Can you attach the log4j debug output for this? 

Colm.

-----Original Message-----
From: Nitin Handa [mailto:[email protected]] 
Sent: 30 April 2009 11:26
To: Colm O hEigeartaigh (JIRA)
Cc: [email protected]
Subject: Re: [jira] Commented: (WSS-181) Signature verification should not fail due to default namespaces added after signing when using exclusive canonicalization

Hi Colm,

Realized that the issue is with AXIS. It is optimizing namespace declarations.

For example, OWSM signed the element below:
------------------------------------------------
<wsse:BinarySecurityToken
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="BST-2NQixJV5aafKsVvYq15hlw22">M+/8im3Pgzb3insPQq+N6BcQP9uiPv3fL/BDuIL</wsse:BinarySecurityToken>

But the element below was somehow sent from Oracle's web services stack (after the default namespace was added):
------------------------------------------------
<wsse:BinarySecurityToken
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
wsu:Id="BST-2NQixJV5aafKsVvYq15hlw22"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">M+/8im3Pgzb3insPQq+N6BcQP9uiPv3fL/BDuIL</wsse:BinarySecurityToken>

While the element below is received by wss4j (realized that somehow AXIS is doing optimization and removed the prefix to give preference to the default namespace):
------------------------------------------------
<BinarySecurityToken
xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="BST-2NQixJV5aafKsVvYq15hlw22">M+/8im3Pgzb3insPQq+N6BcQP9uiPv3fL/BDuIL</BinarySecurityToken>

I had a talk with the web services team, but they say that this should be OK for wss4j while doing exclusive canonicalization, as they are also doing this as per the standard specs, so wss4j should also handle this.

Please let me know if anything can be done about this at wss4j end.

thanks
Nitin

Colm O hEigeartaigh (JIRA) wrote:
>     [ https://issues.apache.org/jira/browse/WSS-181?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12704550#action_12704550 ]
>
> Colm O hEigeartaigh commented on WSS-181:
> -----------------------------------------
>
>
> Who's adding the extra default namespaces (and why)? Are they added at the owsm client or the Axis server end? Can you attach the client request?
>
>   
>> Signature verification should not fail due to default namespaces added after signing when using exclusive canonicalization
>> --------------------------------------------------------------------------------------------------------------------------
>>
>>                 Key: WSS-181
>>                 URL: https://issues.apache.org/jira/browse/WSS-181
>>             Project: WSS4J
>>          Issue Type: Bug
>>          Components: WSS4J Core
>>    Affects Versions: 1.5.7
>>         Environment: tomcat + axis 1.4 + wss4j 1.5.7
>>            Reporter: Nitin Handa
>>            Assignee: Ruchith Udayanga Fernando
>>            Priority: Blocker
>>
>> Signature verification is failing, but it should not when using exclusive canonicalization.
>> The timestamp element below was signed by OWSM:
>> <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-iZia05BtcBfzdM8WfpM1fA22">
>> <wsu:Created ValueType="http://www.w3.org/2001/XMLSchema/dateTime">2009-04-20T17:09:24Z</wsu:Created>
>> <wsu:Expires ValueType="http://www.w3.org/2001/XMLSchema/dateTime">2009-04-20T17:14:24Z</wsu:Expires></wsu:Timestamp>
>> while the timestamp element below was received by wss4j:
>> <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" *xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"* wsu:Id="Timestamp-iZia05BtcBfzdM8WfpM1fA22">
>> <wsu:Created ValueType="http://www.w3.org/2001/XMLSchema/dateTime">2009-04-20T17:09:24Z</wsu:Created>
>> <wsu:Expires ValueType="http://www.w3.org/2001/XMLSchema/dateTime">2009-04-20T17:14:24Z</wsu:Expires></wsu:Timestamp>
>> Note that the default namespace is also there, so wss4j verification failed, while it should be ignored as this default namespace is unused.
>> The same is the case with STR and BST too.
>> Canonicalized STR & BST at wss4j end used default namespace which canonicalization
>>     
>
>   

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
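An added illustration of the canonicalization rule the thread turns on, written for this page in Python; it is not code from the thread, from WSS4J or from Axis. It runs the three BinarySecurityToken variants quoted above through the standard library's xml.etree.ElementTree.canonicalize(), which, like Exclusive XML Canonicalization, emits a namespace declaration only on the element where it is actually used, and then compares digests over the canonical bytes the way a ds:Reference check does. The XML strings are reconstructed from the e-mail (the BST text value is truncated exactly as it is in the mail), and SHA-256 is a stand-in for whichever digest algorithm the real signature used.

```python
"""Exclusive-canonicalization check for the BinarySecurityToken variants
quoted in the WSS-181 thread.  Added example; the XML below is
reconstructed from the e-mail, not captured from a live exchange."""
import base64
import hashlib
from xml.etree.ElementTree import canonicalize

# Namespace and type URIs exactly as they appear in the thread.
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
ENC = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
VAL = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-x509-token-profile-1.0#X509v3")
BST_ID = "BST-2NQixJV5aafKsVvYq15hlw22"
BST_TEXT = "M+/8im3Pgzb3insPQq+N6BcQP9uiPv3fL/BDuIL"  # truncated as in the mail

# 1. The element as OWSM signed it: prefixed, no default namespace.
SIGNED = (
    f'<wsse:BinarySecurityToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" '
    f'EncodingType="{ENC}" ValueType="{VAL}" wsu:Id="{BST_ID}">'
    f'{BST_TEXT}</wsse:BinarySecurityToken>'
)

# 2. As sent by the Oracle stack: an extra default-namespace declaration
#    that nothing in the element uses (attribute order as in the mail).
WITH_UNUSED_DEFAULT = (
    f'<wsse:BinarySecurityToken xmlns:wsse="{WSSE}" xmlns="{WSSE}" '
    f'ValueType="{VAL}" EncodingType="{ENC}" wsu:Id="{BST_ID}" '
    f'xmlns:wsu="{WSU}">{BST_TEXT}</wsse:BinarySecurityToken>'
)

# 3. As received by WSS4J after Axis dropped the prefix in favour of the
#    default namespace.
PREFIX_REWRITTEN = (
    f'<BinarySecurityToken xmlns="{WSSE}" xmlns:wsu="{WSU}" '
    f'EncodingType="{ENC}" ValueType="{VAL}" wsu:Id="{BST_ID}">'
    f'{BST_TEXT}</BinarySecurityToken>'
)


def exc_c14n(xml: str) -> str:
    """Canonical form: namespace declarations that are not used by the
    element or its attributes are dropped, everything else is preserved."""
    return canonicalize(xml)


def reference_digest(xml: str) -> str:
    """Base64 digest over the canonical bytes, as a ds:DigestValue carries
    it.  SHA-256 here is a stand-in for the signature's real algorithm."""
    canonical = exc_c14n(xml).encode("utf-8")
    return base64.b64encode(hashlib.sha256(canonical).digest()).decode("ascii")


def digest_matches(signed_xml: str, received_xml: str) -> bool:
    """What a verifier does: recompute the digest over the element as
    received and compare it with the digest fixed at signing time."""
    return reference_digest(signed_xml) == reference_digest(received_xml)


if __name__ == "__main__":
    for name, variant in [("signed by OWSM", SIGNED),
                          ("unused default ns added", WITH_UNUSED_DEFAULT),
                          ("prefix rewritten by Axis", PREFIX_REWRITTEN)]:
        print(f"{name:26s} {exc_c14n(variant)[:60]}...")
        print(f"{'':26s} digest matches signed form: "
              f"{digest_matches(SIGNED, variant)}")
```

The outcome matches what the spec predicts. The unused default-namespace declaration that the Oracle stack added is dropped during canonicalization, so that variant yields the same bytes and the same digest as the signed element (this is the Timestamp case from the JIRA report as well). The variant in which Axis moved the element into the default namespace is a different canonical form, `<BinarySecurityToken xmlns="...">` instead of `<wsse:BinarySecurityToken xmlns:wsse="...">`, and its digest cannot match: canonicalization preserves the prefix an element is written with, so an intermediary that rewrites prefixes changes the signed bytes, and a verifier that tolerated that would be accepting a message other than the one that was signed.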

