How to Handle Soap Request without header information?


We are using a third party WSDL which does not have the authentication information hence when we are consuming and running the connector it is throwing the below error .

Error: Inbound SOAP Message - Session Token is missing or invalid or has expired

However when we are adding the below XML tags in the request and submitting it using SOAPUi it is working fine.

It seems we need to create a java service to add this header information in the webservice.

Can someone please help us what needs to be done to use the webservice.If we can have some inbuilt service to pass the header information?



Are you adding these tags in the Body or the header of the SOAP message? Refer to the WmPublic/pub.soap.utils for adding header/body entries.

You will have to create a security handler and then set the rght policy file, in this case i believe it is “Consumer policy for username”. Refer to the 8-0-SP1_Web_Services_Developers_Guide.pdf on page 134 for more information.


Small description of the problem and how we have solved it:

  1. 1st of all – we have had problem org.apache.axis2.AxisFault: Peer sent alert: Alert Fatal: unexpected message
    We’ve been focusing on https certificates. I’ve tried to configure multiple things like auth/transport/serverCerts/privateKey, auth/transport/serverCerts/certChain, auth/message/partnerCert etc.

We have had recently similar issue on Itella connection and there we have had 2 errors: Peer sent alert: Alert Fatal: handshake failure
And when we have used not valid certificate: Peer sent alert: Alert Fatal: decrypt error

For Itella it was cause due to authentication problem. They are only allowing users with register keys to authenticate.

In here we have had different problem. I’ve been searching for unexpected message error, but I couldn’t find anything.
Finally I’ve notice that they are using TSL 1.2 and that was the problem. The only thing that we needed to change is one variable in the webservice connector when we are invoking pub.client:soapClient. There is useJSSE parameter that by default is not set and then by default it is using TSL 1.0. Only what we needed to do is to change it to yes and then it was working.

  1. As the MZ was always working without user/password we though it would be good to introduce this as we already done some changes there. So Edgar has enabled it on his side… and here was new problem. Error that we’ve got is:
    Soap fault code: ns1:SecurityError
    Soap fault string: A security error was encountered when verifying the message

We’ve got same from SoapUI … and then Edgar told that after he has changed WSS-Password Type to PasswordText it was working fine from SoapUI.

I’ve notice that in that case SopaUI is generating Soap Header:
<wsse:Security soapenv:mustUnderstand=“1” xmlns:wsse=“” xmlns:wsu=“”>
<wsse:UsernameToken wsu:Id=“UsernameToken-F59E28CD405D48E2A715288733021296”>
<wsse:Password Type=“”>Testme1!</wsse:Password>
<wsse:Nonce EncodingType=“”>kNfRe+a/AXrcft6gz9tvzw==</wsse:Nonce>

I’ve seen that before in some cases – and I know that we need to apply policies to the webservice to get it. However I wasn’t able to find any example in current version. Seems like we have used that before only.
Also I wasn’t able to find “Policies tab” in webservice descriptor … I’ve spend some time for that. I was looking at views, properties etc … couldn’t see it. Finally after I’ve almost gave up I’ve notice that there are on the bottom tabs like operation, binders, header and … policies ?
Unfortunately, by default SAG is not providing policy with PasswordText and the old one that we used to have – hasn’t been working anymore.

Finally based on the old policies and changing new one – I’ve created new policy that finally was working. However I’ve had one more error for which I wasn’t able to find any solution in empower:
(IS.SERVER) [ISC.0077.9998] 2018-06-12 18:40:00.007 ERROR: Exception → org.apache.axis2.AxisFault: No user value in the rampart configuration policy

That is not documented anywhere …
The issue is that in this case we need to map user and password into auth/message instead of auth/transport. After that finally I’ve got success answer

I’m writing this to document what has been done, what issues we have had and how it has been resolved – just in case someone in future will have similar issues.
The policies files that I’ve created:
<wsp:Policy wsu:Id=“Username_PasswordText” Name=“Username_PasswordText” xmlns:wsu=“” xmlns:wsp=“”>
<sp:SignedSupportingTokens xmlns:sp=“XML Namespace Document for WS-Security-Policy 1.2”>
<sp:UsernameToken sp:IncludeToken=“” PasswordType=“Text”/>

The policies are not located under / config/wss/policies
In previous version it was under /config/policy

After adding policies – the server doesn’t need to be restarted. It is checking that automatically.