Posted to fx-dev@ws.apache.org by George Cowe <gc...@origoservices.com> on 2007/03/27 12:28:42 UTC

wss4j without Axis Signature verification problem

Hi 

I have used Axis 1.3 and WSS4J 1.5.1 to create a secure web service running on Tomcat. 

The web service requires messages to be signed with an X.509 certificate's private key.

When using an Axis 1.3 and WSS4J 1.5.1 client to sign the message everything works ok - no interoperability issues.

However, when I attempt to use only the WSS4J 1.5.1 APIs (no Axis) at the client side, the signature fails to verify correctly on the server side and produces this warning:
WARN org.apache.xml.security.signature.Reference - Verification failed for URI "#id-25589390"

Obviously this is something to do with the fact that I'm not using Axis to construct the SOAP message at the client!

This is the WSS4J API client code snippet, which starts with a Document representing the SOAP Envelope (doc):

	// imports required by this snippet (WSS4J 1.5.1, Apache XML Security, SAAJ)
	import java.io.ByteArrayInputStream;
	import java.io.ByteArrayOutputStream;
	import java.io.File;
	import java.io.FileOutputStream;
	import java.io.OutputStream;
	import javax.xml.soap.MessageFactory;
	import javax.xml.soap.SOAPMessage;
	import org.apache.ws.security.WSConstants;
	import org.apache.ws.security.message.WSSecHeader;
	import org.apache.ws.security.message.WSSecSignature;
	import org.apache.xml.security.signature.XMLSignature;
	import org.apache.xml.security.utils.XMLUtils;
	import org.w3c.dom.Document;

	// set up earlier in the client and not shown here: doc (the unsigned SOAP Envelope
	// as a DOM Document), crypto (the WSS4J Crypto instance for the client keystore),
	// requestFile, targetURL, connection (a SOAPConnection) and response (a SOAPMessage)

	// add ws security header
	WSSecHeader secHeader = new WSSecHeader();
	secHeader.setMustUnderstand(false);
	secHeader.insertSecurityHeader(doc);

	// sign with client private key; the BinarySecurityToken is referenced directly
	WSSecSignature signer = new WSSecSignature();
	signer.setUserInfo("55ce69717372baf27f2862857a9dd2db_50e417e0-e461-474b-96e2-077b80325612", "george");
	signer.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
	signer.setSignatureAlgorithm(XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1);
	Document signDoc = signer.build(doc, crypto, secHeader);

	// put signDoc into a SOAPMessage: serialise the signed DOM, then re-parse it with SAAJ
	MessageFactory factory = MessageFactory.newInstance();
	ByteArrayOutputStream out = new ByteArrayOutputStream();
	XMLUtils.outputDOM(signDoc, out, true);
	// pass the serialised bytes through unchanged; out.toString().getBytes() would
	// re-encode them in the platform default charset and could alter the signed octets
	ByteArrayInputStream in = new ByteArrayInputStream(out.toByteArray());
	SOAPMessage outMessage = factory.createMessage(null, in);

	// save the request message to a file
	OutputStream req = new FileOutputStream(new File(requestFile));
	outMessage.writeTo(req);
	req.close();

	// send the message
	response = connection.call(outMessage, targetURL);


I send the same XML message from both clients and save the signed request SOAP messages for comparison.
The messages both look similar with the exception of the DigestValue and SignatureValue elements and some namespace usage.

Is there a better way to build the SOAPMessage to be sent in the snippet of code above which preserves the signed message? It looks like the construction of the SOAPMessage is modifying the signed content in some way which prevents verification from succeeding.

I've attached two example client SOAP message request files which have been signed -
a) dev-axis-wss4j-signed-request.xml - the signed request from the Axis/WSS4J client
b) dev-wss4j-signed-request.xml - the signed request from the "WSS4J only" client

Any help would be much appreciated.

Thanks
George