Web Services Security Guides › CA SiteMinder® Agent for JBoss › Troubleshooting

Troubleshooting

Messages Are Not in the Expected Format Upon WSS Agent JAX-RPC Handler Authentication Failure

Symptom:

Upon an authentication failure, messages returned by the WSS Agent JAX-RPC Handler do not result in the expected "Authentication Failure" message. Instead, JBoss returns the following message:

<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
   <env:Header/>
   <env:Body>
      <env:Fault>
         <faultcode>env:Server</faultcode>
         <faultstring>JBWS025230: Illegal faultcode '{http://schemas.xmlsoap.org/soap/envelope/}Client.Authentication', allowed values are: [{http://schemas.xmlsoap.org/soap/envelope/}Client, {http://schemas.xmlsoap.org/soap/envelope/}Server, {http://schemas.xmlsoap.org/soap/envelope/}VersionMismatch, {http://schemas.xmlsoap.org/soap/envelope/}MustUnderstand]</faultstring>
      </env:Fault>
   </env:Body>
</env:Envelope>

Solution:

By default, the JAX-RPC Handler provides extensible SOAPFault codes. However, some versions of JBoss can only handle simple SOAPFault codes, resulting in the previous message instead of the expected "Authentication Failure" message. If your version of JBoss does not handle extensible fault codes, configure the WSS Agent JAX-RPC Handler to provide simple fault codes.

Important! Configuring this property breaks SOAPFault on JAX-WS.

Follow these steps:

1. Navigate to the following location:
   • Windows: JBOSS_HOME\bin
   • UNIX: JBOSS_HOME/bin
2. Open the following file in a text editor:
   • Windows: standalone.conf.bat
   • UNIX: standalone.conf
3. Add the following line:

   javax.xml.soap.SOAPFactory=org.jboss.ws.core.soap.SOAPFactoryImpl
   

4. Save your changes.
5. To apply the changes, restart the JBoss Application Server.

WSS Agent Fails to Generate Signed SAML Session Ticket Responses

Symptom:

The WSS Agent fails to generate signed SAML Session Ticket responses, producing the following error message:

[ERROR] stack.jbws.RequestHandlerImpl 8A2AF0AB-705F-08EF-DD11-2AA1C4AADF50 - Error processing web service request
org.jboss.ws.WSException: ava.lang.ArrayIndexOutOfBoundsException

This error is because the generated SAML Session Ticket response results in an HTTP header larger than the JBoss default size limit of 4096.

Solution:

Increase the value of the maxHttpHeaderSize parameter in the JBoss server.xml file from 4096 to a value large enough to accommodate the generated header (for example, 8192).

The server.xml file is located in JBOSS_HOME\server\default\deploy\jbossweb.sar.

Note: For JBoss 5.1.2, increase the value of the maxHttpHeaderSize parameter in the HTTP/1.1 Connector and the AJP 1.3 Connector sections. For example:

<!-- A HTTP/1.1 Connector on port 8080 -->
<Connector protocol="HTTP/1.1" port="8080" address="${jboss.bind.address}" 
connectionTimeout="20000" redirectPort="8443" maxHttpHeaderSize="32768"/>

<!-- A AJP 1.3 Connector on port 8009 -->
<Connector protocol="AJP/1.3" port="8009" address="${jboss.bind.address}"
redirectPort="8443" maxHttpHeaderSize="32768" />