Hi,

Yes, an empty PrefixList is valid, and the receiving stack should be able
to handle it. I've updated WSS4J however not to emit an empty PrefixList
for the next release, but you will need to update your CXF version as WSS4J
1.6.x is no longer supported.

Colm.

On Tue, Mar 8, 2016 at 9:55 PM, Christopher Cool <[email protected]>
wrote:

> I have a dynamic client application that is sending a signed SOAP request
> to a service where an InclusiveNamespaces element contains a PrefixList
> that is empty. The service rejects the payload with the error:
>
> *Validation failed because:cvc-minLength-valid: Value '' with length = '0'
> is not facet-valid with respect to minLength '1' for type 'NMTOKENS'.*
>
> I took a look at the specs:
>
>     https://www.w3.org/TR/xml-exc-c14n/
>
>     http://www.ws-i.org/profiles/basicsecurityprofile-1.1.html#InclusiveNamespaces
>
> And it is not clear to me if PrefixList can be an empty string or not, but
> this spec:
>
>     https://www.w3.org/TR/2000/WD-xml-2e-20000814#NT-Nmtokens
>
> indicates that it cannot.
>
> I am using the following settings:
>
>
>    - The "action" parameter is set to "Timestamp" and "Body"
>    - The "signatureDigestAlgorithm" parameter is
>      "http://www.w3.org/2000/09/xmldsig#sha1";
>    - The "signatureParts" parameter is
>      "{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body";
>
>
> Here is a snippet from the header of the outbound request. Note that the
> Reference for the Timestamp contains values in the PrefixList, but the
> reference associated with the Body does not:
>
> <ds:SignedInfo>
>     <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>         <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
>                PrefixList="soap">
>         </ec:InclusiveNamespaces>
>     </ds:CanonicalizationMethod>
>     <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1">
>         </ds:SignatureMethod>
>
> <ds:Reference URI="#TS-15">
>     <ds:Transforms>
>         <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
>                 PrefixList="ns1 ns2 ns3 ns4 soap">
>            </ec:InclusiveNamespaces>
>          </ds:Transform>
>     </ds:Transforms>
>
>     <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
>
>     <ds:DigestValue>hjy97p3MBjtA2IjdM/XzjHG9V6s=</ds:DigestValue>
> </ds:Reference>
>
> <ds:Reference URI="#id-16">
>    <ds:Transforms>
>        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>           <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
>               PrefixList="">
>          </ec:InclusiveNamespaces>
>        </ds:Transform>
>    </ds:Transforms>
>
>    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
>    <ds:DigestValue>dknPQWZJt54NUo+dJKAWiG8oYz8=</ds:DigestValue>
> </ds:Reference>
>
> </ds:SignedInfo>
>
> And here is the reference to the Body (id-16):
>
> <soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-16">
>
> Is an empty PrefixList valid?
>
> If not, is there a way to control this programmatically as an outbound
> interceptor? I saw the samples that use DefaultCryptoCoverageChecker, but
> the samples use it as an inbound interceptor.
>
> I am using CXF 2.7.8, WSS4J 1.6.11 and XMLSec 1.5.4.
>
> Thanks,
>
> Chris
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
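
An added example, not part of the original thread and not WSS4J or CXF code: a Python check that scans a serialized message for `ec:InclusiveNamespaces` elements whose `PrefixList` is present but holds no tokens, which is the condition the schema-validating service in the thread rejects. The sample `SignedInfo` is constructed from the snippet quoted above (digests omitted), and the function name `empty_prefix_lists` is hypothetical.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
EC = "http://www.w3.org/2001/10/xml-exc-c14n#"

# Constructed sample modelled on the SignedInfo quoted in the thread.
SAMPLE = f"""<ds:SignedInfo xmlns:ds="{DS}" xmlns:ec="{EC}">
  <ds:CanonicalizationMethod Algorithm="{EC}">
    <ec:InclusiveNamespaces PrefixList="soap"/>
  </ds:CanonicalizationMethod>
  <ds:Reference URI="#TS-15">
    <ds:Transforms><ds:Transform Algorithm="{EC}">
      <ec:InclusiveNamespaces PrefixList="ns1 ns2 ns3 ns4 soap"/>
    </ds:Transform></ds:Transforms>
  </ds:Reference>
  <ds:Reference URI="#id-16">
    <ds:Transforms><ds:Transform Algorithm="{EC}">
      <ec:InclusiveNamespaces PrefixList=""/>
    </ds:Transform></ds:Transforms>
  </ds:Reference>
</ds:SignedInfo>"""


def empty_prefix_lists(xml_text):
    """Return (location, raw_value) for each PrefixList that has no tokens.

    Intended for messages you produced yourself; use a hardened XML
    parser if the input is untrusted.
    """
    root = ET.fromstring(xml_text)
    findings = []
    # iter() also matches the root, so a bare SignedInfo or a full envelope works.
    for signed_info in root.iter(f"{{{DS}}}SignedInfo"):
        for child in signed_info:
            if child.tag == f"{{{DS}}}Reference":
                where = "Reference " + child.get("URI", "(no URI)")
            else:
                where = child.tag.split("}")[1]  # e.g. CanonicalizationMethod
            for inc in child.iter(f"{{{EC}}}InclusiveNamespaces"):
                value = inc.get("PrefixList")
                # An absent attribute is fine; a present one needs >= 1 token.
                if value is not None and not value.split():
                    findings.append((where, value))
    return findings


if __name__ == "__main__":
    for where, value in empty_prefix_lists(SAMPLE):
        print(f"empty PrefixList ({value!r}) in {where}")
```

Because `ds:SignedInfo` is the part of the message the signature covers, editing the attribute after signing would invalidate the signature, so this is a pre-send check rather than a fix.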
