I also had problems porting a cxf 2.3.3 webservice using ws-security to cxf 2.4.0. Maybe the solution provided for my issue also solves your problem.
Have a look at https://issues.apache.org/jira/browse/CXF-3514 and try the CXF 2.4.1-SNAPSHOT. Dirk Rudolph -----Ursprüngliche Nachricht----- Von: Ross Lodge [mailto:[email protected]] Gesendet: Mittwoch, 1. Juni 2011 01:41 An: [email protected] Betreff: Problem with WS-Security and CXF 2.4.0 I've been trying to get the new 2.4.0 release to work in a project that I'm using that uses WS-Security and WS-SecurityPolicy in a WSDL-First SOAP service, and I am getting a signature verification failure: Caused by: org.apache.ws.security.WSSecurityException: The signature or > decryption was invalid; nested exception is: > > org.apache.ws.security.WSSecurityException: The signature or decryption was > invalid > > at > org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(Signa tureProcessor.java:378) > ~[wss4j-1.6.0.jar:1.6.0] > > at > org.apache.ws.security.processor.SignatureProcessor.handleToken(SignaturePro cessor.java:174) > ~[wss4j-1.6.0.jar:1.6.0] > > at > org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngi ne.java:396) > ~[wss4j-1.6.0.jar:1.6.0] > > at > org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInt erceptor.java:248) > ~[cxf-rt-ws-security-2.4.0.jar:2.4.0] > > ... 35 common frames omitted > > Caused by: org.apache.ws.security.WSSecurityException: The signature or > decryption was invalid > > at > org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(Signa tureProcessor.java:375) > ~[wss4j-1.6.0.jar:1.6.0] > > ... 38 common frames omitted > It's quite possible that I'm missing something (e.g. relating to how WSS4J 1.6 needs to be configured vs WSSJ 1.5, for instance), or this could be a bug of some kind. Any help would be appreciated; I've uploaded sample code that exhibits this problem to: http://software-entropy.com/wp-content/uploads/2011/05/ws-security-bug.2.3.4 .zip http://software-entropy.com/wp-content/uploads/2011/05/ws-security-bug.2.4.0 .zip Both of these are simple maven projects based on Glen Mazza's blog-posts about how to build a WS-Security-enabled service with CXF. You'll need to do a "mvn clean install" from the parent module and then first a "mvn jetty:run" (or deploy the war to your favorite container) in the service-war module and, while it's running, a "mvn exec:exec" in the client module. For me, this works fine for the 2.3.4 version of the code, but fails for the 2.4.0 version of the code; everything aside from the CXF dependency version is the same between the two zip files. Thanks. (yes, this is a repost, with a different and potentially easier-to-use example; I've been unable to find a solution for this). Ross M. Lodge
