11 Replies Latest reply: Jan 12, 2011 2:19 PM by 809104 RSS

    OSB MustUnderstand SOAP fault

    810488
      Hi,

      I was trying to apply the oracle Predefined auth.xml WS-policy to the osb proxy service and that will query a web service that is running on separate weblogic server, but I'm getting MustUnderstand SOAP fault does anyone seen this fault in OSB. Do I have to do any configuration changes on WLS?

      Proxy configured with:
      General tab -> WSDL based proxy service, this wsdl doesn't have ws-policy definitions inside.
      Transport tab -> Get all headers = no
      HTTP Transport tab -> HTTPS Required = No / Authentication = Basic
      Operation tab -> Enforce WS-I Compliance = not checked / Selection Algorithm = SOAP Body Type
      Message Content tab -> default settings
      Policy -> Added Auth.xml(predefined) policy to request policies.
      Security tab -> Process WS-Security header = No / Custom Authentication settings = none

      I'm using the following SOAP Message .

      when I change the mustunderstand="false" then it goes through.

      <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:data="http://eadf.ites.unsw.edu.au/data">
      <soap:Header>
           <wsse:Security soap:mustUnderstand="true" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:UsernameToken wsu:Id="UsernameToken-3" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                <wsse:Username>weblogic</wsse:Username>
                <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">weblogic</wsse:Password>
                <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">rIlOSF+/OECwu9H/qWujzA==</wsse:Nonce><wsu:Created>2010-11-16T06:12:17.273Z</wsu:Created></wsse:UsernameToken></wsse:Security>
      </soap:Header>
      <soap:Body>
      <data:getPersonCourseRequest>
      <data:Request>
      <data:Common>
      <data:TransactionID>?</data:TransactionID>
      <data:UserID>?</data:UserID>
      <data:PersonID>2113446</data:PersonID>
      </data:Common>
      <!--Optional:-->
      <data:Filter>
      <data:InstitutionCode>UNSWA</data:InstitutionCode>

      </data:Filter>
      </data:Request>
      </data:getPersonCourseRequest>
      </soap:Body>
      </soap:Envelope>

      I'm getting the following error

      <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
      <env:Header>
      <env:NotUnderstood qname="wsse:Security" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"/>
      </env:Header>
      <env:Body>
      <env:Fault>
      <env:Code>
      <env:Value>env:MustUnderstand</env:Value>
      </env:Code>
      <env:Reason>
      <env:Text xml:lang="en">One or more mandatory SOAP header blocks not understood</env:Text>
      </env:Reason>
      </env:Fault>
      </env:Body>
      </env:Envelope>}

      Thanks
      Vick
        • 1. Re: OSB MustUnderstand SOAP fault
          Anuj Dwivedi--Oracle
          Can you enable "Process WS-Security header" and test again?

          Regards,
          Anuj
          • 2. Re: OSB MustUnderstand SOAP fault
            810488
            Hi Anuj

            Thanks for your reply.

            I chenged the Process WS-Security Header to yes, but I'm getting the error BEA-386201.

            The proxy service is set to just rout the request to endpoint,

                 
                 <con:fault      xmlns:con="http://www.bea.com/wli/sb/context">
                 <con:errorCode>BEA-386201</con:errorCode>
                 <con:reason>
                 A web service security fault occurred[{http://www.w3.org/2003/05/soap-envelope}Receiver][Unable to add security token for identity]
                 </con:reason>
                 <con:details>
                 <err:WebServiceSecurityFault      xmlns:err="http://www.bea.com/wli/sb/errors">
                 <err:faultcode      xmlns:soap="http://www.w3.org/2003/05/soap-envelope">soap:Receiver</err:faultcode>
                 <err:faultstring>
                 Unable to add security token for identity
                 </err:faultstring>
                 </err:WebServiceSecurityFault>
                 </con:details>
                 <con:location>
                 <con:node>RouteNode1</con:node>
                 <con:path>request-pipeline</con:path>
                 </con:location>
                 </con:fault>

            Regards
            Vick

            Edited by: 807485 on Nov 21, 2010 6:01 PM
            • 3. Re: OSB MustUnderstand SOAP fault
              Anuj Dwivedi--Oracle
              I hope you are attaching the policy to the request operation only and NOT to the entire service. Please refer -

              WS-Security and proxy service: Unable to add security token for identity

              Regards,
              Anuj
              • 4. Re: OSB MustUnderstand SOAP fault
                810488
                Hi Anuj

                Thanks for that it worked when I use the OSB test console. I'm getting the error message when I type in the wrong user, now I'm going to use a Soapui as client to test it. and will let you know how I go

                Regards
                Vick
                • 5. Re: OSB MustUnderstand SOAP fault
                  810488
                  Hi

                  I was able to use the soapui as a client to test the Auth.xml, but if I type in the wrong username or password I'm only getting the requested payload back on the soapui response. if I wanted to send the meaningful error message to the client like *"Authentication Failed"* how do I do this in the OSB Proxy service? I tried error handler but no luck, Can anyone point me in the write direction?

                  Regards
                  Vick
                  • 6. Re: OSB MustUnderstand SOAP fault
                    687626
                    If you get an authentication failure, I think the flow will enter the service error handler of the proxy .. Can you try modifying your response here and then do a reply with failure?
                    • 7. Re: OSB MustUnderstand SOAP fault
                      810488
                      Hi

                      I removed the reply with failure action from service error handler and it worked. I could see the SOAP fault message in soapui as shown below, but I don't understand why reply with failure didn't work.

                      <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
                      <env:Header/>
                      <env:Body>
                      <env:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                      <Code xmlns="http://www.w3.org/2003/05/soap-envelope">
                      <Value>env:Sender</Value>
                      <Subcode>
                      <Value>wsse:FailedAuthentication</Value>
                      </Subcode>
                      </Code>
                      <Reason xmlns="http://www.w3.org/2003/05/soap-envelope">
                      <Text xml:lang="en-US">Failed to assert identity with UsernameToken.</Text>
                      </Reason>
                      </env:Fault>
                      </env:Body>
                      </env:Envelope>

                      Regards
                      Vick
                      • 8. Re: OSB MustUnderstand SOAP fault
                        687626
                        Is this your custom error message you want to sent back to the client or is it osb generated one?

                        If you dont do a reply action flow will enter system error handler which will overwrite whatever response you have set in the service error handler
                        • 9. Re: OSB MustUnderstand SOAP fault
                          810488
                          This is the OSB generated one, now I have created a custom error msg in the service error handler to raise error and then reply with failure. Hope I'm on the right track.

                          Regards
                          Vick

                          Edited by: 807485 on Nov 23, 2010 8:44 PM
                          • 10. Re: OSB MustUnderstand SOAP fault
                            687626
                            Yes..test it from soap ui .. you should see the custom response
                            • 11. Re: OSB MustUnderstand SOAP fault
                              809104
                              Hi,

                              I have a proxy service which is attached with OWSM policy "wss_username_token_service_policy" instead of Auth Policy in above case.

                              When an request is sent with invalid user credentials it is not even going to OSB error handler.

                              OWSM directly replying back to client with its error message. I want to send a custom message to client.

                              Can anyone help me how i can do this.

                              Thanks
                              Raj