David,

Can you or Yves make a local patch against axis latest cvs, confirm
the problem and submit the patch via JIRA?

thanks,
dims


On Tue, 11 Jan 2005 09:15:32 -0500 (EST), David Del Vecchio
<[EMAIL PROTECTED]> wrote:
> I believe it's a WSS4J/Axis issue and I have encountered the problem as
> well. The basic issue is that when Axis processes the message during XML
> serialization and deserialization, it does not necessarily preserve XML
> canonicalization. The problem is that signature verification doesn't
> happen until after this change happens, so the signature check could fail
> on the changed XML.
> 
> In your case I'm guessing what is happening is that the ds prefix is being
> removed during Axis processing:
> 
> <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
> 
> is getting changed to
> 
> <CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
> xmlns="http://www.w3.org/2000/09/xmldsig#" />
> 
> but since the first version is already in canonical form, the prefix needs
> to stay. There's a JIRA bug report about this for Axis
> (http://issues.apache.org/jira/browse/AXIS-1624), that appears to still be
> open. If we could find a resolution, it would help me out as well.
> 
> David
> 
> 
> Yves Langisch said:
> > All,
> >
> > Following issue I just posted to the WSE newsgroup. I post it to this
> > list too since I have no idea if this is a WSS4J or WSE 2.0 issue. Has
> > anyone had similar experiences with WSE <-> WSS4J?
> >
> > --->
> > We run a Java-based (Axis with WSS4J) webservice and we have both Java and
> > .NET (C#) clients. While encryption is no problem for all client-server
> > combinations we have problems with signature validation from C# requests.
> > The strange thing is that we have a MS-box with the C#-client whose
> > requests can be successfully validated by the Java end point and on the
> > other (with the same exe-File) box it doesn't work. After seeing that I
> > tried to find the difference between these two C# clients. The only
> > difference I could find in the request is in the
> > CanonicalizationMethod-element (prefix and namespace (re-)definition; is
> > already defined as default namespace in the Signature-element):
> >
> > this one works:
> > ....<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
> >           <SignedInfo>
> >             <CanonicalizationMethod
> > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
> >             <SignatureMethod
> > Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />....
> >
> > this one fails:
> > ....<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
> >           <SignedInfo>
> >             <ds:CanonicalizationMethod
> > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
> > xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
> >             <SignatureMethod
> > Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />....
> >
> > I'm absolutely not sure if this is causing the problem but at least this is
> > a difference between the two boxes/clients that should not occur. Following
> > the versions we use (on both c#-clients):
> >
> > - .NET 1.1 SP1
> > - WSE 2.0 SP2
> > - WinXP SP2
> >
> > Any ideas? Thanks
> > Yves
> >
> >
> 
> 


-- 
Davanum Srinivas - http://webservices.apache.org/~dims/
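
A check for confirming the prefix rewrite described in the thread, as an added example that is not part of the original messages or of Axis/WSS4J: exclusive C14N keeps element prefixes as written, so any prefix that changes between the received message and a copy captured after re-serialization changes the octets the signature covers. The two sample documents are constructed from the snippets quoted above, and the function names are hypothetical.

```python
import xml.parsers.expat

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"

# Constructed samples built from the two forms quoted in the thread.
RECEIVED = (f'<Signature xmlns="{DSIG_NS}"><SignedInfo>'
            f'<ds:CanonicalizationMethod Algorithm="{C14N}" xmlns:ds="{DSIG_NS}"/>'
            f'<SignatureMethod Algorithm="{DSIG_NS}rsa-sha1"/>'
            '</SignedInfo></Signature>')
RESERIALIZED = RECEIVED.replace(
    f'<ds:CanonicalizationMethod Algorithm="{C14N}" xmlns:ds="{DSIG_NS}"/>',
    f'<CanonicalizationMethod Algorithm="{C14N}" xmlns="{DSIG_NS}"/>')


def raw_qnames(xml_text):
    """Return (qname as written, namespace URI) per element, in document order."""
    found, scopes = [], [{"": ""}]

    def start(name, attrs):
        scope = dict(scopes[-1])            # inherit in-scope declarations
        for key, value in attrs.items():
            if key == "xmlns":
                scope[""] = value
            elif key.startswith("xmlns:"):
                scope[key[6:]] = value
        scopes.append(scope)
        prefix = name.split(":", 1)[0] if ":" in name else ""
        found.append((name, scope.get(prefix, "")))

    parser = xml.parsers.expat.ParserCreate()  # no namespace mode: names stay raw
    parser.StartElementHandler = start
    parser.EndElementHandler = lambda name: scopes.pop()
    parser.Parse(xml_text, True)
    return found


def prefix_changes(received, reserialized, ns=DSIG_NS):
    """List (before, after) names of elements in `ns` whose prefix was rewritten."""
    before = [q for q, uri in raw_qnames(received) if uri == ns]
    after = [q for q, uri in raw_qnames(reserialized) if uri == ns]
    if len(before) != len(after):
        raise ValueError("element count differs; not just a prefix rewrite")
    return [(b, a) for b, a in zip(before, after) if b != a]


if __name__ == "__main__":
    for b, a in prefix_changes(RECEIVED, RESERIALIZED):
        print(f"prefix changed after re-serialization: <{b}> -> <{a}>")
```
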
