Werner,

OK, sounds like good progress. Thanks for looking. Did you manage to get a
working version by hacking on Axis itself? I mean, is it feasible for me to
make a modified version of Axis to go on with pending a proper patch?  If so,
could you please point me at the right classes.

Thanks,
Guy

On Fri, 24 Mar 2006, Werner Dittmann wrote:

> Guy,
>
> thanks a lot for your in-depth analysis. I repeated your tests
> with Axis 1.3 (I used 1.2.1 till now) and have the same error.
> I somehow didn't catch that you used Axis 1.3.
>
> I could see that Axis 1.3 modifies the document by inserting
> newlines at various places. This happens during re-parsing of
> the signed XML document to create a new SOAP envelope.
>
> I've filed an issue with Axis 1.3 with priority "Blocker" because
> with Axis 1.3 all WSS4J test cases fail to work.
>
> Regards,
> Werner
>
> Guy Rixon wrote:
> > Hi,
> >
> > I'm still stuck on this failing signature. I now have some more
> > information.
> >
> > First, the failure happens with Axis 1.3 jars, but not with Axis 1.2.1. It
> > seems to be the same problem that you were discussing last October; did you
> > ever find out what was wrong?
> >
> > In this specific case, I've found out from the library logging that the
> > digests of the references are correct. Therefore, I presume that the failure
> > is in the digesting/canonicalization/signing of the SignedInfo itself.
> >
> > Further, after hacking in extra checks to my handler, I find that the
> > signature checks out OK after WSSignEnvelope has made it, but fails after I
> > pass the envelope with the signed message to Axis' MessageContext and then
> > get it back again. I.e., it goes wrong before the pivot handler in the client
> > can change anything, and way before the service handlers get to play with it.
> >
> > Finally, is there any chance that this can be related to the canonicalization
> > problem reported as http://issues.apache.org/jira/browse/WSS-19 ?
> >
> > BTW, "go back to Axis 1.2.1" is not a cheap option for us. We'd really like to
> > get this fixed.
> >
> > Cheers,
> > Guy
> >
> >
> > On Fri, 17 Mar 2006, Dittmann, Werner wrote:
> >
> >
> >>Guy,
> >>
> >>you are right, it's part of the XMLUtils.outputDOM() method.
> >>
> >>It's necessary to have this c14n step and to use the
> >>Axis parameters to ensure that the namespace handling is
> >>correct.
> >>
> >>Regards,
> >>Werner
> >>
> >>
> >>>-----Original Message-----
> >>>From: Guy Rixon [mailto:[EMAIL PROTECTED]
> >>>Sent: Friday, 17 March 2006 15:15
> >>>To: Dittmann, Werner
> >>>Cc: [EMAIL PROTECTED]; [email protected]
> >>>Subject: Re: AW: AW:Problems with signatures
> >>>
> >>>Werner,
> >>>
> >>>OK, code is appended. Actually, I wrote this handler _after_ I started seeing
> >>>this bug. I originally had the problem when using WSDoAllSender.  I can't
> >>>see a canonicalization step in WSDoAllSender itself; is it part of
> >>>XMLUtils.outputDOM()? Originally, I used that (I lifted the serialization code
> >>>from WSDoAllSender), but still got the problem. Maybe I didn't try that with
> >>>the Axis don't-fiddle options set.
> >>>
> >>>Cheers,
> >>>Guy
> >>>
> >>>      // Get the SOAP envelope as a DOM.
> >>>      Document envelope =
> >>>          msgContext.getCurrentMessage().getSOAPEnvelope().getAsDocument();
> >>>      if (envelope == null) {
> >>>        throw new Exception("SOAP Envelope is null");
> >>>      }
> >>>
> >>>      // Sign the message using WSS4J. By default, the WSSignEnvelope signs
> >>>      // the SOAP body as a whole, which is correct for this use case.
> >>>      Init.init();
> >>>      WSSignEnvelope signer = new WSSignEnvelope();
> >>>      signer.setUserInfo(alias, password); // Lets it use the Crypto.
> >>>      // Includes certificates in the message.
> >>>      signer.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
> >>>      Document newEnvelope = signer.build(envelope, crypto);
> >>>
> >>>      // DEBUG: dump the raw document.
> >>>      org.apache.axis.utils.XMLUtils.DocumentToStream(newEnvelope,
> >>>          new java.io.FileOutputStream("client.xml"));
> >>>
> >>>      // Replace the unsigned message with the signed one.
