Posted to issues@cxf.apache.org by "Tor Ranfelt (Jira)" <ji...@apache.org> on 2021/08/30 11:39:00 UTC

[jira] [Closed] (CXF-8586) Signatures created with CXF are sometimes rejected by third party system

     [ https://issues.apache.org/jira/browse/CXF-8586?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tor Ranfelt closed CXF-8586.
----------------------------
    Resolution: Done

I have narrowed down the reason to Merlin in WSS4J:

https://issues.apache.org/jira/browse/WSS-688

> Signatures created with CXF are sometimes rejected by third party system
> ------------------------------------------------------------------------
>
>                 Key: CXF-8586
>                 URL: https://issues.apache.org/jira/browse/CXF-8586
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 3.4.4
>            Reporter: Tor Ranfelt
>            Priority: Critical
>
> I make soap-requests to a system which sometimes will reject my requests due to "The signature verification failed". When this happens it goes on for a long while (maybe a whole day), and then suddenly it will work again.
> The system is used by many users and each request is made with a different certificate. - Crypto-provider is set programmatically.
>  
> Before the issue appeared I was running with CXF 3.3.7 on Java 1.8 (version 1.8.0.282) with the following CXF dependencies:
>  org.apache.cxf:cxf-rt-frontend-jaxws:3.3.7
>  org.apache.cxf:cxf-rt-ws-security:3.3.7
>  org.apache.cxf:cxf-rt-transports-http:3.3.7
>  org.apache.cxf:cxf-rt-features-logging:3.3.7
> When the issue appeared I was running with CXF 3.4.4 on Java 11 (version 11.0.11.0.9) with the following CXF dependencies:
>  org.apache.cxf:cxf-rt-frontend-jaxws:3.4.4
>  org.apache.cxf:cxf-rt-ws-security:3.4.4
>  org.apache.cxf:cxf-rt-transports-http:3.4.4
>  org.apache.cxf:cxf-rt-features-logging:3.4.4
> In order to run CXF on Java 11 I also needed the following dependencies (because they no longer are part of JRE):
>  javax.xml.ws:jaxws-api:2.3.1
>  javax.jws:javax.jws-api:1.1
>  com.sun.xml.messaging.saaj:saaj-impl:1.5.3
> An example of a rejected request and the response informing me of the rejection (some information has been replaced with "MANUALLY-REMOVED"):
> Request:
>  Address: MANUALLY-REMOVED
>  HttpMethod: POST
>  Content-Type: text/xml
>  ExchangeId: 8a6f38de-b8e4-421c-94e1-f286ff04414f
>  ServiceName: PersonKontrolOplysningHentService
>  PortName: PersonKontrolOplysningHentService
>  PortTypeName: PersonKontrolOplysningHentServicePortType
>  Headers: {SOAPAction="", Accept=*/*}
>  Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
>  <soap:Header>
>  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="1">
>  <wsu:Timestamp wsu:Id="TS-3642f69d-0b13-4f1d-a370-5bc536bebbed">
>  <wsu:Created>2021-08-11T09:09:05.094Z</wsu:Created>
>  <wsu:Expires>2021-08-11T09:14:05.094Z</wsu:Expires>
>  </wsu:Timestamp>
>  <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-9eafd6ed-9e44-49f5-a1b4-ebb94936a3b6">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</wsse:BinarySecurityToken>
>  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-13997ab7-df26-43f3-98e4-7adcc915e0fc">
>  <ds:SignedInfo>
>  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>  <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/>
>  </ds:CanonicalizationMethod>
>  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>  <ds:Reference URI="#id-d0003083-cd39-4c1b-9001-418996754365">
>  <ds:Transforms>
>  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>  </ds:Transforms>
>  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>  <ds:DigestValue>6yqRKqb6yP0uGTAJ0VyCVigFWxM=</ds:DigestValue>
>  </ds:Reference>
>  </ds:SignedInfo>
>  <ds:SignatureValue>e5fdYtRHcNSG1A92GDXTWbUeYz7mo3CWU07uhBOTgPo+nVThkYHu2zD0FIVwG+nGML8LESr2CTsHupoFlMiH9vCfpW8LiprAufj7S7Ks6Use7VQZ1H57ERzfABmi41eUTejl8c6XD6vUK39KPqbuL8cJ6TWAsO7er4iJG4Ww01+Hd7fyqxFnw7dzN6/WT97NWJToDNt/GMFcaAWsZMMNEfW2M6GEhDgbggeWbPjGx6Fcq2ifaxtJWwX9KH2ENeJmXXvII/vj3YKch0MLRwjR5nckPcRKwzHrJhMh0RnzD/bF24E4w1DuKD99UKRd+p3isJgZVhSKG114TexBcQJUDg==</ds:SignatureValue>
>  <ds:KeyInfo Id="KI-f2a30b8e-eaaa-4bb9-8294-f46c9d168a90">
>  <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STR-7f863928-c2a6-485e-a466-d09b6b497082">
>  <wsse:Reference URI="#X509-9eafd6ed-9e44-49f5-a1b4-ebb94936a3b6" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
>  </wsse:SecurityTokenReference>
>  </ds:KeyInfo>
>  </ds:Signature>
>  </wsse:Security>
>  </soap:Header>
>  <soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-d0003083-cd39-4c1b-9001-418996754365">
>  <ns4:PersonKontrolOplysningHent_I xmlns="http://rep.oio.dk/skat.dk/basis/kontekst/xml/schemas/2006/09/01/" xmlns:ns10="http://rep.oio.dk/skat.dk/eindkomst/class/alternativadresse/xml/schemas/20071202/" xmlns:ns11="http://rep.oio.dk/ebxml/xml/schemas/dkcc/2003/02/13/" xmlns:ns12="http://rep.oio.dk/cvr.dk/xml/schemas/2005/03/22/" xmlns:ns13="http://rep.oio.dk/cpr.dk/xml/schemas/core/2002/06/28/" xmlns:ns14="http://rep.oio.dk/skat.dk/TSE/angivelse/xml/schemas/2006/09/01/" xmlns:ns15="urn:oio:oib:oekonomiskat:1.1.0" xmlns:ns16="http://rep.oio.dk/xkom.dk/xml/schemas/2006/09/01/" xmlns:ns17="http://rep.oio.dk/xkom.dk/xml/schemas/2007/04/15/" xmlns:ns18="http://rep.oio.dk/xkom.dk/xml/schemas/2007/09/01/" xmlns:ns19="http://rep.oio.dk/cpr.dk/xml/schemas/core/2005/05/19/" xmlns:ns2="http://rep.oio.dk/cpr.dk/xml/schemas/core/2005/03/18/" xmlns:ns3="http://rep.oio.dk/oib/dato.tid.maal/xml.schema/" xmlns:ns4="urn:oio:skat:personskat:ws:1.0.0" xmlns:ns5="http://rep.oio.dk/skat.dk/eindkomst/class/adgangformaaltype/xml/schemas/20071202/" xmlns:ns6="http://rep.oio.dk/skat.dk/motor/class/virksomhed/xml/schemas/20080401/" xmlns:ns7="http://rep.oio.dk/itst.dk/xml/schemas/2006/01/17/" xmlns:ns8="urn:oio:skat:personskat:1.0.0" xmlns:ns9="http://rep.oio.dk/ebxml/xml/schemas/dkcc/2005/05/19/">
>  <HovedOplysninger>
>  <TransaktionIdentifikator>7d68917e-a3a0-4016-adb7-ad67aa28d052</TransaktionIdentifikator>
>  <TransaktionTid>2021-08-11T11:09:05.083+02:00</TransaktionTid>
>  </HovedOplysninger>
>  <ns4:PersonAar>
>  <ns2:PersonCivilRegistrationIdentifier>MANUALLY-REMOVED</ns2:PersonCivilRegistrationIdentifier>
>  <ns3:AarIdentifikator>2020</ns3:AarIdentifikator>
>  </ns4:PersonAar>
>  </ns4:PersonKontrolOplysningHent_I>
>  </soap:Body>
>  </soap:Envelope>
>  
> Response:
>  <?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Fault xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><faultcode xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">soapenv:Server.generalException</faultcode><faultstring>WSDoAllReceiver: security processing failed; nested exception is:
>  org.apache.ws.security.WSSecurityException: The signature verification failed</faultstring><detail><ns1:hostname xmlns:ns1="http://xml.apache.org/axis/">SKATVerifikationOCES_sktpcws01app02.csc.dk</ns1:hostname></detail></SOAP-ENV:Fault>
> Any thought about what might be the cause?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
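
Added example, not part of the original message or of CXF/WSS4J code: a Java check using the JDK's `javax.xml.crypto.dsig` API that validates the reference digest and the `SignatureValue` separately, to show which half of a "signature verification failed" result is failing. The envelope, the two key pairs and the `id-1` identifier are constructed for the demonstration, and it signs with RSA-SHA256 rather than the rsa-sha1 seen in the logged request.

```java
import java.security.*;
import java.util.List;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class SigDiag {
    static final String WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String EXC = "http://www.w3.org/2001/10/xml-exc-c14n#";

    public static void main(String[] args) throws Exception {
        XMLSignatureFactory f = XMLSignatureFactory.getInstance("DOM");
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair signer = g.generateKeyPair(), other = g.generateKeyPair();
        // Constructed sample envelope (not the request from the report).
        String xml = "<soap:Envelope xmlns:soap='" + SOAP + "' xmlns:wsu='" + WSU + "'><soap:Header/>"
            + "<soap:Body wsu:Id='id-1'><demo>constructed payload</demo></soap:Body></soap:Envelope>";
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder()
            .parse(new org.xml.sax.InputSource(new java.io.StringReader(xml)));
        Element hdr = (Element) doc.getElementsByTagNameNS(SOAP, "Header").item(0);
        Element body = (Element) doc.getElementsByTagNameNS(SOAP, "Body").item(0);
        body.setIdAttributeNS(WSU, "Id", true); // lets URI="#id-1" resolve to the Body
        // Sign the Body with exclusive c14n, the same layout as the logged request.
        Reference ref = f.newReference("#id-1", f.newDigestMethod(DigestMethod.SHA256, null),
            List.of(f.newTransform(EXC, (TransformParameterSpec) null)), null, null);
        SignedInfo si = f.newSignedInfo(
            f.newCanonicalizationMethod(EXC, (C14NMethodParameterSpec) null),
            f.newSignatureMethod(SignatureMethod.RSA_SHA256, null), List.of(ref));
        f.newXMLSignature(si, null).sign(new DOMSignContext(signer.getPrivate(), hdr));
        report(f, hdr, signer.getPublic(), "key matching the signer");
        report(f, hdr, other.getPublic(), "key from a different key pair");
    }
    // Validates digest and signature value independently with the supplied public key.
    static void report(XMLSignatureFactory f, Element hdr, PublicKey key, String label) throws Exception {
        Node sigNode = hdr.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext ctx = new DOMValidateContext(key, sigNode);
        XMLSignature sig = f.unmarshalXMLSignature(ctx);
        boolean core = sig.validate(ctx);
        boolean value = sig.getSignatureValue().validate(ctx);
        boolean digest = ((Reference) sig.getSignedInfo().getReferences().get(0)).validate(ctx);
        System.out.printf("%s: core=%b signatureValue=%b referenceDigest=%b%n", label, core, value, digest);
    }
}
```

With the mismatched key the digest over the Body still validates while the `SignatureValue` does not, which separates a key or certificate mismatch from a canonicalization or body-modification problem.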