Posted to fx-dev@ws.apache.org by Montebove Luciano <L....@finsiel.it> on 2006/07/25 12:16:27 UTC

Why the Axis XML signature verification problem is not completely solved by the "enableNamespacePrefixOptimization" parameter

Hi all,

I first encountered the XML signature verification problem generated by
the serialization mechanism of Axis 1.x when I started to use the wss4j SAML
support based on OpenSAML 1.0.1.
To create a SAML assertion it uses org.opensaml.SAMLAssertion, which
creates assertions this way:

<Assertion AssertionID="_c7ecbec589fb83a6aff2176535125169"
      IssueInstant="2006-07-24T16:26:22.000Z" Issuer="myissuer"
      MajorVersion="1" MinorVersion="1"
      xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
      xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
      xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
....
</Assertion>

When this assertion is signed it shouldn't be modified before signature
verification, but this is not the way Axis serialization works when you set
the "enableNamespacePrefixOptimization" parameter to "false".
In such a case, regardless of the format of the SOAP message received on
the wire (with or without the prefix), the assertion will be modified into:

<saml:Assertion AssertionID="_c7ecbec589fb83a6aff2176535125169"
      IssueInstant="2006-07-24T16:26:22.000Z" Issuer="myissuer"
      MajorVersion="1" MinorVersion="1"
      xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
      xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
      xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
....
</saml:Assertion>

breaking signature verification.
Naturally, setting the "enableNamespacePrefixOptimization" parameter to
"true" solves this problem, but then this workaround can create a
situation that seems an unsolvable problem to me.
As you know, the "enableNamespacePrefixOptimization" parameter was
introduced to solve the mirror-image problem of my SAML assertion,
when we have a SOAP body like this:

<soapenv:Body wsu:id="id-23412344"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-2004">
  <somepfx:SomeTag id="e0sdoaeckrpd" xmlns="ns:uri:one"
    xmlns:somepfx="ns:uri:one">hello</somepfx:SomeTag>
</soapenv:Body>

This can work when received in Axis only if you set the
"enableNamespacePrefixOptimization" parameter to "false"; otherwise the
signature validation will fail, as the message would be changed into:

<soapenv:Body wsu:id="id-23412344"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-2004">
  <SomeTag id="e0sdoaeckrpd" xmlns="ns:uri:one"
    xmlns:somepfx="ns:uri:one">hello</SomeTag>
</soapenv:Body>

See https://issues.apache.org/jira/browse/AXIS-1624 for a discussion of
the problem and the proposed solution.

And now the unsolvable problem:
if I have a SOAP message with a SAML assertion and a SOAP body like in
my example and I sign both, a receiving Axis service will not be able to
validate both signatures:
- if I set the "enableNamespacePrefixOptimization" parameter to "false",
  the SAML assertion signature validation will fail;
- if I set the "enableNamespacePrefixOptimization" parameter to "true",
  the SOAP body signature validation will fail.

Changing the SOAP clients can't be a solution, as they are not always
under our control :)

Any idea on how to deal with this "deadlock"?
I tested only Axis 1.3 and 1.4. Is there anyone using Axis2/Axiom who
can report whether the same problem still exists in that release?

Regards,

Luciano
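
A way to pin down which element a re-serializing SOAP stack has broken, as an added example (not from the post, nor from Axis or wss4j): it parses the message as sent and the message as re-serialized, and lists every element whose expanded name {namespace}local is unchanged but whose lexical QName differs. C14N 1.0 and Exclusive C14N both keep the QName spelling, so each reported element is a guaranteed digest mismatch for any signature Reference covering it. The samples are constructed from the two fragment pairs quoted above; the `soapenv` namespace declaration is assumed (SOAP 1.1 envelope namespace), since in a real message it sits on the Envelope.

```python
import xml.dom.minidom as minidom

# Constructed samples modelled on the two element pairs quoted in the post; the
# assertion content is elided. The soapenv declaration is an assumption (in a
# real message it sits on the Envelope), using the SOAP 1.1 envelope namespace.
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML_DECLS = (f'xmlns="{SAML_NS}" xmlns:saml="{SAML_NS}" '
              'xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"')
ASSERTION_ATTRS = ('AssertionID="_c7ecbec589fb83a6aff2176535125169" '
                   'IssueInstant="2006-07-24T16:26:22.000Z" Issuer="myissuer" '
                   'MajorVersion="1" MinorVersion="1"')
ASSERTION_SENT = f'<Assertion {ASSERTION_ATTRS} {SAML_DECLS}></Assertion>'
ASSERTION_AXIS = f'<saml:Assertion {ASSERTION_ATTRS} {SAML_DECLS}></saml:Assertion>'

BODY_OPEN = ('<soapenv:Body wsu:id="id-23412344" '
             'xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
             'xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-2004">')
BODY_SENT = (BODY_OPEN + '<somepfx:SomeTag id="e0sdoaeckrpd" xmlns="ns:uri:one" '
             'xmlns:somepfx="ns:uri:one">hello</somepfx:SomeTag></soapenv:Body>')
BODY_AXIS = (BODY_OPEN + '<SomeTag id="e0sdoaeckrpd" xmlns="ns:uri:one" '
             'xmlns:somepfx="ns:uri:one">hello</SomeTag></soapenv:Body>')


def _elements(node):
    """Element nodes of a subtree, in document order."""
    found = [node] if node.nodeType == node.ELEMENT_NODE else []
    for child in node.childNodes:
        found.extend(_elements(child))
    return found


def prefix_drift(sent_xml, reserialized_xml):
    """Elements whose {namespace}local name is unchanged but whose lexical QName
    differs. C14N 1.0 and Exclusive C14N preserve the QName spelling, so every
    entry is a digest mismatch for a signature Reference covering that element.
    Returns [(namespace, qname_as_sent, qname_after_reserialization), ...]."""
    sent = _elements(minidom.parseString(sent_xml).documentElement)
    back = _elements(minidom.parseString(reserialized_xml).documentElement)
    if ([(e.namespaceURI, e.localName) for e in sent]
            != [(e.namespaceURI, e.localName) for e in back]):
        raise ValueError("documents differ in structure, not only in prefixes")
    return [(a.namespaceURI or "", a.tagName, b.tagName)
            for a, b in zip(sent, back) if a.tagName != b.tagName]


if __name__ == "__main__":
    print("assertion:", prefix_drift(ASSERTION_SENT, ASSERTION_AXIS))
    print("body:     ", prefix_drift(BODY_SENT, BODY_AXIS))
```

Running the two pairs against each other shows the deadlock in data form: each setting of the flag leaves exactly one of the two signed elements with a changed QName.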

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org