[
https://issues.apache.org/jira/browse/CXF-5679?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Ján Ondrušek updated CXF-5679:
------------------------------
Attachment: log.txt
WS-S DEBUG log
> WS-S after upgrade fails with org.apache.ws.security.WSSecurityException: The
> signature or decryption was invalid
> -----------------------------------------------------------------------------------------------------------------
>
> Key: CXF-5679
> URL: https://issues.apache.org/jira/browse/CXF-5679
> Project: CXF
> Issue Type: Bug
> Components: WS-* Components
> Affects Versions: 2.7.9, 2.7.10
> Reporter: Ján Ondrušek
> Assignee: Colm O hEigeartaigh
> Labels: security
> Attachments: log.txt
>
>
> After upgrading CXF from version 2.7.5 to 2.7.9 or higher, we experienced
> this issue. Worked well with 2.7.5 and earlier.
> Request (our business data stripped and replaced with dummy ns1):
> {code:xml}
> <soapenv:Envelope xmlns:ns1="http://example/soap";
> xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/";>
> <soapenv:Header>
> <wsse:Security soapenv:mustUnderstand="1"
>
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
>
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";>
> <ds:Signature Id="SIG-33"
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
> <ds:SignedInfo>
> <ds:CanonicalizationMethod
>
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";>
> <ec:InclusiveNamespaces
> PrefixList="ns1 soapenv"
>
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"; />
> </ds:CanonicalizationMethod>
> <ds:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"; />
> <ds:Reference URI="#id-22">
> <ds:Transforms>
> <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";>
>
> <ec:InclusiveNamespaces PrefixList="ns1"
>
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"; />
> </ds:Transform>
> </ds:Transforms>
> <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"; />
>
> <ds:DigestValue>VF0g31FSsHWpdMN7lGVgQA1li4c=</ds:DigestValue>
> </ds:Reference>
> <ds:Reference URI="#TS-32">
> <ds:Transforms>
> <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";>
>
> <ec:InclusiveNamespaces PrefixList="wsse ns1 soapenv"
>
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"; />
> </ds:Transform>
> </ds:Transforms>
> <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"; />
>
> <ds:DigestValue>4yW2ssYnI+QB40HBdWexy80+GNo=</ds:DigestValue>
> </ds:Reference>
> </ds:SignedInfo>
>
> <ds:SignatureValue>QGIDsbR//zUyjUD36LtkiMJsIiT1vYionG8Y0blqif2QKrMB2AHnr9KXiYy7MbcdMaTVxn6gmKGN
>
> 7bRjE6MX1VVf9ZPem5SfasHYQ6wS7l/I1NGUyGw227cv1AceDPje05Wjk5vmN9G1dKvbfECJhBLA
> 7/OBAxJI+TYmYe94cu8=</ds:SignatureValue>
> <ds:KeyInfo
> Id="KI-6788C4A756C88F8773139703929455550">
> <wsse:SecurityTokenReference
>
> wsu:Id="STR-6788C4A756C88F8773139703929455551">
> <ds:X509Data>
> <ds:X509IssuerSerial>
>
> <ds:X509IssuerName>CN=clientuser</ds:X509IssuerName>
>
> <ds:X509SerialNumber>1288174342</ds:X509SerialNumber>
> </ds:X509IssuerSerial>
> </ds:X509Data>
> </wsse:SecurityTokenReference>
> </ds:KeyInfo>
> </ds:Signature>
> <wsu:Timestamp wsu:Id="TS-32">
>
> <wsu:Created>2014-04-09T10:28:14.554Z</wsu:Created>
>
> <wsu:Expires>2014-04-09T10:33:14.554Z</wsu:Expires>
> </wsu:Timestamp>
> </wsse:Security>
> </soapenv:Header>
> <soapenv:Body wsu:Id="id-22"
>
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";>
> <ns1:hello></ns1:hello>
> </soapenv:Body>
> </soapenv:Envelope>
> {code}
> Response:
> {code:xml}
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/";>
> <soap:Body>
> <soap:Fault>
> <faultcode
>
> xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";>ns1:FailedCheck</faultcode>
> <faultstring>The signature or decryption was
> invalid</faultstring>
> </soap:Fault>
> </soap:Body>
> </soap:Envelope>
> {code}
> Log:
> {noformat}
> o.a.c.w.s.wss4j.WSS4JInInterceptor -
> org.apache.ws.security.WSSecurityException: The signature or decryption was
> invalid
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at
> org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:19
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at
> org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at
> org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:12
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at
> org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at
> org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.jav
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at
> org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at
> org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at
> org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:167)
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at
> org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.jav
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at
> org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:206)
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at
> javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at
> org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:262)
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.ja
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
> {noformat}
--
This message was sent by Atlassian JIRA
(v6.2#6252)