> >>>      String serializedEnvelope =
> >>>          org.apache.axis.utils.XMLUtils.DocumentToString(newEnvelope);
> >>>      SOAPPart sp =
> >>>          (org.apache.axis.SOAPPart) (msgContext.getCurrentMessage().getSOAPPart());
> >>>      sp.setCurrentMessage(serializedEnvelope.getBytes(), SOAPPart.FORM_BYTES);
> >>>
> >>>
> >>>
> >>>On Fri, 17 Mar 2006, Dittmann, Werner wrote:
> >>>
> >>>
> >>>>Guy,
> >>>>
> >>>>I wasn't aware that you use a custom handler.
> >>>>
> >>>>As I can see there could be a problem when you hand over
> >>>>the signed message to Axis for sending it over the wire.
> >>>>It's somewhat tricky to do this. Before handing it over
> >>>>to Axis the message should be fed thru a c14n method,
> >>>>this is what WSDoAllSender does before it sets the signed
> >>>>message as "new" message to Axis.
> >>>>
> >>>>Maybe you can show the code snippet where your handler
> >>>>does this.
> >>>>
> >>>>Regards,
> >>>>Werner
> >>>>
> >>>>
> >>>>>-----Original Message-----
> >>>>>From: Guy Rixon [mailto:[EMAIL PROTECTED]
> >>>>>Sent: Friday, 17 March 2006 11:06
> >>>>>To: Dittmann, Werner
> >>>>>Cc: [EMAIL PROTECTED]; [email protected]
> >>>>>Subject: Re: AW: AW: AW: Problems with signatures
> >>>>>
> >>>>>Test configuration:
> >>>>>
> >>>>>Custom handler in the client, calling WSSignEnvelope; based on WSDoAllSender,
> >>>>>but stripped down so that it only has the code relevant to signature.
> >>>>>WSDoAllReceiver in the service (tweaked with extra logging, but basically the
> >>>>>one from WSS4J 1.0.0).
> >>>>>
> >>>>>Certificates generated from local CA. The trust anchor was made with OpenSSL
> >>>>>and the user certificate with KeyStore Explorer. The trust anchor is an
> >>>>>X.509v3 and the user one an X.509v1. The keys do work for the signature: I
> >>>>>know that because I put a check in WSSignEnvelope to check the signature just
> >>>>>after signing.
> >>>>>
> >>>>>This is the log output from the JUnit tests, starting from the entry to
> >>>>>WSDoAllReceiver.
> >>>>>
> >>>>>1051 DEBUG org.astrogrid.security.ServiceHandler  - WSDoAllReceiver: enter invoke() with msg type: null
> >>>>>1071 DEBUG org.astrogrid.security.ServiceHandler  - Received SOAP request:
> >>>>>1071 DEBUG org.astrogrid.security.ServiceHandler  -
> >>>>><soapenv:Envelope xmlns="" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
> >>>>> <soapenv:Header>
> >>>>>  <wsse:Security soapenv:mustUnderstand="1" xmlns="" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> >>>>>   <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId--273267" xmlns="" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> >>>>></wsse:BinarySecurityToken>
> >>>>>   <ds:Signature xmlns="" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> >>>>>
> >>>>>    <ds:SignedInfo xmlns="">
> >>>>>
> >>>>>     <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns=""/>
> >>>>>
> >>>>>     <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" xmlns=""/>
> >>>>>
> >>>>>     <ds:Reference URI="#id-367156" xmlns="">
> >>>>>
> >>>>>      <ds:Transforms xmlns="">
> >>>>>
> >>>>>       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns=""/>
> >>>>>
> >>>>>      </ds:Transforms>
> >>>>>
> >>>>>      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns=""/>
> >>>>>
> >>>>>      <ds:DigestValue xmlns="">
> >>>>>S4XaDnlI8lOC8p5vVKlx9sLrKl8=      </ds:DigestValue>
> >>>>>
> >>>>>     </ds:Reference>
> >>>>>
> >>>>>    </ds:SignedInfo>
> >>>>>
> >>>>>    <ds:SignatureValue xmlns="">
> >>>>>
> >>>>>    </ds:SignatureValue>
> >>>>>
> >>>>>    <ds:KeyInfo Id="KeyId-12014770" xmlns="">
> >>>>>
> >>>>>     <wsse:SecurityTokenReference wsu:Id="STRId-28360136" xmlns="" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> >>>>>      <wsse:Reference URI="#CertId--273267" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" xmlns=""/>
> >>>>>     </wsse:SecurityTokenReference>
> >>>>>
> >>>>>    </ds:KeyInfo>
> >>>>>
> >>>>>   </ds:Signature>
> >>>>>  </wsse:Security>
> >>>>> </soapenv:Header>
> >>>>> <soapenv:Body wsu:Id="id-367156" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> >>>>>  <whoAmI xmlns=""/>
> >>>>> </soapenv:Body>
> >>>>></soapenv:Envelope>
> >>>>>
> >>>>>1071 INFO  org.apache.ws.security.components.crypto.CryptoFactory  - Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
> >>>>>1071 DEBUG org.apache.ws.security.WSSecurityEngine  - enter processSecurityHeader()
> >>>>>1081 DEBUG org.apache.ws.security.WSSecurityEngine  - Processing WS-Security header for '' actor.
