Setting up Ws-SecureConversation
I would like to use WS-SecureConversation to sign messages (I will be using one-way SSL to encrypt).
I have set up the security configuration (no9) and keystore in the management console, but I can't figure out the next step.
According to this Axis2 book that I am using, the policies need to be placed in the WSDL so that the axis2 codegen will include the policy information in the stub...
I also noticed that in the example (WS-security)...a policyreference was added to the operation - does this apply in this case?
Can someone point me to a good guide or give me some pointers on what needs to be done?
Do I need to make any changes to my WSDL? maybe a reference to the Policy xml doc?
Thanks,
Michael
Setting up Ws-SecureConversation
Hi Michael,
After you successfully apply the security scenario to your service, go to the WSDL of the service and you will be able to see that the applied policy is annotated in the generated WSDL. You don't need to do this manually.
So now, when you are creating the client (WSAS has a GUI codegen tool, as you may have noticed), the Axis2 code generator makes sure that those policies in the WSDL are applied to the generated Stub. However, you need to add the Rampart Config assertion to the Stub.
Hope this information helps and if you have further questions please do post.
thanks,
/nandana
AxisFault: Error in extracting message properties
Hi Nandana,
Thanks for your reply. I have managed to set up secure conv - except that I am receiving a tomcat html error in the response for the actual message and "AxisFault: Error in extracting message properties" in the WSAS console. Seems like the server has forgotten the SCT!
Attachments and console extract can be found here:
http://www.nabble.com/axisFault-%22error-in-extracting-message-properties%22-with-SecureConv-SignOnly-WSO2-WSAS-2.2.1-td16384767.html
Thanks,
Mike
problem solved!!!! I had
problem solved!!!!
I had copied-pasted the policy myself into the WSDL & added the policy reference to the <binding> element..
I removed it.. just in case it was conflicting with the policy set by WSAS.. and it started working!!
One more question..and hopefully this will close off the security section in my thesis...
Is it possible to get the cert alias/common name in the skeleton impl when using secureConv? It just hit me that in secureConv the SCT is being used, so this info may not be available.
Thanks,
Mike
clarification
Is it possible to get the cert alias/common name in the skeleton impl when using secureConv ?
Didn't get the question. Can you please clarify a bit?
thanks,
/nandana
I would like to get the info
I would like to get the info on the authenticated certificate so that I can use it in the skeleton business logic. This seems to be what I need:
http://www.mail-archive.com/axis-user@ws.apache.org/msg21601.html
but I started receiving "Error in extracting Message properties" again after I added the following code to the operation:
System.out.println(this.getSecurityInfo(MessageContext.getCurrentMessageContext()));
btw.. it seems the "error in
btw.. it seems the "error in extracting message properties" is quite generic and includes failures in the service code. I think my original problem may have been related to failures in the axis2 codegen: wsdl2code was giving me "Error renaming file c:\documents and settings\mikle\local settings\temp\32526326442.txt" (something like that)
The error seems to have been caused by the <PolicyReference> element.
More info about the error
This error occurs on the server side, right? Can you please check whether an exception is thrown from your service code (maybe by catching all exceptions and logging them), so we can see what really happens. IMO, "error in extracting message properties" may be occurring when the exception is returned in the out fault flow.
the error was in the
The error was in the getSecurityInfo method.
The SubjectDN was null because the principal is a derived key - derivedkeyid-138534566.
It seems I can't access the cert details when using secureConv.
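The null SubjectDN described in the post above can be handled without letting a NullPointerException escape into the fault flow. The following is an added example, not code from the thread or from Axis2/Rampart: it uses only the JDK, assumes the service has already pulled the `Principal` and (possibly null) certificate out of the security results, and the names `CallerIdentity` and `commonName` and the sample DN are constructed for illustration.

```java
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.Optional;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

public class CallerIdentity {

    /** Returns the certificate CN, or empty when the token is not bound to a certificate. */
    static Optional<String> commonName(Principal principal, X509Certificate cert) {
        X500Principal subject = null;
        if (cert != null) {
            subject = cert.getSubjectX500Principal();
        } else if (principal instanceof X500Principal) {
            subject = (X500Principal) principal;
        }
        if (subject == null) {
            // Derived-key principal (SecureConversation): there is no subject DN to read.
            return Optional.empty();
        }
        try {
            // Parse the DN properly instead of splitting the string on commas.
            LdapName dn = new LdapName(subject.getName(X500Principal.RFC2253));
            for (Rdn rdn : dn.getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return Optional.of(String.valueOf(rdn.getValue()));
                }
            }
        } catch (InvalidNameException e) {
            // Malformed DN: treat it as "no usable identity" rather than failing the call.
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed sample principals: one certificate-style, one shaped like the thread's derived key.
        Principal certBound = new X500Principal("CN=client1, OU=Clearing, O=Example Bank, C=MT");
        Principal derived = () -> "derivedkeyid-138534566";
        System.out.println(commonName(certBound, null).orElse("<no certificate>"));
        System.out.println(commonName(derived, null).orElse("<no certificate>"));
    }
}
```

Business logic that needs a caller identity should treat the empty result as an explicit authorization failure instead of dereferencing the missing certificate.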
securityOutHandler like in the outflow
hi Nandana,
You're right, the problem is in the out fault flow. I confirmed this because I am receiving this error when I intentionally throw a SOAP fault..
I had a look at the flows in the management console.. and noticed there isn't the securityOutHandler like in the outflow.. is that normal?
I also noticed that there have been related JIRAs - but related to problems on the client side..
in TCP mon, the response is a tomcat html error.. so it must be a server side prob
Thanks,
Michael
HTTP/1.1 500 Internal Server Error
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Length: 1000
Date: Mon, 31 Mar 2008 21:23:52 GMT
Connection: close
<html><head><title>Apache Tomcat/5.5.15 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 500 - </h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u></u></p><p><b>description</b> <u>The server encountered an internal error () that prevented it from fulfilling this request.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/5.5.15</h3></body></html>
I tried removing the
I tried removing the security phase from the outFaultFlow.. but WSAS gave a bunch of errors...
is there a quick fix for this prob?
Thanks,
Michael
UPDATE - WSAS Management Console Tracer
I have enabled the Tracer in the WSAS console and the soap fault was captured.. so the problem is somewhere between the tracer and the actual response dispatch
SOAP 1.1 or SOAP 1.2 ??
Hi Michael,
Are you using SOAP 1.1 ? Can you please try the same scenario with SOAP 1.2 ??
/nandana
I'm using soap 1.1 - will
I'm using soap 1.1 - will try later today.
Thanks,
Mike
I amended the soap namespace
ok managed to setup soap12...
on the client I am receiving this error instead of nullpointerexception:
"must understand check failed for header: http://doc.oasis-open.org/wss/20040/01/oasis-200401-wss-wssecurity-secext-1.0.xsd: Security "
I am no longer getting "error in extracting message properties" on the WSAS server console
in the WSAS Management console tracer I noticed that the soap fault is a fault on the original fault...i am throwing an "AccessDenied_Fault".. which is throwing a general Exception..which is thrown as "UnexpectedFailure_Fault"
"AccessDenied_Fault" and "UnexpectedFailure_Fault" are both custom faults i created..
<?xml version='1.0' encoding='utf-8'?>
<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
<soapenv:Body>
<soapenv:Fault>
<soapenv:Code>
<soapenv:Value>soapenv:Receiver</soapenv:Value>
</soapenv:Code>
<soapenv:Reason>
<soapenv:Text xml:lang="en-US">Fault_UnexpectedFailure</soapenv:Text>
</soapenv:Reason>
<soapenv:Detail>
<ns1:UnexpectedFailure xmlns:ns1="http://mch.org/ClearingHouse/ECPSchema">
<ns1:Msg>Fault_AccessDenied.</ns1:Msg>
<ns1:StackTrace>org.mch.clearinghouse.ClearingHouseServiceImpl.getChequeImages(ClearingHouseServiceImpl.java:708)org.mch.clearinghouse.ClearingHouseServiceMessageReceiverInOut.invokeBusinessLogic(ClearingHouseServiceMessageReceiverInOut.java:366)org.apache.axis2.receivers.AbstractInOutMessageReceiver.invokeBusinessLogic(AbstractInOutMessageReceiver.java:40)org.apache.axis2.receivers.AbstractMessageReceiver.receive(AbstractMessageReceiver.java:96)org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:148)org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:275)org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:121)javax.servlet.http.HttpServlet.service(HttpServlet.java:709)javax.servlet.http.HttpServlet.service(HttpServlet.java:802)org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)org.wso2.adminui.AdminUIServletFilter.doFilter(AdminUIServletFilter.java:142)org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:667)org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:52
7)org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)java.lang.Thread.run(Thread.java:619)</ns1:StackTrace>
</ns1:UnexpectedFailure>
</soapenv:Detail>
</soapenv:Fault>
</soapenv:Body>
</soapenv:Envelope>
soap fault in tcpmon
HTTP/1.1 500 Internal Server Error
Server: Apache-Coyote/1.1
Content-Type: application/soap+xml;charset=UTF-8
Transfer-Encoding: chunked
Date: Thu, 03 Apr 2008 11:31:29 GMT
Connection: close
b12
<?xml version='1.0' encoding='UTF-8'?>
<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
<soapenv:Body>
<soapenv:Fault xmlns:axis2ns3="http://www.w3.org/2003/05/soap-envelope">
<soapenv:Code>
<soapenv:Value>axis2ns3:MustUnderstand</soapenv:Value>
</soapenv:Code>
<soapenv:Reason>
<soapenv:Text xml:lang="en-US">Must Understand check failed for header http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd : Security</soapenv:Text>
</soapenv:Reason>
<soapenv:Detail>
<Exception>org.apache.axis2.AxisFault: Must Understand check failed for header http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd : Security
 at org.apache.axis2.engine.AxisEngine.checkMustUnderstand(AxisEngine.java:89)
 at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:138)
 at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:275)
 at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:121)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
 at org.wso2.adminui.AdminUIServletFilter.doFilter(AdminUIServletFilter.java:142)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
 at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
 at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
 at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
 at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
 at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
 at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
 at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
 at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:667)
 at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
 at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
 at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
 at java.lang.Thread.run(Thread.java:619)
</Exception>
</soapenv:Detail>
</soapenv:Fault>
</soapenv:Body>
</soapenv:Envelope>0
I have debugged the service
I have debugged the service without source.. the exception/fault is my custom fault up until WSASServlet.doPost line 152.. after that i lost track