Axis 2 and Rampart - why does service return wsse:Security header in request?

I'm connecting to a secure service.

I have a SOAP UI project configured to use a jks file to provide the certificate, along with appropriate security settings to allow me to get a valid response.

I have used AXIS 2 and Rampart to create a SOAP request from a JAVA project. Using TCPMon I've managed to grab the SOAP request.

When the request runs in the JAVA project, I just get the response:

org.apache.axis2.AxisFault: Missing wsse:Security header in request

but if I take the same request, captured in TCPMon and put it in a SOAP UI project, I get a response successfully.

Anyone got any ideas?

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"  
soapenv:mustUnderstand="1">  
  <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"  
  wsu:Id="Timestamp-1">  
    <wsu:Created>2012-06-01T15:09:12.520Z</wsu:Created>  
    <wsu:Expires>2012-06-01T15:14:12.520Z</wsu:Expires>  
  </wsu:Timestamp>  
  <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"  
  EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"  
  ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"  
  wsu:Id="CertId-ECDB0E....01">  
  MIID4DCCA0mgAwIBAgIBFjAN....</wsse:BinarySecurityToken>  
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"  
  Id="Signature-2">  
    <ds:SignedInfo>  
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />  
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />  
      <ds:Reference URI="#Id-15..93">  
        <ds:Transforms>  
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />  
        </ds:Transforms>  
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />  
        <ds:DigestValue>  
        3wgvhJ8SI2soC..IA=</ds:DigestValue>  
      </ds:Reference>  
      <ds:Reference URI="#Timestamp-1">  
        <ds:Transforms>  
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />  
        </ds:Transforms>  
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />  
        <ds:DigestValue>  
        VlzDT69YEl..qTlbj0=</ds:DigestValue>  
      </ds:Reference>  
    </ds:SignedInfo>  
    <ds:SignatureValue>  
    ZCRypw/..=</ds:SignatureValue>  
    <ds:KeyInfo Id="KeyId-ECD..2">  
      <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"  
      wsu:Id="STRId-ECDB0E6..6193">  
        <wsse:Reference URI="#CertId-ECDB0E..01"  
        ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />  
      </wsse:SecurityTokenReference>  
    </ds:KeyInfo>  
  </ds:Signature>  
</wsse:Security>
</soapenv:Header>
<soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-15..3">
<ns2:ProductSearchV2Request xmlns:ns2="http://product.webservice.sxc.com">
  <ns2:Strength>900</ns2:Strength>
  <ns2:MaximumResultSetInd>true</ns2:MaximumResultSetInd>
  <ns2:MaximumResultSet>100</ns2:MaximumResultSet>
</ns2:ProductSearchV2Request>
</soapenv:Body>
</soapenv:Envelope>

This is the WS-POLICY document that I'm using:

<?xml version="1.0" encoding="UTF-8"?>  
<!--  
 !  
 ! Copyright 2006 The Apache Software Foundation.  
 !  
 ! Licensed under the Apache License, Version 2.0 (the "License");  
 ! you may not use this file except in compliance with the License.  
 ! You may obtain a copy of the License at  
 !  
 !      http://www.apache.org/licenses/LICENSE-2.0  
 !  
 ! Unless required by applicable law or agreed to in writing, software  
 ! distributed under the License is distributed on an "AS IS" BASIS,  
 ! WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  
 ! See the License for the specific language governing permissions and  
 ! limitations under the License.  
 !-->  
<wsp:Policy wsu:Id="SigOnly"  
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"  
            xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">  
    <wsp:ExactlyOne>  
        <wsp:All>  
            <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">  
                <wsp:Policy>  
                    <sp:InitiatorToken>  
                        <wsp:Policy>  
                            <sp:X509Token  
                                    sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">  
                                <wsp:Policy>  
                                    <sp:RequireThumbprintReference/>  
                                    <sp:WssX509V3Token10/>  
                                </wsp:Policy>  
                            </sp:X509Token>  
                        </wsp:Policy>  
                    </sp:InitiatorToken>  
                    <sp:RecipientToken>  
                        <wsp:Policy>  
                            <sp:X509Token  
                                    sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">  
                                <wsp:Policy>  
                                    <sp:RequireThumbprintReference/>  
                                    <sp:WssX509V3Token10/>  
                                </wsp:Policy>  
                            </sp:X509Token>  
                        </wsp:Policy>  
                    </sp:RecipientToken>  
                    <sp:AlgorithmSuite>  
                        <wsp:Policy>  
                            <sp:TripleDesRsa15/>  
                        </wsp:Policy>  
                    </sp:AlgorithmSuite>  
                    <sp:Layout>  
                        <wsp:Policy>  
                            <sp:Strict/>  
                        </wsp:Policy>  
                    </sp:Layout>  
                    <sp:IncludeTimestamp/>  
                    <sp:OnlySignEntireHeadersAndBody/>  
                </wsp:Policy>  
            </sp:AsymmetricBinding>  
            <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">  
                <wsp:Policy>  
                    <sp:MustSupportRefKeyIdentifier/>  
                    <sp:MustSupportRefIssuerSerial/>  
                </wsp:Policy>  
            </sp:Wss10>  
            <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">  
                <sp:Body/>  
            </sp:SignedParts>  
            <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">  
                <ramp:user>ctr</ramp:user>  
                <ramp:encryptionUser>ctr</ramp:encryptionUser>  
                <ramp:passwordCallbackClass>com.gtnet.rampart.PWCBHandler  
                </ramp:passwordCallbackClass>  

                <ramp:signatureCrypto>  
                    <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">  
                        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>  
                        <ramp:property name="org.apache.ws.security.crypto.merlin.file">build\resources\qa.jks</ramp:property>  
                        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">123123</ramp:property>  
                    </ramp:crypto>  
                </ramp:signatureCrypto>  
            </ramp:RampartConfig>  

        </wsp:All>  
    </wsp:ExactlyOne>  
</wsp:Policy>  

Thanks Alan


It looks as if the error isn't with the outbound request, but with handling the response. The response doesn't have a security header and when we're trying to unencrypt it, an exception occurs.

I need to somehow change my Rampart configuration to only do outbound security, not inbound

I'll report back :)


Ok the problem was that once Rampart is engaged, it expects the response to have the same security header. The way I solved the problem was by removing the handler to the Inflow security in the Rampart.mar file.

I'm not sure if this is the best fix, but it worked for us.

To remove the inflow handler:

  1. Unpack the rampart.mar file.
  2. Comment out the Inflow section.
  3. Zip up the META_INF folder. Then rename the .zip file to be .mar.

Now when you use this, as there are no handlers defined for inflow, it will just use the standard Axis2 response handler.

I guess if you had several projects using Rampart where some had the security header in the response and some didn't you would need a different approach.


Another approach is detailed here. It's probably a better approach:

http://blog.rampartfaq.com/2009/11/how-to-generate-non-secure-response-to.html

Exception:

org.apache.axis2.AxisFault: Missing wsse:Security header in request
    at org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:180)
    at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:99)
    at org.apache.axis2.engine.Phase.invoke(Phase.java:318)
    at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:251)
    at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:160)
    at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:364)
    at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:417)
    at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:229)



After navigating a lot, and reading the same pages several times, I finally got a solution that satisfied me.

From the previous post, I quote: "Ok the problem was that once Rampart is engaged, it expects the response to have the same security header." (as the request) This is absolutely true!

I feel that the best approach is found in the following link: http://xacmlinfo.org/2012/11/09/disabling-ws-security-for-in-or-out-messages-in-axis2/

However, in my case, I didn't want to make a new module, so I decided to emulate the module in my code. I tried to explain it in three steps.

  1. (First) I used a default policy (taken from the previous link) as a method in my code. (It worked for Axis 1.6.2 and the compatible version of Rampart.)

private String getPolicy() { return "xml for policy"; }

Important: the method must return the following XML as a String (formatted here for better reading):

<wsp:Policy wsu:Id="emptryPolicy"
            xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                </wsp:Policy>
            </sp:TransportBinding>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>

  2. (Second) I created a Policy (object) based on the previous method.

InputStream stream = new ByteArrayInputStream(getPolicy().getBytes());

Policy p = PolicyEngine.getPolicy(stream);

  3. (Third) I used the properties KEY_RAMPART_IN_POLICY and KEY_RAMPART_OUT_POLICY.

// servicePolicy = the security policy of the web service
Stub._getServiceClient().getOptions().setProperty(RampartMessageData.KEY_RAMPART_OUT_POLICY, servicePolicy);

Stub._getServiceClient().getOptions().setProperty(RampartMessageData.KEY_RAMPART_IN_POLICY, p);

Important: the security policy of the web service depends on the security that the web service uses. If your provider supplied the policy in the WSDL, you would not have to struggle with this, but in other cases you just use the Rampart policies. On the Rampart site, there are examples described very clearly for each type of security policy (UsernameToken Authentication, AsymmetricBinding, etc.).

This example fashions a request with security and a response without security. It works for me!



In my case I had the same problem, but I got a successful response by changing the SOAP request version namespace URI in the stub. I changed the namespace URI from "http://www.w3.org/2003/05/soap-envelope" to "http://schemas.xmlsoap.org/soap/envelope/".
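
An added example (not code from any of the posts above): a JDK-only check that tells you, for a captured message, which SOAP envelope namespace it uses and whether its Header carries a wsse:Security element. These are the two properties the answers above turn on: the unsecured response and the SOAP 1.1 versus 1.2 namespace. The class name, method names and both sample messages are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Objects;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

public class SecurityHeaderCheck {
    static final String WSSE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String SOAP12 = "http://www.w3.org/2003/05/soap-envelope";

    /** Reports the envelope's SOAP version and whether its Header has a wsse:Security child. */
    static String describe(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // match on namespace URI, not on the prefix in use
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs
        Element env = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
            .getDocumentElement();
        String ns = env.getNamespaceURI();
        String version = SOAP11.equals(ns) ? "SOAP 1.1" : SOAP12.equals(ns) ? "SOAP 1.2" : "unknown";
        boolean secured = false;
        for (Node h = env.getFirstChild(); h != null; h = h.getNextSibling()) {
            if (!isElement(h, ns, "Header")) continue;
            for (Node c = h.getFirstChild(); c != null; c = c.getNextSibling()) {
                secured |= isElement(c, WSSE, "Security");
            }
        }
        return version + ", wsse:Security " + (secured ? "present" : "missing");
    }

    static boolean isElement(Node n, String ns, String local) {
        return n.getNodeType() == Node.ELEMENT_NODE
            && local.equals(n.getLocalName()) && Objects.equals(ns, n.getNamespaceURI());
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: a secured SOAP 1.1 request and a plain SOAP 1.2 response.
        String request = "<e:Envelope xmlns:e='" + SOAP11 + "'><e:Header>"
            + "<w:Security xmlns:w='" + WSSE + "' e:mustUnderstand='1'/></e:Header><e:Body/></e:Envelope>";
        String response = "<s:Envelope xmlns:s='" + SOAP12 + "'><s:Body/></s:Envelope>";
        System.out.println("request:  " + describe(request));
        System.out.println("response: " + describe(response));
    }
}
```

Pass the response body captured in TCPMon to describe() to confirm that the service really returns no security header before relaxing the inbound policy.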
