"Missing wsse:Security header in request" when I try posting a SOAP message with Axis2 and Rampart

Question

I feel like I've been looking at this issue forever.

Background: I have to call a secured third party web service. The body and a header block both need to be signed with a client certificate. If I disable Rampart and use tcpmon and capture the outgoing envelope, I can configure SOAPUI to send the message (by configuring SOAPUI to use the cert to sign the important parts discussed earlier). That tells me the message isn't the issue.

If I enable Rampart and capture the outgoing message, it looks correct (the two elements are signed, the security elements are all in place).

I get the following stack when I try calling the service with Rampart:

org.apache.axis2.AxisFault: Missing wsse:Security header in request
    at org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:166)
    at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:99)
    at org.apache.axis2.engine.Phase.invoke(Phase.java:318)
    at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:254)
    at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:160)
    at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:364)
    at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:417)
    at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:229)
    at org.apache.axis2.client.OperationClient.execute(OperationClient.java:165)
    at org.apache.axis2.axis2userguide.RetrieveCurrentBidResults_v20090801ServiceStub.retrieveCurrentBidResults_v20090801(RetrieveCurrentBidResults_v20090801ServiceStub.java:225)
    at org.transalta.weezer.soap.client.RetrieveCleanBidsClient.main(RetrieveCleanBidsClient.java:64)

and here is the policy.xml file I'm using:

<?xml version="1.0" encoding="UTF-8"?>
<wsp:Policy wsu:Id="SigEncr"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsp:ExactlyOne>
    <wsp:All>
        <sp:AsymmetricBinding
            xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <wsp:Policy>
                <sp:InitiatorToken>
                    <wsp:Policy>
                        <sp:X509Token
                            sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                            <wsp:Policy>
                                <sp:RequireThumbprintReference />
                                <sp:WssX509V1Token10 />
                            </wsp:Policy>
                        </sp:X509Token>
                    </wsp:Policy>
                </sp:InitiatorToken>
                <sp:RecipientToken>
                    <wsp:Policy>
                        <sp:X509Token
                            sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                            <wsp:Policy>
                                <sp:RequireThumbprintReference />
                                <sp:WssX509V3Token10 />
                            </wsp:Policy>
                        </sp:X509Token>
                    </wsp:Policy>
                </sp:RecipientToken>
                <sp:AlgorithmSuite>
                    <wsp:Policy>
                        <sp:TripleDesRsa15 />
                    </wsp:Policy>
                </sp:AlgorithmSuite>
                <sp:Layout>
                    <wsp:Policy>
                        <sp:Strict />
                    </wsp:Policy>
                </sp:Layout>
                <sp:OnlySignEntireHeadersAndBody />
            </wsp:Policy>
        </sp:AsymmetricBinding>
        <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <wsp:Policy>
                <sp:MustSupportRefKeyIdentifier />
                <sp:MustSupportRefIssuerSerial />
            </wsp:Policy>
        </sp:Wss10>
        <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <sp:Body />
            <sp:Header Name="CAISOWSHeader" Namespace="http://www.caiso.com/soa/2006-09-30/CAISOWSHeader.xsd" />
        </sp:SignedParts>
    </wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>

So what I want to know is what the heck is Rampart trying to tell me? I know the component it doesn't think is present IS there.

Answer 1

I solved this by modifying the rampart module to skip the 'security' phase and all phases after for the inflow.

private static void modifyRampartModule(ServiceClient serviceClient) {
    AxisConfiguration axisConfig = serviceClient.getAxisConfiguration();

    List<Phase> phases = axisConfig.getInFlowPhases();
    List<Phase> newPhases = new ArrayList<Phase>();
    for (Phase phase : phases) {
        if (!phase.getName().equalsIgnoreCase("security"))
            newPhases.add(phase);

        if (phase.getName().equalsIgnoreCase("security"))
            break;          
    }
    axisConfig.setInPhasesUptoAndIncludingPostDispatch(newPhases);
}

Answer 2

It is better if you have posted one of the captured request-response messages too. Since you are saying expected elements that are defined in the policy are singed, please check if the TimeStamp element is there in the request message. If the timestamp is there, then it MUST be signed too, in that case this might be the reason for the failure.

Answer 3

I applied the method "modifyRampartModule" of "Tambu", in my code, and it began to work fine. I had tried to do the same through configurations in the axis2.xml, but I should have done something wrong, because for me, didn't work.
The point is that the header must travel in the request and also in the response... but if you have a "Solution Provider", maybe will remove the header from the response... and You will be facing this issue.