Posted to fx-dev@ws.apache.org by "Chris Nappin (JIRA)" <ji...@apache.org> on 2005/09/06 10:06:30 UTC

[jira] Created: (WSS-19) c14n algorithm doesn't support default namespaces

c14n algorithm doesn't support default namespaces
-------------------------------------------------

         Key: WSS-19
         URL: http://issues.apache.org/jira/browse/WSS-19
     Project: WSS4J
        Type: Bug
 Environment: WSS4J 1.1.0, Axis 1.2.1, Sun JDK 1.5.0-03, Xerces 2.6.2 (as part of JBoss 4.0.2)
    Reporter: Chris Nappin
 Assigned to: Davanum Srinivas 


There appears to be a fault with the c14n algorithm in wss4j, in that it doesn't handle default namespaces correctly, and valid documents fail verification.

When signing and sending the following SOAP body with WSS4J:

<Nominal xmlns="http://www.test.com/Test">
    <name>Bert</name>
    <number>1234</number>
</Nominal>

The c14n algorithm changes it to:

<ns1:Nominal xmlns="http://www.test.com/Test" xmlns:ns1="http://www.test.com/Test">
    <ns1:name>Bert</ns1:name>
    <ns1:number>1234</ns1:number>
</ns1:Nominal>

Note it hasn't understood the default namespace, but has left it on.

On the server side, this document always fails to validate and WSS4J throws a security exception, for example:

Verification failed for URI "#id-20214052"
org.apache.ws.security.WSSecurityException: The signature verification failed at
org.apache.ws.security.WSSecurityEngine.verifyXMLSignature(WSSecurityEngine.java:644)
..etc..

If the client and server code and configuration are left identical, but the document is changed to use explicit namespaces as follows:

<myns:Nominal xmlns:myns="http://www.test.com/Test">
    <myns:name>Bert</myns:name>
    <myns:number>1234</myns:number>
</myns:Nominal>

This is then unaltered by the wss4j on the wire, and the server verifies the signature as valid.

If you require any further details (e.g. the full client code, property files etc), please email me.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org


Re: [jira] Created: (WSS-19) c14n algorithm doesn't support default namespaces

Posted by David Del Vecchio <dd...@virginia.edu>.
This might actually be an Axis problem, related to the following bug: 
http://issues.apache.org/jira/browse/AXIS-1624

In general, Axis does not necessarily preserve canonicalization when it 
processes incoming/outgoing messages. So what may be happening is that Axis 
modifies the prefixes before the c14n code and WSS4J ever see the message. 
The c14n stuff might actually be working correctly, but since it's running 
on a modified message, you'd never know it.

The canonicalization and XML signature support is provided by the XML 
security library (http://xml.apache.org/security). You might want to try 
using that library's APIs to run your sample XML through the canonicalizer 
directly and see if it gives you the expected result.

David

On Tue, 6 Sep 2005 10:06:30 +0200 (CEST)
  "Chris Nappin (JIRA)" <ji...@apache.org> wrote:
> c14n algorithm doesn't support default namespaces
> -------------------------------------------------
> 
>         Key: WSS-19
>         URL: http://issues.apache.org/jira/browse/WSS-19
>     Project: WSS4J
>        Type: Bug
> Environment: WSS4J 1.1.0, Axis 1.2.1, Sun JDK 1.5.0-03, Xerces 2.6.2 (as 
>part of JBoss 4.0.2)
>    Reporter: Chris Nappin
> Assigned to: Davanum Srinivas 
> 
> 
> There appears to be a fault with the c14n algorithm in wss4j, in that it 
>doesn't handle default namespaces correctly, and valid documents fail 
>verification.
> 
> When signing and sending the following SOAP body with WSS4J:
> 
> <Nominal xmlns="http://www.test.com/Test">
>    <name>Bert</name>
>    <number>1234</number>
> </Nominal>
> 
> The c14n algorithm changes it to:
> 
> <ns1:Nominal xmlns="http://www.test.com/Test" 
>xmlns:ns1="http://www.test.com/Test">
>    <ns1:name>Bert</ns1:name>
>    <ns1:number>1234</ns1:number>
> </ns1:Nominal>
> 
> Note it hasn't understood the default namespace, but has left it on.
> 
> On the server side, this document always fails to validate and WSS4J 
>throws a security exception, for example:
> 
> Verification failed for URI "#id-20214052"
> org.apache.ws.security.WSSecurityException: The signature verification 
>failed at
> org.apache.ws.security.WSSecurityEngine.verifyXMLSignature(WSSecurityEngine.java:644)
> ..etc..
> 
> If the client and server code and configuration is left identical, but the 
>document changed to use explicit namespaces as follows:
> 
> <myns:Nominal xmlns:myns="http://www.test.com/Test">
>    <myns:name>Bert</myns:name>
>    <myns:number>1234</myns:number>
> </myns:Nominal>
> 
> This is then unaltered by the wss4j on the wire, and the server verifies 
>the signature as valid.
> 
> If you require any further details (e.g. the full client code, 
>property files etc), please email me.
> 

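Added example, not part of the original thread and not WSS4J or Axis code: the three document shapes from the report run directly through the XML Security library's canonicalizer, as the reply above suggests. It assumes Apache Santuario 2.3 or later on the classpath (where canonicalizeSubtree writes to an OutputStream), exclusive c14n as the algorithm in use, and whitespace-free constructed copies of the quoted documents; the class name C14nPrefixCheck is hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.c14n.Canonicalizer;
import org.w3c.dom.Document;

public class C14nPrefixCheck {
    static { org.apache.xml.security.Init.init(); } // register the c14n algorithms

    static final String NS = "http://www.test.com/Test";
    // Constructed inputs mirroring the report: as written by the client,
    // as seen on the wire, and the explicit-prefix variant that verified.
    static final String DEFAULT_NS = "<Nominal xmlns=\"" + NS + "\">"
        + "<name>Bert</name><number>1234</number></Nominal>";
    static final String REWRITTEN = "<ns1:Nominal xmlns=\"" + NS + "\" xmlns:ns1=\"" + NS + "\">"
        + "<ns1:name>Bert</ns1:name><ns1:number>1234</ns1:number></ns1:Nominal>";
    static final String EXPLICIT = "<myns:Nominal xmlns:myns=\"" + NS + "\">"
        + "<myns:name>Bert</myns:name><myns:number>1234</myns:number></myns:Nominal>";

    // Parse namespace-aware (c14n is defined on namespace-aware trees) and
    // canonicalize the root element with exclusive c14n, comments omitted.
    static byte[] canonicalize(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        Canonicalizer c14n =
            Canonicalizer.getInstance(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        c14n.canonicalizeSubtree(doc.getDocumentElement(), out);
        return out.toByteArray();
    }

    // Digest of the canonical bytes, comparable between signer and verifier.
    static String digest(byte[] data) throws Exception {
        return Base64.getEncoder()
            .encodeToString(MessageDigest.getInstance("SHA-256").digest(data));
    }

    public static void main(String[] args) throws Exception {
        for (String xml : new String[] {DEFAULT_NS, REWRITTEN, EXPLICIT}) {
            byte[] canonical = canonicalize(xml);
            System.out.println(digest(canonical) + "  "
                + new String(canonical, StandardCharsets.UTF_8));
        }
    }
}
```

Canonical XML keeps the prefixes it is given, so each input yields different canonical bytes and a different digest. A digest computed over the first form cannot match a message that arrives in the second form, whichever component rewrote the prefixes.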

[jira] Closed: (WSS-19) c14n algorithm doesn't support default namespaces

Posted by "Werner Dittmann (JIRA)" <ji...@apache.org>.
     [ http://issues.apache.org/jira/browse/WSS-19?page=all ]
     
Werner Dittmann closed WSS-19:
------------------------------

    Resolution: Won't Fix

IMHO this behaviour is due to some Axis1 settings that try to optimize namespace usage.
WSS4J can't do anything about this.

> c14n algorithm doesn't support default namespaces
> -------------------------------------------------
>
>          Key: WSS-19
>          URL: http://issues.apache.org/jira/browse/WSS-19
>      Project: WSS4J
>         Type: Bug
>  Environment: WSS4J 1.1.0, Axis 1.2.1, Sun JDK 1.5.0-03, Xerces 2.6.2 (as part of JBoss 4.0.2)
>     Reporter: Chris Nappin
>     Assignee: Davanum Srinivas

>
> There appears to be a fault with the c14n algorithm in wss4j, in that it doesn't handle default namespaces correctly, and valid documents fail verification.
> When signing and sending the following SOAP body with WSS4J:
> <Nominal xmlns="http://www.test.com/Test">
>     <name>Bert</name>
>     <number>1234</number>
> </Nominal>
> The c14n algorithm changes it to:
> <ns1:Nominal xmlns="http://www.test.com/Test" xmlns:ns1="http://www.test.com/Test">
>     <ns1:name>Bert</ns1:name>
>     <ns1:number>1234</ns1:number>
> </ns1:Nominal>
> Note it hasn't understood the default namespace, but has left it on.
> On the server side, this document always fails to validate and WSS4J throws a security exception, for example:
> Verification failed for URI "#id-20214052"
> org.apache.ws.security.WSSecurityException: The signature verification failed at
> org.apache.ws.security.WSSecurityEngine.verifyXMLSignature(WSSecurityEngine.java:644)
> ..etc..
> If the client and server code and configuration is left identical, but the document changed to use explicit namespaces as follows:
> <myns:Nominal xmlns:myns="http://www.test.com/Test">
>     <myns:name>Bert</myns:name>
>     <myns:number>1234</myns:number>
> </myns:Nominal>
> This is then unaltered by the wss4j on the wire, and the server verifies the signature as valid.
> If you require any further details (e.g. the full client code, property files etc), please email me.
