Axis namespace rewriting on web service responses and WS-Security

[Brian Nielsen <bn...@systematic.dk>]

Hi.

I have a problem with Axis 1.4 regarding namespace rewriting and WS-Security.

I call a BEA ALSB Proxy Service that signs the response message. The response message includes WS-Addressing elements, using the namespace prefix "wsa", and they are included in the signature.
If I verify the signature using WSS4J directly (no Axis is involved) everything is fine. However, if I use WSS4J with Axis, the signature references to the WS-Adressing elements results in "Verification failed" (as seen in the WSS4J log). All other references in the signature results in "Verification successful". The difference in the two scenarios are that Axis seems to rewrite the "wsa" prefix to "ns1", "ns2" and so on for each WS-Addressing element. This obviously would cause the signature to become invalid. The funny thing is that only WS-Addressing elements are rewritten.

Below are snippets from the response in the two scenarios.

Is there anything I can do to avoid this problem other than changing the policy file on the ALSB to not include WS-Addressing in the signature?`
I have already inserted
<parameter name="enableNamespacePrefixOptimization"
           value="false" />
in the client-config.wsdd file.


Snippet from response without Axis (i.e. what BEA ALSB sends as a response):

           <soapenv:Header
                      xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                      xmlns:xsd="http://www.w3.org/2001/XMLSchema">
                      <tns:eFPIHeader wsu:Id="eFPIHeader_EhIeyih0WH3Lv2Zm"
                                 xmlns:tns="http://xsd.efpi.dk/2007/03/30/eFPI-DokUdv/Header-eFPI-Kvittering"
                                 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                                 <ToAktoerID>AfsenderAktoer</ToAktoerID>
                                 <eFPIsagsID>
                                            uuid:6d9d75a0-f88b-11db-9403-cce216df29cd
                                 </eFPIsagsID>
                                 <ToAktoersSagsReference>
                                            Afsender Reference
                                 </ToAktoersSagsReference>
                      </tns:eFPIHeader>
                      <wsa:MessageID soapenv:mustUnderstand="0">
                                 uuid:38adc450-f8b6-11db-b677-abd29d2f5002
                      </wsa:MessageID>
                      <wsa:To soapenv:mustUnderstand="0" wsu:Id="To_lQbzP9FIe8j4eOYE"
                                 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                                 http://localhost:7001/DokUdv.eFPI
                      </wsa:To>
                      <wsa:Action soapenv:mustUnderstand="0">
                                 http://service.efpi.dk/2007/03/30/DokUdv.eFPI/SendDokPak
                      </wsa:Action>
                      <wsa:From soapenv:mustUnderstand="0">
                                 <wsa:Address>
                                            http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                                 </wsa:Address>
                      </wsa:From>


Snippet from response using Axis client:

<?xml version="1.0" encoding="us-ascii"?>
<soapenv:Envelope
           xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
           <soapenv:Header>
                      <tns:eFPIHeader wsu:Id="eFPIHeader_K9TlAs8dvbW9xaCs"
                                 xmlns:tns="http://xsd.efpi.dk/2007/03/30/eFPI-DokUdv/Header-eFPI-Kvittering"
                                 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                                 <ToAktoerID>AfsenderAktoer</ToAktoerID>
                                 <eFPIsagsID>
                                            uuid:6d9d75a0-f88b-11db-9403-cce216df29cd
                                 </eFPIsagsID>
                                 <ToAktoersSagsReference>
                                            Afsender Reference
                                 </ToAktoersSagsReference>
                      </tns:eFPIHeader>
                      <ns1:MessageID soapenv:mustUnderstand="0"
                                 xmlns:ns1="http://schemas.xmlsoap.org/ws/2004/08/addressing">
                                 uuid:4c4954e0-f8cd-11db-b9e2-a3c96c42c75e
                      </ns1:MessageID>
                      <ns2:To wsu:Id="id-20870565" soapenv:mustUnderstand="0"
                                 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                                 xmlns:ns2="http://schemas.xmlsoap.org/ws/2004/08/addressing">
                                 http://localhost:7001/DokUdv.eFPI
                      </ns2:To>
                      <ns3:Action wsu:Id="id-27109735" soapenv:mustUnderstand="0"
                                 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                                 xmlns:ns3="http://schemas.xmlsoap.org/ws/2004/08/addressing">
                                 http://service.efpi.dk/2007/03/30/DokUdv.eFPI/SendDokPak
                      </ns3:Action>
                      <ns4:From soapenv:mustUnderstand="0"
                                 xmlns:ns4="http://schemas.xmlsoap.org/ws/2004/08/addressing">
                                 <ns4:Address>
                                            http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                                 </ns4:Address>
                      </ns4:From>


Regards,

Brian Nielsen


---------------------------------------------------------------------
To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
For additional commands, e-mail: axis-user-help@ws.apache.org