Thursday, October 6, 2011

Calling an OWSM protected service with Axis2 and Rampart

In a previous blogpost I used Axis 1.4 in combination with WSS4J 1.5 and because Axis 1.4 is getting old so I tried the same with Axis 2 and Rampart which uses WSSJ. For all the security details like the username and how to generate certificates you can check see my previous post.

Just like the Axis 1.4 post I will call a OSB service which has an oracle/wss10_username_token_with_message_protection_service_policy OWSM server policy.

Before we start we need to download axis2 and the matching Rampart version, I use in this blogpost the 1.60 versions of axis2 and Rampart.  Copy the Rampart jars to the axis lib folder and the Rampart modules to the axis2 modules folder.

Download the WSDL with it's XSDs from the Web Service.

After that use this ANT build file to generate a ADB web service proxy client. The wsdl I used has the Customer.wsdl as name.
This OWSM policy have different signing and encryption options on the message of the request / response. So we need to move the right WS security policies / assertions from the Customer WSDL to a Request and Response policy file.

Here is the Request Policy which matches with the oracle/wss10_username_token_with_message_protection_service_policy Server policy. I also added the Rampart Configuration which contains references to the keystore and the username I used. Add the sp:AsymmetricBinding, sp:SignedSupportingTokens and the sp:SignedParts & sp:EncryptedParts of the request from the customer wsdl to this policy file.
We also need to do this for the Response. Add the sp:AsymmetricBinding and the sp:SignedParts & sp:EncryptedParts of the response from the customer wsdl to this policy file.
Because we are using a keystore and a username token ( which got passwords ) we need to add a Password Callback class.
And here the test client which loads the Axis2 configuration with the Addressing and Rampart modules and also loads the Request and Response policy.
Here you can download my code at


  1. How did you create the request and response policy files? I am trying to configure the same, but using the wss11_username_token_with_message_protection_server_policy.

    1. Hi,

      I think the wss11 policies can be tricky , can you try the wss10 policies first.


    2. Thanks for the reply. I switched to the wss10 policies (and have realized how to generate the request / response policies from the generate stubs), but I am getting the following exception:

      Exception in thread "main" org.apache.axis2.AxisFault: A required header representing a Message Addressing Property is not present
      at org.apache.axis2.addressing.AddressingFaultsHelper.triggerAddressingFault(
      at org.apache.axis2.addressing.AddressingFaultsHelper.triggerMessageAddressingRequiredFault(
      at org.apache.axis2.handlers.addressing.AddressingInHandler.checkForMandatoryHeaders(
      at org.apache.axis2.handlers.addressing.AddressingInHandler.extractAddressingInformation(
      at org.apache.axis2.handlers.addressing.AddressingInHandler.doInvoke(
      at org.apache.axis2.handlers.AbstractTemplatedHandler.invoke(
      at org.apache.axis2.engine.Phase.invokeHandler(
      at org.apache.axis2.engine.Phase.invoke(
      at org.apache.axis2.engine.AxisEngine.invoke(
      at org.apache.axis2.engine.AxisEngine.receive(
      at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(
      at org.apache.axis2.description.OutInAxisOperationClient.send(
      at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(
      at org.apache.axis2.client.OperationClient.execute(
      at EmailSOAServiceStub.sendEmail(
      at SOATestClient.main(

      Any ideas?

    3. Hi,

      it seems like it missing the addressing element in the header or encryption failed first.

      good luck

    4. For some reason Oracle doesn't send back a valid Ws-Addressing header.
      If you look at the response message, you'll see the mandatory wsa:Action header is missing. e.g.



      The relevant section of the WS-Addressing spec is here:

      On the oracle side, try adding the oracle/no_addressing_policy

    5. Hi t-rane,

      Can you please suggest how to generate Request / Response policy files using generated stubs from Axis2?