I'm not sure why you are seeing empty namespaces. Could you create a unit test or some way of reproducing the problem that I can look at?

Colm.

On Sun, Mar 4, 2018 at 9:46 AM, Al Ramsey <aram...@vecna.com> wrote:

> We’re currently trying to migrate WSS4J from version 1.6 to 2.0.1 but our
> integration tests to the service provider are now failing. A highlighted
> overview is given below:
>
> • In the SignedInfo node, two references were hashed - (1) Timestamp, and
>   (2) Body. Validation of (1) the Timestamp SHA1 digest against the expected
>   value passes, but it fails for (2) the Body. WSS4J decrypts the Body
>   successfully, but fails in the validation.
> • We made some changes with our WSS4J configuration based on the
>   recommendations from the WSS4J Migration Guide (link:
>   https://ws.apache.org/wss4j/migration/wss4j20.html).
> • When I manually removed an empty namespace in one of the tags, a manual
>   check of the SHA1 digest appears to finally succeed.
> • WSS4J first decrypts the Body, then performs a canonical transformation
>   prior to validation. An empty namespace in one of the tags seems to show up
>   in our application when we use WSS4J 2.0.1 but it does not show up when
>   using WSS4J 1.6.
>
> An illustrative example: the decoded Body is:
>
> <results xmlns="" xmlns:a="http://ebs.health.ontario.ca/" xmlns:b="http://msa.ebs.health.ontario.ca/" xmlns:c="http://hcv.health.ontario.ca/" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><auditUID>676345d6-3fc4-434c-96b3-012c73672b6a</auditUID><results><healthNumber>1286844022</healthNumber><responseAction>Ask the cardholder to either visit the local ServiceOntario office or call 1 800-268-1154.</responseAction><responseCode>10</responseCode><responseDescription>The Health Number submitted does not exist on the ministry's system</responseDescription><responseID>FAILED_MOD10</responseID><versionCode>YX</versionCode></results></results>
>
> … and the Body after canonical transformation is:
>
> <soapenv:Body xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Body-42a8192d-3065-451d-bfeb-1156ae118da4"><c:validateResponse xmlns:c="http://hcv.health.ontario.ca/"><results xmlns=""><auditUID>676345d6-3fc4-434c-96b3-012c73672b6a</auditUID><results><healthNumber>1286844022</healthNumber><responseAction>Ask the cardholder to either visit the local ServiceOntario office or call 1 800-268-1154.</responseAction><responseCode>10</responseCode><responseDescription>The Health Number submitted does not exist on the ministry's system</responseDescription><responseID>FAILED_MOD10</responseID><versionCode>YX</versionCode></results></results></c:validateResponse></soapenv:Body>
>
> I had to manually change
>
> <results xmlns="">
>
> to the following:
>
> <results>
>
> A manual check of the SHA1 digest tells me it would now pass validation.
> I am not sure why the empty namespace appears when using WSS4J 2.0.1 and
> not 1.6. Did I miss a configuration when I updated them?

-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com