Posted to wss4j-dev@ws.apache.org by George Cowe <gc...@origoservices.com> on 2007/04/02 14:46:58 UTC

FW: wss4j without Axis Signature verification problem

I have managed to resolve this problem. It was caused by an Axis 1.3 error.

Although my client code does not specifically include any Axis classes, it seems that the default implementation when creating a javax.xml.soap.SOAPMessage using the javax.xml.soap.MessageFactory.newInstance() method was actually using org.apache.axis.soap.MessageImpl from the Axis 1.3 jar.
It seems that unless you are using Axis 1.3 with the WSS4J handlers at both ends of the conversation, this would never work.
I upgraded to Axis 1.4 and the problem went away.

Not really a WSS4J problem at all!!

George      

-----Original Message-----
From: George Cowe [mailto:gcowe@origoservices.com] 
Sent: 27 March 2007 11:29
To: wss4j-dev@ws.apache.org
Subject: wss4j without Axis Signature verification problem

Hi 

I have used Axis 1.3 and WSS4J 1.5.1 to create a secure web service running on Tomcat. 

The web service requires messages to be signed with an X.509 certificate's private key.

When using an Axis 1.3 and WSS4J 1.5.1 client to sign the message everything works OK; no interoperability issues.

However when I attempt to use only the WSS4J 1.5.1 APIs (no Axis) at the client side, the signature fails to verify correctly on the server side and produces this warning. 
WARN org.apache.xml.security.signature.Reference - Verification failed for URI "#id-25589390"

Obviously this is something to do with the fact that I'm not using Axis to construct the SOAP message at the client!

This is the WSS4J API client code snippet which starts with a Document representing the SOAP Envelope (doc)

	// imports used by this snippet
	import java.io.ByteArrayInputStream;
	import java.io.ByteArrayOutputStream;
	import java.io.File;
	import java.io.FileOutputStream;
	import java.io.OutputStream;
	import javax.xml.soap.MessageFactory;
	import javax.xml.soap.SOAPMessage;
	import org.apache.ws.security.WSConstants;
	import org.apache.ws.security.message.WSSecHeader;
	import org.apache.ws.security.message.WSSecSignature;
	import org.apache.xml.security.signature.XMLSignature;
	import org.apache.xml.security.utils.XMLUtils;
	import org.w3c.dom.Document;

	// assumed to be in scope: Document doc (the SOAP envelope), Crypto crypto,
	// String requestFile, String targetURL, SOAPConnection connection, SOAPMessage response

	// add ws security header
	WSSecHeader secHeader = new WSSecHeader();
	secHeader.setMustUnderstand(false);
	secHeader.insertSecurityHeader(doc);

	// sign with client private key (keystore alias and key password)
	WSSecSignature signer = new WSSecSignature();
	signer.setUserInfo("55ce69717372baf27f2862857a9dd2db_50e417e0-e461-474b-96e2-077b80325612", "george");
	signer.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
	signer.setSignatureAlgorithm(XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1);
	Document signDoc = signer.build(doc, crypto, secHeader);

	// put signDoc into a SOAPMessage
	MessageFactory factory = MessageFactory.newInstance();
	ByteArrayOutputStream out = new ByteArrayOutputStream();
	XMLUtils.outputDOM(signDoc, out, true);
	// hand the serialized octets over unchanged; decoding them to a String and
	// re-encoding with the platform default charset can alter signed bytes
	ByteArrayInputStream in = new ByteArrayInputStream(out.toByteArray());
	SOAPMessage outMessage = factory.createMessage(null, in);

	// save the request message to a file
	OutputStream req = new FileOutputStream(new File(requestFile));
	outMessage.writeTo(req);
	req.close();

	// send the message
	response = connection.call(outMessage, targetURL);

I send the same XML message from both clients and save the signed request SOAP messages for comparison.
The messages both look similar with the exception of the DigestValue and SignatureValue elements and some namespace usage.

Is there a better way to build the SOAPMessage to be sent in the snippet of code above which preserves the signed message? It looks like the construction of the SOAPMessage is modifying the signed content in some way which prevents verification from succeeding.

I've attached two example client SOAP message request files which have been signed -
a) dev-axis-wss4j-signed-request.xml - the signed request from the Axis/WSS4J client
b) dev-wss4j-signed-request.xml - the signed request from the "WSS4J only" client         

Any help would be much appreciated.

Thanks
George
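The thread above boils down to a signed DOM being altered by whatever re-serializes it before it reaches the wire. The following is an added example, not George's code and not part of WSS4J itself: it signs an envelope with the WSS4J 1.5.x API as in the snippet, serializes it to bytes, and then re-parses and verifies those exact bytes with WSSecurityEngine on the client, so a serializer or SAAJ implementation that mutates the signed content is caught before the request is sent rather than as a "Verification failed for URI" warning on the server. It assumes a crypto.properties file on the classpath whose keystore holds the signing key under the placeholder alias "client-signing-key" (password "changeit") together with the matching trusted certificate; the envelope text is constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.util.Vector;

import javax.xml.parsers.DocumentBuilderFactory;

import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
import org.apache.ws.security.message.WSSecHeader;
import org.apache.ws.security.message.WSSecSignature;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.utils.XMLUtils;
import org.w3c.dom.Document;

/** Sign a SOAP envelope with WSS4J 1.5.x, serialize it, then verify the serialized
 *  bytes before sending, so a serializer that mutates the signed content is caught
 *  at the client instead of as a server-side WARN. */
public class SignedEnvelopeRoundTrip {

    // Constructed sample envelope; a real client would build this from its payload.
    static final String ENVELOPE =
        "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">"
      + "<soapenv:Header/>"
      + "<soapenv:Body><ns:ping xmlns:ns=\"urn:example\">hello</ns:ping></soapenv:Body>"
      + "</soapenv:Envelope>";

    /** Namespace-aware parser with DTDs disabled (a SOAP message never needs one). */
    static Document parse(byte[] xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
    }

    /** Insert a wsse:Security header and sign the Body with the given keystore alias. */
    static byte[] signEnvelope(Document doc, Crypto crypto, String alias, String password)
            throws Exception {
        WSSecHeader secHeader = new WSSecHeader();
        secHeader.setMustUnderstand(false);
        secHeader.insertSecurityHeader(doc);

        WSSecSignature signer = new WSSecSignature();
        signer.setUserInfo(alias, password);
        signer.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
        signer.setSignatureAlgorithm(XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1);
        Document signed = signer.build(doc, crypto, secHeader);

        // Serialize the DOM straight to bytes; never round-trip through a String with
        // the platform default charset, which can alter the signed octets.
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        XMLUtils.outputDOM(signed, out, true);
        return out.toByteArray();
    }

    /** Re-parse the wire bytes and run the WSS4J security engine over them, exactly as
     *  the server will. Returns true only if a security header was found and every
     *  digest and the signature verified; WSS4J throws WSSecurityException otherwise. */
    static boolean verifiesAsSent(byte[] wire, Crypto crypto) throws Exception {
        WSSecurityEngine engine = new WSSecurityEngine();
        try {
            // actor null, no CallbackHandler needed for a signature-only header
            Vector results = engine.processSecurityHeader(parse(wire), null, null, crypto);
            return results != null && !results.isEmpty();
        } catch (WSSecurityException e) {
            System.err.println("pre-send verification failed: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed: crypto.properties on the classpath points at a keystore holding the
        // signing key under ALIAS and the matching trusted certificate.
        Crypto crypto = CryptoFactory.getInstance("crypto.properties");
        String alias = "client-signing-key";   // placeholder alias
        String password = "changeit";          // placeholder key password

        byte[] wire = signEnvelope(parse(ENVELOPE.getBytes("UTF-8")), crypto, alias, password);

        if (!verifiesAsSent(wire, crypto)) {
            throw new IllegalStateException("signed envelope would not verify; not sending");
        }
        System.out.println("signed envelope verifies after serialization (" + wire.length + " bytes)");
        // From here hand `wire` to the transport. If the transport re-wraps it (for
        // example via SAAJ MessageFactory.createMessage), run verifiesAsSent on the
        // bytes that wrapper actually emits, since that is what the server sees.
    }
}
```

The check is deliberately run on the serialized bytes rather than on the in-memory DOM returned by build(): the DOM is what was signed, the bytes are what the server verifies, and the thread shows the two can differ depending on which SOAP implementation sits between them.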