Sample 153: Routing the Messages without Processing the Security Headers

<definitions xmlns="http://ws.apache.org/ns/synapse">
    <proxy name="StockQuoteProxy">
        <target>
            <inSequence>
                <property name="preserveProcessedHeaders" value="true"/>
                <send>
                    <endpoint>
                        <address uri="http://localhost:9000/services/SecureStockQuoteService"/>
                    </endpoint>
                </send>
            </inSequence>
            <outSequence>
                <send/>
            </outSequence>
        </target>
        <publishWSDL uri="file:repository/conf/sample/resources/proxy/sample_proxy_1.wsdl"/>
    </proxy>
</definitions>

Objective

Demonstrate the ability of Synapse to pass SOAP messages through without removing headers that have already been processed.

Pre-requisites

  • Download and install the Java Cryptography Extension (JCE) unlimited strength policy files for your JDK
  • Deploy the SecureStockQuoteService in the sample Axis2 server and start Axis2
  • Start Synapse using the configuration numbered 153 (repository/conf/sample/synapse_sample_153.xml)
    Unix/Linux: sh synapse.sh -sample 153
    Windows: synapse.bat -sample 153

Executing the Client

In this sample the proxy service receives secured messages whose security headers are flagged 'MustUnderstand'. Because the 'enableSec' element is not present in the proxy configuration, Synapse does not engage Apache Rampart on this proxy service. One would therefore expect a MustUnderstand failure exception in the AxisEngine before the message reaches the mediation engine. Synapse handles this case and lets the message through by marking all unprocessed MustUnderstand headers as processed. This enables Synapse to route the messages without reading the security headers: it simply routes the messages from client to service, both of which are secured.

To execute the client, send a stock quote request to the proxy service, and sign and encrypt the request by specifying the client-side security policy as follows:

ant stockquote -Dtrpurl=http://localhost:8280/services/StockQuoteProxy -Dpolicy=./../../repository/conf/sample/resources/policy/client_policy_3.xml

By following the debug logs or the TCPMon output, you can see that the request received by the proxy service was signed and encrypted. Looking up the WSDL of the proxy service at http://localhost:8280/services/StockQuoteProxy?wsdl also shows that no security policy attachments are present and that security is not engaged. When the message is sent to the backend service, you can verify that the security headers are the same as in the original message from the client to Synapse, and that the response received does use WS-Security and is forwarded back to the client without any modification. Note that this is not a security hole, because the message inside Synapse is signed and encrypted and can only be forwarded to a secure service.
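The comparison described above can be automated on envelopes saved from TCPMon. The following Python is an added example, not part of the Synapse sample: the envelope is constructed and abbreviated (not real Rampart output), and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

SOAP_NS = ("http://schemas.xmlsoap.org/soap/envelope/",
           "http://www.w3.org/2003/05/soap-envelope")
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed, abbreviated capture of the client -> proxy request (assumption).
INBOUND = f"""<s:Envelope xmlns:s="{SOAP_NS[0]}" xmlns:wsse="{WSSE}"
 xmlns:xenc="{XENC}" xmlns:ds="{DS}">
 <s:Header><wsse:Security s:mustUnderstand="1">
  <xenc:EncryptedKey Id="EK-1"/><ds:Signature Id="SIG-1"/>
 </wsse:Security></s:Header>
 <s:Body><xenc:EncryptedData Id="ED-1"/></s:Body></s:Envelope>"""

def shape(el):
    """Prefix-independent structural form of an element, used for comparison."""
    return (el.tag, tuple(sorted(el.attrib.items())), (el.text or "").strip(),
            tuple(shape(child) for child in el))

def summarize(envelope_xml):
    """Summarise the WS-Security state of one captured SOAP envelope."""
    root = ET.fromstring(envelope_xml)
    soap = root.tag[1:].split("}")[0]          # namespace of the root element
    if soap not in SOAP_NS or not root.tag.endswith("}Envelope"):
        raise ValueError("not a SOAP envelope")
    sec = root.find(f"{{{soap}}}Header/{{{WSSE}}}Security")
    body = root.find(f"{{{soap}}}Body")
    present = sec is not None
    return {
        "security_header": present,
        "must_understand": present
            and sec.get(f"{{{soap}}}mustUnderstand") in ("1", "true"),
        "signed": present and sec.find(f".//{{{DS}}}Signature") is not None,
        "body_encrypted": body is not None
            and body.find(f"{{{XENC}}}EncryptedData") is not None,
        "header_shape": shape(sec) if present else None,
    }

def passed_through(inbound_xml, outbound_xml):
    """True if the proxy -> backend hop carries the same, still-protected header."""
    before, after = summarize(inbound_xml), summarize(outbound_xml)
    protected = all(after[k] for k in
                    ("security_header", "must_understand", "body_encrypted"))
    return protected and before["header_shape"] == after["header_shape"]
```

Pass the request captured on port 8280 as `inbound_xml` and the one captured on the way to port 9000 as `outbound_xml`; a `False` result means the header was dropped, altered, or the body left the proxy unencrypted.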
