Thank you Colm – another engineer actually found the culprit today. It was a bug with xmlsec (https://issues.apache.org/jira/browse/SANTUARIO-412), and after we upgraded the version of the library, it now works!
-Al From: Colm O hEigeartaigh <cohei...@apache.org> Reply-To: "users@ws.apache.org" <users@ws.apache.org>, "cohei...@apache.org" <cohei...@apache.org> Date: Monday, March 5, 2018 at 4:53 AM To: "users@ws.apache.org" <users@ws.apache.org> Subject: Re: Validation failing due to empty namespace in tag I'm not sure why you are seeing empty namespaces. Could you create a unit test or some way of reproducing the problem that I can look at? Colm. On Sun, Mar 4, 2018 at 9:46 AM, Al Ramsey <aram...@vecna.com<mailto:aram...@vecna.com>> wrote: We’re currently trying to migrate WSS4J from version 1.6 to 2.0.1 but our integration tests to the service provider is now failing. A highlighted overview is given below: • In the SignedInfo node, two references were hashed - (1) Timestamp, and (2) Body. Validation of (1) the Timestamp SHA1 digest against the expected value passes, but it fails for (2) the Body. WSS4J decrypts the Body successfully, but fails in the validation. • We made some changes with our WSS4J configuration based on the recommendations from the WSS4J Migration Guide (link: https://ws.apache.org/wss4j/migration/wss4j20.html). • When I manually removed an empty namespace in one of the tags, a manual check of the SHA1 digest appears to finally succeed. • WSS4J first decrypts the Body, then performs a canonical transformation prior to validation. An empty namespace in one of the tags seem to show up in our application when we use WSS4J 2.0.1 but it does not show up when using WSS4J 1.6. An illustrative example: the decoded Body is: <results xmlns="" xmlns:a="http://ebs.health.ontario.ca/" xmlns:b="http://msa.ebs.health.ontario.ca/" xmlns:c="http://hcv.health.ontario.ca/" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><auditUID>676345d6-3fc4-434c-96b3-012c73672b6a</auditUID><results><healthNumber>1286844022</healthNumber><responseAction>Ask the cardholder to either visit the local ServiceOntario office or call 1 800-268-1154<tel:1%20800-268-1154>.</responseAction><responseCode>10</responseCode><responseDescription>The Health Number submitted does not exist on the ministry's system</responseDescription><responseID>FAILED_MOD10</responseID><versionCode>YX</versionCode></results></results> … and the Body after canonical transformation is: <soapenv:Body xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Body-42a8192d-3065-451d-bfeb-1156ae118da4"><c:validateResponse xmlns:c="http://hcv.health.ontario.ca/"><results xmlns=""><auditUID>676345d6-3fc4-434c-96b3-012c73672b6a</auditUID><results><healthNumber>1286844022</healthNumber><responseAction>Ask the cardholder to either visit the local ServiceOntario office or call 1 800-268-1154<tel:1%20800-268-1154>.</responseAction><responseCode>10</responseCode><responseDescription>The Health Number submitted does not exist on the ministry's system</responseDescription><responseID>FAILED_MOD10</responseID><versionCode>YX</versionCode></results></results></c:validateResponse></soapenv:Body> I had to manually change <results xmlns=""> to the following: <results> A manual check of the SHA1 digest tells me it would now pass validation. I am not sure why the empty namespace appears when using WSS4J 2.0.1 and not 1.6. Did I miss a configuration when updated them? -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com