This discussion is archived
11 Replies Latest reply: Jan 12, 2011 12:19 PM by 809104 RSS

OSB MustUnderstand SOAP fault

810488 Newbie
Currently Being Moderated
Hi,

I was trying to apply the oracle Predefined auth.xml WS-policy to the osb proxy service and that will query a web service that is running on separate weblogic server, but I'm getting MustUnderstand SOAP fault does anyone seen this fault in OSB. Do I have to do any configuration changes on WLS?

Proxy configured with:
General tab -> WSDL based proxy service, this wsdl doesn't have ws-policy definitions inside.
Transport tab -> Get all headers = no
HTTP Transport tab -> HTTPS Required = No / Authentication = Basic
Operation tab -> Enforce WS-I Compliance = not checked / Selection Algorithm = SOAP Body Type
Message Content tab -> default settings
Policy -> Added Auth.xml(predefined) policy to request policies.
Security tab -> Process WS-Security header = No / Custom Authentication settings = none

I'm using the following SOAP Message .

when I change the mustunderstand="false" then it goes through.

<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:data="http://eadf.ites.unsw.edu.au/data">
<soap:Header>
     <wsse:Security soap:mustUnderstand="true" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:UsernameToken wsu:Id="UsernameToken-3" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
          <wsse:Username>weblogic</wsse:Username>
          <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">weblogic</wsse:Password>
          <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">rIlOSF+/OECwu9H/qWujzA==</wsse:Nonce><wsu:Created>2010-11-16T06:12:17.273Z</wsu:Created></wsse:UsernameToken></wsse:Security>
</soap:Header>
<soap:Body>
<data:getPersonCourseRequest>
<data:Request>
<data:Common>
<data:TransactionID>?</data:TransactionID>
<data:UserID>?</data:UserID>
<data:PersonID>2113446</data:PersonID>
</data:Common>
<!--Optional:-->
<data:Filter>
<data:InstitutionCode>UNSWA</data:InstitutionCode>

</data:Filter>
</data:Request>
</data:getPersonCourseRequest>
</soap:Body>
</soap:Envelope>

I'm getting the following error

<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
<env:Header>
<env:NotUnderstood qname="wsse:Security" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"/>
</env:Header>
<env:Body>
<env:Fault>
<env:Code>
<env:Value>env:MustUnderstand</env:Value>
</env:Code>
<env:Reason>
<env:Text xml:lang="en">One or more mandatory SOAP header blocks not understood</env:Text>
</env:Reason>
</env:Fault>
</env:Body>
</env:Envelope>}

Thanks
Vick
  • 1. Re: OSB MustUnderstand SOAP fault
    Anuj Dwivedi Guru
    Currently Being Moderated
    Can you enable "Process WS-Security header" and test again?

    Regards,
    Anuj
  • 2. Re: OSB MustUnderstand SOAP fault
    810488 Newbie
    Currently Being Moderated
    Hi Anuj

    Thanks for your reply.

    I chenged the Process WS-Security Header to yes, but I'm getting the error BEA-386201.

    The proxy service is set to just rout the request to endpoint,

         
         <con:fault      xmlns:con="http://www.bea.com/wli/sb/context">
         <con:errorCode>BEA-386201</con:errorCode>
         <con:reason>
         A web service security fault occurred[{http://www.w3.org/2003/05/soap-envelope}Receiver][Unable to add security token for identity]
         </con:reason>
         <con:details>
         <err:WebServiceSecurityFault      xmlns:err="http://www.bea.com/wli/sb/errors">
         <err:faultcode      xmlns:soap="http://www.w3.org/2003/05/soap-envelope">soap:Receiver</err:faultcode>
         <err:faultstring>
         Unable to add security token for identity
         </err:faultstring>
         </err:WebServiceSecurityFault>
         </con:details>
         <con:location>
         <con:node>RouteNode1</con:node>
         <con:path>request-pipeline</con:path>
         </con:location>
         </con:fault>

    Regards
    Vick

    Edited by: 807485 on Nov 21, 2010 6:01 PM
  • 3. Re: OSB MustUnderstand SOAP fault
    Anuj Dwivedi Guru
    Currently Being Moderated
    I hope you are attaching the policy to the request operation only and NOT to the entire service. Please refer -

    WS-Security and proxy service: Unable to add security token for identity

    Regards,
    Anuj
  • 4. Re: OSB MustUnderstand SOAP fault
    810488 Newbie
    Currently Being Moderated
    Hi Anuj

    Thanks for that it worked when I use the OSB test console. I'm getting the error message when I type in the wrong user, now I'm going to use a Soapui as client to test it. and will let you know how I go

    Regards
    Vick
  • 5. Re: OSB MustUnderstand SOAP fault
    810488 Newbie
    Currently Being Moderated
    Hi

    I was able to use the soapui as a client to test the Auth.xml, but if I type in the wrong username or password I'm only getting the requested payload back on the soapui response. if I wanted to send the meaningful error message to the client like *"Authentication Failed"* how do I do this in the OSB Proxy service? I tried error handler but no luck, Can anyone point me in the write direction?

    Regards
    Vick
  • 6. Re: OSB MustUnderstand SOAP fault
    687626 Expert
    Currently Being Moderated
    If you get an authentication failure, I think the flow will enter the service error handler of the proxy .. Can you try modifying your response here and then do a reply with failure?
  • 7. Re: OSB MustUnderstand SOAP fault
    810488 Newbie
    Currently Being Moderated
    Hi

    I removed the reply with failure action from service error handler and it worked. I could see the SOAP fault message in soapui as shown below, but I don't understand why reply with failure didn't work.

    <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
    <env:Header/>
    <env:Body>
    <env:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <Code xmlns="http://www.w3.org/2003/05/soap-envelope">
    <Value>env:Sender</Value>
    <Subcode>
    <Value>wsse:FailedAuthentication</Value>
    </Subcode>
    </Code>
    <Reason xmlns="http://www.w3.org/2003/05/soap-envelope">
    <Text xml:lang="en-US">Failed to assert identity with UsernameToken.</Text>
    </Reason>
    </env:Fault>
    </env:Body>
    </env:Envelope>

    Regards
    Vick
  • 8. Re: OSB MustUnderstand SOAP fault
    687626 Expert
    Currently Being Moderated
    Is this your custom error message you want to sent back to the client or is it osb generated one?

    If you dont do a reply action flow will enter system error handler which will overwrite whatever response you have set in the service error handler
  • 9. Re: OSB MustUnderstand SOAP fault
    810488 Newbie
    Currently Being Moderated
    This is the OSB generated one, now I have created a custom error msg in the service error handler to raise error and then reply with failure. Hope I'm on the right track.

    Regards
    Vick

    Edited by: 807485 on Nov 23, 2010 8:44 PM
  • 10. Re: OSB MustUnderstand SOAP fault
    687626 Expert
    Currently Being Moderated
    Yes..test it from soap ui .. you should see the custom response
  • 11. Re: OSB MustUnderstand SOAP fault
    809104 Newbie
    Currently Being Moderated
    Hi,

    I have a proxy service which is attached with OWSM policy "wss_username_token_service_policy" instead of Auth Policy in above case.

    When an request is sent with invalid user credentials it is not even going to OSB error handler.

    OWSM directly replying back to client with its error message. I want to send a custom message to client.

    Can anyone help me how i can do this.

    Thanks
    Raj

Legend

  • Correct Answers - 10 points
  • Helpful Answers - 5 points