10

I'm using the SOAPUI tool to access JAX-WS web services deployed in Weblogic 10.3.2.

Request:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ws="http://ws.pc3.polk.com/">
    <soapenv:Header>
        <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <wsu:Timestamp wsu:Id="Timestamp-1" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                <wsu:Created>2010-12-03T21:10:43Z</wsu:Created>
                <wsu:Expires>2010-12-03T21:44:03Z</wsu:Expires>
            </wsu:Timestamp>
            <wsu:Timestamp wsu:Id="Timestamp-60" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                <wsu:Created>2010-12-03T20:10:39Z</wsu:Created>
                <wsu:Expires>2010-12-03T20:43:59Z</wsu:Expires>
            </wsu:Timestamp>
            <wsse:UsernameToken wsu:Id="UsernameToken-59" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                <wsse:Username>rwerqre</wsse:Username>
                <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">ewrqwrwerqer</wsse:Password>
                <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">Nmw0ksmiOX+hkiSoWb2Rjg==</wsse:Nonce>
                <wsu:Created>2010-12-03T20:10:39.649Z</wsu:Created>
            </wsse:UsernameToken>
        </wsse:Security>
    </soapenv:Header>
   <soapenv:Body>
      <ws:getMetadata/>
   </soapenv:Body>
</soapenv:Envelope>

Response:

<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
   <S:Body>
      <SOAP-ENV:Fault xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
         <faultcode>SOAP-ENV:MustUnderstand</faultcode>
         <faultstring>MustUnderstand headers:[{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security] are not understood</faultstring>
      </SOAP-ENV:Fault>
   </S:Body>
</S:Envelope>
David Buck
Roman Kagan

5 Answers

10

You can configure a dummy SOAPHandler for {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security that would mark this header as 'understood'.

Or you could change the SOAP request (on the caller side) to set mustUnderstand="0" in the security header.

Example security SOAP header with mustUnderstand="0":

<S:Header xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
   <wsse:Security S:mustUnderstand="0" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:UsernameToken>
         <wsse:Username>USERNAME</wsse:Username>
         <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">PASSWORD</wsse:Password>
      </wsse:UsernameToken>
   </wsse:Security>
</S:Header>
eebbesen
rustyx
  • 1
    I would love to see more details on "configure a dummy SOAPHandler for {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security that would mark this header as 'understood'." – Jono Feb 10 '14 at 21:15
  • 1
    I'd also like to see such a dummy SOAP Handler – Frizz Jun 26 '14 at 07:28
  • 4
    Just implement a [SOAPHandler](http://docs.oracle.com/javaee/5/api/javax/xml/ws/handler/soap/SOAPHandler.html) that returns `{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security` from `getHeaders()` but whose `handle..` methods do nothing (return true). That's it. – rustyx Jun 27 '14 at 12:36
  • In my case even the call is not coming to `SOAPHandler`, it's going away from `SoapMessageDispatcher` of `handleHeaders()`. Could you please guide: https://stackoverflow.com/questions/60260277/could-not-handle-mustunderstand-headers-http-docs-oasis-open-org-wss-2004-01 – PAA Feb 19 '20 at 11:23
7

After much research, this article solves this issue.

http://dwuysan.wordpress.com/2012/04/02/jax-ws-wsimport-and-the-error-mustunderstand-headers-not-understood/#comment-215

user1250852
3

As per WS security specification: The processor MUST, after decrypting the encrypted header block, process the decrypted header block according to the SOAP processing guidelines. The receiver MUST raise a fault if any content required to adequately process the header block remains encrypted or if the decrypted SOAP header is not understood and the value of the S12:mustUnderstand or S11:mustUnderstand attribute on the decrypted header block is true. Note that in order to comply with SOAP processing rules in this case, the processor must roll back any persistent effects of processing the security header, such as storing a received token. So please check Configuration of CallbackHandlers.

Jitendra Vispute
  • 2
    Ah, overarchitected specifications standing in the way of getting things done, once again. – aroth Apr 12 '16 at 07:23
2

The issue is with the handlers. You need to add the following in the handler implementation:

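// Requires java.util.HashSet, java.util.Set and javax.xml.namespace.QName.
// Declares wsse:Security as a header this handler understands.
public Set<QName> getHeaders() {
    final QName securityHeader = new QName(
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
        "Security",
        "wsse");

    final Set<QName> headers = new HashSet<QName>();
    headers.add(securityHeader);
    return headers;
}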
  • Could you please guide here: https://stackoverflow.com/questions/60260277/could-not-handle-mustunderstand-headers-http-docs-oasis-open-org-wss-2004-01 ? – PAA Feb 19 '20 at 12:05
-2

In SOAP UI Navigator,

right-click your project -> Show Project View -> WS-Security Configurations -> Outgoing WS-Security Configurations. Uncheck Must Understand, and then send the request.

Gokul