I believe it's a WSS4J/Axis issue and I have encountered the problem as well. The basic issue is that when Axis processes the message during XML serialization and deserialization, it does not necessarily preserve XML canonicalization. The problem is that signature verification doesn't happen until after this change happens, so the signature check could fail on the changed XML.
In your case I'm guessing what is happening is that the ds prefix is being removed during Axis processing: <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"; xmlns:ds="http://www.w3.org/2000/09/xmldsig#"; /> is getting changed to <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"; xmlns="http://www.w3.org/2000/09/xmldsig#"; /> but since the first version is already in canonical form, the prefix needs to stay. There's a JIRA bug report about this for Axis (http://issues.apache.org/jira/browse/AXIS-1624), that appears to still be open. If we could find a resolution, it would help me out as well. David Yves Langisch said: > All, > > Following issue I just posted to the WSE newsgroup. I post it to this > list too since I have no idea if this is a WSS4J or WSE 2.0 issue? Does > anyone have done similar experiences with WSE <-> WSS4J? > > ---> > We run a Java-based (Axis with WSS4J) webservice and we have both Java > and > .NET (C#) clients. While encryption is no problem for all client-server > combinations we have problems with signature validation from C# > requests. The > strange thing is that we have a MS-box with the C#-client which requests > can > be successfuly validated by the Java end point and on the other (with > the > same exe-File) box it doesn't work. After seeing that I tried to find > the > difference between these two C# clients. The only difference I could > find is > in the request is in the CanonicalizationMethod-element (prefix and > namespace > (re-)definition; is already defined as default namespace in the > Signature-element): > > this one works: > ....<Signature xmlns="http://www.w3.org/2000/09/xmldsig#";> > <SignedInfo> > <CanonicalizationMethod > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"; /> > <SignatureMethod > Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"; />.... > > this one fails: > ....<Signature xmlns="http://www.w3.org/2000/09/xmldsig#";> > <SignedInfo> > <ds:CanonicalizationMethod > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"; > xmlns:ds="http://www.w3.org/2000/09/xmldsig#"; /> > <SignatureMethod > Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"; />.... > > I'm absolutely not sure if this is causing the problem but at least this > is > a difference between the two boxes/clients that should not occur. > Following > the versions we use (on both c#-clients): > > - .NET 1.1 SP1 > - WSE 2.0 SP2 > - WinXP SP2 > > Any ideas? Thanks > Yves > >