> >>>>>1081 DEBUG org.apache.ws.security.WSSecurityEngine  - Unknown Element: BinarySecurityToken http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
> >>>>>1081 DEBUG org.apache.ws.security.WSSecurityEngine  - Found signature element
> >>>>>1081 DEBUG org.apache.ws.security.WSSecurityEngine  - Verify XML Signature
> >>>>>1081 DEBUG org.apache.xml.security.utils.ElementProxy  - setElement("ds:Signature", "null")
> >>>>>1081 DEBUG org.apache.xml.security.utils.ElementProxy  - setElement("ds:SignedInfo", "null")
> >>>>>1081 DEBUG org.apache.xml.security.utils.ElementProxy  - setElement("ds:SignatureMethod", "null")
> >>>>>1081 DEBUG org.apache.xml.security.algorithms.SignatureAlgorithm  - Create URI "http://www.w3.org/2000/09/xmldsig#rsa-sha1" class "org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA1"
> >>>>>1081 DEBUG org.apache.xml.security.algorithms.JCEMapper  - Request for URI http://www.w3.org/2000/09/xmldsig#rsa-sha1
> >>>>>1081 DEBUG org.apache.xml.security.algorithms.implementations.SignatureBaseRSA  - Created SignatureDSA using SHA1withRSA
> >>>>>1081 DEBUG org.apache.xml.security.utils.ElementProxy  - setElement("ds:KeyInfo", "null")
> >>>>>1081 DEBUG org.apache.ws.security.WSSecurityEngine  - Checking signature value with a certificate in the name of CN=Security-facade tester, OU=unit-test, O=AstroGrid, C=UK issued by C=UK, O=AstroGrid, OU=unit-test, CN=CA
> >>>>>1081 DEBUG org.apache.xml.security.signature.Manifest  - verify 1 References
> >>>>>1081 DEBUG org.apache.xml.security.signature.Manifest  - I am not requested to follow nested Manifests
> >>>>>1081 DEBUG org.apache.xml.security.utils.ElementProxy  - setElement("ds:Reference", "null")
> >>>>>1081 DEBUG org.apache.xml.security.algorithms.JCEMapper  - Request for URI http://www.w3.org/2000/09/xmldsig#sha1
> >>>>>1081 DEBUG org.apache.xml.security.utils.resolver.ResourceResolver  - I was asked to create a ResourceResolver and got 1
> >>>>>1081 DEBUG org.apache.xml.security.utils.resolver.ResourceResolver  -  extra resolvers to my existing 4 system-wide resolvers
> >>>>>1081 DEBUG org.apache.xml.security.utils.resolver.ResourceResolver  - check resolvability by class org.apache.ws.security.message.EnvelopeIdResolver
> >>>>>1091 DEBUG org.apache.xml.security.utils.ElementProxy  - setElement("ds:Transforms", "null")
> >>>>>1091 DEBUG org.apache.xml.security.utils.ElementProxy  - setElement("ds:Transform", "null")
> >>>>>1091 DEBUG org.apache.xml.security.transforms.Transforms  - Preform the (0)th http://www.w3.org/2001/10/xml-exc-c14n# transform
> >>>>>1091 WARN  org.apache.xml.security.signature.Reference  - Verification failed for URI "#id-367156"
> >>>>>1091 DEBUG org.apache.xml.security.signature.Manifest  - The Reference has Type
> >>>>>------------- ---------------- ---------------
> >>>>>------------- Standard Error -----------------
> >>>>>org.apache.ws.security.WSSecurityException: The signature verification failed
> >>>>> at org.apache.ws.security.WSSecurityEngine.verifyXMLSignature(WSSecurityEngine.java:649)
> >>>>> at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:334)
> >>>>> at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:259)
> >>>>> at org.astrogrid.security.ServiceHandler.invoke(ServiceHandler.java:160)
> >>>>> at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
> >>>>> at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
> >>>>> at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
