Posted to users@cxf.apache.org by Teppo Jalava <tj...@gmail.com> on 2014/12/02 12:36:25 UTC

Signing and validating arbitrary XML documents is affected by CXF (3.0.2)

Hi,

I've got this project where I have to integrate with a web service provided
by a local bank. The message format consists of an XML document, called
ApplicationRequest, which has to be signed and embedded as a base64binary
into the SOAP-message. The SOAP-message is also signed (with the same key).
Sounds kinda stupid but there's some legacy stuff involved etc.

Anyway, the problem I have is that I can sign the ApplicationRequest only
once. Or, more precisely, I can create a valid signature of the
ApplicationRequest only before I make the first call to the web service.
After the first call, subsequent signatures won't validate, neither when I
try to validate them myself nor at the server.

I'm using the basic javax.xml.crypto-packages of the JDK to sign and
validate the ApplicationRequest and WSS4JInterceptors to handle the signing
of the SOAP-messages. I've created a small project based on the CXF's
ws-security samples where the problem can be reproduced. The project is
here: https://github.com/tjjalava/ws-security-sample.

It's more than likely that I've just done something wrong, since I haven't
done many WS projects in a while, but I just can't figure out why this is
happening. So any help or suggestions will be appreciated.

- Teppo

Re: Signing and validating arbitrary XML documents is affected by CXF (3.0.2)

Posted by Teppo Jalava <tj...@gmail.com>.
That did solve it, thank you very much!

t.


> On 2.12.2014, at 18.18, Colm O hEigeartaigh <co...@apache.org> wrote:
> 
> If you use the Apache Santuario JSR105 provider in SignUtil it works:
> "org.apache.jcp.xml.dsig.internal.dom.XMLDSigRI". Not entirely sure why,
> but possibly there is a problem with switching from the JDK JSR
> implementation to Apache Santuario as used by CXF for WS-Security.
> 
> Colm.
> 
> -- 
> Colm O hEigeartaigh
> 
> Talend Community Coder
> http://coders.talend.com


Re: Signing and validating arbitrary XML documents is affected by CXF (3.0.2)

Posted by Colm O hEigeartaigh <co...@apache.org>.
If you use the Apache Santuario JSR105 provider in SignUtil it works:
"org.apache.jcp.xml.dsig.internal.dom.XMLDSigRI". Not entirely sure why,
but possibly there is a problem with switching from the JDK JSR
implementation to Apache Santuario as used by CXF for WS-Security.

Colm.

-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
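
An added example (not code from this thread or from the linked sample project) of what the reply above suggests: obtaining the `XMLSignatureFactory` from the Apache Santuario provider explicitly for both signing and validation, instead of the default `getInstance("DOM")` lookup. The class name `PinnedProviderSignDemo`, the enveloped RSA-SHA256 signature settings, the throwaway key and the sample document are assumptions; it needs the Apache Santuario (xmlsec) jar on the classpath.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class PinnedProviderSignDemo {
    // Pin the Santuario JSR105 provider named in the reply; sign and validate share it.
    static final Provider SANTUARIO = new org.apache.jcp.xml.dsig.internal.dom.XMLDSigRI();
    static XMLSignatureFactory factory() { return XMLSignatureFactory.getInstance("DOM", SANTUARIO); }

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // XML-DSig processing needs a namespace-aware DOM
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // Enveloped signature over the whole document (URI ""), appended to the root element.
    static void sign(Document doc, PrivateKey key) throws Exception {
        XMLSignatureFactory f = factory();
        Reference ref = f.newReference("", f.newDigestMethod(DigestMethod.SHA256, null),
                Collections.singletonList(f.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
                null, null);
        SignedInfo si = f.newSignedInfo(
                f.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                f.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
                Collections.singletonList(ref));
        f.newXMLSignature(si, null).sign(new DOMSignContext(key, doc.getDocumentElement()));
    }

    // Validates against a key the caller already trusts, not one taken from the message.
    static boolean validate(Document doc, PublicKey key) throws Exception {
        Node sig = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext ctx = new DOMValidateContext(key, sig);
        return factory().unmarshalXMLSignature(ctx).validate(ctx);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair(); // throwaway demo key, constructed for this example
        Document doc = parse("<ApplicationRequest><Content>constructed sample</Content></ApplicationRequest>");
        sign(doc, kp.getPrivate());
        System.out.println("valid: " + validate(doc, kp.getPublic()));
        doc.getElementsByTagName("Content").item(0).setTextContent("tampered");
        System.out.println("valid after tamper: " + validate(doc, kp.getPublic()));
    }
}
```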