
Having WSO2 ESB 4.9.0, is it possible to enable client WS-Security and set up a policy for the endpoint, where the external (backend) service returns an MTOM attachment?

Requirement: the external backend service requires the request to be signed and (optionally) returns an MTOM response, which is not signed (plain).

As soon as the Rampart module is engaged and an inbound policy is in force, the response doesn't get through a simple proxy, failing with the following exception:

Caused by: org.apache.ws.security.WSSecurityException: Error in converting SOAP Envelope to Document; nested exception is:
        org.apache.axiom.om.OMException: javax.xml.stream.XMLStreamException: Expected xop:Include as the sole child of an element information item (see section 3.2 of http://www.w3.org/TR/xop10/)
        at org.apache.rampart.util.Axis2Util.getDocumentFromSOAPEnvelope(Axis2Util.java:149)
        at org.apache.rampart.RampartMessageData.<init>(RampartMessageData.java:268)
        ... 11 more
Caused by: org.apache.axiom.om.OMException: javax.xml.stream.XMLStreamException: Expected xop:Include as the sole child of an element information item (see section 3.2 of http://www.w3.org/TR/xop10/)
        at org.apache.axiom.om.impl.builder.StAXOMBuilder.next(StAXOMBuilder.java:296)
        at org.apache.axiom.om.impl.llom.OMSerializableImpl.build(OMSerializableImpl.java:78)
        at org.apache.axiom.om.impl.llom.OMElementImpl.build(OMElementImpl.java:722)
        at org.apache.rampart.util.Axis2Util.getDocumentFromSOAPEnvelope(Axis2Util.java:84)
        ... 12 more
Caused by: javax.xml.stream.XMLStreamException: Expected xop:Include as the sole child of an element information item (see section 3.2 of http://www.w3.org/TR/xop10/)
        at org.apache.axiom.util.stax.xop.XOPDecodingStreamReader.next(XOPDecodingStreamReader.java:187)
        at org.apache.axiom.om.impl.builder.StAXOMBuilder.parserNext(StAXOMBuilder.java:681)
        at org.apache.axiom.om.impl.builder.StAXOMBuilder.next(StAXOMBuilder.java:214)
        ... 15 more

However - there is the Include element:

<inc:Include href="cid:30545cee-7014-4149-8b77-7014e3e12a8c@xxxxxxx" xmlns:inc="http://www.w3.org/2004/08/xop/include"/>

Trying to test the service locally (creating a mockup service similar to the external service) I've got an exception:

Caused by: org.apache.axiom.om.OMException: Part content ID cannot be blank for non root MIME parts
        at org.apache.axiom.attachments.Attachments.getNextPartDataHandler(Attachments.java:648)
        at org.apache.axiom.attachments.Attachments.getDataHandler(Attachments.java:350)

which I assume is related to the issue https://wso2.org/jira/browse/ESBJAVA-3585. Is it related, or do I have a wrong mockup service? Does MTOM work with a security policy enabled?

gusto2

1 Answer


Seems there are two issues involved:

Caused by: javax.xml.stream.XMLStreamException: Expected xop:Include as the sole child of an element information item (see section 3.2 of http://www.w3.org/TR/xop10/)

This is caused by the "pretty print" feature of the backend service. Axis2 enforces the specification strictly, where the xop:Include element must be the sole and only child, therefore no whitespace is allowed.

org.apache.axiom.om.OMException: Part content ID cannot be blank for non root MIME parts

This seems to be a bug, not yet solved at this time: https://wso2.org/jira/browse/ESBJAVA-3585

A workaround could be to change the message type to text/xml (effectively inserting the base64 payload into the XML element), which is good for small/reasonable attachment sizes.

If the attachments can be bigger or the load is high, consider storing the attachment as a file and passing back only the file name.

gusto2
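
A diagnostic for the first issue described in the answer above, as an added example that is not part of the original post and not WSO2, Axis2 or Axiom code: it scans a captured root MIME part (the SOAP envelope) for xop:Include elements that are not the sole child of their parent. The `getFileResponse`/`content` element names, the `cid:` values and both sample envelopes are constructed for illustration.

```python
import xml.etree.ElementTree as ET

XOP_INCLUDE = "{http://www.w3.org/2004/08/xop/include}Include"

def find_xop_violations(root_part_xml):
    """Return (parent_tag, reason) for each xop:Include that is not the sole child.

    Note: ElementTree drops XML comments and processing instructions while
    parsing, so only element, text and whitespace siblings are detected here.
    """
    root = ET.fromstring(root_part_xml)
    violations = []
    for parent in root.iter():
        children = list(parent)
        includes = [c for c in children if c.tag == XOP_INCLUDE]
        if not includes:
            continue
        if len(children) > 1:
            violations.append((parent.tag, "sibling elements next to xop:Include"))
            continue
        # Text before the Include lives in parent.text, text after it in its tail.
        surrounding = (parent.text or "") + (includes[0].tail or "")
        if surrounding.strip():
            violations.append((parent.tag, "text content next to xop:Include"))
        elif surrounding:
            violations.append((parent.tag, "whitespace around xop:Include (pretty print)"))
    return violations

# Constructed sample: pretty-printed backend response (indentation around Include).
PRETTY = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <getFileResponse>
      <content>
        <inc:Include href="cid:constructed-part-1@example.org"
                     xmlns:inc="http://www.w3.org/2004/08/xop/include"/>
      </content>
    </getFileResponse>
  </soapenv:Body>
</soapenv:Envelope>"""

# Constructed sample: same response with Include as the sole child of <content>.
COMPACT = (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    "<soapenv:Body><getFileResponse><content>"
    '<inc:Include href="cid:constructed-part-1@example.org" '
    'xmlns:inc="http://www.w3.org/2004/08/xop/include"/>'
    "</content></getFileResponse></soapenv:Body></soapenv:Envelope>"
)

if __name__ == "__main__":
    print(find_xop_violations(PRETTY))
    print(find_xop_violations(COMPACT))
```

Run it against the root part of a response captured before the proxy; an empty list means the envelope meets the sole-child rule the exception message refers to.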