> >>>>> at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
> >>>>> at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
> >>>>> at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
> >>>>> at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:453)
> >>>>> at org.apache.axis.server.AxisServer.invoke(AxisServer.java:281)
> >>>>> at org.apache.axis.transport.local.LocalSender.invoke(LocalSender.java:141)
> >>>>> at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
> >>>>> at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
> >>>>> at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
> >>>>> at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
> >>>>> at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
> >>>>> at org.apache.axis.client.Call.invoke(Call.java:2767)
> >>>>> at org.apache.axis.client.Call.invoke(Call.java:2443)
> >>>>> at org.apache.axis.client.Call.invoke(Call.java:2366)
> >>>>> at org.apache.axis.client.Call.invoke(Call.java:1812)
> >>>>> at org.astrogrid.security.sample.SamplePortSoapBindingStub.whoAmI(SamplePortSoapBindingStub.java:108)
> >>>>> at org.astrogrid.security.sample.SampleDelegate.whoAmI(SampleDelegate.java:42)
> >>>>> at org.astrogrid.security.EndToEndTest.testGoodCredentials(EndToEndTest.java:58)
> >>>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >>>>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> >>>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> >>>>> at java.lang.reflect.Method.invoke(Method.java:324)
> >>>>> at junit.framework.TestCase.runTest(TestCase.java:154)
> >>>>> at junit.framework.TestCase.runBare(TestCase.java:127)
> >>>>> at junit.framework.TestResult$1.protect(TestResult.java:106)
> >>>>> at junit.framework.TestResult.runProtected(TestResult.java:124)
> >>>>> at junit.framework.TestResult.run(TestResult.java:109)
> >>>>> at junit.framework.TestCase.run(TestCase.java:118)
> >>>>> at junit.framework.TestSuite.runTest(TestSuite.java:208)
> >>>>> at junit.framework.TestSuite.run(TestSuite.java:203)
> >>>>> at org.apache.tools.ant.taskdefs.optional.junit.JUnitTestRunner.run(JUnitTestRunner.java:325)
> >>>>> at org.apache.tools.ant.taskdefs.optional.junit.JUnitTestRunner.main(JUnitTestRunner.java:536)
> >>>>>
> >>>>>
> >>>>>I made it log the actual exception thrown by XMLSec:
> >>>>>
> >>>>>1091 WARN  org.apache.xml.security.signature.Reference  - Verification failed for URI "#id-367156"
> >>>>>
> >>>>>Cheers,
> >>>>>Guy
> >>>>>
> >>>>>
> >>>>>
> >>>>>On Fri, 17 Mar 2006, Dittmann, Werner wrote:
> >>>>>
> >>>>>
> >>>>>>Guy,
> >>>>>>
> >>>>>>what is your test configuration? Which certificates do you use?
> >>>>>>
> >>>>>>What is the exception that xml-sec throws?
> >>>>>>
> >>>>>>Thanks,
> >>>>>>Werner
> >>>>>>
> >>>>>>
> >>>>>>>-----Original Message-----
> >>>>>>>From: Guy Rixon [mailto:[EMAIL PROTECTED]
> >>>>>>>Sent: Thursday, 16 March 2006 17:11
> >>>>>>>To: Dittmann, Werner
> >>>>>>>Cc: [EMAIL PROTECTED]; [email protected]
> >>>>>>>Subject: Re: AW: AW: Problems with signatures
> >>>>>>>
> >>>>>>>I've set the options on both client and service and the
> >>>>>>>verification still
> >>>>>>>fails. I've dumped the raw XML messages with and without the
> >>>>>>>options and there
> >>>>>>>doesn't seem to be any difference.
> >>>>>>>
> >>>>>>>On Thu, 16 Mar 2006, Dittmann, Werner wrote:
> >>>>>>>
> >>>>>>>
> >>>>>>>>Probably on both if the service responds with signed messages.
