Hi Colm

Thanks for the patch! I tried 1.6.8-SNAPSHOT and the request from Weblogic to
CXF now works.

The bad thing is that Weblogic now complains about the response it receives
from CXF. This is probably a Weblogic issue now and therefore not something for
this list, but I am giving the information here for completeness.

I already tried to resolve this on the Weblogic side by configuring a
CertificateRegistry as proposed in this blog post
http://fusionsecurity.blogspot.ch/2009/08/so-thats-what-weblogic-certificate.html
but without success.

Weblogic error stack trace:
####<Nov 19, 2012 8:39:51 AM CET> <Error> <> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <35e64a9808ed1790:3007597b:13b179b1226:-8000-0000000000000004> <1353310791212> <BEA-000000> <CertPathBuilder does not support building cert path from class weblogic.security.pk.X509ThumbprintSelector
java.security.InvalidAlgorithmParameterException: [Security:090596]The WebLogicCertPathProvider was passed an unsupported CertPathSelector.
        at weblogic.security.providers.pk.WebLogicCertPathProviderRuntimeImpl$JDKCertPathBuilder.engineBuild(WebLogicCertPathProviderRuntimeImpl.java:689)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
        at com.bea.common.security.internal.legacy.service.CertPathBuilderImpl$CertPathBuilderProviderImpl.build(CertPathBuilderImpl.java:67)
        at com.bea.common.security.internal.service.CertPathBuilderServiceImpl.build(CertPathBuilderServiceImpl.java:86)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
        at $Proxy59.build(Unknown Source)
        at weblogic.security.service.WLSCertPathBuilderServiceWrapper.build(WLSCertPathBuilderServiceWrapper.java:62)
        at weblogic.security.service.CertPathManager.build(CertPathManager.java:195)
        at weblogic.security.service.CertPathManager$JDKCertPathBuilder.engineBuild(CertPathManager.java:265)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
        at weblogic.xml.crypto.utils.CertUtils.buildCertPath(CertUtils.java:159)
        at weblogic.xml.crypto.utils.CertUtils.lookupCertificate(CertUtils.java:124)
        at weblogic.xml.crypto.utils.CertUtils.lookupCertificate(CertUtils.java:108)
        at weblogic.xml.crypto.wss11.internal.bst.BSTHandler.lookupCertificate(BSTHandler.java:79)
        at weblogic.xml.crypto.wss11.internal.bst.BSTHandler.getTokenByKeyId(BSTHandler.java:59)
        at weblogic.xml.crypto.wss.BinarySecurityTokenHandler.getSecurityToken(BinarySecurityTokenHandler.java:80)
        at weblogic.xml.crypto.common.keyinfo.KeyResolver.setupKeyProviderFromContext(KeyResolver.java:344)
        at weblogic.xml.crypto.common.keyinfo.KeyResolver.getKeyFromSTR(KeyResolver.java:295)
        at weblogic.xml.crypto.common.keyinfo.KeyResolver.select(KeyResolver.java:127)
        at weblogic.xml.crypto.dsig.SignedInfoImpl.getVerifyKey(SignedInfoImpl.java:227)
        at weblogic.xml.crypto.dsig.SignedInfoImpl.validateSignature(SignedInfoImpl.java:113)
        at weblogic.xml.crypto.dsig.XMLSignatureImpl.validate(XMLSignatureImpl.java:265)
        at weblogic.xml.crypto.wss.SecurityImpl.unmarshalAndProcessSignature(SecurityImpl.java:724)
        at weblogic.xml.crypto.wss.SecurityImpl.unmarshalAndProcessSignature(SecurityImpl.java:689)
        at weblogic.xml.crypto.wss.SecurityImpl.unmarshalChildren(SecurityImpl.java:544)
        at weblogic.xml.crypto.wss.SecurityImpl.unmarshalInternal(SecurityImpl.java:450)
        at weblogic.xml.crypto.wss.SecurityImpl.unmarshal(SecurityImpl.java:418)
        at weblogic.xml.crypto.wss11.internal.WSS11Factory.unmarshalAndProcessSecurity(WSS11Factory.java:33)
        at weblogic.wsee.security.wssp.handlers.WssClientHandler.processInbound(WssClientHandler.java:149)
        at weblogic.wsee.security.wssp.handlers.WssClientHandler.processResponse(WssClientHandler.java:134)
        at weblogic.wsee.security.wssp.handlers.WssHandler.handleResponse(WssHandler.java:206)

I don't see much difference between a Weblogic-generated response and a
CXF-generated one, apart from the fact that in Weblogic the STR inside the
KeyInfo is signed and in CXF it isn't. But I guess this shouldn't be the
problem?!

CXF SOAP response:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Header>
        <wsse:Security
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            soap:mustUnderstand="1">
            <wsu:Timestamp wsu:Id="TS-1">
                <wsu:Created>2012-11-16T12:50:55.054Z</wsu:Created>
                <wsu:Expires>2012-11-16T12:55:55.054Z</wsu:Expires>
            </wsu:Timestamp>
            <wsse11:SignatureConfirmation
                xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
                Value="WuJ58vqiRvVEO72+2YL421WdYt1J6C3skhl8ih7ky16sSIyfOOTPShzqSSq/Va9BQ1uwplnJfX7io8LM4gw0X5LEAzIeoy2dCeiHA4GY5KiO9K0Sh17gJhZoqR5l17oZrfnJUzXvDGUA5eupnl1BqZ1l0c0PJMslnSavwkcmVSA="
                wsu:Id="SC-2" />
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-3">
                <ds:SignedInfo>
                    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap" />
                    </ds:CanonicalizationMethod>
                    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                    <ds:Reference URI="#TS-1">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse soap" />
                            </ds:Transform>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                        <ds:DigestValue>OgsxMMNFLQsz/9IsfVQs/oLuc+8=</ds:DigestValue>
                    </ds:Reference>
                    <ds:Reference URI="#SC-2">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse soap" />
                            </ds:Transform>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                        <ds:DigestValue>oG+UlTKMXY7/IbQpRxvPYySh60Y=</ds:DigestValue>
                    </ds:Reference>
                    <ds:Reference URI="#Id-3417205">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="" />
                            </ds:Transform>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                        <ds:DigestValue>rS4jFUikjRJY+jt6IKSIX7GXNWE=</ds:DigestValue>
                    </ds:Reference>
                </ds:SignedInfo>
                <ds:SignatureValue>nX8nGcTY7Olu0UBX1S6KbKsGlP8exYu4FdSYCDCPWNm+pUH2PG7B8JJ2yJYFlL919nJUtOnndWYX7s3/eDTTQtR0hPWc6FNs0+yGr7yH6pSWlsbCf+a7n++FG8O+NKe6d2IyvJ4epLvgVVYaoj1RWYcPx31iAvTw6d7S16jZ184=</ds:SignatureValue>
                <ds:KeyInfo Id="KI-A18E11179961A8826E13530702550772">
                    <wsse:SecurityTokenReference wsu:Id="STR-A18E11179961A8826E13530702550773">
                        <wsse:KeyIdentifier
                            EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                            ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">R0VTd2CEaTTD3qJ/lAomm31HARQ=</wsse:KeyIdentifier>
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
            </ds:Signature>
        </wsse:Security>
    </soap:Header>
    <soap:Body
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        wsu:Id="Id-3417205">
        <ns2:doitResponse xmlns:ns2="http://ws.ssotest/">
            <return>doit() called.</return>
        </ns2:doitResponse>
    </soap:Body>
</soap:Envelope>

Weblogic SOAP response for comparison:
<?xml version='1.0' encoding='UTF-8'?>
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
    <S:Header>
        <wsse:Security
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            S:mustUnderstand="1">
            <wsse11:SignatureConfirmation
                xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
                Value="BX/qFA56YzPI4Ybtmiqqk2BBqQHDA9FZ+fNwCXC++Tfb8PAQWTwjp8WRVyeCw5f1vMT9ABi8p2bUkdi/Z2T/cQ4D2hf3Y6SbZVu2v08yh8QZFSRubGqKGFqhV0Z6MSjdrj64nu7JMDKWe4OwSUZf58khfx6Kij7j+Eo2Jqq8k4Y="
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                wsu:Id="sigconf_Y1dLkZE12R3lo84g" />
            <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
                <dsig:SignedInfo>
                    <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                    <dsig:Reference URI="#Timestamp_fyeHCdDCF1Q1mEQT">
                        <dsig:Transforms>
                            <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        </dsig:Transforms>
                        <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                        <dsig:DigestValue>U6EZCrkoZVK51ldTBm01yjGvTqo=</dsig:DigestValue>
                    </dsig:Reference>
                    <dsig:Reference URI="#Body_dak1e6clIuiK32Q8">
                        <dsig:Transforms>
                            <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        </dsig:Transforms>
                        <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                        <dsig:DigestValue>GpX21h7vU1Sv/5fAltIB7AC9JLk=</dsig:DigestValue>
                    </dsig:Reference>
                    <dsig:Reference URI="#sigconf_Y1dLkZE12R3lo84g">
                        <dsig:Transforms>
                            <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        </dsig:Transforms>
                        <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                        <dsig:DigestValue>H/1u/9+eXPty0gZry3P6kC9lVjE=</dsig:DigestValue>
                    </dsig:Reference>
                    <dsig:Reference URI="#str_dEoDQOLRAT5qy2ha">
                        <dsig:Transforms>
                            <dsig:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
                                <wsse:TransformationParameters>
                                    <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                                </wsse:TransformationParameters>
                            </dsig:Transform>
                        </dsig:Transforms>
                        <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                        <dsig:DigestValue>QwS0Bh2Dck6G5rCKyyGwLzCivGM=</dsig:DigestValue>
                    </dsig:Reference>
                </dsig:SignedInfo>
                <dsig:SignatureValue>KsGzFjk9DEF56FfVQt9LnTHu7IWYrMu338Y8ntQWVXkIUp/+aUq2tAHWdG0uRyGwgyptkvyU2sAiHszLcHUXUSjt1MtIzHRNooEPsEzJCeeLDlrwhZ/zRglRMcLveI5rdWZYJmTRKo8zGyuCHesHqUWslWQBrbBW8rlIt0ZSwtg=</dsig:SignatureValue>
                <dsig:KeyInfo>
                    <wsse:SecurityTokenReference
                        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                        xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
                        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                        wsse11:TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
                        wsu:Id="str_dEoDQOLRAT5qy2ha">
                        <wsse:KeyIdentifier
                            EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                            ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">SSp+oSTFJ/0AMjafPrgRAJyDZRg=</wsse:KeyIdentifier>
                    </wsse:SecurityTokenReference>
                </dsig:KeyInfo>
            </dsig:Signature>
            <wsu:Timestamp
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                wsu:Id="Timestamp_fyeHCdDCF1Q1mEQT">
                <wsu:Created>2012-11-16T15:13:20Z</wsu:Created>
                <wsu:Expires>2012-11-16T15:14:20Z</wsu:Expires>
            </wsu:Timestamp>
        </wsse:Security>
    </S:Header>
    <S:Body
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        wsu:Id="Body_dak1e6clIuiK32Q8">
        <ns0:doitResponse xmlns:ns0="http://ws.ssotest/">
            <return>triebela called web service 'SAML2TestService.doit' successfully.</return>
        </ns0:doitResponse>
    </S:Body>
</S:Envelope>

-Andreas




--
View this message in context: 
http://cxf.547215.n5.nabble.com/Signature-Interop-Issue-Weblogic-Apache-CXF-tp5718487p5718688.html
Sent from the cxf-user mailing list archive at Nabble.com.
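As an added example that is not part of the original post and not code from CXF, WSS4J or WebLogic: the script below parses trimmed, constructed copies of the two responses quoted above (digest and signature values replaced by "...", Ids shortened) and reports, for each, which header elements the signature covers, whether the SecurityTokenReference in KeyInfo is itself signed, and which KeyIdentifier ValueType the STR uses. It also shows the lookup a thumbprint-based certificate selector has to perform, since the failing WebLogic frame is exactly that lookup: per WSS SOAP Message Security 1.1, ThumbprintSHA1 is the SHA-1 of the DER-encoded certificate, so a resolver hashes each candidate and compares it with the decoded KeyIdentifier. The DER bytes used here are constructed placeholders, not a real certificate; all function names are my own.

```python
"""Added example: what each WS-Security stack signs and how its KeyInfo names the cert."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsse11": "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
WSU_ID = "{%s}Id" % NS["wsu"]
THUMBPRINT_SHA1 = "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"


def _local(tag):
    return tag.split("}", 1)[1] if "}" in tag else tag


def _index_ids(root):
    """Map every Id / wsu:Id to its element; ds:Reference URIs are '#id' fragments."""
    ids = {}
    for el in root.iter():
        for attr in ("Id", WSU_ID):
            if el.get(attr):
                ids[el.get(attr)] = el
    return ids


def describe_signature(soap_xml):
    """For the ds:Signature in the wsse:Security header, return the local names of the
    signed elements (SignedInfo order), whether the STR in KeyInfo is itself signed,
    and the KeyIdentifier as (ValueType, value)."""
    root = ET.fromstring(soap_xml)
    ids = _index_ids(root)
    sig = root.find(".//wsse:Security/ds:Signature", NS)
    if sig is None:
        raise ValueError("no ds:Signature in wsse:Security header")
    refs = [r.get("URI", "") for r in sig.findall("ds:SignedInfo/ds:Reference", NS)]
    signed = [_local(ids[u[1:]].tag) if u.startswith("#") and u[1:] in ids else u for u in refs]
    str_el = sig.find("ds:KeyInfo/wsse:SecurityTokenReference", NS)
    str_id = str_el.get(WSU_ID) if str_el is not None else None
    kid = sig.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:KeyIdentifier", NS)
    return {
        "signed": signed,
        "str_signed": str_id is not None and ("#" + str_id) in refs,
        "key_identifier": (kid.get("ValueType"), kid.text.strip()) if kid is not None else None,
    }


def thumbprint_b64(der_cert):
    """ThumbprintSHA1 per WSS SOAP Message Security 1.1: SHA-1 over the DER certificate."""
    return base64.b64encode(hashlib.sha1(der_cert).digest()).decode("ascii")


def resolve_thumbprint(key_identifier, der_certs):
    """The lookup a thumbprint selector must do: hash every candidate DER cert and compare
    with the KeyIdentifier. der_certs is {alias: der_bytes}; returns the alias or None."""
    if len(base64.b64decode(key_identifier)) != 20:
        raise ValueError("ThumbprintSHA1 KeyIdentifier must decode to 20 bytes")
    for alias, der in der_certs.items():
        if thumbprint_b64(der) == key_identifier:
            return alias
    return None


_XMLNS = 'xmlns:wsse="%s" xmlns:wsse11="%s" xmlns:wsu="%s"' % (NS["wsse"], NS["wsse11"], NS["wsu"])

# Constructed samples, trimmed from the two responses in the post (digests/signature values omitted).
CXF_RESPONSE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" %s
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <soap:Header><wsse:Security soap:mustUnderstand="1">
  <wsu:Timestamp wsu:Id="TS-1"/>
  <wsse11:SignatureConfirmation Value="..." wsu:Id="SC-2"/>
  <ds:Signature Id="SIG-3"><ds:SignedInfo>
   <ds:Reference URI="#TS-1"/><ds:Reference URI="#SC-2"/><ds:Reference URI="#Id-3417205"/>
  </ds:SignedInfo><ds:SignatureValue>...</ds:SignatureValue>
  <ds:KeyInfo Id="KI-1"><wsse:SecurityTokenReference wsu:Id="STR-1">
   <wsse:KeyIdentifier ValueType="%s">R0VTd2CEaTTD3qJ/lAomm31HARQ=</wsse:KeyIdentifier>
  </wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>
 </wsse:Security></soap:Header><soap:Body wsu:Id="Id-3417205"/></soap:Envelope>""" % (_XMLNS, THUMBPRINT_SHA1)

WEBLOGIC_RESPONSE = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/" %s
  xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
 <S:Header><wsse:Security S:mustUnderstand="1">
  <wsse11:SignatureConfirmation Value="..." wsu:Id="sigconf_1"/>
  <dsig:Signature><dsig:SignedInfo>
   <dsig:Reference URI="#Timestamp_1"/><dsig:Reference URI="#Body_1"/>
   <dsig:Reference URI="#sigconf_1"/><dsig:Reference URI="#str_1"/>
  </dsig:SignedInfo><dsig:SignatureValue>...</dsig:SignatureValue>
  <dsig:KeyInfo><wsse:SecurityTokenReference wsu:Id="str_1">
   <wsse:KeyIdentifier ValueType="%s">SSp+oSTFJ/0AMjafPrgRAJyDZRg=</wsse:KeyIdentifier>
  </wsse:SecurityTokenReference></dsig:KeyInfo></dsig:Signature>
  <wsu:Timestamp wsu:Id="Timestamp_1"/>
 </wsse:Security></S:Header><S:Body wsu:Id="Body_1"/></S:Envelope>""" % (_XMLNS, THUMBPRINT_SHA1)

if __name__ == "__main__":
    for name, doc in (("CXF", CXF_RESPONSE), ("WebLogic", WEBLOGIC_RESPONSE)):
        print(name, describe_signature(doc))
    fake_der = b"constructed bytes standing in for a DER certificate"  # not a real cert
    print(resolve_thumbprint(thumbprint_b64(fake_der), {"server": fake_der}))
```

Run against the two samples, the CXF signature covers Timestamp, SignatureConfirmation and Body while the WebLogic one additionally covers its own SecurityTokenReference via STR-Transform; both identify the certificate with a ThumbprintSHA1 KeyIdentifier, which is the selector type the WebLogic stack trace rejects. To compare against a real keystore, feed `resolve_thumbprint` the DER bytes of each certificate (for example `keytool -exportcert -rfc` output decoded from PEM).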