Posted to fx-dev@ws.apache.org by Jim Hildebrand <ji...@mqsoftware.com> on 2007/05/24 19:26:18 UTC

redundant ds: namespace declarations from wss4j

Hi,
 
I am building a web service client using wss4j 1.5 calling a .NET service (WSE 2.0).  The code generates a signature for the Body and several Header addressing elements.  The signed document looks OK except that all elements within the Signature element have redundant declarations of the ds: namespace.  And, the request is being rejected by the service.  Unfortunately, I've gotten no info from the service provider on what's failing.. I'm working on that.  In the meantime, they've sent me an example of a working request, also generated by Axis/wss4j.
 
The beginning of the signature in my failing request is -
   <ds:Signature Id="Signature-1694736358" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
     <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
     <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
 [... rest of signature deleted]
 
The beginning of the signature in their example is - 
 
   <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
     <ds:CanonicalizationMethod
      Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
      xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
     <SignatureMethod
      Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />

 [... rest of signature deleted.  CanonicalizationMethod is the only element that explicitly used the ds: prefix.  The rest have no prefix, and are included in the default namespace scope]
 
BTW, my client is implemented in the WebSphere Message Broker, not Axis, so wss4j plus the org.apache.axis.utils.XMLUtils class is the only Axis code I'm using.  The rest of the SOAP construction is being done in the broker.
 
Question:  Is there a way to get wss4j to suppress the redundant namespace declarations and use a default namespace declaration for the ds: stuff?
 
Everything I've read says that the two signatures are canonically the same (per c14n), but it seems I'm going to have to make mine use the default namespace pattern to be acceptable to .NET.
 
Cheers, Jim


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org


RE: redundant ds: namespace declarations from wss4j

Posted by Jim Hildebrand <ji...@mqsoftware.com>.
Werner, thanks for your prompt response.  Indeed, something else was wrong (multiple things, actually).  Those have been cleaned up and the request now validates, even with redundant namespace decls.  I'll definitely investigate the XMLUtils methods to try to clean up the Signature, since the resulting XML is about 4 times as big as it needs to be.  Thanks again.
 
Cheers, Jim

AW: redundant ds: namespace declarations from wss4j

Posted by "Dittmann, Werner" <we...@nsn.com>.
Jim,

the WSS4J Axis handler (I understand that you do not use
it) performs a c14n processing as one of its last steps
before sending the SOAP request. This last c14n step
cleans up (removes) redundant namespaces that were
inserted during previous processing steps. Pls have a
look at the WSS4J handler and the call to
XMLUtils.outputDOM(...).

On the other hand: having redundant namespaces does not
cause a signature verification failure. As you say c14n
takes care of NS handling. IMHO something else may be
wrong. .NET often requires Addressing and/or Timestamp
elements in addition to Signature - thus it is really
important to get the real reason why the request fails,
for example if "Signature verification" fails or if other
elements are missing.

Regards,
Werner
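
Added example (not part of the thread and not wss4j code): a check of which namespace differences canonicalization removes, using constructed SignedInfo fragments modelled on the ones quoted in the question. It uses Python's standard-library canonicalizer, which implements C14N 2.0 rather than the exc-c14n algorithm named in the messages; for these fragments the namespace output is the same. All constant and function names are hypothetical.

```python
import hashlib
from xml.etree.ElementTree import canonicalize

DSIG = "http://www.w3.org/2000/09/xmldsig#"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

# Constructed SignedInfo fragments modelled on the thread; the elided parts
# of the real signatures are not reproduced.
REDUNDANT = (  # ds: re-declared on every element, as in the failing request
    f'<ds:SignedInfo xmlns:ds="{DSIG}">'
    f'<ds:CanonicalizationMethod Algorithm="{EXC_C14N}" xmlns:ds="{DSIG}"/>'
    f'<ds:SignatureMethod Algorithm="{RSA_SHA1}" xmlns:ds="{DSIG}"/>'
    '</ds:SignedInfo>'
)
CLEAN = (  # ds: declared once on the outermost element
    f'<ds:SignedInfo xmlns:ds="{DSIG}">'
    f'<ds:CanonicalizationMethod Algorithm="{EXC_C14N}"/>'
    f'<ds:SignatureMethod Algorithm="{RSA_SHA1}"/>'
    '</ds:SignedInfo>'
)
DEFAULT_NS = (  # same elements under a default namespace, no prefix
    f'<SignedInfo xmlns="{DSIG}">'
    f'<CanonicalizationMethod Algorithm="{EXC_C14N}"/>'
    f'<SignatureMethod Algorithm="{RSA_SHA1}"/>'
    '</SignedInfo>'
)


def c14n(fragment: str) -> bytes:
    """Canonical bytes of a fragment (stdlib C14N 2.0, default options)."""
    return canonicalize(xml_data=fragment).encode("utf-8")


def signed_digest(fragment: str) -> str:
    """SHA-1 over the canonical form, the hash an rsa-sha1 signature covers."""
    return hashlib.sha1(c14n(fragment)).hexdigest()


def compare() -> dict:
    """Compare the three serializations after canonicalization."""
    return {
        "redundant_equals_clean":
            signed_digest(REDUNDANT) == signed_digest(CLEAN),
        "prefixed_equals_default":
            signed_digest(CLEAN) == signed_digest(DEFAULT_NS),
        "ds_declarations_in_canonical_form":
            c14n(REDUNDANT).count(b"xmlns:ds="),
    }


if __name__ == "__main__":
    print(c14n(REDUNDANT).decode())
    print(compare())
```

The first comparison is true and the second is false: canonicalization drops a repeated declaration of a prefix that is already in scope but keeps the prefix itself. A verifier canonicalizes whichever form it receives, so each form is consistent with a signature computed over that same form.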
