You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ws.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2010/11/11 18:35:14 UTC

[jira] Resolved: (WSS-181) Signature verification should not fail due to default namespaces added after singing when using exclusive canonicalization

     [ https://issues.apache.org/jira/browse/WSS-181?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh resolved WSS-181.
-------------------------------------

    Resolution: Won't Fix


I'm marking this issue as won't-fix, as it's not a WSS4J problem.

Possibly setting the Axis configuration "enableNamespacePrefixOptimization" to false might solve it.

See this thread for more details on a similar problem:

http://www.mail-archive.com/wss4j-dev@ws.apache.org/msg01909.html

Colm.

> Signature verification should not fail due to default namespaces added after singing when using exclusive canonicalization
> --------------------------------------------------------------------------------------------------------------------------
>
>                 Key: WSS-181
>                 URL: https://issues.apache.org/jira/browse/WSS-181
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 1.5.7
>         Environment: tomcat + axis 1.4 + wss4j 1.5.7
>            Reporter: Nitin Handa
>            Assignee: Ruchith Udayanga Fernando
>            Priority: Blocker
>         Attachments: wss4j.log
>
>
> Signature verification failing but it should not when using exclusive canonicalization.
> Below timestamp element was signed by owsm:-
> <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-iZia05BtcBfzdM8WfpM1fA22">
> <wsu:Created ValueType="http://www.w3.org/2001/XMLSchema/dateTime">2009-04-20T17:09:24Z</wsu:Created>
> <wsu:Expires ValueType="http://www.w3.org/2001/XMLSchema/dateTime">2009-04-20T17:14:24Z</wsu:Expires></wsu:Timestamp>
> while below timestamp element was received by wss4j:-
> <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" *xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" *wsu:Id="Timestamp-iZia05BtcBfzdM8WfpM1fA22">
> <wsu:Created ValueType="http://www.w3.org/2001/XMLSchema/dateTime">2009-04-20T17:09:24Z</wsu:Created>
> <wsu:Expires ValueType="http://www.w3.org/2001/XMLSchema/dateTime">2009-04-20T17:14:24Z</wsu:Expires></wsu:Timestamp> 
> note that default namespace is also there so wss4j verification failed while it should be ignored as this default namespace is unused.
> This same case is with STR and BST too..
> Canonicalized STR & BST at wss4j end used default namespace which canonicalization

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org