Partially solved: I discovered that the sample works only if I set in server-config.wsdd:

    <parameter name="enableNamespacePrefixOptimization" value="true"/>

while I had

    <parameter name="enableNamespacePrefixOptimization" value="false"/>

but I can't understand why. Shouldn't setting this property to "true" create a risk of a change to the message and so invalidate the signature?

Regards,
Luciano

-----Original Message-----
From: Montebove Luciano [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 11 July 2006 17:10
To: Dittmann, Werner; [email protected]
Subject: R: Problem with SAML token with "sender vouches" option

Dittmann,
I know that the problem is related to a mismatch after recalculating the digest, and before writing I checked any modification I could have done in my code (it's an Italian open source project, www.openspcoop.org). To have a countercheck I tried using directly the sample described here http://ws.apache.org/wss4j/axis.html, changing only the wsdds as you can see below, but then I get the same error. So it doesn't work even without any custom code.
I'm using WSS4J 1.5.0 and Axis 1.4.
Any idea?

Regards,
Luciano

________________________________
From: Dittmann, Werner [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 11 July 2006 16:53
To: Montebove Luciano; [email protected]
Subject: AW: Problem with SAML token with "sender vouches" option

That warning shows that the content of the message was modified somehow; that failure is independent of the keystore. "Verification failed" is a message from the xml-sec library, which recomputes the digest of the message part that the id identifies, in this case the part with the id "#STRSAMLId-136". Somehow this part of the message was modified, thus the message digests do not match.

Regards,
Werner

________________________________
From: Montebove Luciano [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 11 July 2006 16:35
To: [email protected]
Subject: Problem with SAML token with "sender vouches" option

I'm trying to use a SAML token with WSS4J with the "sender vouches" option.
I followed the configuration tips in the interop files, but while the client generates the assertion and signs both the assertion and the body of the message, on the server side I can verify only the body signature, while I always get an error for the assertion signature:

    16:08:51,515 WARN [Reference] Verification failed for URI "#STRSAMLId-136"
    16:08:51,515 INFO [Reference] Verification successful for URI "#id-137"
    16:08:51,531 INFO [STDOUT] org.apache.ws.security.WSSecurityException: The signature verification failed
    16:08:51,531 INFO [STDOUT] at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:327)

My Axis configuration client side is:

    <requestFlow>
      <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
        <parameter name="action" value="Timestamp SAMLTokenSigned"/>
        <parameter name="samlPropFile" value="saml3.properties"/>
        <parameter name="signatureKeyIdentifier" value="DirectReference"/>
      </handler>
    </requestFlow>

and server side is:

    <requestFlow>
      <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
        <parameter name="action" value="Timestamp Signature SAMLTokenUnsigned"/>
        <parameter name="signaturePropFile" value="pa-crypto.properties"/>
      </handler>
    </requestFlow>

Quite strange: if I use the "keyHolder" option (with little changes to the Axis configuration as described in the interop files) all works fine with the same keystore.

Thanks
Luciano Montebove

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
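Added illustration of the digest-mismatch mechanism Werner describes (example code, not from the thread and not WSS4J or Axis code): a signed reference's digest is computed over the bytes the verifier serializes, so moving or pruning namespace declarations changes the digest unless a canonicalization transform runs first. The SAML fragment below is constructed, and Python's standard-library C14N 2.0 stands in for the Exclusive C14N transform WS-Security signatures normally apply.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: one SAML assertion fragment serialized two ways.
# FRAG_A declares the prefix once on the root element.
FRAG_A = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"'
    ' AssertionID="STRSAMLId-136" MajorVersion="1">'
    '<saml:Subject><saml:NameIdentifier>luciano</saml:NameIdentifier>'
    '</saml:Subject></saml:Assertion>'
)
# FRAG_B is the same infoset, but a serializer has added an unused
# declaration on the root and re-declared saml: on a child element.
FRAG_B = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"'
    ' xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/'
    'oasis-200401-wss-wssecurity-utility-1.0.xsd"'
    ' AssertionID="STRSAMLId-136" MajorVersion="1">'
    '<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">'
    '<saml:NameIdentifier>luciano</saml:NameIdentifier>'
    '</saml:Subject></saml:Assertion>'
)


def raw_digest(xml_text: str) -> str:
    """SHA-1 over the bytes exactly as serialized (no transform)."""
    return hashlib.sha1(xml_text.encode("utf-8")).hexdigest()


def canonical_digest(xml_text: str) -> str:
    """SHA-1 over the canonical form: unused and redundant namespace
    declarations are dropped, so equivalent serializations collapse."""
    canon = ET.canonicalize(xml_text)
    return hashlib.sha1(canon.encode("utf-8")).hexdigest()


def digests_agree(a: str, b: str, canonical: bool) -> bool:
    """True if the two serializations yield the same reference digest."""
    fn = canonical_digest if canonical else raw_digest
    return fn(a) == fn(b)


if __name__ == "__main__":
    print("raw digests agree:      ", digests_agree(FRAG_A, FRAG_B, False))
    print("canonical digests agree:", digests_agree(FRAG_A, FRAG_B, True))
```

Whether the declarations are hoisted, pruned or repeated on the wire, the verifier only reaches the same digest as the signer if both sides apply the same canonicalization to the referenced element.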
