[
https://issues.apache.org/jira/browse/WSS-508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14109681#comment-14109681
]
Marc Giger commented on WSS-508:
--------------------------------
Gene, I couldn't reproduce the issue here, not even with an IBM JDK 1.6 (and
xerces 2.8.1). It looks like the DOM updates (inserting the signature tree) on
the consumer side are not entirely reflected internally so that the C14N code
doesn't find the given prefixes (which are evaluated by WSS4J). This can be
seen by the missing namespaces on the c14nized SignedInfo on the consumer side.
It works fine for XML-Parts that aren't modified e.g. the body or the whole
message on the producer side (on the producer side, the message is just parsed
but not modified structurally). At the moment it looks like a DOM issue to me,
since WSS4J is able to evaluate the correct prefixes but Santuario isn't,
although both are using the same document instance. Are you using a SOAPMessage
object on the consumer side?
Marc
> When using "add inclusive prefixes" and EXC C14N - signature cannot be
> validated
> --------------------------------------------------------------------------------
>
> Key: WSS-508
> URL: https://issues.apache.org/jira/browse/WSS-508
> Project: WSS4J
> Issue Type: Bug
> Components: WSS4J Core
> Affects Versions: 2.0.0, 2.0.1
> Environment: WAS 7.x, IBM JDK 1.6, WebSphere JAX-WS stack, MS Windows.
> Reporter: Gene B.
> Assignee: Colm O hEigeartaigh
> Attachments: log 01 - signature verification failed with
> InclusiveNamespaces PrefixList.txt, log 02 - signature verification ok -
> signed by SOAP UI.txt, log_03a - consumer - sign message use
> InclusiveNamespaces prefix list.txt, log_03b - provider - signature
> verification failed.txt, request1-printedby-provider-signedby-soapui.xml,
> request1-printedby-provider-signedby-wss4j.xml
>
>
> Security implemented using WSS4J securement/validation action approach. We
> are trying to sign the body.
> The provider is a JAX-WS service running on WebSphere JAX-WS stack. Custom
> handler uses WSS4J to validate security.
> The consumer is a WebSphere JAX-WS dispatch client – also attaching custom
> security handler.
> Signature can be validated on the provider side when EXC C14N
> canonicalization is specified with BST compliance flag relaxed. That is
> because when we chose to add “InclusiveNamespaces” “PrefixList” on the
> consumer side, verification fails. When the same test is done with the SOAP
> UI – signature verifies OK – so I am blaming the consumer – the signing
> process - not verification process.
> I am attaching a log file which shows verification failure when the
> InclusiveNamespaces option is used. If not for this option – this
> verification would’ve been a success.
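
A way to compare the canonical SignedInfo bytes that each side would sign or verify, as an added example that is not code from this thread, from WSS4J or from Santuario. It assumes the Santuario 2.0.x API, in which `Canonicalizer.canonicalizeSubtree` returns a `byte[]`; the class name and the sample XML are constructed for illustration and are not taken from the attached logs.

```java
import java.io.ByteArrayInputStream;
import java.math.BigInteger;
import java.security.MessageDigest;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.c14n.Canonicalizer;
import org.w3c.dom.Document;
import org.w3c.dom.Node;

public class ExcC14nPrefixListCheck {
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";
    static final String EXC = "http://www.w3.org/2001/10/xml-exc-c14n#";
    // Constructed sample: a Signature whose SignedInfo asks for PrefixList="soap".
    static final String SIGNATURE =
        "<ds:Signature xmlns:ds=\"" + DS + "\"><ds:SignedInfo>"
      + "<ds:CanonicalizationMethod Algorithm=\"" + EXC + "\">"
      + "<ec:InclusiveNamespaces xmlns:ec=\"" + EXC + "\" PrefixList=\"soap\"/>"
      + "</ds:CanonicalizationMethod></ds:SignedInfo></ds:Signature>";
    // Same Signature with the soap prefix declared on an ancestor, so it is in scope.
    static final String ENVELOPE =
        "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">"
      + "<soap:Header>" + SIGNATURE + "</soap:Header></soap:Envelope>";

    // Exclusive C14N of the first ds:SignedInfo; prefixList may be null (no list).
    static byte[] c14n(String xml, String prefixList) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        Document doc = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));
        Node si = doc.getElementsByTagNameNS(DS, "SignedInfo").item(0);
        Canonicalizer c =
            Canonicalizer.getInstance(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        return prefixList == null ? c.canonicalizeSubtree(si)
                                  : c.canonicalizeSubtree(si, prefixList);
    }

    public static void main(String[] args) throws Exception {
        org.apache.xml.security.Init.init();
        String[] labels = { "soap in scope, PrefixList=soap",
                            "soap not in scope, PrefixList=soap",
                            "soap in scope, no PrefixList" };
        byte[][] outs = { c14n(ENVELOPE, "soap"), c14n(SIGNATURE, "soap"),
                          c14n(ENVELOPE, null) };
        for (int i = 0; i < outs.length; i++) {
            byte[] sha1 = MessageDigest.getInstance("SHA-1").digest(outs[i]);
            System.out.println(labels[i] + "\n  " + new String(outs[i], "UTF-8")
                + "\n  sha1=" + String.format("%040x", new BigInteger(1, sha1)));
        }
    }
}
```

Only the first case should carry an `xmlns:soap` declaration on `ds:SignedInfo`; any side whose canonicalizer does not see that declaration produces different bytes, which is enough to make signature validation fail.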