You are viewing a plain text version of this content. The canonical link for it is here.
Posted to rampart-dev@ws.apache.org by Hans-Bernhard Friedrich <H....@levigo.de> on 2010/02/15 11:29:50 UTC

Client request always reveives WSSecurityException (The signature verification failed)

Hi,

I work on a webservice test client and I always receive the same error 
when I try to make a request to our clients webservice. 

"org.apache.ws.security.WSSecurityException (The signature verification 
failed)"

- Our client's webservice is axis-based, more I don't know

- I use rampart 1.3 and Axis2 1.4.1, EclipseEE
- I generated the customers WSDLs with axis2 1.4.1 in EclipseEE
- I received certificates of our customer and imported them to a keystore
- I set up the the security using outflow configuration. I know it's 
deprecated but I seemed easier to me just singing the time stamp and not 
the body in programmatically than using a policy.xml. 
- I also set up a client using a policy.xml signing the body but reveice 
the same error

- I read all I could find on the web and in mailinglists but nothing 
helped:
- XML is UTF-B
- JVM argument "language=EN" didn't help
- Mixing different Axis2 and rampart versions didn't help
- Changing xmlsec1.4.0. jar to  1.4.1 or 1.4.2 didn't help
- The certs are have not expired

Question:
- Does the exception really mean the SOAP-Envelope has been changed after 
is was singed? Are there any other reasons this exception could be thrown?

- What is about the "Pretty Printing" of the XML issue I've found on the 
mailing list. This this really solved in axis2 1.4.1?
- Is there a way to set up namespace optimation and pretty printing 
manually in axis2 like in axis 1?
- Could somethig else be wrong with the certificates?

The thing is when I use the a modified sample using a policy.xml I get the 
same Exception

- Is there anything I could tell our client to changed what could help me?

What did I do special:
- Wrote a little Handler to avoid "mustunderstand"-Problem in the 
response: I Set all headers in the responseto processed. The error also 
occurs if I don't engage my handler

Here is my Security setup using outflowConfiguration:

...options.setProperty(WSSHandlerConstants.OUTFLOW_SECURITY, 
getOutflowConfiguration());
...
private  Parameter getOutflowConfiguration() {
        OutflowConfiguration ofc = new OutflowConfiguration();
        ofc.setActionItems("Timestamp Signature");
        ofc.setSignatureParts("{Element}{
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
}Timestamp");
        ofc.setUser("fcms-aci");
        ofc.setPasswordCallbackClass("de.aci.handler.PWCBHandler");
        ofc.setSignaturePropRefId("cyrpto_props"); 
        ofc.setSignatureKeyIdentifier(WSSHandlerConstants.
X509_KEY_IDENTIFIER);
        return ofc.getProperty();
    }


The PWCBHandler is the same as in all Samples. I just changed the alias 
and the password


Does anybody has an idea what I do wrong?

Thank youso  very much in advance for any ideas!!!! 

Greetings 
Hans