SOAP Fault "Access Denied" reported but no access control configured on server endpoint

Dominique Sacre · 2013-05-17T17:42:00+00:00

Summary SOAP Fault "Access Denied" reported but no access control configured on server endpoint Article Number 17785 Environment All Supported Operating Systems Artix 5.1 Artix JAX-WS Runtime Question/Problem Description SOAP Fault "Access Denied" reported but no access control configured on server endpointSOAP header UsernameToken causing the SOAP Fault "Access denied"<soap:Fault> <faultcode>soap:Server</faultcode> <faultstring>Access denied. Refer to the server log using the entry f669e274-5809-4ee7-ab1d-5b8de6c0a6d2 for details describing the reason for the failure.</faultstring> </soap:Fault> Clarifying Information Error Message Defect/Enhancement Number Cause A SOAP Fault stating "Access denied" is reported by Artix 5.1 JAX-WS server when a request arrives with the following SOAP header: <soapenv:Header> <m1:Security xmlns:m1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema" soapenv:mustUnderstand="0"> <m1:UsernameToken xsi:type="m1:UsernameTokenType"> <m1:Username>MyUserName</m1:Username> <m1:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText" xsi:type="m1:PasswordString">randompassword</m1:Password> </m1:UsernameToken> </m1:Security> </soapenv:Header> When the password attribute is set within the UsernameToken SOAP header of the incoming request; Artix 5.1 automatically tries to endorse the credentials using com.iona.cxf.security.rt.RequireTLSCredentialEndorser. Resolution If no endorsing action is required, the following configuration will deactivate this feature: <jaxws:endpoint name="{http://apache.org/hello_world_soap_http}SoapPort"> … <jaxws:features> <security:WSSUsernameTokenAuthServerConfig enableAuthorization="false" acquireISFToken="false" credentialEndorser="com.iona.cxf.security.rt.NoOpCredentialEndorser"/> </jaxws:features> </jaxws:endpoint> For further information please see the Artix 5.1 Security Guide, section "Artix Security Service - credentialEndorser attribute" Workaround Notes Attachment Created date: 06 September 2011 Last Modified: 13 February 2013 Last Published: 23 June 2012 First Published date: 10 September 2011 #KnowledgeDocs#Orbix

Summary	SOAP Fault "Access Denied" reported but no access control configured on server endpoint
Article Number	17785
Environment	All Supported Operating Systems Artix 5.1 Artix JAX-WS Runtime
Question/Problem Description	SOAP Fault "Access Denied" reported but no access control configured on server endpoint SOAP header UsernameToken causing the SOAP Fault "Access denied" <soap:Fault> <faultcode>soap:Server</faultcode> <faultstring>Access denied. Refer to the server log using the entry f669e274-5809-4ee7-ab1d-5b8de6c0a6d2 for details describing the reason for the failure.</faultstring> </soap:Fault>
Clarifying Information
Error Message
Defect/Enhancement Number
Cause	A SOAP Fault stating "Access denied" is reported by Artix 5.1 JAX-WS server when a request arrives with the following SOAP header: <soapenv:Header> <m1:Security xmlns:m1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema" soapenv:mustUnderstand="0"> <m1:UsernameToken xsi:type="m1:UsernameTokenType"> <m1:Username>MyUserName</m1:Username> <m1:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText" xsi:type="m1:PasswordString">randompassword</m1:Password> </m1:UsernameToken> </m1:Security> </soapenv:Header> When the password attribute is set within the UsernameToken SOAP header of the incoming request; Artix 5.1 automatically tries to endorse the credentials using com.iona.cxf.security.rt.RequireTLSCredentialEndorser.
Resolution	If no endorsing action is required, the following configuration will deactivate this feature: <jaxws:endpoint name="{http://apache.org/hello_world_soap_http}SoapPort"> … <jaxws:features> <security:WSSUsernameTokenAuthServerConfig enableAuthorization="false" acquireISFToken="false" credentialEndorser="com.iona.cxf.security.rt.NoOpCredentialEndorser"/> </jaxws:features> </jaxws:endpoint> For further information please see the Artix 5.1 Security Guide, section "Artix Security Service - credentialEndorser attribute"
Workaround
Notes
Attachment

Created date:	06 September 2011
Last Modified:	13 February 2013
Last Published:	23 June 2012
First Published date:	10 September 2011

#KnowledgeDocs
#Orbix

Sign up

Please log in or register:

Welcome to the Rocket Forum!

Please log in or register:

Scanning file for viruses.

This file cannot be downloaded