Posted to users@cxf.apache.org by Andrew Rowe <an...@abs.gov.au> on 2009/05/12 07:12:54 UTC

signature validation with \r [SEC=UNCLASSIFIED]

Problem
We're signing our JAXWS messages using XWSS and getting a signature
validation error on one of the calls.  It appears that carriage returns
(CR, "\r"*) in one of the parameters for that call are causing the problem.
Note it seems to be only carriage returns, not linefeeds (LF, "\n") which
cause issues.

Solution
This problem has been encountered before by another project.  Apparently
Sun was notified of the issue but never responded.  That project ended up
simply stripping the CR\LFs from their offending parameter (which didn't
mind at all, since it was a quiet and uncomplaining XML document).

Solution part 1
Removing the carriage returns but leaving newlines ("\n") appears to work
for us.  That's probably because (AFAIK) Java IO and string handling is
generally happy to accept any of CR, LF, or CR\LF as line breaks.

I'm using a timestamp and signature as follows:

      <bean id="wss4jInConfiguration"
            class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
            <property name="properties">
                  <map>
                        <entry key="action" value="Timestamp Signature" />
                        <entry key="passwordType" value="PasswordDigest" />
                        <entry key="signaturePropFile" value="server_sign.properties"></entry>
                        <entry>
                              <key>
                                    <value>passwordCallbackRef</value>
                              </key>
                              <ref bean="passwordCallback" />
                        </entry>
                  </map>
            </property>
      </bean>

with CXF 2.2.1 and spring 2.5.5

My question for the list is: is this a bug with the signing CXF
infrastructure or just a feature I will have to get used to?

Andrew Rowe.
Australian Bureau of Statistics.
TSD TA for Dissemination Services,
ABS House 5s152
02 6252 6393
Mob 04 381 777 86
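
One plausible mechanism for the symptom reported above, as an added example (not part of the original post, and not CXF, WSS4J or XWSS code): XML 1.0 parsers normalise a literal CR or CR LF to LF on input, so a CR written unescaped into a signed element reaches the verifier as a different character, while one written as the character reference &#xD; survives. It assumes a simplified model in which a SHA-256 over the parameter text stands in for the signature digest; the element name, function names and sample values are constructed.

```python
import hashlib
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape


def digest(value: str) -> str:
    """Stand-in for the signature digest over the signed content."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def serialize_raw(value: str) -> str:
    """Sender that escapes only &, < and >, leaving CR as a literal byte."""
    return "<param>" + escape(value) + "</param>"


def serialize_escaped(value: str) -> str:
    """Sender that also writes CR as &#xD;, as Canonical XML does for text."""
    return "<param>" + escape(value, {"\r": "&#xD;"}) + "</param>"


def received(wire: str) -> str:
    """Receiver side: the XML parser applies line-end normalisation."""
    return ET.fromstring(wire).text


def digest_survives(value: str, serializer) -> bool:
    """True if the receiver recomputes the digest the sender computed."""
    return digest(received(serializer(value))) == digest(value)


# Constructed sample parameter values.
SAMPLES = {
    "LF only": "line1\nline2",
    "CR LF": "line1\r\nline2",
    "lone CR": "line1\rline2",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:8} raw={digest_survives(value, serialize_raw)} "
              f"escaped={digest_survives(value, serialize_escaped)} "
              f"stripped={digest_survives(value.replace(chr(13), ''), serialize_raw)}")
```

Only the raw serialisation of values containing CR fails, which matches the observation that LF alone is harmless and that stripping CR before signing avoids the error.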