On Fri, 24 Feb 2006, Dittmann, Werner wrote:

> Yes, pretty printing after Signature definitely invalidates the
> Signature.
>
> Regards,
> Werner

OK, that's useful to know; thanks. But I thought that the canonicalization of
the message, before signature and again when the signature is checked, is
supposed to avoid this. Maybe Axis doesn't do the canonicalization?

>
> ________________________________
>
>       From: Benjamin BALET [mailto:[EMAIL PROTECTED]
>       Sent: Friday, 24 February 2006 11:15
>       To: fx-dev@ws.apache.org
>       Subject: WSE / WSS4J / X509 secure Webservice
>
>       Hello,
>
>       Has anyone succeeded in making a .Net WSE web service client work
>       with WSS4J?
>
>       On the server my WSDD config is:
>
>       <deployment xmlns="http://xml.apache.org/axis/wsdd/"
>                   xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
>         <globalConfiguration>
>           <parameter name="enableNamespacePrefixOptimization" value="false" />
>           <parameter name="disablePrettyXML" value="true"/>
>           <requestFlow>
>             <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
>               <parameter name="passwordCallbackClass"
>                          value="com.hp.ov.temip.ws.handler.PWCallback"/>
>               <parameter name="action"
>                          value="UsernameTokenSignature UsernameToken Encrypt Timestamp"/>
>               <parameter name="decryptionPropFile" value="security.properties" />
>             </handler>
>           </requestFlow>
>         </globalConfiguration>
>       </deployment>
>
>       On the client side, I developed, with the WSE 3.0 policy framework,
>       the following overridden SecureMessage function:
>
>       public override void SecureMessage(SoapEnvelope envelope, Security security)
>       {
>           // Must-understand Security header, timestamp valid for 60 seconds
>           security.MustUnderstand = true;
>           security.Timestamp.TtlInSeconds = 60;
>
>           // Username token; the password is added in clear here and the
>           // whole token is encrypted at the end of this method
>           UsernameToken userToken = new UsernameToken(m_strUsername, m_strPassword,
>                                                       PasswordOption.SendPlainText);
>           security.Tokens.Add(userToken);
>
>           // Certificate used for encryption, looked up by subject name
>           // (GetSecurityToken is a helper of the client class, not shown)
>           X509SecurityToken token = null;
>           try
>           {
>               token = GetSecurityToken("CN=10.67.212.35");
>           }
>           catch (Exception ex)
>           {
>               throw new Exception("Certificate not found : " + ex.Message);
>           }
>
>           // Define a custom X509 token manager: RSA 1.5 key transport,
>           // TripleDES session key
>           ISecurityTokenManager stm =
>               SecurityTokenManager.GetSecurityTokenManagerByTokenType(WSTrust.TokenTypes.X509v3);
>           X509SecurityTokenManager x509tm = stm as X509SecurityTokenManager;
>           x509tm.DefaultKeyAlgorithm = "RSA15";
>           x509tm.DefaultSessionKeyAlgorithm = "TripleDES";
>
>           // Uncommenting this line encrypts the Body
>           // security.Elements.Add(new EncryptedData(token));
>
>           // Add the X509 token being used to the SOAP header
>           security.Tokens.Add(token);
>
>           // Sign the SOAP Body with the UsernameToken
>           MessageSignature sig = new MessageSignature(userToken);
>           sig.SignatureOptions = SignatureOptions.IncludeSoapBody;
>           security.Elements.Add(sig);
>
>           // Encrypt the UsernameToken with the X509 token
>           security.Elements.Add(new EncryptedData(token, "#" + userToken.Id));
>       }
>
>       In the Tomcat logs, I can see that WSS4J is able to:
>
>        - retrieve my certificate with its public key
>        - decrypt the UsernameToken
>
>       But the signature verification fails. Some say that it could be due
>       to a pretty-print component that alters the SOAP message after the
>       signature; if so, how do I deactivate such a pretty-printer?
>
>       __________________
>       Benjamin BALET
>       Capgemini France
>       http://bbalet.free.fr/
>
> This message contains information that may be privileged or confidential
> and is the property of the Capgemini Group. It is intended only for the
> person to whom it is addressed. If you are not the intended recipient,
> you are not authorized to read, print, retain, copy, disseminate,
> distribute, or use this message or any part thereof. If you receive this
> message in error, please notify the sender immediately and delete all
> copies of this message.
>
>
>
>

Guy Rixon                                       [EMAIL PROTECTED]
Institute of Astronomy                          Tel: +44-1223-337542
Madingley Road, Cambridge, UK, CB3 0HA          Fax: +44-1223-337523
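To make concrete what canonicalization does and does not normalize in this exchange, here is an added example (not code from the thread, from Axis or from WSS4J). It computes the digest of a constructed, made-up SOAP Body in three surface forms: as sent, re-serialized with different attribute order, quoting and empty-element syntax, and pretty-printed with indentation inserted between elements. It uses the C14N 2.0 implementation in the Python standard library as a stand-in for the Exclusive C14N that WS-Security signatures use; the property shown (whitespace text nodes between elements are part of the canonical form and therefore of the digest) holds for both. The SHA-256 digest is an assumption; the algorithm does not affect the result.

```python
import hashlib
import xml.etree.ElementTree as ET
from xml.dom import minidom

# Constructed sample: a minimal SOAP 1.1 Body as a client might send it on
# one line. Namespaces are the real SOAP/WS-Security ones; payload is made up.
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

SIGNED_BODY = (
    f'<soap:Body xmlns:soap="{SOAP_NS}" xmlns:wsu="{WSU_NS}" wsu:Id="Body-1">'
    '<ns:GetStatus xmlns:ns="urn:example"><ns:Node>alpha</ns:Node>'
    '<ns:Verbose/></ns:GetStatus></soap:Body>'
)

# Same infoset, different surface syntax: attribute order swapped, single
# quotes, <ns:Verbose></ns:Verbose> instead of <ns:Verbose/>. These are the
# differences canonicalization exists to flatten.
RESERIALIZED_BODY = (
    f"<soap:Body wsu:Id='Body-1' xmlns:wsu='{WSU_NS}' xmlns:soap='{SOAP_NS}'>"
    "<ns:GetStatus xmlns:ns='urn:example'><ns:Node>alpha</ns:Node>"
    "<ns:Verbose></ns:Verbose></ns:GetStatus></soap:Body>"
)


def canonical_form(xml_text: str) -> str:
    """Canonicalize an XML fragment (C14N 2.0, stand-in for Exclusive C14N).

    Attribute order, quote style and empty-element syntax are normalized;
    whitespace-only text nodes are NOT stripped (strip_text defaults to False,
    matching the behaviour of Exclusive C14N as used by WS-Security).
    """
    return ET.canonicalize(xml_text)


def digest_value(xml_text: str) -> str:
    """DigestValue as a signature <Reference> would carry it, hex-encoded."""
    return hashlib.sha256(canonical_form(xml_text).encode("utf-8")).hexdigest()


def pretty_print(xml_text: str) -> str:
    """What a pretty-printing component does on the wire: insert indentation
    text nodes between elements. Prefixes and attributes are left intact."""
    return minidom.parseString(xml_text).toprettyxml(indent="  ")


def reference_still_valid(signed: str, received: str) -> bool:
    """Does the received form still match the digest computed at signing time?"""
    return digest_value(signed) == digest_value(received)


if __name__ == "__main__":
    print("re-serialized (attrs/quotes/empty-element changed):",
          reference_still_valid(SIGNED_BODY, RESERIALIZED_BODY))
    print("pretty-printed (whitespace inserted):",
          reference_still_valid(SIGNED_BODY, pretty_print(SIGNED_BODY)))
```

The re-serialized Body verifies because canonicalization produces byte-identical output for both spellings of the same infoset; the pretty-printed Body does not, because the indentation becomes real text nodes inside the signed element and the canonical form, and with it the digest, changes. Canonicalization on both sides therefore only helps against re-serialization, not against a component that rewrites the document's content after signing.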
