
Web service client handler with SAML token is not called when security policy is applied (Doc ID 1286684.1)

Last updated on JANUARY 29, 2022

Applies to:

Oracle WebLogic Server - Version 10.3 and later
Information in this document applies to any platform.

Symptoms

When a Web service client handler is used to insert a SAML token into the SOAP header for Web service authentication, the client handler is not called if a security policy is applied to the Web service. Instead, the following exception is thrown on the client side:

java.rmi.RemoteException: SOAPFaultException - FaultCode [{http://schemas.xmlsoap.org/soap/envelope/}Server] FaultString [Unable to add security token for identity] FaultActor [null]No Detail; nested exception is:


There is no workaround for this issue.

Steps to replicate the issue:

  • Use clientgen with the clientChainFile attribute to generate the client stub for the Web service.
  • Apply a security policy such as the following sample:
<?xml version="1.0"?>

<wsp:Policy
 xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
 xmlns:wssp="http://www.bea.com/wls90/security/policy"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part"
 ... ... ...
 <wssp:Identity>
   <wssp:SupportedTokens>    
     <wssp:SecurityToken TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-2004-01-saml-token-profile-1.0#SAMLAssertionID"
        ... ... ...
       <wssp:Claims>
         <wssp:ConfirmationMethod>sender-vouches</wssp:ConfirmationMethod>
         <wssp:TokenLifeTime>3600</wssp:TokenLifeTime>
       </wssp:Claims>
    </wssp:SecurityToken>    
   </wssp:SupportedTokens>
 </wssp:Identity>
</wsp:Policy>

 

  • Then write a test client to invoke the above Web service; the following SOAP fault will be thrown:
java.rmi.RemoteException: SOAPFaultException - FaultCode [{http://schemas.xmlsoap.org/soap/envelope/}Server] FaultString [Unable to add security token for identity] FaultActor [null]No Detail; nested exception is:
weblogic.wsee.jaxrpc.soapfault.WLSOAPFaultException: Unable to add security token for identity

 

  • Remove the security policy from the webservice.  Run the test client again, and it will work.
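
When triaging this fault, it helps to confirm that the policy attached to the service has the shape shown in the steps above: an Identity assertion that asks for a SAML token. The following script is an added example, not part of the Oracle note or of WebLogic; the function name and the sample policy are constructed here, and the sample contains only the elements visible in the note.

```python
# Added example (not from the Oracle note): report SAML SecurityToken entries
# declared under wssp:Identity in a WS-Policy file, the policy shape in this note.
# Intended for policy files you control; use a hardened parser for untrusted XML.
import xml.etree.ElementTree as ET

WSSP = "http://www.bea.com/wls90/security/policy"  # namespace taken from the note
SAML_MARKER = "saml-token-profile"                 # substring of the note's TokenType URI

# Constructed sample: the elided parts of the note's policy are simply left out.
SAMPLE_POLICY = """<?xml version="1.0"?>
<wsp:Policy
 xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
 xmlns:wssp="http://www.bea.com/wls90/security/policy">
 <wssp:Identity>
   <wssp:SupportedTokens>
     <wssp:SecurityToken TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-2004-01-saml-token-profile-1.0#SAMLAssertionID">
       <wssp:Claims>
         <wssp:ConfirmationMethod>sender-vouches</wssp:ConfirmationMethod>
         <wssp:TokenLifeTime>3600</wssp:TokenLifeTime>
       </wssp:Claims>
     </wssp:SecurityToken>
   </wssp:SupportedTokens>
 </wssp:Identity>
</wsp:Policy>"""


def saml_identity_tokens(policy_xml):
    """Return one dict per SAML SecurityToken found under wssp:Identity."""
    root = ET.fromstring(policy_xml)
    ns = {"wssp": WSSP}
    path = ".//wssp:Identity/wssp:SupportedTokens/wssp:SecurityToken"
    found = []
    for tok in root.findall(path, ns):
        token_type = tok.get("TokenType", "")
        if SAML_MARKER not in token_type.lower():
            continue  # identity token of another type, not the case in this note
        method = tok.findtext("wssp:Claims/wssp:ConfirmationMethod", default="", namespaces=ns)
        lifetime = tok.findtext("wssp:Claims/wssp:TokenLifeTime", default="", namespaces=ns).strip()
        found.append({
            "token_type": token_type,
            "confirmation": method.strip(),
            "lifetime_s": int(lifetime) if lifetime.isdigit() else None,
        })
    return found


if __name__ == "__main__":
    for entry in saml_identity_tokens(SAMPLE_POLICY):
        print("SAML identity assertion:", entry)
```

An empty result means the policy does not declare a SAML identity token, so the policy differs from the one in the replication steps.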

Changes

 

Cause
