Yes, this parameter controls a specific "optimization" Axis performs
on name spaces. This "optimization" is done after computing the signature
of the message. Because Axis modifies some name space data during
this optimization, this also invalidates the signature. Some time
back this behavior was reported. I'm not quite sure if a JIRA
issue report exists or if this is mentioned in WSS4J's FAQ.

Regards,
Werner

Montebove Luciano wrote:
> Partially solved:
> 
> I discovered that the sample works only if I set in server-config.wsdd:
> 
>   <parameter name="enableNamespacePrefixOptimization" value="true"/> 
>  while I had 
>   <parameter name="enableNamespacePrefixOptimization" value="false"/> 
> 
> but I can't understand why. Setting this property to "true" shouldn't create 
> a risk of a change to the message and so invalidate the sign?
> 
> Regards,
> 
> 
> Luciano
> 
> 
> 
> -----Original message-----
> From: Montebove Luciano [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, 11 July 2006 17.10
> To: Dittmann, Werner; [email protected]
> Subject: Re: Problem with SAML token with "sender vouches" option
> 
> Dittmar,
>  
> I know that the problem is related to a mismatch after recalculating the 
> digest, and before writing I checked any modification I could have done in my 
> code (it's an Italian open source project www.openspcoop.org) and to have a 
> countercheck I tried using directly the sample described here 
> http://ws.apache.org/wss4j/axis.html changing only the wsdds as you can see 
> below, but then I have the same error.
> So it doesn't work even without any custom code. I'm using WSS4J 1.5.0 and 
> Axis 1.4. 
> 
> Any idea?
> 
> Regards,
> Luciano
> 
> ________________________________
> 
> From: Dittmann, Werner [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 11 July 2006 16.53
> To: Montebove Luciano; [email protected]
> Subject: Re: Problem with SAML token with "sender vouches" option
> 
> 
> That Warning shows that the content of the message was modified
> somehow, that failure is independent of the keystore.
>  
> "Verification failed" is a message from xml-sec library that recomputes
> the digest of the message part that the id identifies, in this case the
> part with the id "#STRSAMLId-136". Somehow this part of the message
> was modified, thus the message digests do not match.
>  
>  
> Regards,
> Werner
> 
> 
> 
> 
> 
> ________________________________
> 
>       From: Montebove Luciano [mailto:[EMAIL PROTECTED] 
>       Sent: Tuesday, 11 July 2006 16:35
>       To: [email protected]
>       Subject: Problem with SAML token with "sender vouches" option
>       
>       
>       I'm trying to use a SAML token with WSS4J with the "sender vouches" 
> option.
>       I followed the configuration tips in the interop files but while the 
> client generates the assertion and signs both the assertion and the body of the 
> message, server side I can verify only the body sign while I always get an 
> error for the assertion sign:
>        
>       16:08:51,515 WARN  [Reference] Verification failed for URI "#STRSAMLId-136"
>       16:08:51,515 INFO  [Reference] Verification successful for URI "#id-137"
>       16:08:51,531 INFO  [STDOUT] org.apache.ws.security.WSSecurityException: The signature verification failed
>       16:08:51,531 INFO  [STDOUT]     at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:327)
>        
>       My Axis configuration client side is:
>          <requestFlow>
>           <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
>            <parameter name="action" value="Timestamp SAMLTokenSigned"/>
>            <parameter name="samlPropFile" value="saml3.properties"/>
>            <parameter name="signatureKeyIdentifier" value="DirectReference"/>
>           </handler>
>          </requestFlow>
>        
>       and server side is:
>          <requestFlow>
>           <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
>            <parameter name="action" value="Timestamp Signature SAMLTokenUnsigned"/>
>            <parameter name="signaturePropFile" value="pa-crypto.properties"/>
>           </handler>
>          </requestFlow>
>        
>       Quite strange if I use the "keyHolder" option (with little changes to 
> the Axis configuration as described in interop files)  all works fine with 
> the same keystore.
>        
>       Thanks
>        
>       Luciano Montebove
>       
>       
>       
>       
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
> 
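
The failure mode discussed in this thread, as an added example that is not part of the original messages and is not WSS4J, xml-sec or Axis code: each signed part's digest is recomputed over its canonical form, so a namespace change made after signing breaks only the references whose canonical form it touches. Assumptions: the message is constructed (only the two Id values come from the log above), Python's C14N 2.0 with SHA-256 stands in for whatever canonicalization and digest the real libraries apply, and `rewrite_prefix` is a hypothetical stand-in for a post-signing namespace rewrite, not Axis's actual optimization.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from xml.dom import minidom

# Constructed message. Only the two Id values come from the log in the thread;
# namespace URIs and element content are placeholders.
SIGNED = (
    '<env:Envelope xmlns:env="urn:example:soap" xmlns:wsse="urn:example:wsse">'
    '<env:Header><wsse:SecurityTokenReference Id="STRSAMLId-136">'
    '<wsse:KeyIdentifier>assertion-1</wsse:KeyIdentifier>'
    '</wsse:SecurityTokenReference></env:Header>'
    '<env:Body Id="id-137"><m:ping xmlns:m="urn:example:app">hello</m:ping></env:Body>'
    '</env:Envelope>'
)

def canonical_part(message, uri):
    """Canonical bytes of the element that a reference such as '#id-137' names."""
    doc = minidom.parseString(message)
    target = next(e for e in doc.getElementsByTagName("*")
                  if e.getAttribute("Id") == uri.lstrip("#"))
    part = target.cloneNode(True)
    # Copy namespace declarations inherited from ancestors so the part parses alone.
    node = target.parentNode
    while node is not None and node.nodeType == node.ELEMENT_NODE:
        for name, value in node.attributes.items():
            if name.startswith("xmlns") and not part.hasAttribute(name):
                part.setAttribute(name, value)
        node = node.parentNode
    # C14N 2.0 keeps only the declarations the part uses, prefixes unchanged.
    return ET.canonicalize(part.toxml()).encode("utf-8")

def digest(message, uri):
    return base64.b64encode(hashlib.sha256(canonical_part(message, uri)).digest()).decode()

def sign_references(message, uris):
    """Digests recorded at signing time, one per reference URI."""
    return {uri: digest(message, uri) for uri in uris}

def verify_references(message, signed):
    """Recompute each digest on the received message, as the receiver does."""
    return {uri: digest(message, uri) == value for uri, value in signed.items()}

def rewrite_prefix(message, old, new):
    """Hypothetical post-signing serializer step: same namespace URI, new prefix."""
    for a, b in ((f"xmlns:{old}=", f"xmlns:{new}="), (f"<{old}:", f"<{new}:"),
                 (f"</{old}:", f"</{new}:")):
        message = message.replace(a, b)
    return message

if __name__ == "__main__":
    signed = sign_references(SIGNED, ["#STRSAMLId-136", "#id-137"])
    print(verify_references(rewrite_prefix(SIGNED, "wsse", "ns1"), signed))
```

The body reference still verifies after the rewrite because the changed declaration is not used inside the body, which matches the pattern in the log: one reference fails while the other succeeds.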

