Hi,

I've been trying for some time now to get a simple working example of WSS4J 
using signatures, but am struggling with the current sparse level of 
documentation. I can get UsernameToken working fine, but with Signatures I've 
only got as far as sending what I think is a valid SOAP request with a 
signature on it, but the server rejects it as it thinks the signature is 
invalid.

I'll outline what I'm doing; I assume it's something simple I'm doing wrong?

- I'm using Sun JDK 1.5.0-03, WSS4J 1.0, Axis 1.2.1, JBoss 4.0.2, Windows XP

- I created a client key using keytool (i.e. a self-signed X509 v1 certificate 
using RSA), exported it as a certificate and imported it into the server's 
keystore

- My client code uses the WSS4JHandler, with the following settings:
    - action = Signature
    - signaturePropFile = client-signature.properties (which references 
client.keystore)
    - user = clientkey
    - signatureKeyIdentifier = DirectReference

- My server-config.wsdd uses the WSDoAllReceiver handler, with the following 
settings:
    - action = Signature
    - signaturePropFile = server-signature.properties (which references 
server.keystore)


(I would use signatureKeyIdentifier = IssuerSerial, as this is what most of the 
examples I've seen use, but I'm unsure where the long hex serial number comes 
from?)

keytool -printcert on my client certificate gives:

Owner: CN=clientkey
Issuer: CN=clientkey
Serial number: 43175c89
Valid from: Thu Sep 01 20:54:49 BST 2005 until: Wed Nov 30 19:54:49 GMT 2005 
Certificate fingerprints:
         MD5:  AC:C7:EA:41:B4:FB:6A:C2:30:A4:6B:A6:02:0A:AC:2E
         SHA1: 9D:23:FF:F9:87:AE:28:0E:31:98:2C:53:4F:B0:F9:29:15:C0:5F:BE

The SOAP request is:

POST /sidWS/services/SecureService HTTP/1.0
Content-Type: text/xml; charset=utf-8
Accept: application/soap+xml, application/dime, multipart/related, text/*
User-Agent: Axis/1.2.1
Host: localhost:9080
Cache-Control: no-cache
Pragma: no-cache
SOAPAction: "http://localhost:8080/sidWS/services/SecureService"
Content-Length: 2885

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Header>
<wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1"><wsse:BinarySecurityToken
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="CertId--34480">MIIBmjCCAQMCBEMXXIkwDQYJKoZIhvcNAQEEBQAwFDESMBAGA1UEA
xMJY2xpZW50a2V5MB4XDTA1
MDkwMTE5NTQ0OVoXDTA1MTEzMDE5NTQ0OVowFDESMBAGA1UEAxMJY2xpZW50a2V5MIGfMA0GCSqG
SIb3DQEBAQUAA4GNADCBiQKBgQCWO2CV7m7gU4/usE+2+1I5cnBNl4zwZkx1Xw8x9B/KINGR86XK
x/SGU2fKOrEZ+Nz4ULbIFJE9CjCBt3LCbkOCCAVal7VBVR2hkuJkdAIhl99D8cWAohw9D2sfcuvk
Piaz+tuOIowNLavi9hi9xYtVZRzvk7TB5ijZm8028w38TwIDAQABMA0GCSqGSIb3DQEBBAUAPiaz+A4GB
AHBm+yKgqZ6pn2viUUQcQa/yVLF3HD0D1+hfhipAco0ZEJudw109+KUsujehlyKyiV3drKrsAHBm+whEn
EXlUVktIwS8KSDtIFN7bh7GNK6ufYIhTQjVbBt3ghvCNiRL4nLuCCzzs89I5XPlNQAtg/rVFdcBj
jDdgZgMvjYXlJfJjMw9J</wsse:BinarySecurityToken><ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="#id-20214052">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>yndU9pRNx8a7Elqop4bXh1oAv6M=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
Rckm6JJXXGcBmTawi6X5RTMRr3xNXGmoBEbiwq3m9UFsLtwWsIVspUaLE8DUp/sEpoKDKByaRvZZ
a177PyIX7yzw2ExiynVFqlOOmf8KF4D1KRcyWC6n2c8wvggNghSWRd2BwwsxGSACwupJORysJC9Kco3ttafBUlytRhVe7Ac=
</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-15308417">
<wsse:SecurityTokenReference
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-21357269"><wsse:Reference URI="#CertId--34480"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"></wsse:Reference></wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature></wsse:Security></soapenv:Header><soapenv:Body
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-20214052"><ns1:Nominal
xmlns="http://www.test.com/Test" xmlns:ns1="http://www.test.com/Test">
<ns1:name>Bert</ns1:name>
<ns1:number>1234</ns1:number></ns1:Nominal></soapenv:Body></soapenv:Envelope>

The server stack trace is:

Verification failed for URI "#id-20214052"
org.apache.ws.security.WSSecurityException: The signature verification failed
at org.apache.ws.security.WSSecurityEngine.verifyXMLSignature(WSSecurityEngine.java:644)
at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:334)
at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:259)
at org.apache.ws.axis.security.WSDoAllReceiver.invoke(WSDoAllReceiver.java:183)
at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:453)
at org.apache.axis.server.AxisServer.invoke(AxisServer.java:281)
at org.apache.axis.transport.http.AxisServlet.doPost(AxisServlet.java:699)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at org.apache.axis.transport.http.AxisServletBase.service(AxisServletBase.java:327)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:81)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
at org.jboss.web.tomcat.security.CustomPrincipalValve.invoke(CustomPrincipalValve.java:39)
at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:153)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:59)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
at java.lang.Thread.run(Thread.java:595)


Chris Nappin
Technical Architect
 
ABM United Kingdom Limited
Telephone: +44 (0) 115 977 6999
Facsimile: +44 (0) 115 977 6850
Web: http://www.abm-uk.com
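Added example (not from the original post and not WSS4J code): a small structural checker for a request laid out like the one above. It confirms that every ds:Reference resolves to exactly one wsu:Id, that one of those ids is the soapenv:Body itself, and that the DirectReference SecurityTokenReference points at the BinarySecurityToken; the sample envelope, its ids and its token/digest values are constructed placeholders. It does not recompute digests or check the RSA signature, so it separates id/reference mismatches from canonicalization problems.

```python
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID, BST_TAG = "{%s}Id" % NS["wsu"], "{%s}BinarySecurityToken" % NS["wsse"]

# Constructed request with the same layout as the one in the post: the Body carries a
# wsu:Id and the DirectReference STR points at the BinarySecurityToken. Placeholder values.
SAMPLE = """<soapenv:Envelope xmlns:soapenv="{soapenv}" xmlns:wsse="{wsse}"
 xmlns:wsu="{wsu}" xmlns:ds="{ds}"><soapenv:Header><wsse:Security>
<wsse:BinarySecurityToken wsu:Id="CertId-1">QkFTRTY0</wsse:BinarySecurityToken>
<ds:Signature><ds:SignedInfo><ds:Reference URI="#{{body_ref}}">
<ds:DigestValue>AAAA</ds:DigestValue></ds:Reference></ds:SignedInfo>
<ds:SignatureValue>AAAA</ds:SignatureValue><ds:KeyInfo><wsse:SecurityTokenReference>
<wsse:Reference URI="#{{cert_ref}}"/></wsse:SecurityTokenReference></ds:KeyInfo>
</ds:Signature></wsse:Security></soapenv:Header>
<soapenv:Body wsu:Id="id-1"><name>Bert</name></soapenv:Body></soapenv:Envelope>""".format(**NS)

def make_request(body_ref="id-1", cert_ref="CertId-1"):
    """Build the constructed request; pass a wrong id to simulate a dangling reference."""
    return SAMPLE.format(body_ref=body_ref, cert_ref=cert_ref)

def check_signed_envelope(xml_text):
    """Return a list of findings (empty when the references line up).
    Structural checks only: each ds:Reference resolves to a unique wsu:Id, one of them
    is the soapenv:Body itself, and the SecurityTokenReference points at a
    BinarySecurityToken. Digests and the RSA signature are not recomputed."""
    root = ET.fromstring(xml_text)
    findings, by_id, covered = [], {}, []
    for el in root.iter():
        wsu_id = el.get(WSU_ID)
        if wsu_id in by_id:  # two elements claiming one id: the reference is ambiguous
            findings.append("duplicate wsu:Id %r" % wsu_id)
        elif wsu_id is not None:
            by_id[wsu_id] = el
    for ref in root.iterfind(".//ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        target = by_id.get(uri[1:]) if uri.startswith("#") else None
        if target is None:
            findings.append("ds:Reference %r does not resolve to a wsu:Id" % uri)
        covered.append(target)
    if root.find("soapenv:Body", NS) not in covered:  # identity test: the real Body element
        findings.append("no ds:Reference covers soapenv:Body")
    str_ref = root.find(".//ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
    token = by_id.get(str_ref.get("URI", "")[1:]) if str_ref is not None else None
    if token is None or token.tag != BST_TAG:
        findings.append("SecurityTokenReference does not point at a BinarySecurityToken")
    return findings
```

A Reference that resolves to something other than the Body, or an id that appears twice, means the signature does not protect the payload the service will act on; a receiver should reject such a message rather than debug around it.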
 