Hello everyone,

there seems to be a serious problem with XmlUtils.toString(Doc) and WSS4J. When you convert a document to its XML representation and then back to a document again, it can't be validated by WSS4J anymore. This happens e.g. when receiving a SOAP message via the MiniServlet.
I've written a JUnit test to show the problem:

-------------------------------------------------------------------------------------------
public final void testSignatureToString() throws IOException, SAXException,
        SignatureNotFoundException {

    /* Create valid signed example -------------------------------------- */
    Document request =
            createExampleRequestWithoutSignature(this.exampleRequestWithoutSignature);
    Document response = this.secureHandler.addSignature(request);
    String responseString = XmlUtils.toString(response);
    /* ------------------------------------------------------------------ */


    /* Check example ---------------------------------------------------- */
    boolean check = this.signer.checkSignature(response);
    Assert.assertTrue("Signature is valid!", check);
    /* ------------------------------------------------------------------ */


    /* Create a copy (e.g. receive example via Webservice) -------------- */
    Document newResponse = XmlUtils.createDocument(responseString);
    String newResponseString = XmlUtils.toString(newResponse);
    Assert.assertTrue("Strings are equal", newResponseString
            .equals(responseString));
    /* ------------------------------------------------------------------ */


    /* ------------------------------------------------------------------ */
    check = this.signer.checkSignature(newResponse);
    Assert.assertTrue("Signature is valid", check); // this fails!!!
    /* ------------------------------------------------------------------ */
}
-------------------------------------------------------------------------------------------

The solution here is to use XMLUtils.PrettyDocumentToString(Doc) [1] instead of XmlUtils.toString(Doc):

-------------------------------------------------------------------------------------------
public final void testSignatureToString() throws IOException, SAXException,
        SignatureNotFoundException {

    /* Create valid signed example -------------------------------------- */
    Document request =
            createNspExampleRequestWithoutSignature(this.nspExampleRequestWithoutSignature);
    this.secureHandler.setAddSignatureFlag(true);
    Document response = this.secureHandler.addSignature(request);
    String responseString = XMLUtils.PrettyDocumentToString(response);
    /* ------------------------------------------------------------------ */


    /* Check example ---------------------------------------------------- */
    boolean check = this.signer.checkSignature(response);
    Assert.assertTrue("Signature is valid!", check);
    /* ------------------------------------------------------------------ */


    /* Create a copy (e.g. receive example via Webservice) -------------- */
    Document newResponse = XmlUtils.createDocument(responseString);
    String newResponseString = XMLUtils.PrettyDocumentToString(newResponse);
    String newResponseString2 = XmlUtils.toString(newResponse);
    System.out.println("Test1: ---------");
    System.out.println(newResponseString);
    System.out.println("Test2: ---------");
    System.out.println(newResponseString2);

    Assert.assertTrue("Strings are equal", newResponseString
            .equals(responseString));
    /* ------------------------------------------------------------------ */


    /* ------------------------------------------------------------------ */
    check = this.signer.checkSignature(newResponse);
    Assert.assertTrue("Signature is valid", check);
    /* ------------------------------------------------------------------ */
}
-------------------------------------------------------------------------------------------


Regards, Alex

[1] http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/util/XMLUtils.html#PrettyDocumentToString(org.w3c.dom.Document)

