Posted to muse-user@ws.apache.org by Alexander Willner <wi...@cs.uni-bonn.de> on 2008/01/22 16:30:42 UTC

Problem with XmlUtils.toString and WSS4J

Hello everyone,

there seems to be a serious problem with XmlUtils.toString(Doc) and  
WSS4J. When you convert a document to its XML representation and then  
back to a document again, it can't be validated by WSS4J anymore. This  
happens e.g. when receiving a SOAP message via the MiniServlet.
I've written a JUnit test to show the problem:

-------------------------------------------------------------------------------------------
public final void testSignatureToString() throws IOException, SAXException,
           SignatureNotFoundException {

       /* Create valid signed example -------------------------------------- */
       Document request =
               createExampleRequestWithoutSignature(this.exampleRequestWithoutSignature);
       Document response = this.secureHandler.addSignature(request);
       String responseString = XmlUtils.toString(response);
       /* ------------------------------------------------------------------ */


       /* Check example ---------------------------------------------------- */
       boolean check = this.signer.checkSignature(response);
       Assert.assertTrue("Signature is valid!", check);
       /* ------------------------------------------------------------------ */


       /* Create a copy (e.g. receive example via Webservice --------------- */
       Document newResponse = XmlUtils.createDocument(responseString);
       String newResponseString = XmlUtils.toString(newResponse);
       Assert.assertTrue("Strings are equal", newResponseString
               .equals(responseString));
       /* ------------------------------------------------------------------ */


       /* ------------------------------------------------------------------ */
       check = this.signer.checkSignature(newResponse);
       Assert.assertTrue("Signature is valid", check); // this fails!!!
       /* ------------------------------------------------------------------ */
}
-------------------------------------------------------------------------------------------

The solution here is to use XMLUtils.PrettyDocumentToString(Doc) [1]  
instead of XmlUtils.toString(Doc):

-------------------------------------------------------------------------------------------
public final void testSignatureToString() throws IOException, SAXException,
           SignatureNotFoundException {

       /* Create valid signed example -------------------------------------- */
       Document request =
               createNspExampleRequestWithoutSignature(this.nspExampleRequestWithoutSignature);
       this.secureHandler.setAddSignatureFlag(true);
       Document response = this.secureHandler.addSignature(request);
       String responseString = XMLUtils.PrettyDocumentToString(response);
       /* ------------------------------------------------------------------ */


       /* Check example ---------------------------------------------------- */
       boolean check = this.signer.checkSignature(response);
       Assert.assertTrue("Signature is valid!", check);
       /* ------------------------------------------------------------------ */


       /* Create a copy (e.g. receive example via Webservice --------------- */
       Document newResponse = XmlUtils.createDocument(responseString);
       String newResponseString = XMLUtils.PrettyDocumentToString(newResponse);
       String newResponseString2 = XmlUtils.toString(newResponse);
       System.out.println("Test1: ---------");
       System.out.println(newResponseString);
       System.out.println("Test2: ---------");
       System.out.println(newResponseString2);

       Assert.assertTrue("Strings are equal", newResponseString
               .equals(responseString));
       /* ------------------------------------------------------------------ */


       /* ------------------------------------------------------------------ */
       check = this.signer.checkSignature(newResponse);
       Assert.assertTrue("Signature is valid", check);
       /* ------------------------------------------------------------------ */
}
-------------------------------------------------------------------------------------------


Regards, Alex

[1] http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/util/XMLUtils.html#PrettyDocumentToString(org.w3c.dom.Document)


---------------------------------------------------------------------
To unsubscribe, e-mail: muse-user-unsubscribe@ws.apache.org
For additional commands, e-mail: muse-user-help@ws.apache.org


Re: Problem with XmlUtils.toString and WSS4J

Posted by Alexander Willner <wi...@cs.uni-bonn.de>.
Dear David,

thank you for the reply. But since I'm working on Java w3c-Document
objects, I think white spaces are not the problem here. But I'll do
some further investigation.

Regards, Alex

On 22.01.2008 at 17:42, <da...@bt.com> <david.brossard@bt.com> wrote:

> Hi,
>
> Wouldn't this be due to the extra space that can be found around
> elements (space used for pretty formatting). That would account for the
> fact the PrettyDocumentToString method works.
>
> Remember the way signature works: a hash of the XML document is taken
> then signed. Obviously, if there's additional (or fewer) whitespace, the
> hash changes which results in the signature being invalid...
>
> Hope this helps...
>
> David.


RE: Problem with XmlUtils.toString and WSS4J

Posted by da...@bt.com.
Hi,

Wouldn't this be due to the extra space that can be found around
elements (space used for pretty formatting). That would account for the
fact the PrettyDocumentToString method works.

Remember the way signature works: a hash of the XML document is taken
then signed. Obviously, if there's additional (or fewer) whitespace, the
hash changes which results in the signature being invalid...

Hope this helps...

David. 


David Brossard
_______________________ 
Linkedin Profile: http://www.linkedin.com/in/davidbrossard
_______________________ 
