Error Handling In WLS 9 Policies Behaves Differently In WLS 10.3.4 and WLS 10.3.6 (Doc ID 1630920.1)

Last updated on JUNE 09, 2016

Applies to:

Oracle WebLogic Server - Version 10.3.4 to 10.3.6
Information in this document applies to any platform.

Symptoms

The way errors are handled when calling a web service that is secured (with X509) through WLS 9 policies has changed between WLS 10.3.4 and WLS 10.3.6.

WLS 10.3.6 simply returns an internal server exception, whereas WLS 10.3.4 gives a clear indication of what exactly went wrong.

This can be verified by defining a very simple echo service secured with custom WLS 9 policies. If you call that service with the right certificate, you get the expected reply. However, when the request is problematic, the behavior differs between the two versions.

On WLS 10.3.4, this is what you get:


1) Call to secured service without passing a certificate

<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<env:Header/>
<env:Body>
<env:Fault>
<faultcode>env:Server</faultcode>
<faultstring>No Security header in message but required by policy.</faultstring>
</env:Fault>
</env:Body>
</env:Envelope>


2) The same call but with an invalid certificate:

<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<env:Header/>
<env:Body>
<env:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<faultcode>wsse:InvalidSecurityToken</faultcode>
<faultstring>Security token failed to validate. weblogic.xml.crypto.wss.SecurityTokenValidateResult@11266c84[status: false][msg [
[
<CERTIFICATE_INFO (omitted because irrelevant)>
]]</faultstring>
</env:Fault>
</env:Body>
</env:Envelope>


3) The same call with a valid certificate but an unknown user

<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<env:Header/>
<env:Body>
<env:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<faultcode>wsse:FailedAuthentication</faultcode>
<faultstring>Failed to derive subject from token.javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User localhost javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User localhost denied</faultstring>
</env:Fault>
</env:Body>
</env:Envelope>


If you run the above scenarios on an identically configured WLS 10.3.6 instance, you always get the following:


<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<env:Header/>
<env:Body>
<env:Fault>
<faultcode>env:Server</faultcode>
<faultstring>Unknown exception, internal system processing error.</faultstring>
</env:Fault>
</env:Body>
</env:Envelope>


As you can see, this is completely different behavior and a lot less informative than what we see in WLS 10.3.4.
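The four responses above differ only in the faultcode QName and the faultstring. The Python script below is added here as an illustration and is not code from this Oracle note or from WebLogic itself. It parses a SOAP 1.1 Fault, resolves the faultcode prefix against the namespace declarations actually in scope (in responses 2 and 3 the wsse prefix is declared on the env:Fault element, not on the Envelope, so a fixed-prefix string comparison is unreliable), and maps each response to a triage label. The sample responses, the label names and the helper functions are constructed for the example.

```python
"""Triage WebLogic WS-Security SOAP 1.1 faults by resolved faultcode QName.
Added example; not code from the Oracle note or from WebLogic. Samples,
label names and helpers are constructed here."""
import io
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")


def parse_soap_fault(xml_text):
    """Return (faultcode_namespace, faultcode_localname, faultstring) or None.

    faultcode is a QName carried in element content, so its prefix must be
    resolved against the xmlns declarations in scope at that element.
    ElementTree discards xmlns attributes, so scopes are rebuilt from the
    iterparse start-ns events (emitted before the owning element's start).
    """
    scopes = [{}]      # stack of prefix -> URI maps, one entry per open element
    pending = {}       # declarations seen since the last 'start' event
    code = faultstring = None
    source = io.BytesIO(xml_text.encode("utf-8"))
    for event, payload in ET.iterparse(source, ("start-ns", "start", "end")):
        if event == "start-ns":
            prefix, uri = payload
            pending[prefix] = uri
        elif event == "start":
            scopes.append({**scopes[-1], **pending})
            pending = {}
        else:  # "end": the element's text is complete at this point
            elem = payload
            if elem.tag == "faultcode" and code is None:
                prefix, _, local = (elem.text or "").strip().rpartition(":")
                # an unprefixed code resolves via the default namespace ("")
                code = (scopes[-1].get(prefix), local)
            elif elem.tag == "faultstring" and faultstring is None:
                faultstring = (elem.text or "").strip()
            scopes.pop()
    if code is None:
        return None
    return code[0], code[1], faultstring or ""


def classify_fault(xml_text):
    """Map a response to a triage label (label names are this example's own)."""
    parsed = parse_soap_fault(xml_text)
    if parsed is None:
        return "NOT_A_FAULT"
    ns, local, text = parsed
    if (ns, local) == (WSSE, "InvalidSecurityToken"):
        return "INVALID_SECURITY_TOKEN"
    if (ns, local) == (WSSE, "FailedAuthentication"):
        return "FAILED_AUTHENTICATION"
    if (ns, local) == (SOAP_ENV, "Server"):
        if "Security header" in text:
            return "MISSING_SECURITY_HEADER"
        if text.startswith("Unknown exception"):
            return "OPAQUE_SERVER_FAULT"   # the WLS 10.3.6 catch-all shown above
        return "SERVER_FAULT"
    return "OTHER_FAULT"


def _envelope(fault_attrs, code, text):
    """Build a constructed SOAP 1.1 response shaped like those in the note."""
    return (
        f'<env:Envelope xmlns:env="{SOAP_ENV}"><env:Header/><env:Body>'
        f"<env:Fault{fault_attrs}><faultcode>{code}</faultcode>"
        f"<faultstring>{text}</faultstring></env:Fault></env:Body></env:Envelope>"
    )


# Constructed samples following the four responses shown in the note.
SAMPLES = {
    "no_cert_10_3_4": _envelope(
        "", "env:Server", "No Security header in message but required by policy."),
    # wsse: is declared on the Fault element itself, not on the Envelope
    "bad_cert_10_3_4": _envelope(
        f' xmlns:wsse="{WSSE}"', "wsse:InvalidSecurityToken",
        "Security token failed to validate. [certificate details omitted]"),
    "unknown_user_10_3_4": _envelope(
        f' xmlns:wsse="{WSSE}"', "wsse:FailedAuthentication",
        "Failed to derive subject from token. [Security:090304]Authentication Failed"),
    "any_error_10_3_6": _envelope(
        "", "env:Server", "Unknown exception, internal system processing error."),
    "success": (f'<env:Envelope xmlns:env="{SOAP_ENV}"><env:Body>'
                "<echoResponse>hello</echoResponse></env:Body></env:Envelope>"),
}


def classify_samples():
    """Label every constructed sample; handy for a quick self-check."""
    return {name: classify_fault(xml) for name, xml in SAMPLES.items()}


if __name__ == "__main__":
    for name, label in classify_samples().items():
        print(f"{name:22s} {label}")
```

Running the script labels the three WLS 10.3.4 responses as MISSING_SECURITY_HEADER, INVALID_SECURITY_TOKEN and FAILED_AUTHENTICATION, while the single WLS 10.3.6 response lands in OPAQUE_SERVER_FAULT regardless of which request caused it. In practice that means a client-side or gateway-side check like this one can only distinguish the failure modes on 10.3.4; on 10.3.6 the distinction has to be recovered from the server's own logs. Note also that the 10.3.4 faultstrings carry the attempted user name and certificate details back to the caller, so the server log remains the authoritative place to correlate in either version.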

Cause
