Ján Ondrušek created CXF-5679:
---------------------------------

             Summary: WS-S after upgrade fails with 
org.apache.ws.security.WSSecurityException: The signature or decryption was 
invalid
                 Key: CXF-5679
                 URL: https://issues.apache.org/jira/browse/CXF-5679
             Project: CXF
          Issue Type: Bug
          Components: WS-* Components
    Affects Versions: 2.7.10, 2.7.9
            Reporter: Ján Ondrušek


After upgrading CXF from version 2.7.5 to 2.7.9 or higher, signature verification of the incoming 
WS-Security request below fails with the exception in the summary. It worked well with 2.7.5 and earlier.

Request (our business data stripped and replaced with dummy ns1):

{code:xml}
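<!-- Signed SOAP request from the report, re-flowed so that every tag sits on one
     line and the stray ';' after each URI-valued attribute is gone (those made
     the listing not well-formed).
     Caveat for anyone reproducing the failure: the reporter replaced the business
     payload with a dummy ns1 element and the text was line-wrapped in transit, so
     the DigestValue / SignatureValue below cannot be re-verified against this
     listing. Read it for the structure of the signature only. -->
<soapenv:Envelope xmlns:ns1="http://example/soap"
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1"
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <ds:Signature Id="SIG-33" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <!-- Exclusive C14N with an InclusiveNamespaces PrefixList: the listed
               prefixes are canonicalized inclusively. Sender and receiver must
               produce byte-identical canonical output, so any difference in how
               these prefixes are handled changes the digest.
               NOTE(review): a reasonable place to compare 2.7.5 and 2.7.9
               behaviour; the report itself does not establish the cause. -->
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces PrefixList="ns1 soapenv"
                xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </ds:CanonicalizationMethod>
          <!-- rsa-sha1 here and sha1 in both DigestMethod elements: SHA-1 based
               algorithms are considered weak for new deployments; prefer the
               SHA-256 variants where both peers support them. -->
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
          <!-- Reference 1: #id-22 is the wsu:Id of the SOAP Body. -->
          <ds:Reference URI="#id-22">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces PrefixList="ns1"
                    xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" />
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>VF0g31FSsHWpdMN7lGVgQA1li4c=</ds:DigestValue>
          </ds:Reference>
          <!-- Reference 2: #TS-32 is the wsu:Id of the Timestamp, so the
               freshness window is covered by the same signature as the Body. -->
          <ds:Reference URI="#TS-32">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces PrefixList="wsse ns1 soapenv"
                    xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" />
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>4yW2ssYnI+QB40HBdWexy80+GNo=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>QGIDsbR//zUyjUD36LtkiMJsIiT1vYionG8Y0blqif2QKrMB2AHnr9KXiYy7MbcdMaTVxn6gmKGN
          7bRjE6MX1VVf9ZPem5SfasHYQ6wS7l/I1NGUyGw227cv1AceDPje05Wjk5vmN9G1dKvbfECJhBLA
          7/OBAxJI+TYmYe94cu8=</ds:SignatureValue>
        <!-- The signer is identified by issuer name and serial number only; no
             certificate travels in the header, so the receiver has to resolve
             the verification key from its own trust material. -->
        <ds:KeyInfo Id="KI-6788C4A756C88F8773139703929455550">
          <wsse:SecurityTokenReference wsu:Id="STR-6788C4A756C88F8773139703929455551">
            <ds:X509Data>
              <ds:X509IssuerSerial>
                <ds:X509IssuerName>CN=clientuser</ds:X509IssuerName>
                <ds:X509SerialNumber>1288174342</ds:X509SerialNumber>
              </ds:X509IssuerSerial>
            </ds:X509Data>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
      <!-- Five-minute validity window (Created to Expires). A receiver that
           enforces the Timestamp is expected to reject this capture when it is
           replayed later, independently of the signature failure reported here;
           reproduce with a freshly signed request. -->
      <wsu:Timestamp wsu:Id="TS-32">
        <wsu:Created>2014-04-09T10:28:14.554Z</wsu:Created>
        <wsu:Expires>2014-04-09T10:33:14.554Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body wsu:Id="id-22"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <ns1:hello></ns1:hello>
  </soapenv:Body>
</soapenv:Envelope>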
{code}

Response:
{code:xml}
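<!-- SOAP fault returned by the receiver, re-flowed and with the stray ';' after
     each namespace URI removed (they made the listing not well-formed).
     The faultcode is FailedCheck in the WS-Security secext namespace and the
     faultstring is generic: the response does not say whether a Reference digest
     or the SignatureValue failed to verify.
     NOTE(review): keeping that detail out of the fault is reasonable for a
     security header; the specific failure has to be looked up on the receiver
     side (logs / debug output), not in the response. -->
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <soap:Fault>
      <faultcode
          xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">ns1:FailedCheck</faultcode>
      <faultstring>The signature or decryption was invalid</faultstring>
    </soap:Fault>
  </soap:Body>
</soap:Envelope>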
{code}

Log:
{noformat}
o.a.c.w.s.wss4j.WSS4JInInterceptor - 
org.apache.ws.security.WSSecurityException: The signature or decryption was 
invalid
o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at 
org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:19

o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at 
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at 
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:

o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at 
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:

o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at 
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at 
org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:12

o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at 
org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:

o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at 
org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.jav

o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at 
org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at 
org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at 
org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:167)
o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at 
org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.jav

o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at 
org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:206)
o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at 
javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at 
org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:262)
o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.ja

o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
{noformat}



--
This message was sent by Atlassian JIRA
(v6.2#6252)
