OWSM-Policy Does Not Delete Security-Header
Last updated on NOVEMBER 22, 2016
Applies to: Oracle Web Services Manager - Version 126.96.36.199.0 and later
Information in this document applies to any platform.
A chain of service calls fails occasionally on individual nodes of the cluster:
A business application (BA) calls a composite, which in turn calls another composite. Between the BA and the first composite, OWSM client and service policies are used with custom policy assertions. The response is not affected by the policy; that means it should not contain any WS-Security headers.
The call between the first and second Composite is secured by SAML client and service policies. The second composite should receive a response that contains a wsse:Security element in the SOAP-Header. OWSM presumably processes and removes the element from the header.
The header of the response from the first composite to be passed to the BA contains only the default WSA-Headers of SOA Suite (wsa:MessageID, wsa:ReplyTo, and wsa:FaultTo). This header is understood by the BA. However, there can be occasions where the second composite receives the response, but does not remove the wsse:Security element from the SOAP-Header and this is then propagated to the calling BA.
Since the element carries the env:mustUnderstand attribute, the BA raises an exception because it does not understand the WS-Security header.
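The failure condition described above can be checked on captured responses. The following Python sketch is an added example, not code from Oracle or from this article; it flags header blocks marked mustUnderstand that the caller does not understand. The understood set mirrors the three WSA headers named above, the sample envelopes are constructed, and actor/role targeting is ignored.

```python
import xml.etree.ElementTree as ET

SOAP_NS = ("http://schemas.xmlsoap.org/soap/envelope/",   # SOAP 1.1
           "http://www.w3.org/2003/05/soap-envelope")     # SOAP 1.2
WSA = "http://www.w3.org/2005/08/addressing"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
# Header blocks the calling BA understands, per the article (assumed complete).
UNDERSTOOD = {(WSA, "MessageID"), (WSA, "ReplyTo"), (WSA, "FaultTo")}

# Constructed sample responses, not taken from the article.
_WSA_HDR = '<wsa:MessageID xmlns:wsa="%s">urn:uuid:constructed</wsa:MessageID>' % WSA
CLEAN = ('<env:Envelope xmlns:env="%s"><env:Header>%s</env:Header>'
         '<env:Body/></env:Envelope>' % (SOAP_NS[0], _WSA_HDR))
LEAKED = ('<env:Envelope xmlns:env="%s"><env:Header>%s'
          '<wsse:Security xmlns:wsse="%s" env:mustUnderstand="1"/>'
          '</env:Header><env:Body/></env:Envelope>'
          % (SOAP_NS[0], _WSA_HDR, WSSE))


def split_qname(tag):
    """'{ns}local' -> (ns, local); un-namespaced tags get ns ''."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def unprocessed_mandatory_headers(envelope_xml, understood=UNDERSTOOD):
    """Return (ns, local) of header blocks that are marked mustUnderstand
    but are not in the set of blocks the receiver understands."""
    root = ET.fromstring(envelope_xml)
    env_ns, local = split_qname(root.tag)
    if local != "Envelope" or env_ns not in SOAP_NS:
        raise ValueError("not a SOAP envelope")
    header = root.find("{%s}Header" % env_ns)
    hits = []
    for block in (header if header is not None else []):
        # SOAP 1.1 uses "1"; SOAP 1.2 allows "1" or "true".
        flag = block.get("{%s}mustUnderstand" % env_ns, "0").strip()
        if flag in ("1", "true") and split_qname(block.tag) not in understood:
            hits.append(split_qname(block.tag))
    return hits


def leaked_ws_security(envelope_xml):
    """True when a mandatory wsse:Security block reached the caller."""
    return (WSSE, "Security") in unprocessed_mandatory_headers(envelope_xml)
```

Running `leaked_ws_security` over responses captured per node helps confirm which cluster member returns the unprocessed header.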
Further analysis reveals that the problem occurs only with calls to a particular operation of the composite and only on a single node. It appears that the occurrence of the problem correlates with deployment of composites:
A few composites were deployed and each node was restarted individually afterwards. However, the affected composite was part of the deployment. In the past, the faulty behavior was also noticed during tests after deploying SOA artifacts to the cluster. It seems that the SOA Suite/OWSM somehow merges the headers of the responses.
The issue does not occur on every node and it can be resolved with a restart of the affected node. The error received is: