This documentation is for WSO2 Enterprise Service Bus version 4.7.0 . View documentation for the latest release.
Skip to end of metadata
Go to start of metadata

Objective: Routing the messages arrived to a Proxy Service without processing the MustUnderstand headers (Security header).

<definitions xmlns="">
    <proxy name="StockQuoteProxy">
                        <address uri="http://localhost:9000/services/SecureStockQuoteService"/>
        <publishWSDL uri="file:repository/samples/resources/proxy/sample_proxy_1.wsdl"/>

The Proxy Service will receive secure messages with security headers which are MustUnderstand. But hence element "enableSec" is not present in the proxy configuration ESB will not engage that Apache Rampart on this Proxy Service. It is expected that an MustUnderstand failure exception on the AxisEngine would occur before the message arrives ESB. But ESB handles this message and gets it in by setting all the headers which are MustUnderstand and not processed to processed state. This will enable ESB to route the messages without reading the Security headers (just routing the messages from client to service, both of which are secure). To execute the client, send a stock quote request to the Proxy Service, sign and encrypt the request by specifying the client side security policy as follows:

ant stockquote -Dtrpurl=http://localhost:8280/services/StockQuoteProxy -Dpolicy=./../../repository/samples/resources/policy/client_policy_3.xml

By following through the debug logs or TCPMon output you could see that the request received by the Proxy Service was signed and encrypted. Also looking up the WSDL of the Proxy Service by requesting the URL http://localhost:8280/services/StockQuoteProxy?wsdl reveals the security policy attachments are not there and security is not engaged. When sending the message to the backend service, you could verify that the security headers were there as in the original message to ESB from client and that the response received does use WS-Security, and forwarded back to the client without any modification. You should note that this won't be a security hole because the message inside ESB is signed and encrypted and can only be forwarded to a secure service to be useful.

  • No labels