Hi,
I've managed to find the root cause. It's not in cxf libs but in a library that
cxf depends on - apache santuario xmlsec.
As you're strongly dependent on this library I think you should also be aware
of this problem.
Attached is the email I've sent to their developer's list.
Best regards,
Szymon
-----Original Message-----
From: Colm O hEigeartaigh [mailto:[email protected]]
Sent: Thursday, June 02, 2016 4:47 PM
To: [email protected]
Subject: Re: Root element namespace prefix removed when using policy feature
Do you have a test-case to reproduce the problem?
Colm.
On Thu, Jun 2, 2016 at 3:38 PM, <[email protected]> wrote:
> Hi,
> I'm using cxf 3.0.9 with security policy added in a dynamic way:
>
> private static void initializedP2pPolicyFeature(Client wsClient)
>         throws ParserConfigurationException, SAXException, IOException {
>     PolicyBuilder builder = wsClient.getBus().getExtension(PolicyBuilder.class);
>     Policy policy = builder.getPolicy(
>             NodeWebServiceProvider.class.getResourceAsStream(P2P_POLICY_FILE));
>     WSPolicyFeature wsPolicyFeature = new WSPolicyFeature(policy);
>     wsClient.getBus().getFeatures().add(wsPolicyFeature);
>     wsPolicyFeature.initialize(wsClient, wsClient.getBus());
> }
>
>
> When the policy is added then the root element in my soap body has no
> prefix:
>
> <soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>     wsu:Id="_50f6c0c5-1e8c-4828-8fe1-7835388d361b">
>   <SubmitRetrieveInterchangeAgreementsRequestRequest
>       xmlns:ns16="http://uri.etsi.org/01903/v1.4.1#"
>       xmlns:ns15="urn:oasis:names:specification:ubl:schema:xsd:Fault-1"
>       xmlns:ns14="ec:schema:xsd:RetrieveInterchangeAgreementsRequest-2"
>       xmlns:ns13="ec:schema:xsd:RetrieveInterchangeAgreementsResponse-2"
>       xmlns:ns12="http://uri.etsi.org/01903/v1.3.2#"
>       xmlns:xmime="http://www.w3.org/2005/05/xmlmime"
>       xmlns:ns10="ec:schema:xsd:CommonBasicComponents-1"
>       xmlns:ns9="urn:oasis:names:specification:ubl:schema:xsd:SignatureAggregateComponents-2"
>       xmlns:ns8="http://www.w3.org/2000/09/xmldsig#"
>       xmlns:ns7="urn:oasis:names:specification:ubl:schema:xsd:SignatureBasicComponents-2"
>       xmlns:ns6="http://www.unece.org/cefact/namespaces/StandardBusinessDocumentHeader"
>       xmlns:ns5="ec:schema:xsd:CommonAggregateComponents-2"
>       xmlns:ns4="urn:oasis:names:specification:ubl:schema:xsd:CommonAggregateComponents-2"
>       xmlns:ns3="urn:oasis:names:specification:ubl:schema:xsd:CommonExtensionComponents-2"
>       xmlns:ns2="urn:oasis:names:specification:ubl:schema:xsd:CommonBasicComponents-2">
>     <ece:RetrieveInterchangeAgreementsRequest>
>       <ns4:SenderParty>
>         <ns2:EndpointID>DEV1_NOTENC_WEB_PARTY</ns2:EndpointID>
>       </ns4:SenderParty>
>       <ns4:ReceiverParty>
>         <ns2:EndpointID>DEV1_NOTENC_APP_PARTY</ns2:EndpointID>
>       </ns4:ReceiverParty>
>     </ece:RetrieveInterchangeAgreementsRequest>
>   </SubmitRetrieveInterchangeAgreementsRequestRequest>
> </soap:Body>
>
>
> I've managed to add the prefix by adding the "soap.env.ns.map", but then
> the response is failing signature validation.
> Response got valid namespace prefix:
> <ec:SubmitRetrieveInterchangeAgreementsRequestResponse
> xmlns:ec="ec:services:wsdl:RetrieveInterchangeAgreementsRequest-2"
> xmlns:ec1="ec:schema:xsd:CommonBasicComponents-0.1">...
> </ec:SubmitRetrieveInterchangeAgreementsRequestResponse>
>
>
> But during the signature validation the prefix was gone:
> 2016-06-02 16:10:42,724 DEBUG
> [org.apache.jcp.xml.dsig.internal.DigesterOutputStream] - <SOAP-ENV:Body
> xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> wsu:Id="XWSSGID-1464876575214141951024"><SubmitRetrieveInterchangeAgreementsRequestResponse
> xmlns="ec:services:wsdl:RetrieveInterchangeAgreementsRequest-2"
> xmlns:ec="ec:services:wsdl:RetrieveInterchangeAgreementsRequest-2"
> xmlns:ec1="ec:schema:xsd:CommonBasicComponents-0.1">
>
> This caused the actual digest not to match the expected value.
>
> Can you please help? I've been stuck with this problem for a week already.
>
> Best regards,
> Szymon
>
>
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
--- Begin Message ---
Hello,
I've been fighting with cxf 3.0.9 for more than a week and finally found a problem in
the xmlsec library.
Starting from version 2.0.0 the
Canonicalizer20010315_ExclOmitCommentsTransformer transformer works incorrectly.
When the list of inclusive namespaces is added, the transformer adds empty
namespace declarations at the root element if the namespace is not defined
already at this element.
So, here's an example:
inclusiveNamespaces = "SOAP-ENV ec ec1 ns0 ns1 ns11 ns2 ns4 ns9"
output root:
<SOAP-ENV:Body xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ec="" xmlns:ec1="" xmlns:ns0="" xmlns:ns1="" xmlns:ns11="" xmlns:ns2=""
xmlns:ns4="" xmlns:ns9=""
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="XWSSGID-1465203363337-2063525437">
As you can see, the empty declarations have been added, so the calculated
digest doesn't match and the message does not pass signature verification.
Attached are: sample code and the transformation result. The example was tested
with xmlsec 2.0.0 and xmlsec 2.0.6.
Old versions 1.5.7, 1.5.8 are working fine - please take a look at:
Canonicalizer20010315Excl.java, starting from line 201 -> it's not adding all
prefixes defined in "inclusiveNamespaces" but only those for which there's a
need.
Please help!
Best regards,
Szymon
NamespaceBug.java
<SOAP-ENV:Body xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ec="" xmlns:ec1="" xmlns:ns0="" xmlns:ns1="" xmlns:ns11="" xmlns:ns2="" xmlns:ns4="" xmlns:ns9="" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="XWSSGID-1465203363337-2063525437">
<ec:SubmitRetrieveInterchangeAgreementsRequestResponse xmlns:ec="ec:services:wsdl:RetrieveInterchangeAgreementsRequest-2" xmlns:ec1="ec:schema:xsd:CommonBasicComponents-0.1">
<ns0:RetrieveInterchangeAgreementsResponse xmlns:ns0="ec:services:wsdl:RetrieveInterchangeAgreementsRequest-2" xmlns:ns1="urn:oasis:names:specification:ubl:schema:xsd:CommonExtensionComponents-2" xmlns:ns11="urn:oasis:names:specification:ubl:schema:xsd:CommonAggregateComponents-2" xmlns:ns2="urn:oasis:names:specification:ubl:schema:xsd:CommonBasicComponents-2" xmlns:ns4="ec:schema:xsd:CommonBasicComponents-1" xmlns:ns9="ec:schema:xsd:CommonAggregateComponents-2">
<ns9:InterchangeAgreement>
<ns11:SenderParty>
<ns2:EndpointID schemeID="GLN">DEV1_NOTENC_WEB_PARTY</ns2:EndpointID>
<ns11:PartyIdentification>
<ns2:ID schemeID="GLN">DEV1_NOTENC_WEB_PARTY</ns2:ID>
</ns11:PartyIdentification>
</ns11:SenderParty>
<ns11:ReceiverParty>
<ns2:EndpointID schemeID="GLN">DEV1_NOTENC_APP_PARTY</ns2:EndpointID>
<ns11:PartyIdentification>
<ns2:ID schemeID="GLN">DEV1_NOTENC_APP_PARTY</ns2:ID>
</ns11:PartyIdentification>
</ns11:ReceiverParty>
<ns9:SecurityInformation>
<ns4:ConfidentialityLevelCode>0</ns4:ConfidentialityLevelCode>
<ns4:IntegrityLevelCode>0</ns4:IntegrityLevelCode>
<ns4:AvailabilityLevelCode>0</ns4:AvailabilityLevelCode>
</ns9:SecurityInformation>
<ns2:DocumentTypeCode></ns2:DocumentTypeCode>
<ns2:ProfileID>Bundle</ns2:ProfileID>
</ns9:InterchangeAgreement>
</ns0:RetrieveInterchangeAgreementsResponse>
</ec:SubmitRetrieveInterchangeAgreementsRequestResponse>
</SOAP-ENV:Body>
--- End Message ---
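
The rule the message relies on, as an added example (not part of the original thread, and not Santuario or CXF code): under exclusive canonicalization a prefix from the inclusive list is rendered on the apex element only when it is in scope there, so canonical output never binds a prefix to an empty URI. The Python below covers the apex element only; SAMPLE, FAULTY and the function names are constructed for illustration.

```python
import re
from xml.dom import minidom

# Constructed sample: the apex element declares only SOAP-ENV and wsu; ec and
# ec1 are declared on a child, as in the message above (URIs shortened).
SAMPLE = (
    '<SOAP-ENV:Body xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" '
    'xmlns:wsu="urn:example:wsu" wsu:Id="id-1">'
    '<ec:Resp xmlns:ec="urn:example:ec" xmlns:ec1="urn:example:ec1"/>'
    '</SOAP-ENV:Body>'
)
# Constructed start tag modelled on the faulty output root quoted above.
FAULTY = (b'<SOAP-ENV:Body xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" '
          b'xmlns:ec="" xmlns:ec1="" xmlns:wsu="urn:example:wsu" wsu:Id="id-1">')


def in_scope_namespaces(elem):
    """Map prefix -> URI for each xmlns:prefix declared on elem or an ancestor."""
    scope = {}
    node = elem
    while node is not None and node.nodeType == node.ELEMENT_NODE:
        for i in range(node.attributes.length):
            attr = node.attributes.item(i)
            if attr.name.startswith("xmlns:"):
                scope.setdefault(attr.name[6:], attr.value)  # nearest declaration wins
        node = node.parentNode
    return scope


def apex_declarations(xml_text, inclusive_prefixes):
    """Prefixed declarations exclusive C14N should render on the apex element."""
    elem = minidom.parseString(xml_text).documentElement
    scope = in_scope_namespaces(elem)
    names = [elem.tagName] + [elem.attributes.item(i).name
                              for i in range(elem.attributes.length)]
    # Visibly utilized prefixes: those of the element name and its attributes.
    used = {n.split(":", 1)[0] for n in names
            if ":" in n and not n.startswith("xmlns:")}
    wanted = used | set(inclusive_prefixes.split())
    # A listed prefix that is not in scope here is skipped, never bound to "".
    return {p: scope[p] for p in sorted(wanted) if scope.get(p)}


def empty_prefixed_declarations(canonical_bytes):
    """Prefixes bound to "" in canonicalized bytes (heuristic scan of the octets).

    xmlns="" can be legitimate canonical output; xmlns:prefix="" cannot.
    """
    return re.findall(rb'xmlns:([\w.-]+)=""', canonical_bytes)
```

Running empty_prefixed_declarations over the octets a verifier logs before digesting (as in the DigesterOutputStream DEBUG line above) gives a quick signal that a digest mismatch comes from the canonicalizer rather than from a modified message.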