> >>>>>>>>
> >>>>>>>>Regards,
> >>>>>>>>Werner
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>>-----Original Message-----
> >>>>>>>>>From: Guy Rixon [mailto:[EMAIL PROTECTED]
> >>>>>>>>>Sent: Thursday, 16 March 2006 16:29
> >>>>>>>>>To: [EMAIL PROTECTED]
> >>>>>>>>>Cc: Dittmann, Werner; [email protected]
> >>>>>>>>>Subject: Re: AW: Problems with signatures
> >>>>>>>>>
> >>>>>>>>>Thanks.
> >>>>>>>>>
> >>>>>>>>>Do these parameters have to be set on the client, the service or both?
> >>>>>>>>>Setting them just on the service doesn't fix the problem, and to set them on
> >>>>>>>>>the client I have to find out how to do it programmatically.
> >>>>>>>>>
> >>>>>>>>>On Thu, 16 Mar 2006 [EMAIL PROTECTED] wrote:
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>>Hi Guy
> >>>>>>>>>>setting these 2 props works for me.
> >>>>>>>>>>     <parameter name="enableNamespacePrefixOptimization" value="false" />
> >>>>>>>>>>     <parameter name="disablePrettyXML" value="true"/>
> >>>>>>>>>>
> >>>>>>>>>>thanks
> >>>>>>>>>>Anamitra
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>From: "Dittmann, Werner" <werner.dittmann@siemens.com>
> >>>>>>>>>>To: "Guy Rixon" <[EMAIL PROTECTED]>, <[email protected]>
> >>>>>>>>>>Date: 03/16/2006 09:10 AM
> >>>>>>>>>>Subject: AW: Problems with signatures
> >>>>>>>>>>
> >>>>>>>>>>AFAIK there is a switch / parameter in the Axis WSDD files
> >>>>>>>>>>to disable XML pretty printing. Maybe this "feature" is enabled
> >>>>>>>>>>by default - pretty printing always destroys the signature
> >>>>>>>>>>hashes.
> >>>>>>>>>>
> >>>>>>>>>>Also there is a parameter for Axis to disable some sort
> >>>>>>>>>>of namespace optimization - sorry but I haven't the parameter
> >>>>>>>>>>names at hand.
> >>>>>>>>>>
> >>>>>>>>>>Regards,
> >>>>>>>>>>Werner
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>>-----Original Message-----
> >>>>>>>>>>>From: Guy Rixon [mailto:[EMAIL PROTECTED]
> >>>>>>>>>>>Sent: Thursday, 16 March 2006 14:01
> >>>>>>>>>>>To: [email protected]
> >>>>>>>>>>>Subject: Problems with signatures
> >>>>>>>>>>>
> >>>>>>>>>>>Hi,
> >>>>>>>>>>>
> >>>>>>>>>>>can you help me with a signature problem?  I have a client and service, both
> >>>>>>>>>>>using WSS4J 1.0.0. The client signs the SOAP body of the request, but the
> >>>>>>>>>>>signature checking in the service always fails at the XMLSec level. The
> >>>>>>>>>>>signature uses a direct reference to a BinarySecurityToken, and the service
> >>>>>>>>>>>seems to be reading the token properly; at least, it gets the subject DN
> >>>>>>>>>>>right.
> >>>>>>>>>>>
> >>>>>>>>>>>I've checked the signature in the client immediately after signing and it
> >>>>>>>>>>>verifies correctly there. Something bad seems to be happening to the XML on
> >>>>>>>>>>>the way to the service, but I can't think what. No other special handlers are
> >>>>>>>>>>>involved.
> >>>>>>>>>>>
> >>>>>>>>>>>This is all with Axis 1.3 and "local" transport, BTW.
> >>>>>>>>>>>
> >>>>>>>>>>>Thanks,
> >>>>>>>>>>>Guy
> >>>>>>>>>>>
> >>>>>>>>>>>Guy Rixon                                  [EMAIL PROTECTED]
> >>>>>>>>>>>Institute of Astronomy                     Tel: +44-1223-337542
> >>>>>>>>>>>Madingley Road, Cambridge, UK, CB3 0HA     Fax: +44-1223-337523

Guy Rixon                                       [EMAIL PROTECTED]
Institute of Astronomy                          Tel: +44-1223-337542
Madingley Road, Cambridge, UK, CB3 0HA          Fax: +44-1223-337523
