  • Spring WS-Security: Signature verification failed

    I am new to Spring WS and I made some changes to the airline-server & airline-client-spring-ws samples to try the WS signature. However, the server can verify the client request, but the client fails to verify the server response with the following error. Would any experts here give me a helping hand? Thanks.
    Code:
    May 29, 2012 4:29:15 PM com.sun.xml.wss.impl.dsig.KeySelectorImpl resolveToken
    SEVERE: WSS1364: Unable to validate certificate
    May 29, 2012 4:29:15 PM com.sun.xml.wss.impl.dsig.KeySelectorImpl resolve
    SEVERE: WSS1353: Error occurred while resolving key information
    Throwable occurred: com.sun.xml.wss.impl.WssSoapFaultException: Certificate validation failed
    	at com.sun.xml.wss.impl.SecurableSoapMessage.newSOAPFaultException(SecurableSoapMessage.java:336)
    	at com.sun.xml.wss.impl.dsig.KeySelectorImpl.resolveToken(KeySelectorImpl.java:1332)
    	at com.sun.xml.wss.impl.dsig.KeySelectorImpl.resolve(KeySelectorImpl.java:640)
    	at com.sun.xml.wss.impl.dsig.KeySelectorImpl.select(KeySelectorImpl.java:246)
    	at org.jcp.xml.dsig.internal.dom.DOMXMLSignature$DOMSignatureValue.validate(Unknown Source)
    	at org.jcp.xml.dsig.internal.dom.DOMXMLSignature.validate(Unknown Source)
    	at com.sun.xml.wss.impl.dsig.SignatureProcessor.verify(SignatureProcessor.java:786)
    	at com.sun.xml.wss.impl.filter.SignatureFilter.process(SignatureFilter.java:537)
    	at com.sun.xml.wss.impl.HarnessUtil.processWSSPolicy(HarnessUtil.java:93)
    	at com.sun.xml.wss.impl.HarnessUtil.processDeep(HarnessUtil.java:268)
    	at com.sun.xml.wss.impl.SecurityRecipient.processMessagePolicy(SecurityRecipient.java:863)
    	at com.sun.xml.wss.impl.SecurityRecipient.processMessagePolicy(SecurityRecipient.java:815)
    	at com.sun.xml.wss.impl.SecurityRecipient.validateMessage(SecurityRecipient.java:256)
    	at com.sun.xml.wss.impl.misc.XWSSProcessor2_0Impl.verifyInboundMessage(XWSSProcessor2_0Impl.java:148)
    	at org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor.validateMessage(XwsSecurityInterceptor.java:162)
    	at org.springframework.ws.soap.security.AbstractWsSecurityInterceptor.handleResponse(AbstractWsSecurityInterceptor.java:235)
    	at org.springframework.ws.client.core.WebServiceTemplate.triggerHandleResponse(WebServiceTemplate.java:732)
    	at org.springframework.ws.client.core.WebServiceTemplate.doSendAndReceive(WebServiceTemplate.java:595)
    	at org.springframework.ws.client.core.WebServiceTemplate.sendAndReceive(WebServiceTemplate.java:537)
    	at org.springframework.ws.client.core.WebServiceTemplate.doSendAndReceive(WebServiceTemplate.java:492)
    	at org.springframework.ws.client.core.WebServiceTemplate.sendSourceAndReceiveToResult(WebServiceTemplate.java:436)
    	at org.springframework.ws.client.core.WebServiceTemplate.sendSourceAndReceiveToResult(WebServiceTemplate.java:427)
    	at org.springframework.ws.client.core.WebServiceTemplate.sendSourceAndReceiveToResult(WebServiceTemplate.java:417)
    Client securityPolicy.xml
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <xwss:SecurityConfiguration dumpMessages="true"
    	xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
    	<xwss:Sign includeTimestamp="true">
    	</xwss:Sign>
    	<xwss:RequireSignature requireTimestamp="true" />
    </xwss:SecurityConfiguration>
    client spring config
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
    	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">
    
    	<bean id="messageFactory" class="org.springframework.ws.soap.saaj.SaajSoapMessageFactory" />
    
    	<bean id="abstractClient" abstract="true">
    		<constructor-arg ref="messageFactory" />
    		<property name="defaultUri"
    			value="http://localhost:18080/SpringWS-airline-server/services" />
    	</bean>
    
    	<bean id="marshaller" class="org.springframework.oxm.xmlbeans.XmlBeansMarshaller" />
    
    	<bean id="getFlights" parent="abstractClient"
    		class="org.springframework.ws.samples.airline.client.sws.GetFlights">
    		<property name="marshaller" ref="marshaller" />
    		<property name="unmarshaller" ref="marshaller" />
    	</bean>
    
    	<bean id="getFrequentFlyerMileage" parent="abstractClient"
    		class="org.springframework.ws.samples.airline.client.sws.GetFrequentFlyerMileage">
    		<property name="interceptors" ref="securityInterceptor2" />
    	</bean>
    
    	<bean id="securityInterceptor"
    		class="org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor">
    		<property name="securementActions" value="UsernameToken" />
    		<property name="securementUsername" value="john" />
    		<property name="securementPassword" value="changeme" />
    	</bean>
    
    	<bean id="securityInterceptor2"
    		class="org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor">
    		<property name="secureRequest" value="true" />
    		<property name="secureResponse" value="true" />
    		<property name="policyConfiguration"
    			value="classpath:org/springframework/ws/samples/airline/client/sws/securityPolicy.xml" />
    		<property name="callbackHandlers">
    			<list>				
    				<bean id="keyStoreHandler"
    					class="org.springframework.ws.soap.security.xwss.callback.KeyStoreCallbackHandler">
    					<property name="keyStore" ref="keyStore" />
    					<property name="trustStore" ref="trustStore" />
    					<property name="defaultAlias" value="WASClientCertificate" />
    					<property name="privateKeyPassword" value="sslwebsv" />
    				</bean>
    			</list>
    		</property>
    	</bean>
    
    
    	<bean id="keyStore"
    		class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
    		<property name="location"
    			value="file:///G:/COMMON/Kelvin/SSLCert/ClientKeyStore/ClientKeyStore.jks" />
    		<property name="password" value="sslwebsv" />
    	</bean>
    
    	<bean id="trustStore"
    		class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
    		<property name="location"
    			value="file:///G:/COMMON/Kelvin/SSLCert/ClientTrustStore/ClientTrustStore.jks" />
    		<property name="password" value="sslwebsv" />
    	</bean>
    
    </beans>
    Server securityPolicy.xml
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <xwss:SecurityConfiguration dumpMessages="true"
    	xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
    	<xwss:Sign includeTimestamp="true">
    	</xwss:Sign>
    	<xwss:RequireSignature requireTimestamp="true" />
    </xwss:SecurityConfiguration>
    Server Spring config:
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
    	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
    	xmlns:sws="http://www.springframework.org/schema/web-services"
    	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd
           http://www.springframework.org/schema/web-services http://www.springframework.org/schema/web-services/web-services-2.0.xsd">
    
    	<sws:annotation-driven />
    
    	<sws:interceptors>
    		<bean
    			class="org.springframework.ws.server.endpoint.interceptor.PayloadLoggingInterceptor" />
    		<bean
    			class="org.springframework.ws.soap.server.endpoint.interceptor.PayloadValidatingInterceptor">
    			<property name="xsdSchemaCollection" ref="schemaCollection" />
    			<property name="validateRequest" value="true" />
    			<property name="validateResponse" value="true" />
    		</bean>
    		<sws:payloadRoot localPart="GetFrequentFlyerMileageRequest"
    			namespaceUri="http://www.springframework.org/spring-ws/samples/airline/schemas/messages">
    			<bean
    				class="org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor">
    				<property name="secureRequest" value="true" />
    				<property name="secureResponse" value="true" />
    				<property name="policyConfiguration"
    					value="classpath:org/springframework/ws/samples/airline/security/securityPolicy.xml" />
    				<property name="callbackHandlers">
    					<list>
    						<!-- <bean class="org.springframework.ws.soap.security.xwss.callback.SpringDigestPasswordValidationCallbackHandler"> -->
    						<!-- <property name="userDetailsService" ref="securityService"/> -->
    						<!-- </bean> -->
    						<bean id="keyStoreHandler"
    							class="org.springframework.ws.soap.security.xwss.callback.KeyStoreCallbackHandler">
    							<property name="keyStore" ref="keyStore" />
    							<property name="trustStore" ref="trustStore" />
    							<property name="defaultAlias" value="WASServerCertificate" />
    							<property name="privateKeyPassword" value="sslwebsv" />
    						</bean>
    					</list>
    				</property>
    			</bean>
    		</sws:payloadRoot>
    	</sws:interceptors>
    
    	<context:component-scan base-package="org.springframework.ws.samples.airline.ws" />
    
    	<bean id="messageFactory" class="org.springframework.ws.soap.saaj.SaajSoapMessageFactory" />
    
    	<bean id="messageReceiver"
    		class="org.springframework.ws.soap.server.SoapMessageDispatcher" />
    
    	<bean id="schemaCollection"
    		class="org.springframework.xml.xsd.commons.CommonsXsdSchemaCollection">
    		<description>
    			This bean wraps messages.xsd (which imports types.xsd)
    			and inlines them as one schema.
    		</description>
    		<property name="xsds" value="/messages.xsd" />
    		<property name="inline" value="true" />
    	</bean>
    
    	<bean id="keyStore"
    		class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
    		<property name="location"
    			value="file:///G:/COMMON/Kelvin/SSLCert/ServerKeyStore/ServerKeyStore.jks" />
    		<property name="password" value="sslwebsv" />
    	</bean>
    
    	<bean id="trustStore"
    		class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
    		<property name="location"
    			value="file:///G:/COMMON/Kelvin/SSLCert/ServerTrustStore/ServerTrustStore.jks" />
    		<property name="password" value="sslwebsv" />
    	</bean>
    
    </beans>
    Last edited by kelvinlaw; May 29th, 2012, 05:03 AM.

  • #2
    Client SOAP Request:
    Code:
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
      <SOAP-ENV:Header>
    <wsse:Security SOAP-ENV:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          <wsu:Timestamp Id="XWSSGID-1338187957034-1800618422" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsu:Created>2012-05-28T06:52:36Z</wsu:Created>
            <wsu:Expires>2012-05-28T06:57:36Z</wsu:Expires>
          </wsu:Timestamp>
          <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" Id="XWSSGID-1338187954588187747087" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">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</wsse:BinarySecurityToken>
          <ds:Signature Id="XWSSGID-13381879545861320996289" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
              <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <InclusiveNamespaces PrefixList="wsse SOAP-ENV" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              </ds:CanonicalizationMethod>
              <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
              <ds:Reference URI="#XWSSGID-1338187957033-2080574596">
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>Kj1csKoQw6xoK+tmGe2GpIuiWic=</ds:DigestValue>
              </ds:Reference>
              <ds:Reference URI="#XWSSGID-1338187957034-1800618422">
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>G/1Zkl8jf+P6vdUZlSzRkT5/NjM=</ds:DigestValue>
              </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>GdwgkpI4R84B42ejdjRMliDqwjyjfYx0PrRktUtUSpY7EOMn6duJWfzWxATTJdgpfVYy/iRL3C/r
    Ev9w/NnintIh3S/4y4TpRNMePoY2aTno6EkAied4mKrs+h8qMwBAALyYZKcGY4/DuT3DC5tUHP6T
    dKqFt/eG1e4eXLefWOw=</ds:SignatureValue>
            <ds:KeyInfo>
              <wsse:SecurityTokenReference Id="XWSSGID-13381879570201094426210" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsse:Reference URI="#XWSSGID-1338187954588187747087" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
    </wsse:SecurityTokenReference>
            </ds:KeyInfo>
          </ds:Signature>
        </wsse:Security>
      </SOAP-ENV:Header>
      <SOAP-ENV:Body Id="XWSSGID-1338187957033-2080574596" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <GetFrequentFlyerMileageRequest xmlns="http://www.springframework.org/spring-ws/samples/airline/schemas/messages"/>
      </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>
    Server Soap Response:
    Code:
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
      <SOAP-ENV:Header>
    <wsse:Security SOAP-ENV:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          <wsu:Timestamp Id="XWSSGID-1338187957741-277282419" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsu:Created>2012-05-28T06:52:37Z</wsu:Created>
            <wsu:Expires>2012-05-28T06:57:37Z</wsu:Expires>
          </wsu:Timestamp>
          <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" Id="XWSSGID-13381879400691360022552" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">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</wsse:BinarySecurityToken>
          <ds:Signature Id="XWSSGID-1338187940065982883741" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
              <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <InclusiveNamespaces PrefixList="wsse SOAP-ENV" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              </ds:CanonicalizationMethod>
              <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
              <ds:Reference URI="#XWSSGID-13381879577411029700770">
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>4x4mupCvHbmmKrUqOW0awB52i1o=</ds:DigestValue>
              </ds:Reference>
              <ds:Reference URI="#XWSSGID-1338187957741-277282419">
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>Z9gSlgDHoT52Z2/pte842vvKVfs=</ds:DigestValue>
              </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>CxwsRTZaWbgqP4L+uuH+Ppk9es2qLK/DekUAOyVdlSTH88Ie704Tll2jYhXEl2k59Fvs+bxpiy+q
    7CvukXc9lwfLj/PblYhyO7C29Ok0fvj1pn8A0M9AVLfiDzSvu9aZFlDeq98Lg7+aMWbRPvVwUon9
    65dgRSUMYMBXB//msB4=</ds:SignatureValue>
            <ds:KeyInfo>
              <wsse:SecurityTokenReference Id="XWSSGID-1338187957739-1738789238" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsse:Reference URI="#XWSSGID-13381879400691360022552" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
    </wsse:SecurityTokenReference>
            </ds:KeyInfo>
          </ds:Signature>
        </wsse:Security>
      </SOAP-ENV:Header>
      <SOAP-ENV:Body Id="XWSSGID-13381879577411029700770" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <GetFrequentFlyerMileageResponse xmlns="http://www.springframework.org/spring-ws/samples/airline/schemas/messages">0</GetFrequentFlyerMileageResponse>
      </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>



    • #3
      The trust store might be missing the certificate. See this post for more details.

      http://techieocean.blogspot.com/2013...exception.html

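The trace in the first post (WSS1364 "Unable to validate certificate" raised from KeySelectorImpl while the client handles the response) and the suggestion in #3 both point at the same condition: the certificate carried in the server's wsse:BinarySecurityToken is not accepted by the client's trust store. The following stand-alone Java program is an added example, not code from the thread or from Spring WS or XWSS; it reproduces that trust decision offline so the operator can see which case applies before touching the keystores. It assumes the dumped server response (dumpMessages="true" prints it) has been saved to a file with the full base64 token, and that the trust store path and password passed on the command line are the client's; the default file names and the password "changeit" are placeholders.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Collections;
import java.util.Enumeration;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Hypothetical diagnostic (not XWSS code): pull the signer certificate out of a
 * dumped WS-Security message and explain whether a JKS trust store would accept it.
 */
public class TokenTrustCheck {

    // First wsse:BinarySecurityToken in the dump; its text content is base64 DER.
    private static final Pattern BST = Pattern.compile(
            "<wsse:BinarySecurityToken[^>]*>([^<]+)</wsse:BinarySecurityToken>", Pattern.DOTALL);

    /** Returns the base64 DER of the first BinarySecurityToken, line wrapping removed. */
    static String extractToken(String soapXml) {
        Matcher m = BST.matcher(soapXml);
        if (!m.find()) {
            throw new IllegalArgumentException("message carries no wsse:BinarySecurityToken");
        }
        return m.group(1).replaceAll("\\s+", "");
    }

    static X509Certificate parseToken(String base64Der) throws Exception {
        byte[] der = Base64.getDecoder().decode(base64Der);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
    }

    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Number of trustedCertEntry entries; only these become PKIX trust anchors. */
    static int trustedEntries(KeyStore ks) throws Exception {
        int n = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            if (ks.isCertificateEntry(e.nextElement())) n++;
        }
        return n;
    }

    /** One-line verdict on why the signer certificate is, or is not, trusted. */
    static String explain(X509Certificate cert, KeyStore trustStore) throws Exception {
        // Case 1: the token certificate itself is a trusted entry (usual for self-signed lab certs).
        String alias = trustStore.getCertificateAlias(cert);
        if (alias != null) {
            return "trusted directly: trust store alias '" + alias + "'";
        }
        // Case 2: it must chain to a trust anchor; PKIX also enforces the validity period.
        if (trustedEntries(trustStore) == 0) {
            return "NOT trusted: trust store has no trusted certificate entries";
        }
        try {
            PKIXParameters params = new PKIXParameters(trustStore);
            params.setRevocationEnabled(false); // offline diagnostic: no CRL/OCSP lookups
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            CertPathValidator.getInstance("PKIX")
                    .validate(cf.generateCertPath(Collections.singletonList(cert)), params);
            return "trusted via chain: issuer " + cert.getIssuerX500Principal() + " is a trust anchor";
        } catch (CertPathValidatorException e) {
            return "NOT trusted: " + e.getMessage()
                    + " (subject=" + cert.getSubjectX500Principal()
                    + ", issuer=" + cert.getIssuerX500Principal()
                    + ", notAfter=" + cert.getNotAfter() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        String dump = args.length > 0 ? args[0] : "server-response.xml";            // placeholder
        String trustStorePath = args.length > 1 ? args[1] : "ClientTrustStore.jks";  // placeholder
        char[] password = (args.length > 2 ? args[2] : "changeit").toCharArray();    // placeholder

        String xml = new String(Files.readAllBytes(Paths.get(dump)), StandardCharsets.UTF_8);
        X509Certificate signer = parseToken(extractToken(xml));
        System.out.println("signer: " + signer.getSubjectX500Principal());
        System.out.println(explain(signer, loadJks(trustStorePath, password)));
    }
}
```

Run it against the saved server response and the client trust store from the posted config (ClientTrustStore.jks). A "NOT trusted" verdict is the situation #3 describes: the server's signing certificate, or the CA that issued it, has to be imported into the client trust store as a trusted entry (keytool -importcert), after which both the direct-match and the PKIX path checks above succeed. The same program pointed at ServerTrustStore.jks and the dumped client request shows why the server side already passes.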