[
https://issues.apache.org/jira/browse/CXF-5679?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13964428#comment-13964428
]
Colm O hEigeartaigh commented on CXF-5679:
------------------------------------------
How are you configuring your client + service, is it via a WS-SecurityPolicy or
by specifying "actions"? Could you attach whatever configuration you are using
here? Also, if you could attach the debug server log, as this will tell me
where signature validation is failing.
Colm.
> WS-S after upgrade fails with org.apache.ws.security.WSSecurityException: The
> signature or decryption was invalid
> -----------------------------------------------------------------------------------------------------------------
>
> Key: CXF-5679
> URL: https://issues.apache.org/jira/browse/CXF-5679
> Project: CXF
> Issue Type: Bug
> Components: WS-* Components
> Affects Versions: 2.7.9, 2.7.10
> Reporter: Ján Ondrušek
> Labels: security
>
> After upgrading CXF from version 2.7.5 to 2.7.9 or higher, we experienced
> this issue. Worked well with 2.7.5 and earlier.
> Request (our business data stripped and replaced with dummy ns1):
> {code:xml}
> <soapenv:Envelope xmlns:ns1="http://example/soap";
> xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/";>
> <soapenv:Header>
> <wsse:Security soapenv:mustUnderstand="1"
>
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
>
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";>
> <ds:Signature Id="SIG-33"
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
> <ds:SignedInfo>
> <ds:CanonicalizationMethod
>
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";>
> <ec:InclusiveNamespaces
> PrefixList="ns1 soapenv"
>
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"; />
> </ds:CanonicalizationMethod>
> <ds:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"; />
> <ds:Reference URI="#id-22">
> <ds:Transforms>
> <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";>
>
> <ec:InclusiveNamespaces PrefixList="ns1"
>
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"; />
> </ds:Transform>
> </ds:Transforms>
> <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"; />
>
> <ds:DigestValue>VF0g31FSsHWpdMN7lGVgQA1li4c=</ds:DigestValue>
> </ds:Reference>
> <ds:Reference URI="#TS-32">
> <ds:Transforms>
> <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";>
>
> <ec:InclusiveNamespaces PrefixList="wsse ns1 soapenv"
>
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"; />
> </ds:Transform>
> </ds:Transforms>
> <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"; />
>
> <ds:DigestValue>4yW2ssYnI+QB40HBdWexy80+GNo=</ds:DigestValue>
> </ds:Reference>
> </ds:SignedInfo>
>
> <ds:SignatureValue>QGIDsbR//zUyjUD36LtkiMJsIiT1vYionG8Y0blqif2QKrMB2AHnr9KXiYy7MbcdMaTVxn6gmKGN
>
> 7bRjE6MX1VVf9ZPem5SfasHYQ6wS7l/I1NGUyGw227cv1AceDPje05Wjk5vmN9G1dKvbfECJhBLA
> 7/OBAxJI+TYmYe94cu8=</ds:SignatureValue>
> <ds:KeyInfo
> Id="KI-6788C4A756C88F8773139703929455550">
> <wsse:SecurityTokenReference
>
> wsu:Id="STR-6788C4A756C88F8773139703929455551">
> <ds:X509Data>
> <ds:X509IssuerSerial>
>
> <ds:X509IssuerName>CN=clientuser</ds:X509IssuerName>
>
> <ds:X509SerialNumber>1288174342</ds:X509SerialNumber>
> </ds:X509IssuerSerial>
> </ds:X509Data>
> </wsse:SecurityTokenReference>
> </ds:KeyInfo>
> </ds:Signature>
> <wsu:Timestamp wsu:Id="TS-32">
>
> <wsu:Created>2014-04-09T10:28:14.554Z</wsu:Created>
>
> <wsu:Expires>2014-04-09T10:33:14.554Z</wsu:Expires>
> </wsu:Timestamp>
> </wsse:Security>
> </soapenv:Header>
> <soapenv:Body wsu:Id="id-22"
>
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";>
> <ns1:hello></ns1:hello>
> </soapenv:Body>
> </soapenv:Envelope>
> {code}
> Response:
> {code:xml}
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/";>
> <soap:Body>
> <soap:Fault>
> <faultcode
>
> xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";>ns1:FailedCheck</faultcode>
> <faultstring>The signature or decryption was
> invalid</faultstring>
> </soap:Fault>
> </soap:Body>
> </soap:Envelope>
> {code}
> Log:
> {noformat}
> o.a.c.w.s.wss4j.WSS4JInInterceptor -
> org.apache.ws.security.WSSecurityException: The signature or decryption was
> invalid
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at
> org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:19
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at
> org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at
> org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:12
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at
> org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at
> org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.jav
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at
> org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at
> org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at
> org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:167)
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at
> org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.jav
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at
> org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:206)
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at
> javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at
> org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:262)
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.ja
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
> {noformat}
--
This message was sent by Atlassian JIRA
(v6.2#6252)
