis2.i18n.ProjectResourceBundle - org.apache.axis2.i18n.resource::handleGetObject(mustunderstandfailed)
ERROR Thread-11 org.apache.axis2.engine.AxisEngine - Must Understand check failed for header http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd : Security
org.apache.axis2.AxisFault: Must Understand check failed for header http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd : Security
at org.apache.axis2.engine.AxisEngine.checkMustUnderstand(AxisEngine.java:97)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:163)
at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:364)
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:417)
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:229)
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:165)

There is no SecurityInHandler invocation.

I would like to see decrypted message just like in case of "200 OK" status or like in soapUI. Any ideas what is wrong with my configuration?

Edit

I have checked that I got such error only in case of "500 Internal Server Error". If the server replies with "200 OK" and the same encrypted content then axis2 is able to decrypt it!

Recommended answer

I will answer it myself:

I searched Rampart sources to see where SecurityInHandler is. It was in META-INF/module.xml of rampart-1.5.1.mar, but only in <InFlow> section. I copied it to <InFaultFlow> and it works! Now my <InFaultFlow> section looks like:

<InFaultFlow>
    <handler name="PolicyBasedSecurityInHandler" class="org.apache.rampart.handler.RampartReceiver">
        <order phase="Security" phaseFirst="true"/>
    </handler>
    <handler name="SecurityInHandler" class="org.apache.rampart.handler.WSDoAllReceiver">
        <order phase="Security"/>
    </handler>
    <handler name="PostDispatchVerificationHandler" class="org.apache.rampart.handler.PostDispatchVerificationHandler">
        <order phase="Dispatch" phaseLast="true"/>
    </handler>
</InFaultFlow> 
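
A check for the condition the answer describes, as an added example that is not part of the original post or of Rampart itself: it lists handlers registered under `<InFlow>` but missing from `<InFaultFlow>`, so fault responses are not left without security processing, and mirrors them across. The sample module.xml is constructed and the function names are hypothetical.

```python
import copy
import xml.etree.ElementTree as ET
import zipfile

# Constructed sample (not copied from a real .mar): inbound security handlers
# are registered under <InFlow> only, the situation the answer describes.
SAMPLE_MODULE_XML = """
<module name="rampart">
  <InFlow>
    <handler name="PolicyBasedSecurityInHandler" class="org.apache.rampart.handler.RampartReceiver">
      <order phase="Security" phaseFirst="true"/>
    </handler>
    <handler name="SecurityInHandler" class="org.apache.rampart.handler.WSDoAllReceiver">
      <order phase="Security"/>
    </handler>
    <handler name="PostDispatchVerificationHandler" class="org.apache.rampart.handler.PostDispatchVerificationHandler">
      <order phase="Dispatch" phaseLast="true"/>
    </handler>
  </InFlow>
</module>
"""

def read_module_xml(mar_path):
    """A .mar is a zip archive; return the text of its META-INF/module.xml."""
    with zipfile.ZipFile(mar_path) as mar:
        return mar.read("META-INF/module.xml").decode("utf-8")

def handler_names(root, flow):
    """Names of the handlers registered under one flow; empty if the flow is absent."""
    return {h.get("name") for h in root.findall(f"./{flow}/handler")}

def missing_in_fault_flow(module_xml):
    """Handlers that run for normal responses but not for SOAP faults."""
    root = ET.fromstring(module_xml)
    return sorted(handler_names(root, "InFlow") - handler_names(root, "InFaultFlow"))

def mirror_into_fault_flow(module_xml):
    """Return module.xml text with the missing InFlow handlers copied to InFaultFlow."""
    root = ET.fromstring(module_xml)
    fault = root.find("InFaultFlow")
    if fault is None:
        fault = ET.SubElement(root, "InFaultFlow")
    present = handler_names(root, "InFaultFlow")
    for h in root.findall("./InFlow/handler"):
        if h.get("name") not in present:
            fault.append(copy.deepcopy(h))
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print("missing before:", missing_in_fault_flow(SAMPLE_MODULE_XML))
    print("missing after: ", missing_in_fault_flow(mirror_into_fault_flow(SAMPLE_MODULE_XML)))
```

To run it against a real module archive, pass the output of `read_module_xml("rampart-1.5.1.mar")` to `missing_in_fault_flow`.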
