Posted to users@cxf.apache.org by Pascal Alma <pa...@redstream.nl> on 2012/01/18 17:43:03 UTC

CXF 2.3.1: Message signature doesn't get validated

The issue is this:
I receive a signed soap message with the X509 certificate in the header (in
the BinarySecurityToken element). I have added this certificate to my
keystore and try to validate the signature. However the message won't be
validated, I keep receiving:
org.apache.xml.security.signature.Reference: Verification failed for URI
"#Timestamp-bcb7f6e3-350f-4ec7-8c81-e0d81ce53030" 

I will add some more logging to the end of this post. Since I am rather new
to WS-Security, I was wondering if I am on the wrong path with this. Are
there other issues that I have to be aware of?

I must say that my setup works with messages and signatures created by
myself; it only fails with messages I get from a third party.

Here is my CXF config:
<cxf:proxy-service>
    <cxf:inInterceptors>
        <spring:bean class="org.apache.cxf.interceptor.LoggingInInterceptor" />
        <spring:bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
            <spring:constructor-arg>
                <spring:map>
                    <spring:entry key="action" value="Signature" />
                    <spring:entry key="signaturePropFile" value="wssecurity.properties" />
                    <spring:entry key="signatureKeyIdentifier" value="DirectReference" />
                </spring:map>
            </spring:constructor-arg>
        </spring:bean>
    </cxf:inInterceptors>
</cxf:proxy-service>

In my property file I have:
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=JKS
org.apache.ws.security.crypto.merlin.file=c:\\develop\\KeyStores\\myKeystore.jks
org.apache.ws.security.crypto.merlin.keystore.password=myPassword

Here is part of the logging I get:
--------------------------------------
DEBUG 2012-01-18 17:38:18,850
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on
interceptor org.apache.cxf.interceptor.AttachmentInInterceptor@347cdb
DEBUG 2012-01-18 17:38:18,850
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on
interceptor org.apache.cxf.interceptor.StaxInInterceptor@75f10df7
DEBUG 2012-01-18 17:38:18,850
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on
interceptor
org.apache.cxf.binding.soap.interceptor.ReadHeadersInterceptor@6365d2be
DEBUG 2012-01-18 17:38:18,850
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on
interceptor
org.apache.cxf.binding.soap.interceptor.SoapActionInInterceptor@24cc0f9f
DEBUG 2012-01-18 17:38:18,850
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on
interceptor
org.apache.cxf.binding.soap.interceptor.StartBodyInterceptor@31eeeaed
DEBUG 2012-01-18 17:38:18,850
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on
interceptor org.mule.module.cxf.support.MuleHeadersInInterceptor@170a6001
DEBUG 2012-01-18 17:38:18,850
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on
interceptor org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor@191c0b76
DEBUG 2012-01-18 17:38:18,866
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor: WSS4JInInterceptor:
enter handleMessage()
DEBUG 2012-01-18 17:38:18,866
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.ws.security.WSSecurityEngine: enter processSecurityHeader()
DEBUG 2012-01-18 17:38:18,866
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.ws.security.WSSecurityEngine: Processing WS-Security header for
'' actor.
DEBUG 2012-01-18 17:38:18,866
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.ws.security.processor.SignatureProcessor: Found signature element
DEBUG 2012-01-18 17:38:18,866
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.ws.security.processor.SignatureProcessor: Verify XML Signature
DEBUG 2012-01-18 17:38:18,866
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.xml.security.utils.ElementProxy: setElement("Signature", "null")
DEBUG 2012-01-18 17:38:18,866
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.xml.security.utils.ElementProxy: setElement("SignedInfo", "null")
DEBUG 2012-01-18 17:38:18,866
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.xml.security.utils.ElementProxy: setElement("SignatureMethod",
"null")
DEBUG 2012-01-18 17:38:18,866
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.xml.security.utils.ElementProxy: setElement("KeyInfo", "null")
DEBUG 2012-01-18 17:38:18,866
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.ws.security.message.token.SecurityTokenReference: Token reference
uri: #SecurityToken-6afc8095-f450-4a21-82ba-8902e4a02d45
DEBUG 2012-01-18 17:38:18,866
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.xml.security.signature.Manifest: verify 1 References
DEBUG 2012-01-18 17:38:18,881
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.xml.security.signature.Manifest: I am not requested to follow
nested Manifests
DEBUG 2012-01-18 17:38:18,881
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.xml.security.utils.ElementProxy: setElement("Reference", "null")
DEBUG 2012-01-18 17:38:18,881
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.xml.security.utils.ElementProxy: setElement("Transforms", "null")
DEBUG 2012-01-18 17:38:18,881
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.xml.security.algorithms.JCEMapper: Request for URI
http://www.w3.org/2000/09/xmldsig#sha1
DEBUG 2012-01-18 17:38:18,881
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.xml.security.utils.resolver.ResourceResolver: I was asked to
create a ResourceResolver and got 1
DEBUG 2012-01-18 17:38:18,881
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.xml.security.utils.resolver.ResourceResolver:  extra resolvers to
my existing 4 system-wide resolvers
DEBUG 2012-01-18 17:38:18,881
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.xml.security.utils.resolver.ResourceResolver: check resolvability
by class org.apache.ws.security.message.EnvelopeIdResolver
DEBUG 2012-01-18 17:38:18,881
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.ws.security.message.EnvelopeIdResolver: enter engineResolve, look
for: #Body-432a8626-6c46-47b8-b069-7443138f9b8d
DEBUG 2012-01-18 17:38:18,881
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.ws.security.message.EnvelopeIdResolver: exit engineResolve,
result: XMLSignatureInput/Element/[soapenv:Body: null] exclude null
comments:false/null
DEBUG 2012-01-18 17:38:18,881
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.xml.security.utils.ElementProxy: setElement("Transform", "null")
WARN  2012-01-18 17:38:18,881
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.xml.security.signature.Reference: Verification failed for URI
"#Body-432a8626-6c46-47b8-b069-7443138f9b8d"
DEBUG 2012-01-18 17:38:18,881
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.xml.security.signature.Manifest: The Reference has Type 
WARN  2012-01-18 17:38:18,881
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor: 
org.apache.ws.security.WSSecurityException: The signature or decryption was
invalid
	at
org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:529)
	at
org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:97)
	at
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
	at
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
	at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:215)
	at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:81)
	at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:255)
	at
org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:113)
	at
org.mule.module.cxf.CxfInboundMessageProcessor.sendToDestination(CxfInboundMessageProcessor.java:296)
	at
org.mule.module.cxf.CxfInboundMessageProcessor.process(CxfInboundMessageProcessor.java:137)
	at
org.mule.module.cxf.config.FlowConfiguringMessageProcessor.process(FlowConfiguringMessageProcessor.java:50)
	at
org.mule.processor.chain.DefaultMessageProcessorChain.doProcess(DefaultMessageProcessorChain.java:99)
	at
org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
	at
org.mule.processor.chain.InterceptingChainLifecycleWrapper.doProcess(InterceptingChainLifecycleWrapper.java:56)
	at
org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
	at
org.mule.processor.chain.InterceptingChainLifecycleWrapper.process(InterceptingChainLifecycleWrapper.java:87)
	at
org.mule.processor.chain.DefaultMessageProcessorChain.doProcess(DefaultMessageProcessorChain.java:99)
	at
org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
	at
org.mule.processor.chain.InterceptingChainLifecycleWrapper.doProcess(InterceptingChainLifecycleWrapper.java:56)
	at
org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
	at
org.mule.processor.chain.InterceptingChainLifecycleWrapper.process(InterceptingChainLifecycleWrapper.java:87)
	at
org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:195)
	at
org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:163)
	at
org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:150)
	at
org.mule.transport.http.HttpMessageReceiver$HttpWorker.doRequest(HttpMessageReceiver.java:299)
	at
org.mule.transport.http.HttpMessageReceiver$HttpWorker.processRequest(HttpMessageReceiver.java:258)
	at
org.mule.transport.http.HttpMessageReceiver$HttpWorker.run(HttpMessageReceiver.java:163)
	at org.mule.work.WorkerContext.run(WorkerContext.java:310)
	at
java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
	at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
	at java.lang.Thread.run(Thread.java:662)
WARN  2012-01-18 17:38:18,897
[[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
org.apache.cxf.phase.PhaseInterceptorChain: Interceptor for
{http://support.cxf.module.mule.org/}ProxyService has thrown exception,
unwinding now
org.apache.cxf.binding.soap.SoapFault: The signature or decryption was
invalid
	at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:654)
	at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:275)
	at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:81)
	at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:255)
	at
org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:113)
	at
org.mule.module.cxf.CxfInboundMessageProcessor.sendToDestination(CxfInboundMessageProcessor.java:296)
	at
org.mule.module.cxf.CxfInboundMessageProcessor.process(CxfInboundMessageProcessor.java:137)
	at
org.mule.module.cxf.config.FlowConfiguringMessageProcessor.process(FlowConfiguringMessageProcessor.java:50)
	at
org.mule.processor.chain.DefaultMessageProcessorChain.doProcess(DefaultMessageProcessorChain.java:99)
	at
org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
	at
org.mule.processor.chain.InterceptingChainLifecycleWrapper.doProcess(InterceptingChainLifecycleWrapper.java:56)
	at
org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
	at
org.mule.processor.chain.InterceptingChainLifecycleWrapper.process(InterceptingChainLifecycleWrapper.java:87)
	at
org.mule.processor.chain.DefaultMessageProcessorChain.doProcess(DefaultMessageProcessorChain.java:99)
	at
org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
	at
org.mule.processor.chain.InterceptingChainLifecycleWrapper.doProcess(InterceptingChainLifecycleWrapper.java:56)
	at
org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
	at
org.mule.processor.chain.InterceptingChainLifecycleWrapper.process(InterceptingChainLifecycleWrapper.java:87)
	at
org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:195)
	at
org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:163)
	at
org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:150)
	at
org.mule.transport.http.HttpMessageReceiver$HttpWorker.doRequest(HttpMessageReceiver.java:299)
	at
org.mule.transport.http.HttpMessageReceiver$HttpWorker.processRequest(HttpMessageReceiver.java:258)
	at
org.mule.transport.http.HttpMessageReceiver$HttpWorker.run(HttpMessageReceiver.java:163)
	at org.mule.work.WorkerContext.run(WorkerContext.java:310)
	at
java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
	at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
	at java.lang.Thread.run(Thread.java:662)
Caused by: org.apache.ws.security.WSSecurityException: The signature or
decryption was invalid
	at
org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:529)
	at
org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:97)
	at
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
	at
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
	at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:215)
	... 26 more

--
View this message in context: http://cxf.547215.n5.nabble.com/CXF-2-3-1-Message-signature-doesn-t-get-validated-tp5155316p5155316.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: CXF 2.3.1: Message signature doesn't get validated

Posted by Jens <sm...@dzbank.de>.
Pascal Alma wrote
> 
> So it is quite normal to obtain the certificate from the message header
> and use that to validate the signing of the message? It cannot have to do
> with the fact that they use some 'embedded' root certificate or a complete
> chain when signing the message and I only have the 'upper' level
> certificate with the public key? (I am not sure if I make sense in this
> question so please let me know if you don't get it). 
> 

I haven't tried with recent versions of CXF, but at least with 2.2.x that
didn't work. I always had to import the "leaf" certificate into my keystore,
too, to make validation work.

Jens


Re: CXF 2.3.1: Message signature doesn't get validated

Posted by Christopher Riley <cr...@hkmconsultingllc.com>.
Hi Pascal,

Good point on the cert. Since you were successfully able to verify on your
end, you could request the entire cert chain they are using. We also did
the same because it was not clear what within the certificate was being
utilized in the calculation for our client and we wanted to not have a
mismatch in the trust store.

Chris

On Thu, Jan 19, 2012 at 10:13 AM, Pascal Alma <pa...@redstream.nl> wrote:

> Hi Chris and Colm,
>
> Thanks for your replies.
>
> The reason I used this specific version is that this one comes
> with the Mule ESB we use.
>
> So best thing to do is to find out how the sender does its
> canonicalization, etc. and make sure it matches the way I expect it
> (although I already checked it before).
>
> So it is quite normal to obtain the certificate from the message header
> and use that to validate the signing of the message? It cannot have to do
> with the fact that they use some 'embedded' root certificate or a complete
> chain when signing the message and I only have the 'upper' level
> certificate with the public key? (I am not sure if I make sense in this
> question so please let me know if you don't get it).
> kind regards,
>
> Pascal
>
>
> On 19 jan. 2012, at 15:57, Christopher Riley [via CXF] wrote:
>
> > Hi guys,
> >
> > I have had issues when the canonicalization algorithm was not set properly
> > on the sender side. This deals with how whitespaces are included/not
> > included in the calculation. In our case we used soapUI to prove the
> > security was set up properly and then shared the project with the client so
> > they could get their output to match (canonicalization, signature method
> > etc.). This then decouples you from having to spend so much time debugging.
> >
> > Chris
> >
> >
> >
> > On Thu, Jan 19, 2012 at 5:47 AM, Colm O hEigeartaigh <[hidden email]> wrote:
> >
> > > The errors in the log indicate that the digest of the signed
> > > references does not match the digests in the signature. Is anything
> > > changing the SOAP Message between when the signature was created and
> > > validated?
> > >
> > > Have you tried with a more recent version of CXF?
> > >
> > > Colm.
> > >
> > > On Wed, Jan 18, 2012 at 4:43 PM, Pascal Alma <[hidden email]>
> > > wrote:
> > > > The issue is this:
> > > > I receive a signed soap message with the X509 certificate in the
> header
> > > (in
> > > > the BinarySecurityToken element). I have added this certificate to my
> > > > keystore and try to validate the signature. However the message
> won't be
> > > > validated, I keep receiving:
> > > > org.apache.xml.security.signature.Reference: Verification failed for
> URI
> > > > "#Timestamp-bcb7f6e3-350f-4ec7-8c81-e0d81ce53030"
> > > >
> > > > I will add some more logging to the end of this post. Since I am
> rather
> > > new
> > > > to this ws-security i was wondering if I am on the wrong path with
> this.
> > > Are
> > > > there other issues that I have to be aware of?
> > > >
> > > > I must say that my set up works with messages and signatures created
> by
> > > > myself, it only fails with message I get from third party.
> > > >
> > > > Here is my CXF config:
> > > >  <cxf:proxy-service>
> > > >                <cxf:inInterceptors>
> > > >                    <spring:bean
> > > > class="org.apache.cxf.interceptor.LoggingInInterceptor" />
> > > >                    <spring:bean
> > > > class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
> > > >                        <spring:constructor-arg>
> > > >                            <spring:map>
> > > >                                <spring:entry key="action"
> > > value="Signature"
> > > > />
> > > >                                <spring:entry key="signaturePropFile"
> > > > value="wssecurity.properties" />
> > > >                                <spring:entry
> key="signatureKeyIdentifier"
> > > > value="DirectReference" />
> > > >                            </spring:map>
> > > >                        </spring:constructor-arg>
> > > >                    </spring:bean>
> > > >                </cxf:inInterceptors>
> > > >            </cxf:proxy-service>
> > > >
> > > > In my property file I have:
> > > >
> > >
> org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
> > > > org.apache.ws.security.crypto.merlin.keystore.type=JKS
> > > >
> > >
> org.apache.ws.security.crypto.merlin.file=c:\\develop\\KeyStores\\myKeystore.jks
> > > > org.apache.ws.security.crypto.merlin.keystore.password=myPassword
> > > >
> > > > Here is part of the logging I get:
> > > > --------------- -----------------------
> > > > DEBUG 2012-01-18 17:38:18,850
> > > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > > > org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on
> > > > interceptor org.apache.cxf.interceptor.AttachmentInInterceptor@347cdb
> > > > DEBUG 2012-01-18 17:38:18,850
> > > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > > > org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on
> > > > interceptor org.apache.cxf.interceptor.StaxInInterceptor@75f10df7
> > > > DEBUG 2012-01-18 17:38:18,850
> > > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > > > org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on
> > > > interceptor
> > > >
> org.apache.cxf.binding.soap.interceptor.ReadHeadersInterceptor@6365d2be
> > > > DEBUG 2012-01-18 17:38:18,850
> > > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > > > org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on
> > > > interceptor
> > > >
> org.apache.cxf.binding.soap.interceptor.SoapActionInInterceptor@24cc0f9f
> > > > DEBUG 2012-01-18 17:38:18,850
> > > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > > > org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on
> > > > interceptor
> > > > org.apache.cxf.binding.soap.interceptor.StartBodyInterceptor@31eeeaed
> > > > DEBUG 2012-01-18 17:38:18,850
> > > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > > > org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on
> > > > interceptor
> org.mule.module.cxf.support.MuleHeadersInInterceptor@170a6001
> > > > DEBUG 2012-01-18 17:38:18,850
> > > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > > > org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on
> > > > interceptor
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor@191c0b76
> > > > DEBUG 2012-01-18 17:38:18,866
> > > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > > > org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor:
> WSS4JInInterceptor:
> > > > enter handleMessage()
> > > > DEBUG 2012-01-18 17:38:18,866
> > > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > > > org.apache.ws.security.WSSecurityEngine: enter
> processSecurityHeader()
> > > > DEBUG 2012-01-18 17:38:18,866
> > > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > > > org.apache.ws.security.WSSecurityEngine: Processing WS-Security
> header
> > > for
> > > > '' actor.
> > > > DEBUG 2012-01-18 17:38:18,866
> > > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > > > org.apache.ws.security.processor.SignatureProcessor: Found signature
> > > element
> > > > DEBUG 2012-01-18 17:38:18,866
> > > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > > > org.apache.ws.security.processor.SignatureProcessor: Verify XML
> Signature
> > > > DEBUG 2012-01-18 17:38:18,866
> > > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > > > org.apache.xml.security.utils.ElementProxy: setElement("Signature",
> > > "null")
> > > > DEBUG 2012-01-18 17:38:18,866
> > > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > > > org.apache.xml.security.utils.ElementProxy: setElement("SignedInfo",
> > > "null")
> > > > DEBUG 2012-01-18 17:38:18,866
> > > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > > > org.apache.xml.security.utils.ElementProxy:
> setElement("SignatureMethod",
> > > > "null")
> > > > DEBUG 2012-01-18 17:38:18,866
> > > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > > > org.apache.xml.security.utils.ElementProxy: setElement("KeyInfo",
> "null")
> > > > DEBUG 2012-01-18 17:38:18,866
> > > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > > > org.apache.ws.security.message.token.SecurityTokenReference: Token
> > > reference
> > > > uri: #SecurityToken-6afc8095-f450-4a21-82ba-8902e4a02d45
> > > > DEBUG 2012-01-18 17:38:18,866
> > > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > > > org.apache.xml.security.signature.Manifest: verify 1 References
> > > > DEBUG 2012-01-18 17:38:18,881
> > > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > > > org.apache.xml.security.signature.Manifest: I am not requested to
> follow
> > > > nested Manifests
> > > > DEBUG 2012-01-18 17:38:18,881
> > > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > > > org.apache.xml.security.utils.ElementProxy: setElement("Reference",
> > > "null")
> > > > DEBUG 2012-01-18 17:38:18,881
> > > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > > > org.apache.xml.security.utils.ElementProxy: setElement("Transforms",
> > > "null")
> > > > DEBUG 2012-01-18 17:38:18,881
> > > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > > > org.apache.xml.security.algorithms.JCEMapper: Request for URI
> > > > http://www.w3.org/2000/09/xmldsig#sha1
> > > > DEBUG 2012-01-18 17:38:18,881
> > > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > > > org.apache.xml.security.utils.resolver.ResourceResolver: I was asked
> to
> > > > create a ResourceResolver and got 1
> > > > DEBUG 2012-01-18 17:38:18,881
> > > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > > > org.apache.xml.security.utils.resolver.ResourceResolver:  extra
> > > resolvers to
> > > > my existing 4 system-wide resolvers
> > > > DEBUG 2012-01-18 17:38:18,881
> > > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > > > org.apache.xml.security.utils.resolver.ResourceResolver: check
> > > resolvability
> > > > by class org.apache.ws.security.message.EnvelopeIdResolver
> > > > DEBUG 2012-01-18 17:38:18,881
> > > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > > > org.apache.ws.security.message.EnvelopeIdResolver: enter
> engineResolve,
> > > look
> > > > for: #Body-432a8626-6c46-47b8-b069-7443138f9b8d
> > > > DEBUG 2012-01-18 17:38:18,881
> > > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > > > org.apache.ws.security.message.EnvelopeIdResolver: exit
> engineResolve,
> > > > result: XMLSignatureInput/Element/[soapenv:Body: null] exclude null
> > > > comments:false/null
> > > > DEBUG 2012-01-18 17:38:18,881
> > > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > > > org.apache.xml.security.utils.ElementProxy: setElement("Transform",
> > > "null")
> > > > WARN  2012-01-18 17:38:18,881
> > > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > > > org.apache.xml.security.signature.Reference: Verification failed for
> URI
> > > > "#Body-432a8626-6c46-47b8-b069-7443138f9b8d"
> > > > DEBUG 2012-01-18 17:38:18,881
> > > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > > > org.apache.xml.security.signature.Manifest: The Reference has Type
> > > > WARN  2012-01-18 17:38:18,881
> > > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > > > org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor:
> > > > org.apache.ws.security.WSSecurityException: The signature or
> decryption
> > > was
> > > > invalid
> > > >        at
> > > >
> > >
> org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:529)
> > > >        at
> > > >
> > >
> org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:97)
> > > >        at
> > > >
> > >
> org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
> > > >        at
> > > >
> > >
> org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
> > > >        at
> > > >
> > >
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:215)
> > > >        at
> > > >
> > >
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:81)
> > > >        at
> > > >
> > >
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:255)
> > > >        at
> > > >
> > >
> org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:113)
> > > >        at
> > > >
> > >
> org.mule.module.cxf.CxfInboundMessageProcessor.sendToDestination(CxfInboundMessageProcessor.java:296)
> > > >        at
> > > >
> > >
> org.mule.module.cxf.CxfInboundMessageProcessor.process(CxfInboundMessageProcessor.java:137)
> > > >        at
> > > >
> > >
> org.mule.module.cxf.config.FlowConfiguringMessageProcessor.process(FlowConfiguringMessageProcessor.java:50)
> > > >        at
> > > >
> > >
> org.mule.processor.chain.DefaultMessageProcessorChain.doProcess(DefaultMessageProcessorChain.java:99)
> > > >        at
> > > >
> > >
> org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
> > > >        at
> > > >
> > >
> org.mule.processor.chain.InterceptingChainLifecycleWrapper.doProcess(InterceptingChainLifecycleWrapper.java:56)
> > > >        at
> > > >
> > >
> org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
> > > >        at
> > > >
> > >
> org.mule.processor.chain.InterceptingChainLifecycleWrapper.process(InterceptingChainLifecycleWrapper.java:87)
> > > >        at
> > > >
> > >
> org.mule.processor.chain.DefaultMessageProcessorChain.doProcess(DefaultMessageProcessorChain.java:99)
> > > >        at
> > > >
> > >
> org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
> > > >        at
> > > >
> > >
> org.mule.processor.chain.InterceptingChainLifecycleWrapper.doProcess(InterceptingChainLifecycleWrapper.java:56)
> > > >        at
> > > >
> > >
> org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
> > > >        at
> > > >
> > >
> org.mule.processor.chain.InterceptingChainLifecycleWrapper.process(InterceptingChainLifecycleWrapper.java:87)
> > > >        at
> > > >
> > >
> org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:195)
> > > >        at
> > > >
> > >
> org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:163)
> > > >        at
> > > >
> > >
> org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:150)
> > > >        at
> > > >
> > >
> org.mule.transport.http.HttpMessageReceiver$HttpWorker.doRequest(HttpMessageReceiver.java:299)
> > > >        at
> > > >
> > >
> org.mule.transport.http.HttpMessageReceiver$HttpWorker.processRequest(HttpMessageReceiver.java:258)
> > > >        at
> > > >
> > >
> org.mule.transport.http.HttpMessageReceiver$HttpWorker.run(HttpMessageReceiver.java:163)
> > > >        at org.mule.work.WorkerContext.run(WorkerContext.java:310)
> > > >        at
> > > >
> > >
> java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
> > > >        at
> > > >
> > >
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
> > > >        at java.lang.Thread.run(Thread.java:662)
> > > > WARN  2012-01-18 17:38:18,897
> > > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > > > org.apache.cxf.phase.PhaseInterceptorChain: Interceptor for
> > > > {http://support.cxf.module.mule.org/}ProxyService has thrown
> exception,
> > > > unwinding now
> > > > org.apache.cxf.binding.soap.SoapFault: The signature or decryption
> was
> > > > invalid
> > > >        at
> > > >
> > >
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:654)
> > > >        at
> > > >
> > >
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:275)
> > > >        at
> > > >
> > >
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:81)
> > > >        at
> > > >
> > >
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:255)
> > > >        at
> > > >
> > >
> org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:113)
> > > >        at
> > > >
> > >
> org.mule.module.cxf.CxfInboundMessageProcessor.sendToDestination(CxfInboundMessageProcessor.java:296)
> > > >        at
> > > >
> > >
> org.mule.module.cxf.CxfInboundMessageProcessor.process(CxfInboundMessageProcessor.java:137)
> > > >        at
> > > >
> > >
> org.mule.module.cxf.config.FlowConfiguringMessageProcessor.process(FlowConfiguringMessageProcessor.java:50)
> > > >        at
> > > >
> > >
> org.mule.processor.chain.DefaultMessageProcessorChain.doProcess(DefaultMessageProcessorChain.java:99)
> > > >        at
> > > >
> > >
> org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
> > > >        at
> > > >
> > >
> org.mule.processor.chain.InterceptingChainLifecycleWrapper.doProcess(InterceptingChainLifecycleWrapper.java:56)
> > > >        at
> > > >
> > >
> org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
> > > >        at
> > > >
> > >
> org.mule.processor.chain.InterceptingChainLifecycleWrapper.process(InterceptingChainLifecycleWrapper.java:87)
> > > >        at
> > > >
> > >
> org.mule.processor.chain.DefaultMessageProcessorChain.doProcess(DefaultMessageProcessorChain.java:99)
> > > >        at
> > > >
> > >
> org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
> > > >        at
> > > >
> > >
> org.mule.processor.chain.InterceptingChainLifecycleWrapper.doProcess(InterceptingChainLifecycleWrapper.java:56)
> > > >        at
> > > >
> > >
> org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66)
> > > >        at
> > > >
> > >
> org.mule.processor.chain.InterceptingChainLifecycleWrapper.process(InterceptingChainLifecycleWrapper.java:87)
> > > >        at
> > > >
> > >
> org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:195)
> > > >        at
> > > >
> > >
> org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:163)
> > > >        at
> > > >
> > >
> org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:150)
> > > >        at
> > > >
> > >
> org.mule.transport.http.HttpMessageReceiver$HttpWorker.doRequest(HttpMessageReceiver.java:299)
> > > >        at
> > > >
> > >
> org.mule.transport.http.HttpMessageReceiver$HttpWorker.processRequest(HttpMessageReceiver.java:258)
> > > >        at
> > > >
> > >
> org.mule.transport.http.HttpMessageReceiver$HttpWorker.run(HttpMessageReceiver.java:163)
> > > >        at org.mule.work.WorkerContext.run(WorkerContext.java:310)
> > > >        at
> > > >
> > >
> java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
> > > >        at
> > > >
> > >
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
> > > >        at java.lang.Thread.run(Thread.java:662)
> > > > Caused by: org.apache.ws.security.WSSecurityException: The signature
> or
> > > > decryption was invalid
> > > >        at
> > > >
> > >
> org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:529)
> > > >        at
> > > >
> > >
> org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:97)
> > > >        at
> > > >
> > >
> org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
> > > >        at
> > > >
> > >
> org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
> > > >        at
> > > >
> > >
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:215)
> > > >        ... 26 more
> > > >
> > >
> > >
> > >
> > > --
> > > Colm O hEigeartaigh
> > >
> > > Talend Community Coder
> > > http://coders.talend.com
> > >
> >
> >
> >
> > --
> > Chris Riley, Partner
> > HKM Consulting LLC
> > (o)  774.553.5314
> > (m) 508.273.3102
> > (f)   774.553.5316
> >
> >
>
>
>
>



-- 
Chris Riley, Partner
HKM Consulting LLC
(o)  774.553.5314
(m) 508.273.3102
(f)   774.553.5316

Re: CXF 2.3.1: Message signature doesn't get validated

Posted by Pascal Alma <pa...@redstream.nl>.
Hi Chris and Colm,

Thanks for your replies. 

The reason I used this specific version is that this one comes with the Mule ESB we use.

So the best thing to do is to find out how the sender does its canonicalization, etc. and make sure it matches the way I expect it (although I already checked it before).

So it is quite normal to obtain the certificate from the message header and use that to validate the signing of the message? It cannot have to do with the fact that they use some 'embedded' root certificate or a complete chain when signing the message and I only have the 'upper' level certificate with the public key? (I am not sure if I make sense in this question so please let me know if you don't get it).

Kind regards,

Pascal


On 19 jan. 2012, at 15:57, Christopher Riley [via CXF] wrote:

> Hi guys, 
> 
> I have had issues when the canonicalization algorithm was not set properly
> on the sender side. This deals with how whitespace is included/not
> included in the calculation. In our case we used soapUI to prove the
> security was set up properly and then shared the project with the client so
> they could get their output to match (canonicalization, signature method
> etc.). This then decouples you from having to spend so much time debugging.
> 
> Chris 
> 
> 
> 
> On Thu, Jan 19, 2012 at 5:47 AM, Colm O hEigeartaigh <[hidden email]> wrote:
> 
> > The errors in the log indicate that the digest of the signed 
> > references does not match the digests in the signature. Is anything 
> > changing the SOAP Message between when the signature was created and 
> > validated? 
> > 
> > Have you tried with a more recent version of CXF? 
> > 
> > Colm. 
> > 
> > On Wed, Jan 18, 2012 at 4:43 PM, Pascal Alma <[hidden email]> 
> > wrote: 
> > > The issue is this: 
> > > I receive a signed soap message with the X509 certificate in the header 
> > (in 
> > > the BinarySecurityToken element). I have added this certificate to my 
> > > keystore and try to validate the signature. However the message won't be 
> > > validated, I keep receiving: 
> > > org.apache.xml.security.signature.Reference: Verification failed for URI 
> > > "#Timestamp-bcb7f6e3-350f-4ec7-8c81-e0d81ce53030" 
> > > 
> > > I will add some more logging to the end of this post. Since I am rather 
> > new 
> > > to this ws-security I was wondering if I am on the wrong path with this.
> > Are 
> > > there other issues that I have to be aware of? 
> > > 
> > > I must say that my set up works with messages and signatures created by 
> > > myself, it only fails with message I get from third party. 
> > > 
> > > Here is my CXF config: 
> > >  <cxf:proxy-service> 
> > >                <cxf:inInterceptors> 
> > >                    <spring:bean 
> > > class="org.apache.cxf.interceptor.LoggingInInterceptor" /> 
> > >                    <spring:bean 
> > > class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"> 
> > >                        <spring:constructor-arg> 
> > >                            <spring:map> 
> > >                                <spring:entry key="action" 
> > value="Signature" 
> > > /> 
> > >                                <spring:entry key="signaturePropFile" 
> > > value="wssecurity.properties" /> 
> > >                                <spring:entry key="signatureKeyIdentifier" 
> > > value="DirectReference" /> 
> > >                            </spring:map> 
> > >                        </spring:constructor-arg> 
> > >                    </spring:bean> 
> > >                </cxf:inInterceptors> 
> > >            </cxf:proxy-service> 
> > > 
> > > In my property file I have: 
> > > 
> > org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin 
> > > org.apache.ws.security.crypto.merlin.keystore.type=JKS 
> > > 
> > org.apache.ws.security.crypto.merlin.file=c:\\develop\\KeyStores\\myKeystore.jks 
> > > org.apache.ws.security.crypto.merlin.keystore.password=myPassword 
> > > 
> > > Here is part of the logging I get: 
> > > --------------- ----------------------- 
> > > DEBUG 2012-01-18 17:38:18,850 
> > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] 
> > > org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on 
> > > interceptor org.apache.cxf.interceptor.AttachmentInInterceptor@347cdb 
> > > DEBUG 2012-01-18 17:38:18,850 
> > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] 
> > > org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on 
> > > interceptor org.apache.cxf.interceptor.StaxInInterceptor@75f10df7 
> > > DEBUG 2012-01-18 17:38:18,850 
> > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] 
> > > org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on 
> > > interceptor 
> > > org.apache.cxf.binding.soap.interceptor.ReadHeadersInterceptor@6365d2be 
> > > DEBUG 2012-01-18 17:38:18,850 
> > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] 
> > > org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on 
> > > interceptor 
> > > org.apache.cxf.binding.soap.interceptor.SoapActionInInterceptor@24cc0f9f 
> > > DEBUG 2012-01-18 17:38:18,850 
> > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] 
> > > org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on 
> > > interceptor 
> > > org.apache.cxf.binding.soap.interceptor.StartBodyInterceptor@31eeeaed 
> > > DEBUG 2012-01-18 17:38:18,850 
> > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] 
> > > org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on 
> > > interceptor org.mule.module.cxf.support.MuleHeadersInInterceptor@170a6001 
> > > DEBUG 2012-01-18 17:38:18,850 
> > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] 
> > > org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on 
> > > interceptor org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor@191c0b76 
> > > DEBUG 2012-01-18 17:38:18,866 
> > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] 
> > > org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor: WSS4JInInterceptor: 
> > > enter handleMessage() 
> > > DEBUG 2012-01-18 17:38:18,866 
> > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] 
> > > org.apache.ws.security.WSSecurityEngine: enter processSecurityHeader() 
> > > DEBUG 2012-01-18 17:38:18,866 
> > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] 
> > > org.apache.ws.security.WSSecurityEngine: Processing WS-Security header 
> > for 
> > > '' actor. 
> > > DEBUG 2012-01-18 17:38:18,866 
> > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] 
> > > org.apache.ws.security.processor.SignatureProcessor: Found signature 
> > element 
> > > DEBUG 2012-01-18 17:38:18,866 
> > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] 
> > > org.apache.ws.security.processor.SignatureProcessor: Verify XML Signature 
> > > DEBUG 2012-01-18 17:38:18,866 
> > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] 
> > > org.apache.xml.security.utils.ElementProxy: setElement("Signature", 
> > "null") 
> > > DEBUG 2012-01-18 17:38:18,866 
> > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] 
> > > org.apache.xml.security.utils.ElementProxy: setElement("SignedInfo", 
> > "null") 
> > > DEBUG 2012-01-18 17:38:18,866 
> > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] 
> > > org.apache.xml.security.utils.ElementProxy: setElement("SignatureMethod", 
> > > "null") 
> > > DEBUG 2012-01-18 17:38:18,866 
> > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] 
> > > org.apache.xml.security.utils.ElementProxy: setElement("KeyInfo", "null") 
> > > DEBUG 2012-01-18 17:38:18,866 
> > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] 
> > > org.apache.ws.security.message.token.SecurityTokenReference: Token 
> > reference 
> > > uri: #SecurityToken-6afc8095-f450-4a21-82ba-8902e4a02d45 
> > > DEBUG 2012-01-18 17:38:18,866 
> > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] 
> > > org.apache.xml.security.signature.Manifest: verify 1 References 
> > > DEBUG 2012-01-18 17:38:18,881 
> > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] 
> > > org.apache.xml.security.signature.Manifest: I am not requested to follow 
> > > nested Manifests 
> > > DEBUG 2012-01-18 17:38:18,881 
> > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] 
> > > org.apache.xml.security.utils.ElementProxy: setElement("Reference", 
> > "null") 
> > > DEBUG 2012-01-18 17:38:18,881 
> > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] 
> > > org.apache.xml.security.utils.ElementProxy: setElement("Transforms", 
> > "null") 
> > > DEBUG 2012-01-18 17:38:18,881 
> > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] 
> > > org.apache.xml.security.algorithms.JCEMapper: Request for URI 
> > > http://www.w3.org/2000/09/xmldsig#sha1
> > > DEBUG 2012-01-18 17:38:18,881 
> > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] 
> > > org.apache.xml.security.utils.resolver.ResourceResolver: I was asked to 
> > > create a ResourceResolver and got 1 
> > > DEBUG 2012-01-18 17:38:18,881 
> > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] 
> > > org.apache.xml.security.utils.resolver.ResourceResolver:  extra 
> > resolvers to 
> > > my existing 4 system-wide resolvers 
> > > DEBUG 2012-01-18 17:38:18,881 
> > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] 
> > > org.apache.xml.security.utils.resolver.ResourceResolver: check 
> > resolvability 
> > > by class org.apache.ws.security.message.EnvelopeIdResolver 
> > > DEBUG 2012-01-18 17:38:18,881 
> > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] 
> > > org.apache.ws.security.message.EnvelopeIdResolver: enter engineResolve, 
> > look 
> > > for: #Body-432a8626-6c46-47b8-b069-7443138f9b8d 
> > > DEBUG 2012-01-18 17:38:18,881 
> > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] 
> > > org.apache.ws.security.message.EnvelopeIdResolver: exit engineResolve, 
> > > result: XMLSignatureInput/Element/[soapenv:Body: null] exclude null 
> > > comments:false/null 
> > > DEBUG 2012-01-18 17:38:18,881 
> > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] 
> > > org.apache.xml.security.utils.ElementProxy: setElement("Transform", 
> > "null") 
> > > WARN  2012-01-18 17:38:18,881 
> > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] 
> > > org.apache.xml.security.signature.Reference: Verification failed for URI 
> > > "#Body-432a8626-6c46-47b8-b069-7443138f9b8d" 
> > > DEBUG 2012-01-18 17:38:18,881 
> > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] 
> > > org.apache.xml.security.signature.Manifest: The Reference has Type 
> > > WARN  2012-01-18 17:38:18,881 
> > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] 
> > > org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor: 
> > > org.apache.ws.security.WSSecurityException: The signature or decryption 
> > was 
> > > invalid 
> > >        at 
> > > 
> > org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:529) 
> > >        at 
> > > 
> > org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:97) 
> > >        at 
> > > 
> > org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326) 
> > >        at 
> > > 
> > org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243) 
> > >        at 
> > > 
> > org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:215) 
> > >        at 
> > > 
> > org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:81) 
> > >        at 
> > > 
> > org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:255) 
> > >        at 
> > > 
> > org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:113) 
> > >        at 
> > > 
> > org.mule.module.cxf.CxfInboundMessageProcessor.sendToDestination(CxfInboundMessageProcessor.java:296) 
> > >        at 
> > > 
> > org.mule.module.cxf.CxfInboundMessageProcessor.process(CxfInboundMessageProcessor.java:137) 
> > >        at 
> > > 
> > org.mule.module.cxf.config.FlowConfiguringMessageProcessor.process(FlowConfiguringMessageProcessor.java:50) 
> > >        at 
> > > 
> > org.mule.processor.chain.DefaultMessageProcessorChain.doProcess(DefaultMessageProcessorChain.java:99) 
> > >        at 
> > > 
> > org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66) 
> > >        at 
> > > 
> > org.mule.processor.chain.InterceptingChainLifecycleWrapper.doProcess(InterceptingChainLifecycleWrapper.java:56) 
> > >        at 
> > > 
> > org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66) 
> > >        at 
> > > 
> > org.mule.processor.chain.InterceptingChainLifecycleWrapper.process(InterceptingChainLifecycleWrapper.java:87) 
> > >        at 
> > > 
> > org.mule.processor.chain.DefaultMessageProcessorChain.doProcess(DefaultMessageProcessorChain.java:99) 
> > >        at 
> > > 
> > org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66) 
> > >        at 
> > > 
> > org.mule.processor.chain.InterceptingChainLifecycleWrapper.doProcess(InterceptingChainLifecycleWrapper.java:56) 
> > >        at 
> > > 
> > org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66) 
> > >        at 
> > > 
> > org.mule.processor.chain.InterceptingChainLifecycleWrapper.process(InterceptingChainLifecycleWrapper.java:87) 
> > >        at 
> > > 
> > org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:195) 
> > >        at 
> > > 
> > org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:163) 
> > >        at 
> > > 
> > org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:150) 
> > >        at 
> > > 
> > org.mule.transport.http.HttpMessageReceiver$HttpWorker.doRequest(HttpMessageReceiver.java:299) 
> > >        at 
> > > 
> > org.mule.transport.http.HttpMessageReceiver$HttpWorker.processRequest(HttpMessageReceiver.java:258) 
> > >        at 
> > > 
> > org.mule.transport.http.HttpMessageReceiver$HttpWorker.run(HttpMessageReceiver.java:163) 
> > >        at org.mule.work.WorkerContext.run(WorkerContext.java:310) 
> > >        at 
> > > 
> > java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) 
> > >        at 
> > > 
> > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) 
> > >        at java.lang.Thread.run(Thread.java:662) 
> > > WARN  2012-01-18 17:38:18,897 
> > > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06] 
> > > org.apache.cxf.phase.PhaseInterceptorChain: Interceptor for 
> > > {http://support.cxf.module.mule.org/}ProxyService has thrown exception, 
> > > unwinding now 
> > > org.apache.cxf.binding.soap.SoapFault: The signature or decryption was 
> > > invalid 
> > >        at 
> > > 
> > org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:654) 
> > >        at 
> > > 
> > org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:275) 
> > >        at 
> > > 
> > org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:81) 
> > >        at 
> > > 
> > org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:255) 
> > >        at 
> > > 
> > org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:113) 
> > >        at 
> > > 
> > org.mule.module.cxf.CxfInboundMessageProcessor.sendToDestination(CxfInboundMessageProcessor.java:296) 
> > >        at 
> > > 
> > org.mule.module.cxf.CxfInboundMessageProcessor.process(CxfInboundMessageProcessor.java:137) 
> > >        at 
> > > 
> > org.mule.module.cxf.config.FlowConfiguringMessageProcessor.process(FlowConfiguringMessageProcessor.java:50) 
> > >        at 
> > > 
> > org.mule.processor.chain.DefaultMessageProcessorChain.doProcess(DefaultMessageProcessorChain.java:99) 
> > >        at 
> > > 
> > org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66) 
> > >        at 
> > > 
> > org.mule.processor.chain.InterceptingChainLifecycleWrapper.doProcess(InterceptingChainLifecycleWrapper.java:56) 
> > >        at 
> > > 
> > org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66) 
> > >        at 
> > > 
> > org.mule.processor.chain.InterceptingChainLifecycleWrapper.process(InterceptingChainLifecycleWrapper.java:87) 
> > >        at 
> > > 
> > org.mule.processor.chain.DefaultMessageProcessorChain.doProcess(DefaultMessageProcessorChain.java:99) 
> > >        at 
> > > 
> > org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66) 
> > >        at 
> > > 
> > org.mule.processor.chain.InterceptingChainLifecycleWrapper.doProcess(InterceptingChainLifecycleWrapper.java:56) 
> > >        at 
> > > 
> > org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:66) 
> > >        at 
> > > 
> > org.mule.processor.chain.InterceptingChainLifecycleWrapper.process(InterceptingChainLifecycleWrapper.java:87) 
> > >        at 
> > > 
> > org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:195) 
> > >        at 
> > > 
> > org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:163) 
> > >        at 
> > > 
> > org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:150) 
> > >        at 
> > > 
> > org.mule.transport.http.HttpMessageReceiver$HttpWorker.doRequest(HttpMessageReceiver.java:299) 
> > >        at 
> > > 
> > org.mule.transport.http.HttpMessageReceiver$HttpWorker.processRequest(HttpMessageReceiver.java:258) 
> > >        at 
> > > 
> > org.mule.transport.http.HttpMessageReceiver$HttpWorker.run(HttpMessageReceiver.java:163) 
> > >        at org.mule.work.WorkerContext.run(WorkerContext.java:310) 
> > >        at 
> > > 
> > java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) 
> > >        at 
> > > 
> > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) 
> > >        at java.lang.Thread.run(Thread.java:662) 
> > > Caused by: org.apache.ws.security.WSSecurityException: The signature or 
> > > decryption was invalid 
> > >        at 
> > > 
> > org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:529) 
> > >        at 
> > > 
> > org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:97) 
> > >        at 
> > > 
> > org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326) 
> > >        at 
> > > 
> > org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243) 
> > >        at 
> > > 
> > org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:215) 
> > >        ... 26 more 
> > > 
> > 
> > 
> > 
> > -- 
> > Colm O hEigeartaigh 
> > 
> > Talend Community Coder 
> > http://coders.talend.com
> >
> 
> 
> 
> -- 
> Chris Riley, Partner 
> HKM Consulting LLC 
> (o)  774.553.5314 
> (m) 508.273.3102 
> (f)   774.553.5316 
> 
> 



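
The digest mismatch and the whitespace point quoted in the message above can be reproduced outside CXF. The following is an added example, not code from this thread or from CXF/WSS4J: it uses the JDK's own javax.xml.crypto.dsig API on a constructed SOAP message with a freshly generated RSA key, SHA-256 instead of the SHA-1 seen in the log, and hypothetical names (ReferenceDigestCheck, Body-1), and it validates each Reference separately from the SignatureValue after two kinds of in-transit change.

```java
import java.io.StringReader;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collections;
import java.util.List;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.xml.sax.InputSource;

public class ReferenceDigestCheck {
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    static final XMLSignatureFactory FAC = XMLSignatureFactory.getInstance("DOM");

    // Constructed sample message (not taken from the thread).
    static final String MESSAGE =
        "<soapenv:Envelope xmlns:soapenv=\"" + SOAP + "\">"
      + "<soapenv:Header><wsse:Security xmlns:wsse=\"" + WSSE + "\"/></soapenv:Header>"
      + "<soapenv:Body xmlns:wsu=\"" + WSU + "\" wsu:Id=\"Body-1\">"
      + "<m:Ping xmlns:m=\"urn:example:constructed\">hello</m:Ping>"
      + "</soapenv:Body></soapenv:Envelope>";

    static Element body(Document doc) {
        return (Element) doc.getElementsByTagNameNS(SOAP, "Body").item(0);
    }

    // Sender side: sign the Body by wsu:Id, exclusive C14N for Reference and SignedInfo.
    static Document signedMessage(KeyPair kp) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(MESSAGE)));
        Reference ref = FAC.newReference("#Body-1", FAC.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(
                FAC.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = FAC.newSignedInfo(
            FAC.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            FAC.newSignatureMethod(RSA_SHA256, null), Collections.singletonList(ref));
        DOMSignContext sc = new DOMSignContext(kp.getPrivate(),
            doc.getElementsByTagNameNS(WSSE, "Security").item(0));
        sc.setIdAttributeNS(body(doc), WSU, "Id");   // make "#Body-1" resolvable
        FAC.newXMLSignature(si, null).sign(sc);
        return doc;
    }

    // Receiver side: report the SignatureValue and every Reference digest separately.
    static List<String> check(Document doc, PublicKey key) throws Exception {
        Node sigNode = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext vc = new DOMValidateContext(KeySelector.singletonKeySelector(key), sigNode);
        vc.setIdAttributeNS(body(doc), WSU, "Id");
        XMLSignature sig = FAC.unmarshalXMLSignature(vc);
        List<String> findings = new ArrayList<>();
        findings.add("SignatureValue valid=" + sig.getSignatureValue().validate(vc));
        for (Object o : sig.getSignedInfo().getReferences()) {
            Reference r = (Reference) o;
            boolean ok = r.validate(vc);
            findings.add(r.getURI() + " valid=" + ok
                + " declared=" + Base64.getEncoder().encodeToString(r.getDigestValue())
                + " recomputed=" + Base64.getEncoder().encodeToString(r.getCalculatedDigestValue()));
        }
        return findings;
    }

    // A namespace declaration on an ancestor that the Body never uses.
    static void addUnusedNamespace(Document doc) {
        doc.getDocumentElement().setAttributeNS(
            "http://www.w3.org/2000/xmlns/", "xmlns:unused", "urn:example:unused");
    }

    // Whitespace inserted inside the signed element, as a pretty-printing hop would do.
    static void reindentBody(Document doc) {
        Element b = body(doc);
        b.insertBefore(doc.createTextNode("\n    "), b.getFirstChild());
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        Document doc = signedMessage(kp);
        System.out.println("as signed:        " + check(doc, kp.getPublic()));
        addUnusedNamespace(doc);
        System.out.println("unused xmlns:     " + check(doc, kp.getPublic()));
        reindentBody(doc);
        System.out.println("re-indented body: " + check(doc, kp.getPublic()));
    }
}
```

Reference digests are computed over the canonicalized content only and do not involve the key, so a Reference that fails while the SignatureValue still validates points at changed content or a canonicalization mismatch rather than at the certificate or keystore.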

Re: CXF 2.3.1: Message signature doesn't get validated

Posted by Christopher Riley <cr...@hkmconsultingllc.com>.
Hi guys,

I have had issues when the canonicalization algorithm was not set properly
on the sender side. This deals with how whitespace is included/not
included in the calculation. In our case we used soapUI to prove the
security was set up properly and then shared the project with the client so
they could get their output to match (canonicalization, signature method
etc.). This then decouples you from having to spend so much time debugging.

Chris



On Thu, Jan 19, 2012 at 5:47 AM, Colm O hEigeartaigh <co...@apache.org> wrote:

> The errors in the log indicate that the digest of the signed
> references does not match the digests in the signature. Is anything
> changing the SOAP Message between when the signature was created and
> validated?
>
> Have you tried with a more recent version of CXF?
>
> Colm.
>
> On Wed, Jan 18, 2012 at 4:43 PM, Pascal Alma <pa...@redstream.nl>
> wrote:
> > The issue is this:
> > I receive a signed soap message with the X509 certificate in the header
> (in
> > the BinarySecurityToken element). I have added this certificate to my
> > keystore and try to validate the signature. However the message won't be
> > validated, I keep receiving:
> > org.apache.xml.security.signature.Reference: Verification failed for URI
> > "#Timestamp-bcb7f6e3-350f-4ec7-8c81-e0d81ce53030"
> >
> > I will add some more logging to the end of this post. Since I am rather
> new
> > to this ws-security I was wondering if I am on the wrong path with this.
> Are
> > there other issues that I have to be aware of?
> >
> > I must say that my set up works with messages and signatures created by
> > myself, it only fails with message I get from third party.
> >
> > Here is my CXF config:
> >  <cxf:proxy-service>
> >                <cxf:inInterceptors>
> >                    <spring:bean
> > class="org.apache.cxf.interceptor.LoggingInInterceptor" />
> >                    <spring:bean
> > class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
> >                        <spring:constructor-arg>
> >                            <spring:map>
> >                                <spring:entry key="action"
> value="Signature"
> > />
> >                                <spring:entry key="signaturePropFile"
> > value="wssecurity.properties" />
> >                                <spring:entry key="signatureKeyIdentifier"
> > value="DirectReference" />
> >                            </spring:map>
> >                        </spring:constructor-arg>
> >                    </spring:bean>
> >                </cxf:inInterceptors>
> >            </cxf:proxy-service>
> >
> > In my property file I have:
> >
> org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
> > org.apache.ws.security.crypto.merlin.keystore.type=JKS
> >
> org.apache.ws.security.crypto.merlin.file=c:\\develop\\KeyStores\\myKeystore.jks
> > org.apache.ws.security.crypto.merlin.keystore.password=myPassword
> >
> > Here is part of the logging I get:
> > --------------- -----------------------
> > DEBUG 2012-01-18 17:38:18,850
> > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on
> > interceptor org.apache.cxf.interceptor.AttachmentInInterceptor@347cdb
> > DEBUG 2012-01-18 17:38:18,850
> > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on
> > interceptor org.apache.cxf.interceptor.StaxInInterceptor@75f10df7
> > DEBUG 2012-01-18 17:38:18,850
> > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on
> > interceptor
> > org.apache.cxf.binding.soap.interceptor.ReadHeadersInterceptor@6365d2be
> > DEBUG 2012-01-18 17:38:18,850
> > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on
> > interceptor
> > org.apache.cxf.binding.soap.interceptor.SoapActionInInterceptor@24cc0f9f
> > DEBUG 2012-01-18 17:38:18,850
> > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on
> > interceptor
> > org.apache.cxf.binding.soap.interceptor.StartBodyInterceptor@31eeeaed
> > DEBUG 2012-01-18 17:38:18,850
> > [[my-adapter-1.0-SNAPSHOT].httpConnector.receiver.06]
> > org.apache.cxf.phase.PhaseInterceptorChain: Invoking handleMessage on
> > interceptor org.mule.module.cxf.support.MuleHeadersInInterceptor@170a6001
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>



-- 
Chris Riley, Partner
HKM Consulting LLC
(o)  774.553.5314
(m) 508.273.3102
(f)   774.553.5316

Re: CXF 2.3.1: Message signature doesn't get validated

Posted by Colm O hEigeartaigh <co...@apache.org>.
The errors in the log indicate that the digest of the signed
references does not match the digests in the signature. Is anything
changing the SOAP Message between when the signature was created and
validated?

Have you tried with a more recent version of CXF?

Colm.

On Wed, Jan 18, 2012 at 4:43 PM, Pascal Alma <pa...@redstream.nl> wrote:
> The issue is this:
> I receive a signed soap message with the X509 certificate in the header (in
> the BinarySecurityToken element). I have added this certificate to my
> keystore and try to validate the signature. However the message won't be
> validated, I keep receiving:
> org.apache.xml.security.signature.Reference: Verification failed for URI
> "#Timestamp-bcb7f6e3-350f-4ec7-8c81-e0d81ce53030"
>
> I will add some more logging to the end of this post. Since I am rather new
> to this WS-Security, I was wondering if I am on the wrong path with this. Are
> there other issues that I have to be aware of?
>
> I must say that my setup works with messages and signatures created by
> myself; it only fails with messages I get from a third party.
>
> Here is my CXF config:
>  <cxf:proxy-service>
>                <cxf:inInterceptors>
>                    <spring:bean
> class="org.apache.cxf.interceptor.LoggingInInterceptor" />
>                    <spring:bean
> class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
>                        <spring:constructor-arg>
>                            <spring:map>
>                                <spring:entry key="action" value="Signature"
> />
>                                <spring:entry key="signaturePropFile"
> value="wssecurity.properties" />
>                                <spring:entry key="signatureKeyIdentifier"
> value="DirectReference" />
>                            </spring:map>
>                        </spring:constructor-arg>
>                    </spring:bean>
>                </cxf:inInterceptors>
>            </cxf:proxy-service>
>
> In my property file I have:
> org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
> org.apache.ws.security.crypto.merlin.keystore.type=JKS
> org.apache.ws.security.crypto.merlin.file=c:\\develop\\KeyStores\\myKeystore.jks
> org.apache.ws.security.crypto.merlin.keystore.password=myPassword
>
> Here is part of the logging I get:



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
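
The diagnosis in the reply above, as an added example (not code from this thread, CXF or WSS4J): it uses the JDK's built-in javax.xml.crypto.dsig API to sign a constructed envelope, then checks the SignatureValue and each Reference separately, so a digest mismatch caused by a change to the signed element can be told apart from a key problem. The class and method names, the Body-1 id, the urn:example:hop header and the SHA-256 / RSA-SHA256 algorithms are assumptions chosen for the demo; the log in this thread shows a SHA-1 digest.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class ReferenceDigestTriage {
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSU = "http://docs.oasis-open.org/wss/2004/01/"
            + "oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    // Constructed sample message, not the one from the thread.
    static final String ENVELOPE =
            "<soapenv:Envelope xmlns:soapenv=\"" + SOAP + "\" xmlns:wsu=\"" + WSU + "\">"
            + "<soapenv:Header/><soapenv:Body wsu:Id=\"Body-1\">"
            + "<order><id>42</id></order></soapenv:Body></soapenv:Envelope>";
    static final XMLSignatureFactory FAC = XMLSignatureFactory.getInstance("DOM");

    static Element soapChild(Document doc, String localName) {
        return (Element) doc.getElementsByTagNameNS(SOAP, localName).item(0);
    }

    // Mark wsu:Id as an ID attribute so the same-document URI "#Body-1" resolves.
    static Element body(Document doc) {
        Element body = soapChild(doc, "Body");
        body.setIdAttributeNS(WSU, "Id", true);
        return body;
    }

    // Sender side: one Reference over the Body, exclusive C14N, signature in the Header.
    static void sign(Document doc, KeyPair kp) throws Exception {
        body(doc);
        Reference ref = FAC.newReference("#Body-1",
                FAC.newDigestMethod(DigestMethod.SHA256, null),
                Collections.singletonList(FAC.newTransform(
                        CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)),
                null, null);
        SignedInfo si = FAC.newSignedInfo(
                FAC.newCanonicalizationMethod(
                        CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                FAC.newSignatureMethod(RSA_SHA256, null),
                Collections.singletonList(ref));
        FAC.newXMLSignature(si, null)
                .sign(new DOMSignContext(kp.getPrivate(), soapChild(doc, "Header")));
    }

    // Receiver side: tell "wrong key or altered SignedInfo" from "signed content changed".
    static String triage(Document doc, PublicKey key) throws Exception {
        body(doc);
        Element sigEl = (Element) doc
                .getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext ctx = new DOMValidateContext(key, sigEl);
        XMLSignature sig = FAC.unmarshalXMLSignature(ctx);
        if (sig.validate(ctx)) { return "valid"; }
        StringBuilder out = new StringBuilder("SignatureValue over SignedInfo: ")
                .append(sig.getSignatureValue().validate(ctx) ? "ok" : "FAILED");
        for (Object o : sig.getSignedInfo().getReferences()) {
            Reference r = (Reference) o;
            if (!r.validate(ctx)) {
                out.append("; digest mismatch for ").append(r.getURI());
            }
        }
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(
                new ByteArrayInputStream(ENVELOPE.getBytes(StandardCharsets.UTF_8)));
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair(); // throwaway demo key
        sign(doc, kp);
        System.out.println("as signed:        " + triage(doc, kp.getPublic()));
        // Change outside the signed element: a hop adds a header next to the signature.
        soapChild(doc, "Header").appendChild(doc.createElementNS("urn:example:hop", "hop:Via"));
        System.out.println("header added:     " + triage(doc, kp.getPublic()));
        // Change inside the signed element: an intermediary re-indents the Body.
        Element b = body(doc);
        b.insertBefore(doc.createTextNode("\n  "), b.getFirstChild());
        System.out.println("body re-indented: " + triage(doc, kp.getPublic()));
    }
}
```

A failing Reference alongside an intact SignatureValue points at the message content, or the form in which the verifier sees it, rather than at the keystore.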