[jboss-jira] [JBoss JIRA] (WFLY-10336) MustUnderstand headers: [{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security] are not understood.

Daniel Čihák (Jira) issues at jboss.org
Fri Oct 12 04:43:00 EDT 2018


    [ https://issues.jboss.org/browse/WFLY-10336?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13647140#comment-13647140 ] 

Daniel Čihák commented on WFLY-10336:
-------------------------------------

This issue is more complex. To get rid of the {{SoapFault: MustUnderstand headers}} exception, we need to add a message handler implementing {{SOAPHandler}} and configure it in the configuration file annotated in the service EchoService {{@HandlerChain(file = "dummmy-ws-handler.xml")}}. This handler overrides the {{getHeaders}} method to process the security header. The handler-chain will now look like:
{code:title=dummmy-ws-handler.xml}
    <handler-chain>
        <handler>
            <handler-name>ContextHandler</handler-name>
            <handler-class>org.jboss.as.test.integration.ws.authentication.policy.HeaderWSContextProcessor</handler-class>
        </handler>
        <handler>
            <handler-name>SAML2Handler</handler-name>
            <handler-class>org.picketlink.trust.jbossws.handler.SAML2Handler</handler-class>
        </handler>
    </handler-chain>
{code}

SAML2Handler is used for the security context creation and HeaderWSContextProcessor processes the header. When those two headers are used in the chain and the AuthenticationPolicyContextTestCase is run together with another test (EJBSignTestCase), the second test fails with the {{org.apache.cxf.binding.soap.SoapFault: MustUnderstand headers}}. This behaviour occurs on WildFly and on IBM JDK.

We also found out that when running the tests with the parameter {{-DreuseForks=false}}, this issue does not occur any more. The problem might be in the line https://github.com/wildfly/wildfly/blob/master/testsuite/integration/ws/src/test/java/org/jboss/as/test/integration/ws/authentication/policy/AuthenticationPolicyContextTestCase.java#L316 {{assertion = wsClient.issueToken(SAMLUtil.SAML2_TOKEN_TYPE);}}. When this line is omitted, the exception stops appearing. We still don't know the solution to this and must abort the investigation for now.

> MustUnderstand headers: [{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security] are not understood.
> -----------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: WFLY-10336
>                 URL: https://issues.jboss.org/browse/WFLY-10336
>             Project: WildFly
>          Issue Type: Bug
>          Components: Test Suite, Web Services
>         Environment: {noformat}
> Java(TM) SE Runtime Environment (build 8.0.5.11 - pxa6480sr5fp11-20180326_01(SR5 FP11))
> IBM J9 VM (build 2.9, JRE 1.8.0 Linux amd64-64 Compressed References 20180309_380776 (JIT enabled, AOT enabled)
> OpenJ9   - 49fcaf39
> OMR      - 5cbbadf
> IBM      - 4453dac)
> JCL - 20180319_01 based on Oracle jdk8u161-b12
> {noformat}
>            Reporter: Petr Kremensky
>            Assignee: Daniel Čihák
>            Priority: Major
>
> There are test failures running the WildFly Test Suite: Integration - WS on IBM jdk.
> {noformat}
> wildfly/testsuite/integration/ws] $ mvn clean install
> ...
> [INFO]
> [INFO] Results:
> [INFO]
> [ERROR] Errors:
> [ERROR]   EJBSignTestCase.signedRequest:86 » SOAPFault MustUnderstand headers: [{http://...
> [ERROR]   SignTestCase.signedRequest:88 » SOAPFault MustUnderstand headers: [{http://doc...
> [ERROR]   EJBSignEncryptMultipleClientsTestCase.encryptedAndSignedRequestFromAlice:90 » SOAPFault
> [ERROR]   EJBSignEncryptMultipleClientsTestCase.encryptedAndSignedRequestFromJohn:102 » SOAPFault
> [ERROR]   EJBSignEncryptTestCase.encryptedAndSignedRequest:88 » SOAPFault MustUnderstand...
> [ERROR]   SignEncryptMultipleClientsTestCase.encryptedAndSignedRequestFromAlice:91 » SOAPFault
> [ERROR]   SignEncryptMultipleClientsTestCase.encryptedAndSignedRequestFromJohn:103 » SOAPFault
> [ERROR]   SignEncryptTestCase.encryptedAndSignedRequest:90 » SOAPFault MustUnderstand he...
> [ERROR]   WSTrustTestCase.test:318 » SOAPFault MustUnderstand headers: [{http://docs.oas...
> [ERROR]   WSTrustTestCase.testActAs:441 » SOAPFault MustUnderstand headers: [{http://doc...
> [ERROR]   WSTrustTestCase.testBearer:541 » SOAPFault MustUnderstand headers: [{http://do...
> [ERROR]   WSTrustTestCase.testHolderOfKey:491 » SOAPFault MustUnderstand headers: [{http...
> [ERROR]   WSTrustTestCase.testNoClientCallback:383 » SOAPFault MustUnderstand headers: [...
> [ERROR]   WSTrustTestCase.testNoSignatureUsername:414 » SOAPFault MustUnderstand headers...
> [ERROR]   WSTrustTestCase.testOnBehalfOf:468 » SOAPFault MustUnderstand headers: [{http:...
> [ERROR]   WSTrustTestCase.testPicketLink:518 » SOAPFault MustUnderstand headers: [{http:...
> [ERROR]   WSTrustTestCase.testUsingEPR:350 » SOAPFault MustUnderstand headers: [{http://...
> [INFO]
> [ERROR] Tests run: 119, Failures: 0, Errors: 17, Skipped: 0
> {noformat}
> *Caused by*
> {noformat}
> Caused by: org.apache.cxf.binding.soap.SoapFault: MustUnderstand headers: [{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security] are not understood.
>         at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.unmarshalFault(Soap11FaultInInterceptor.java:87)
>         at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:53)
>         at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:42)
>         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>         at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:112)
>         at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:70)
>         at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:35)
>         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>         at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:827)
>         at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1695)
>         at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1572)
>         at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1373)
>         at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
>         at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:673)
>         at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:63)
>         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>         at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:533)
>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:442)
>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:343)
>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:296)
>         at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
>         at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:139)
>         ... 129 more
> {noformat}



--
This message was sent by Atlassian Jira
(v7.12.1#712002)


