Posted to users@cxf.apache.org by Giriraj Bhojak <gi...@gmail.com> on 2014/02/23 08:41:47 UTC

Unable to verify signature with Apache CXF and WSS4J on Websphere Application Server 8.5

Hello,

I am pretty sure someone must have faced this issue earlier.
I have a cxf client deployed under a web-module A on WAS 8.5 with versions
as cxf 2.7.8 and a wss4j 1.6.13.
The service provider B is on Tomcat with similar configuration.
I had to set the class loader policy for web project to parent last and I
also disabled Websphere's JAXWS engine.
I have been able to send a message from A to B without any issues.
UserNameToken profile worked as well.
But when I send a signature from A to B, I keep getting the following during
verification on the provider on tomcat:

[2/23/14 2:32:31:347 EST] 000000d1 webapp        E com.ibm.ws.webcontainer.webapp.WebApp logServletError SRVE0293E: [Servlet Error]-[WSClientServlet]: javax.xml.ws.soap.SOAPFaultException: The signature or decryption was invalid
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:157)
    at com.sun.proxy.$Proxy476.getResponse(Unknown Source)
    at com.test.controller.WSClientServlet.doGet(WSClientServlet.java:67)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:575)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:668)
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1225)
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:775)
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:457)
    at com.ibm.ws.webcontainer.servlet.ServletWrapperImpl.handleRequest(ServletWrapperImpl.java:178)
    at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1032)
    at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:3761)
    at com.ibm.ws.webcontainer.webapp.WebGroup.handleRequest(WebGroup.java:304)
    at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:975)
    at com.ibm.ws.webcontainer.WSWebContainer.handleRequest(WSWebContainer.java:1662)
    at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:195)
    at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:459)
    at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewRequest(HttpInboundLink.java:526)
    at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.processRequest(HttpInboundLink.java:312)
    at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.ready(HttpInboundLink.java:283)
    at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:214)
    at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:113)
    at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:165)
    at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
    at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
    at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:138)
    at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:204)
    at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:775)
    at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:905)
    at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1815)
Caused by: org.apache.cxf.binding.soap.SoapFault: The signature or decryption was invalid
    at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.unmarshalFault(Soap11FaultInInterceptor.java:84)
    at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:51)
    at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:40)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
    at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:113)
    at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:69)
    at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:34)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
    at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:835)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1612)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1503)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1310)
    at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:50)
    at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:223)
    at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
    at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:628)
    at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
    at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:565)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:474)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:377)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:330)
    at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:135)

Using in and out interceptors, I compared the outbound message on A and
inbound message on B.
Both are identical. So I am at a loss to understand why this does not work.
Using a unit test, I am able to send the same message with a signature and
the provider is able to verify the signature as well. There are no errors.
I am using X509 certificates.

I found the problem in the class
org.apache.jcp.xml.dsig.internal.dom.DOMSignatureMethod, in the method
verify(Key, SignedInfo, byte[], XMLValidateContext) from xmlsec-1.5.6.jar.
The call 'return signature.verify(sig);' returns false.

I am not sure what went wrong when using the same client on Websphere.

Could someone please provide me assistance?

Thanks,
Giriraj.

Re: Unable to verify signature with Apache CXF and WSS4J on Websphere Application Server 8.5

Posted by ashish <as...@gmail.com>.
cxf newbie <ca...@...> writes:
> 
> Sorry, you were right:
> 
> I put this in client class:
> Map<String, Object> ctx = ((BindingProvider)port).getRequestContext();
> ctx.put(WSHandlerConstants.IS_BSP_COMPLIANT, "false");
> 
> Now it works, but without timestamp reference.
> Interesting, <Body> is correctly signed and validated.
> 
> If I put <sp:IncludeTimestamp> in policy file:
> <wsu:Timestamp wsu:Id="TS-5A28482C0A57755103139419734630013">
>             <wsu:Created>2014-03-07T13:02:26.300Z</wsu:Created>
>             <wsu:Expires>2014-03-07T13:07:26.300Z</wsu:Expires>
> </wsu:Timestamp>
> 
> then I get:
> Digest value: OMNbo25276XKjodI3T60RuR1nh8=
> Calculated digest value: olWImZ1Re/74QV8+56VdoWpwjcs=
> 
> DOMReferencer class:
> validationStatus = Arrays.equals(digestValue, calcDigestValue); 
> This one returns false.
> 
> Thanks.
> 
> --
> View this message in context: http://cxf.547215.n5.nabble.com/Unable-to-verify-signature-with-Apache-CXF-and-WSS4J-on-Websphere-Application-Server-8-5-tp5740358p5740957.html
> Sent from the cxf-user mailing list archive at Nabble.com.
> 
> 
Hi,
  I am facing the same issue: my stand-alone program is working fine, but when
deployed in WAS 8.5.5 it is failing with "An error occurred when verifying
security for the message".
The difference I noticed in the request is that
ec:InclusiveNamespaces has been added in CanonicalizationMethod and the
Transform tag has a different value than in the stand-alone program.

Stand-alone (which is good):
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="soap"/>
</ds:CanonicalizationMethod>

<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="wsse soap"/>
</ds:Transform>

With WAS (which is failing):
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="soap soapenc xsd xsi"/>
</ds:CanonicalizationMethod>

<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList=""/>
</ds:Transform>


I tried to remove this with
Map<String, Object> ctx = ((BindingProvider) port).getRequestContext();
ctx.put(WSHandlerConstants.IS_BSP_COMPLIANT, "false");

but no luck. I am using WAS 8.5.5 and CXF 3.1.5.
If you have got past this error, please help me.

Thanks





Re: Unable to verify signature with Apache CXF and WSS4J on Websphere Application Server 8.5

Posted by cxf newbie <ca...@gmail.com>.

Sorry, you were right:

I put this in client class:
Map<String, Object> ctx = ((BindingProvider)port).getRequestContext();
ctx.put(WSHandlerConstants.IS_BSP_COMPLIANT, "false");

Now it works, but without timestamp reference.
Interesting, <Body> is correctly signed and validated.

If I put <sp:IncludeTimestamp> in policy file:
<wsu:Timestamp wsu:Id="TS-5A28482C0A57755103139419734630013">
            <wsu:Created>2014-03-07T13:02:26.300Z</wsu:Created>
            <wsu:Expires>2014-03-07T13:07:26.300Z</wsu:Expires>
</wsu:Timestamp>

then I get:
Digest value: OMNbo25276XKjodI3T60RuR1nh8=
Calculated digest value: olWImZ1Re/74QV8+56VdoWpwjcs=

DOMReferencer class:
validationStatus = Arrays.equals(digestValue, calcDigestValue);
This one returns false.

Thanks.




--
View this message in context: http://cxf.547215.n5.nabble.com/Unable-to-verify-signature-with-Apache-CXF-and-WSS4J-on-Websphere-Application-Server-8-5-tp5740358p5740957.html
Sent from the cxf-user mailing list archive at Nabble.com.
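The digest comparison above, and the InclusiveNamespaces/PrefixList difference ashish reports earlier in the thread, can be reproduced outside xmlsec. The following is an added example, not code from the thread or from CXF/WSS4J: it redoes the DigestValue computation for a constructed wsu:Timestamp with the stdlib C14N 2.0 writer (which, like exc-c14n with an empty PrefixList, sorts attributes and drops unused namespace declarations) and shows which of the changes discussed in the thread alter the digest and which do not. Element text, the TS-1 id and the "Added" attribute are constructed values.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"


def canonical_form(xml_text):
    """Canonical bytes of one signed element. The stdlib writer implements
    C14N 2.0, which, like exc-c14n with an empty PrefixList, sorts attributes
    and drops in-scope namespace declarations the element does not use.
    Whitespace text nodes are kept: they were signed too."""
    return ET.canonicalize(xml_text).encode("utf-8")


def digest_value(xml_text):
    """Base64 SHA-1 of the canonical form, i.e. the DigestValue a ds:Reference
    with the SHA-1 DigestMethod carries for this element."""
    return base64.b64encode(hashlib.sha1(canonical_form(xml_text)).digest()).decode("ascii")


def reference_valid(digest_value_b64, xml_text):
    """The Arrays.equals(digestValue, calcDigestValue) step of the xmlsec
    reference check, redone locally on a captured element."""
    return base64.b64decode(digest_value_b64) == hashlib.sha1(canonical_form(xml_text)).digest()


# Constructed samples; the Timestamp quoted in the thread is real, these are not.
TS_AS_SIGNED = (
    f'<wsu:Timestamp xmlns:wsu="{WSU}" wsu:Id="TS-1">'
    '<wsu:Created>2014-03-07T13:02:26.300Z</wsu:Created>'
    '<wsu:Expires>2014-03-07T13:07:26.300Z</wsu:Expires></wsu:Timestamp>'
)
# wsu:Id before xmlns:wsu, the attribute swap reported on the client side.
TS_ATTRS_SWAPPED = TS_AS_SIGNED.replace(
    f'xmlns:wsu="{WSU}" wsu:Id="TS-1"', f'wsu:Id="TS-1" xmlns:wsu="{WSU}"', 1)
# An unused namespace declaration: harmless unless a PrefixList names it.
TS_UNUSED_NS = TS_AS_SIGNED.replace(
    "<wsu:Timestamp ", '<wsu:Timestamp xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" ', 1)
# An attribute appended after signing, the kind of change that breaks the digest.
TS_ATTR_ADDED = TS_AS_SIGNED.replace('wsu:Id="TS-1"', 'wsu:Id="TS-1" Added="later"', 1)

if __name__ == "__main__":
    signed = digest_value(TS_AS_SIGNED)
    print("as signed       ", signed)
    for label, doc in [("attrs swapped", TS_ATTRS_SWAPPED),
                       ("unused ns added", TS_UNUSED_NS),
                       ("attr added", TS_ATTR_ADDED)]:
        print(f"{label:16}", digest_value(doc), "valid" if reference_valid(signed, doc) else "MISMATCH")
```

Swapping attribute order or adding a namespace declaration the element never uses leaves the digest unchanged; only the added attribute produces the kind of mismatch shown above, which is why a PrefixList that forces otherwise unused prefixes (soapenc, xsd, xsi) into the canonical form, or attributes added to a signed element after signing, will fail verification.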

Re: Unable to verify signature with Apache CXF and WSS4J on Websphere Application Server 8.5

Posted by cxf newbie <ca...@gmail.com>.
Hi Giriraj,


Thanks for your reply.
I added 
<jaxws:properties>
    ...
   <entry key="ws-security.is-bsp-compliant" value="false"/>
</jaxws:properties>

on the client and ws side.
I also upgraded from cxf 2.7.5 to cxf 2.7.10 (xmlsec-1.5.6), but it did not help.


I am not quite sure about this, but after extensive debugging I noticed
additional attributes in <ds:Signature> tag and child tags, which were not
in original message.

Maybe I am looking in the wrong direction, but the <Signature> tag in
DOMXMLSignature.DOMSignatureValue.sigValueElem has different namespaces than
the DOMXMLSignature.ownerDoc <Signature> tag.

Thanks.



--
View this message in context: http://cxf.547215.n5.nabble.com/Unable-to-verify-signature-with-Apache-CXF-and-WSS4J-on-Websphere-Application-Server-8-5-tp5740358p5740953.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: Unable to verify signature with Apache CXF and WSS4J on Websphere Application Server 8.5

Posted by Giriraj Bhojak <gi...@gmail.com>.
BSP compliance is enabled by default.
I debugged a lot and identified BSP specific attributes/namespaces being
added to KeyInfo element. So the signature was actually invalid.
Disabling BSP compliance did the trick for me, for now. I may have to find
another alternative in future.
Hope this helps your case.

Thanks,
Giriraj.


On Tue, Mar 4, 2014 at 1:12 PM, cxf newbie <ca...@gmail.com> wrote:

> Hi,
>
> I also have similar problem:
>
>
> http://cxf.547215.n5.nabble.com/WebSphere-8-wss4j-and-cxf-signature-validation-td5739363.html
>
> Did you make any progress ?
>
> I tried some options:
>
> 1. Verifying certificate chain.
> 2. Adding Bouncy Castle as provider to WSSConfig instead of IBMJCE.
> 3. Avoiding xmlsec at all (unsuccessfully).
> 4. Logging and wiresharking request and response.
>
> But no use.
>
> I tried to sign Body and Timestamp tag.
> Also noticed that Body attribute "wsu:Id" is placed before "xmlns:wsu"
> attribute when response message leaves web service. When the same response
> comes to client side their order is swapped.
> I am signing body and timestamp.
>
> As you already noticed, "PARENT_LAST" and OSGi may be the problem:
> http://veithen.blogspot.com/2013/10/broken-by-design-websphere-stax.html
>
> Also look at this:
>
> http://blog.lodeblomme.be/2011/09/27/apache-cxf-ws-security-the-signature-or-decryption-was-invalid
> They say it may be problem with Linux or even Java 6.
>
> I can not debug the "verify" method because I do not have the source for IBMJCE and
> the debugger behaves very strangely even when Bouncy Castle is used.
>
> Cheers
>
>
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/Unable-to-verify-signature-with-Apache-CXF-and-WSS4J-on-Websphere-Application-Server-8-5-tp5740358p5740804.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>

Re: Unable to verify signature with Apache CXF and WSS4J on Websphere Application Server 8.5

Posted by cxf newbie <ca...@gmail.com>.
Hi,

I also have similar problem:

http://cxf.547215.n5.nabble.com/WebSphere-8-wss4j-and-cxf-signature-validation-td5739363.html

Did you make any progress ?

I tried some options:

1. Verifying certificate chain.
2. Adding Bouncy Castle as provider to WSSConfig instead of IBMJCE.
3. Avoiding xmlsec at all (unsuccessfully).
4. Logging and wiresharking request and response.

But no use.

I tried to sign Body and Timestamp tag.
Also noticed that Body attribute "wsu:Id" is placed before "xmlns:wsu"
attribute when response message leaves web service. When the same response
comes to client side their order is swapped.
I am signing body and timestamp.

As you already noticed, "PARENT_LAST" and OSGi may be the problem:
http://veithen.blogspot.com/2013/10/broken-by-design-websphere-stax.html

Also look at this:
http://blog.lodeblomme.be/2011/09/27/apache-cxf-ws-security-the-signature-or-decryption-was-invalid
They say it may be problem with Linux or even Java 6.

I can not debug the "verify" method because I do not have the source for IBMJCE and
the debugger behaves very strangely even when Bouncy Castle is used.

Cheers



--
View this message in context: http://cxf.547215.n5.nabble.com/Unable-to-verify-signature-with-Apache-CXF-and-WSS4J-on-Websphere-Application-Server-8-5-tp5740358p5740804.html
Sent from the cxf-user mailing list archive at Nabble.com.