  • WSS4J on Websphere 7

    Hi All,

    I have implemented a WSS4J client and server on WAS 7 and I cannot validate the signature.

    I get the following error:
    Could not validate request: The signature or decryption was invalid; nested exception is org.apache.ws.security.WSSecurityException: The signature or decryption was invalid

    The same code works on tomcat perfectly well.

    The problem seems to be the canonicalization of the SignedInfo. This is the SignedInfo from the signing operation.

    Code:
    Canonicalized SignedInfo:
    [12/18/12 17:00:29:738 EST] 00000028  1 UOW= source=org.apache.jcp.xml.dsig.internal.dom.DOMSignedInfo class=org.apache.jcp.xml.dsig.internal.dom.DOMSignedInfo method=canonicalize org= prod= component= thread=[WebContainer : 2]
    <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soapenc soapenv xsd xsi"></ec:InclusiveNamespaces></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#id-29"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soapenc xsd xsi"></ec:InclusiveNamespaces></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>er0JY1hbu31Jei0LlckfGJ/Y6jU=</ds:DigestValue></ds:Reference></ds:SignedInfo>
    [12/18/12 17:00:29:738 EST] 00000028  1 UOW= source=org.apache.jcp.xml.dsig.internal.dom.DOMSignedInfo class=org.apache.jcp.xml.dsig.internal.dom.DOMSignedInfo method=canonicalize org= prod= component= thread=[WebContainer : 2]
    Data to be signed/verified:PGRzOlNpZ25lZEluZm8geG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIj48ZWM6SW5jbHVzaXZlTmFtZXNwYWNlcyB4bWxuczplYz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIiBQcmVmaXhMaXN0PSJzb2FwZW5jIHNvYXBlbnYgeHNkIHhzaSI+PC9lYzpJbmNsdXNpdmVOYW1lc3BhY2VzPjwvZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZD48ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3JzYS1zaGExIj48L2RzOlNpZ25hdHVyZU1ldGhvZD48ZHM6UmVmZXJlbmNlIFVSST0iI2lkLTI5Ij48ZHM6VHJhbnNmb3Jtcz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIj48ZWM6SW5jbHVzaXZlTmFtZXNwYWNlcyB4bWxuczplYz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIiBQcmVmaXhMaXN0PSJzb2FwZW5jIHhzZCB4c2kiPjwvZWM6SW5jbHVzaXZlTmFtZXNwYWNlcz48L2RzOlRyYW5zZm9ybT48L2RzOlRyYW5zZm9ybXM+PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIj48L2RzOkRpZ2VzdE1ldGhvZD48ZHM6RGlnZXN0VmFsdWU+ZXIwSlkxaGJ1MzFKZWkwTGxja2ZHSi9ZNmpVPTwvZHM6RGlnZXN0VmFsdWU+PC9kczpSZWZlcmVuY2U+PC9kczpTaWduZWRJbmZvPg==

    and this is the SignedInfo from the verification of the signature:

    Code:
    Canonicalized SignedInfo:
    [12/18/12 17:00:29:910 EST] 00000026  1 UOW= source=org.apache.jcp.xml.dsig.internal.dom.DOMSignedInfo class=org.apache.jcp.xml.dsig.internal.dom.DOMSignedInfo method=canonicalize org= prod= component= thread=[WebContainer : 0]
    <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soapenc soapenv xsd xsi"></ec:InclusiveNamespaces></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#id-29"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soapenc xsd xsi"></ec:InclusiveNamespaces></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>er0JY1hbu31Jei0LlckfGJ/Y6jU=</ds:DigestValue></ds:Reference></ds:SignedInfo>
    [12/18/12 17:00:29:910 EST] 00000026  1 UOW= source=org.apache.jcp.xml.dsig.internal.dom.DOMSignedInfo class=org.apache.jcp.xml.dsig.internal.dom.DOMSignedInfo method=canonicalize org= prod= component= thread=[WebContainer : 0]
    Data to be signed/verified:PGRzOlNpZ25lZEluZm8geG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiIHhtbG5zOnNvYXBlbmM9Imh0dHA6Ly9zY2hlbWFzLnhtbHNvYXAub3JnL3NvYXAvZW5jb2RpbmcvIiB4bWxuczpzb2FwZW52PSJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy9zb2FwL2VudmVsb3BlLyIgeG1sbnM6eHNkPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSI+PGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiPjxlYzpJbmNsdXNpdmVOYW1lc3BhY2VzIHhtbG5zOmVjPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiIFByZWZpeExpc3Q9InNvYXBlbmMgc29hcGVudiB4c2QgeHNpIj48L2VjOkluY2x1c2l2ZU5hbWVzcGFjZXM+PC9kczpDYW5vbmljYWxpemF0aW9uTWV0aG9kPjxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiPjwvZHM6U2lnbmF0dXJlTWV0aG9kPjxkczpSZWZlcmVuY2UgVVJJPSIjaWQtMjkiPjxkczpUcmFuc2Zvcm1zPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiPjxlYzpJbmNsdXNpdmVOYW1lc3BhY2VzIHhtbG5zOmVjPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiIFByZWZpeExpc3Q9InNvYXBlbmMgeHNkIHhzaSI+PC9lYzpJbmNsdXNpdmVOYW1lc3BhY2VzPjwvZHM6VHJhbnNmb3JtPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiPjwvZHM6RGlnZXN0TWV0aG9kPjxkczpEaWdlc3RWYWx1ZT5lcjBKWTFoYnUzMUplaTBMbGNrZkdKL1k2alU9PC9kczpEaWdlc3RWYWx1ZT48L2RzOlJlZmVyZW5jZT48L2RzOlNpZ25lZEluZm8+
    The actual and expected digests are identical on WAS7.

    I am using PARENT-LAST classloading for the xerces, xalan and xml-sec libraries.

    The configuration for my spring-ws:
    Code:
    <bean id="crypto" class="org.springframework.ws.soap.security.wss4j.support.CryptoFactoryBean">
        <property name="keyStorePassword" value="Password1"/>
        <property name="keyStoreLocation" value="classpath:/signing.jks"/>
    </bean>

    <bean id="wsSecDigSign" class="org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor">
        <property name="securementActions" value="Signature"/>
        <property name="securementSignatureKeyIdentifier" value="DirectReference"/>
        <property name="securementUsername" value="signing"/>
        <property name="securementPassword" value="Password1"/>
        <property name="securementSignatureCrypto" ref="crypto"/>
    </bean>

    <sws:interceptors>
        <bean id="wsSecDigSignValidator" class="org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor">
            <property name="validationActions" value="Signature"/>
            <property name="validationSignatureCrypto" ref="crypto"/>
        </bean>
    </sws:interceptors>

    <bean id="externalWebServiceTemplate" class="org.springframework.ws.client.core.WebServiceTemplate">
        <constructor-arg ref="messageFactory"/>
        <property name="marshaller" ref="jaxbMarshaller"/>
        <property name="unmarshaller" ref="jaxbMarshaller"/>
        <property name="defaultUri" value="https://server:9443/Security/idmWebServices"/>
        <property name="interceptors">
            <list>
                <ref bean="wsSecDigSign"/>
            </list>
        </property>
    </bean>

    <bean id="messageFactory" class="org.springframework.ws.soap.saaj.SaajSoapMessageFactory"/>

    <sws:static-wsdl id="idmWebServices" location="/WEB-INF/idm.wsdl"/>

    <bean id="proxy" class="au.gov.customs.idmWebService.IdmWebServiceProxy"/>
    Using the following libraries:

    aopalliance-1.0.jar
    log4j-1.2.16.jar
    org.springframework.transaction-3.0.5.RELEASE.jar
    spring-security-core-3.0.5.RELEASE.jar
    asm-3.3.jar
    opensaml-2.5.1-1.jar
    org.springframework.web-3.0.5.RELEASE.jar
    spring-security-ldap-3.0.5.RELEASE.jar
    openws-1.4.2-1.jar
    org.springframework.web.servlet-3.0.5.RELEASE.jar
    spring-security-taglibs-3.0.5.RELEASE.jar
    cglib-2.2.jar
    org.springframework.aop-3.0.5.RELEASE.jar
    spring-security-web-3.0.5.RELEASE.jar
    com.ibm.ws.webservices.thinclient_7.0.0.jar
    org.springframework.asm-3.0.5.RELEASE.jar
    serializer-2.7.1.jar
    spring-ws-2.1.0.RELEASE-all.jar
    org.springframework.beans-3.0.5.RELEASE.jar
    spring-ldap-1.3.0.RELEASE-all.jar
    stax-1.2.0.jar
    commons-configuration-1.6.jar
    org.springframework.context-3.0.5.RELEASE.jar
    spring-ldap-core-1.3.0.RELEASE.jar
    stax-api-1.0.1.jar
    commons-dbutils-1.3.jar
    org.springframework.context.support-3.0.5.RELEASE.jar
    spring-ldap-core-tiger-1.3.0.RELEASE.jar
    wss4j-1.6.8.jar
    commons-fileupload-1.2.2.jar
    org.springframework.core-3.0.5.RELEASE.jar
    spring-ldap-test-1.3.0.RELEASE.jar
    xalan-2.7.1.jar
    commons-io-2.0.1.jar
    org.springframework.expression-3.0.5.RELEASE.jar
    spring-modules-validation.jar
    xercesImpl-2.9.1.jar
    commons-lang-2.3.jar
    org.springframework.jdbc-3.0.5.RELEASE.jar
    spring-security-acl-3.0.5.RELEASE.jar
    xml-apis-1.3.04.jar
    commons-logging-1.1.1.jar
    org.springframework.oxm-3.0.5.RELEASE.jar
    spring-security-aspects-3.0.5.RELEASE.jar
    xmlsec-1.5.3.jar
    commons-pool-1.3.jar
    org.springframework.test-3.0.0.M3.jar
    spring-security-cas-client-3.0.5.RELEASE.jar
    xmltooling-1.3.2-1.jar
    joda-time-1.6.2.jar
    org.springframework.test-3.0.5.RELEASE.jar
    spring-security-config-3.0.5.RELEASE.jar
    Has anyone run into any similar issue? Am I missing something simple?
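    The two "Data to be signed/verified:" trace lines above are the exact byte strings the RSA-SHA1 signature is computed over and later verified against, so the quickest diagnosis is to decode both and diff them. The script below is an added example, not code from the original post or from WSS4J or Spring-WS; it takes the two base64 strings from the trace above as its constructed input, reports which namespace declarations were rendered on ds:SignedInfo on each side, confirms the Reference digest is the same in both, and models the Exclusive C14N rule that decides whether a prefix from the InclusiveNamespaces PrefixList gets a declaration: only if that prefix is actually in scope at the element being canonicalized. The in-scope prefix sets passed to predicted_declarations at the bottom are assumptions used to illustrate the rule, not values taken from the trace.

```python
import base64
import re

# Constructed input: the two "Data to be signed/verified:" base64 strings from the
# WAS 7 trace quoted in the post (signing side first, verification side second).
SIGNING_SIDE_B64 = (
    "PGRzOlNpZ25lZEluZm8geG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIj48ZWM6SW5jbHVz"
    "aXZlTmFtZXNwYWNlcyB4bWxuczplYz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIiBQcmVmaXhMaXN0PSJzb2FwZW5jIHNvYXBlbnYgeHNkIHhzaSI+PC9lYzpJbmNsdXNpdmVOYW1lc3BhY2VzPjwvZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZD48ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ"
    "29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3JzYS1zaGExIj48L2RzOlNpZ25hdHVyZU1ldGhvZD48ZHM6UmVmZXJlbmNlIFVSST0iI2lkLTI5Ij48ZHM6VHJhbnNmb3Jtcz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG"
    "4jIj48ZWM6SW5jbHVzaXZlTmFtZXNwYWNlcyB4bWxuczplYz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIiBQcmVmaXhMaXN0PSJzb2FwZW5jIHhzZCB4c2kiPjwvZWM6SW5jbHVzaXZlTmFtZXNwYWNlcz48L2RzOlRyYW5zZm9ybT48L2RzOlRyYW5zZm9ybXM+PGRzOkRpZ2VzdE1ldGh"
    "vZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIj48L2RzOkRpZ2VzdE1ldGhvZD48ZHM6RGlnZXN0VmFsdWU+ZXIwSlkxaGJ1MzFKZWkwTGxja2ZHSi9ZNmpVPTwvZHM6RGlnZXN0VmFsdWU+PC9kczpSZWZlcmVuY2U+PC9kczpTaWduZWRJbmZvPg=="
)
VERIFY_SIDE_B64 = (
    "PGRzOlNpZ25lZEluZm8geG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiIHhtbG5zOnNvYXBlbmM9Imh0dHA6Ly9zY2hlbWFzLnhtbHNvYXAub3JnL3NvYXAvZW5jb2RpbmcvIiB4bWxuczpzb2FwZW52PSJodHRwOi8vc2NoZW1hcy54"
    "bWxzb2FwLm9yZy9zb2FwL2VudmVsb3BlLyIgeG1sbnM6eHNkPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSI+PGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczL"
    "m9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiPjxlYzpJbmNsdXNpdmVOYW1lc3BhY2VzIHhtbG5zOmVjPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiIFByZWZpeExpc3Q9InNvYXBlbmMgc29hcGVudiB4c2QgeHNpIj48L2VjOkluY2x1c2l2ZU5hbWVzcGFjZXM+PC9kczpDYW5vbmljYW"
    "xpemF0aW9uTWV0aG9kPjxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiPjwvZHM6U2lnbmF0dXJlTWV0aG9kPjxkczpSZWZlcmVuY2UgVVJJPSIjaWQtMjkiPjxkczpUcmFuc2Zvcm1zPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJ"
    "odHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiPjxlYzpJbmNsdXNpdmVOYW1lc3BhY2VzIHhtbG5zOmVjPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiIFByZWZpeExpc3Q9InNvYXBlbmMgeHNkIHhzaSI+PC9lYzpJbmNsdXNpdmVOYW1lc3BhY2VzPjwvZHM6VHJh"
    "bnNmb3JtPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiPjwvZHM6RGlnZXN0TWV0aG9kPjxkczpEaWdlc3RWYWx1ZT5lcjBKWTFoYnUzMUplaTBMbGNrZkdKL1k2alU9PC9kczpEaWdlc3RWYWx1ZT48L2RzOlJlZ"
    "mVyZW5jZT48L2RzOlNpZ25lZEluZm8+"
)

NS_DECL_RE = re.compile(r'xmlns:([A-Za-z_][\w.-]*)="([^"]*)"')


def decode_signed_info(b64: str) -> str:
    """The trace logs the canonical SignedInfo bytes base64-encoded; decode them back to text."""
    return base64.b64decode(b64).decode("utf-8")


def root_namespace_declarations(canonical_xml: str) -> dict:
    """{prefix: uri} for every xmlns declaration the canonicalizer rendered on the root start tag."""
    start_tag = canonical_xml[: canonical_xml.index(">")]
    return dict(NS_DECL_RE.findall(start_tag))


def c14n_prefix_list(canonical_xml: str) -> list:
    """PrefixList of the InclusiveNamespaces under CanonicalizationMethod (not the Reference Transform)."""
    m = re.search(r'<ds:CanonicalizationMethod[^>]*><ec:InclusiveNamespaces[^>]*PrefixList="([^"]*)"',
                  canonical_xml)
    return m.group(1).split() if m else []


def digest_value(canonical_xml: str) -> str:
    m = re.search(r"<ds:DigestValue>([^<]*)</ds:DigestValue>", canonical_xml)
    return m.group(1) if m else ""


def predicted_declarations(in_scope, visibly_utilized, prefix_list):
    """Exclusive C14N namespace rule for the apex element of the canonicalized subtree:
    a prefix gets an xmlns declaration only if it is visibly utilized by the element or
    named in PrefixList, AND a declaration for it is in scope there; output is sorted by
    prefix, the order canonical XML uses."""
    wanted = set(visibly_utilized) | set(prefix_list)
    return sorted(p for p in wanted if p in in_scope)


def diagnose(signing_b64: str, verify_b64: str) -> dict:
    """Compare the signer's and verifier's canonical SignedInfo and say exactly where they part ways."""
    sign_xml, verify_xml = decode_signed_info(signing_b64), decode_signed_info(verify_b64)
    sign_ns, verify_ns = root_namespace_declarations(sign_xml), root_namespace_declarations(verify_xml)
    first_diff = next((i for i, (a, b) in enumerate(zip(sign_xml, verify_xml)) if a != b),
                      min(len(sign_xml), len(verify_xml)))
    return {
        "identical": sign_xml == verify_xml,
        "same_digest": digest_value(sign_xml) == digest_value(verify_xml),
        "prefix_list": c14n_prefix_list(sign_xml),
        "only_at_signing": sorted(set(sign_ns) - set(verify_ns)),
        "only_at_verification": sorted(set(verify_ns) - set(sign_ns)),
        "first_difference_offset": first_diff,
    }


if __name__ == "__main__":
    for key, value in diagnose(SIGNING_SIDE_B64, VERIFY_SIDE_B64).items():
        print(f"{key}: {value}")
    # Assumed in-scope prefix sets, to illustrate the rule: a SignedInfo canonicalized
    # with only ds in scope vs. one canonicalized inside the parsed SOAP envelope.
    plist = ["soapenc", "soapenv", "xsd", "xsi"]
    print("signer-side prediction:", predicted_declarations({"ds"}, {"ds"}, plist))
    print("verifier-side prediction:",
          predicted_declarations({"ds", "soapenc", "soapenv", "xsd", "xsi"}, {"ds"}, plist))
```

The report shows the two byte strings are identical except that the verifier's copy carries xmlns declarations for soapenc, soapenv, xsd and xsi on ds:SignedInfo, which is exactly the PrefixList of the CanonicalizationMethod, while the Reference digest is the same on both sides. That split is the expected signature of this failure: the Reference transform ran on the same Body element in both JVMs and produced the same digest, but the RSA-SHA1 signature covers the canonical SignedInfo bytes, and one byte of difference there is enough for "The signature or decryption was invalid". Under the Exclusive C14N rule modelled by predicted_declarations, the signer only omits those four declarations if they were not in scope when SignedInfo was canonicalized, so the place to look is what the signing-side DOM looked like at that moment (for example a SignedInfo built outside the envelope) and which xmlsec implementation each class loader actually resolved, rather than the digest computation.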

  • #2
    Hi,

    I have a similar problem.

    Encryption/Signature works on Tomcat; but the same application on WebSphere does not. I receive "The signature or decryption was invalid; nested exception is org.apache.ws.security.WSSecurityException: The signature or decryption was invalid".

    The difference in the output between Tomcat and Websphere is the PrefixList attribute of the ec:InclusiveNamespaces element.

    Websphere:
    <ec:InclusiveNamespaces PrefixList="soapenc soapenv xsd xsi"
    xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>

    Tomcat:
    <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
    PrefixList="SOAP-ENV"/>


    Have you found any solution to this problem?



    • #3
      Originally posted by javak
      Hi,

      I have a similar problem.

      Encryption/Signature works on Tomcat; but the same application on WebSphere does not. I receive "The signature or decryption was invalid; nested exception is org.apache.ws.security.WSSecurityException: The signature or decryption was invalid".

      The difference in the output between Tomcat and Websphere is the PrefixList attribute of the ec:InclusiveNamespaces element.

      Websphere:
      <ec:InclusiveNamespaces PrefixList="soapenc soapenv xsd xsi"
      xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>

      Tomcat:
      <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
      PrefixList="SOAP-ENV"/>


      Have you found any solution to this problem?
      Unfortunately I didn't come up with a solution for this. My web services weren't external facing; they were internal to my application, so I was able to lock down the IP addresses using an alternate method. In theory, replacing the implementations of the jars responsible for the canonicalization of the WS on websphere with the tomcat versions should work (and changing the classloader to child first); however, I got a whole bunch of mismatches (missing methods mainly) when I attempted this and I ran out of time trying to sort it out. Sorry I can't be of more help.
