This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.
Sample 153: Routing Messages that Arrive to a Proxy Service without Processing Security Headers
Note that WSO2 EI is shipped with the following changes to what is mentioned in this documentation:
<PRODUCT_HOME>/
repository/samples/
directory that includes all Integration profile samples is changed to<EI_HOME>/
samples/service-bus/
.<PRODUCT_HOME>/
repository/samples/resources/
directory that includes all artifacts related to the Integration profile samples is changed to<EI_HOME>/
samples/service-bus/resources/
.
Introduction
This sample demonstrates how you can route messages that arrive to a proxy service without processing the MustUnderstand
 headers.
In this sample the proxy service will receive a secure message with the MustUnderstand
 header. Since the element enableSec
is not present in the proxy configuration, the ESB will not engage Apache Rampart on this proxy service. It is expected that a MustUnderstand
 failure exception should occur at the AxisEngine
 before the message reaches the ESB, but here since the ESB handles this message and gets it in by setting all the headers that are MustUnderstand
 and not processed to the processed state, this will enable the ESB to route the messages without processing the security headers.
Prerequisites
- For a list of general prerequisites, see Prerequisites to start ESB samples.
- This sample uses Apache Rampart as the back-end security implementation. Therefore, you need to download and install the unlimited strength policy files for your JDK before using Apache Rampart. Follow the steps below to download and install the unlimited strength policy files:
Go to http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html, and download the unlimited strength JCE policy files for your JDK version.
- Uncompress and extract the downloaded ZIP file. This creates a directory named JCE that contains theÂ
local_policy.jar
 andÂUS_export_policy.jar
 files. - In your Java installation directory, go to theÂ
jre/lib/security
 directory, and make a copy of the existingÂlocal_policy.jar
 andÂUS_export_policy.jar
 files. Next, replace the original policy files with the policy files that you extracted in the previous step.
Building the sample
The XML configuration for this sample is as follows:Â
<definitions xmlns="http://ws.apache.org/ns/synapse"> <proxy name="StockQuoteProxy"> <target> <inSequence> <property name="preserveProcessedHeaders" value="true"/> <send> <endpoint> <address uri="http://localhost:9000/services/SecureStockQuoteService"/> </endpoint> </send> </inSequence> <outSequence> <send/> </outSequence> </target> <publishWSDL uri="file:repository/samples/resources/proxy/sample_proxy_1.wsdl"/> </proxy> </definitions>
This configuration file  synapse_sample_153.xmlÂ
is available in the <ESB_HOME>/repository/samplesÂ
directory.
To build the sample
Start the ESB with the sample 153 configuration. For instructions on starting a sample ESB configuration, see Starting the ESB with a sample configuration.
The operation log keeps running until the server starts, which usually takes several seconds. Wait until the server has fully booted up and displays a message similar to "WSO2 Carbon started in n seconds."Start the Axis2 server. For instructions on starting the Axis2 server, see Starting the Axis2 server.
Deploy the back-end service Â
SecureStockQuoteService
. For instructions on deploying sample back-end services, see Deploying sample back-end services.
Note
When you run this sample, the bouncyCastle.jar
file that is used for encryption does not load into the axis2 client. This is due to an issue with the axis2Client shipped with WSO2 Enterprise Integrator. Therefore, before running the client, you need to copy the bcprov-jdk15on.jar
file from the <EI_HOME>/repository/axis2/client/lib
directory to the <EI_HOME>/wso2/components/plugins
directory.
Executing the sample
The sample client used here is the Stock Quote Client, which can operate in several modes. For further details on this sample client and its operation modes, see Stock Quote Client.
To execute the sample client
Run the following command from theÂ
<ESB_HOME>/samples/axis2Client
 directory.Âant stockquote -Dtrpurl=http://localhost:8280/services/StockQuoteProxy -Dpolicy=./../../repository/samples/resources/policy/client_policy_3.xml
This sends a stock quote request to the proxy service and also signs and encrypts the request by specifying the client side security policy.
Analyzing the output
By analyzing the debug log output or the TCPMon output, you will see that the request received by the proxy service is signed and encrypted.
You can look up the WSDL of the proxy service by requesting the URL http://localhost:8280/services/StockQuoteProxy?wsdl , in order to confirm that the security policy attachments are not available and that security is not engaged.
When sending the message to the backend service, you can verify that the security headers were present as in the original message to the ESB from the client, and that the response received does use WS-Security and forwards the message back to the client without any modification. Since the message inside the ESB is signed and encrypted and can only be forwarded to a secure service, you will see that this is not a security loophole.