  • Namespace changing with XWSS secured messages

    Hello,
    I have a client sending signed SOAP messages using the XwsSecurityInterceptor, but the server, after the message signature is verified, is not routing to the correct (payload) endpoint. Looking at the payload after the signature verification is complete, I can see that the namespace of the message we used in the request is getting blanked out and also other attributes are getting added.
    Here is the SOAP message from the client:
    Code:
    INFO: ==== Sending Message Start ====
    <?xml version="1.0" encoding="UTF-8"?>
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" SOAP-ENV:mustUnderstand="1">
    <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="XWSSGID-1213323935616761466631">MIICzjCCAjcCCQDKOSruUPzf2TANBgkqhkiG9w0BAQUFADCBpzELMAkGA1UEBhMCQVUxFjAUBgNV
    BAgTDU5ld1NvdXRoV2FsZXMxEDAOBgNVBAcTB05vcndlc3QxFjAUBgNVBAoTDVdvb2x3b3J0aHNM
    dGQxDDAKBgNVBAsTA0lDQzEZMBcGA1UEAxMQTm9uUHJvZFNpZ25pbmdDQTEtMCsGCSqGSIb3DQEJ
    ARYeYWJyaWdodG1vb3JlQHdvb2x3b3J0aHMuY29tLmF1MB4XDTA4MDYxMTAyNTYxNVoXDTA4MDcx
    MTAyNTYxNVowga4xCzAJBgNVBAYTAkFVMRYwFAYDVQQIEw1OZXdTb3V0aFdhbGVzMQ8wDQYDVQQH
    EwZTeWRuZXkxFjAUBgNVBAoTDVdvb2x3b3J0aHNMdGQxDTALBgNVBAsTBEFEQ0MxIDAeBgNVBAMT
    F05vblByb2RQQVBTU2lnbjIwMDgwNjExMS0wKwYJKoZIhvcNAQkBFh5hYnJpZ2h0bW9vcmVAd29v
    bHdvcnRocy5jb20uYXUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL4cCNsj4icWYpk467L9
    wfexCSw9QywugZVY+dfSKglgOR+V/ZXxz8dBY2TJezRoiecMrCSo8dYFYqPz5jroBBt5zgOZQkdt
    ff4k4dLPOwbCLmFkyT90CWHoPn1w8yCFJK1UMRp6zejpltBLjxIZYB2f8BmJGC5ixohg3XqxRPhx
    AgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAoG4E9FG9GFyn7QikO8V+sq1GqnGgnLur9k2ClB0Fye6D
    /hP+WmLu1Jjgv+8bseTpKewcucIBVXh4wupWPL9YWhVdj0ZRkN4pi1935FB2nhUwdAY2OPXbtTNE
    RmQV4JTDwT0UIM1tvHWw66nQdnGFoJOBG3LscfQsVYSbvOjBx5I=</wsse:BinarySecurityToken>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#XWSSGID-12133239412411266694577">
    <ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
    <ds:XPath>./SOAP-ENV:Envelope/SOAP-ENV:Header/wsse:Security/ds:Signature[1]/ds:KeyInfo/wsse:SecurityTokenReference</ds:XPath>
    </ds:Transform>
    <ds:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
    <wsse:TransformationParameters>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </wsse:TransformationParameters>
    </ds:Transform>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:DigestValue>2jmj7l5rSw0yVb/vlWAYkK/YBwk=</ds:DigestValue>
    </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>QnS4SXbnvdclfot20xCVOdv1kQrbjr0mbCEMSp9ylQYo7os4SZL86NyoPXw22HpBanpOKOmYYRwm
    p3WuRDmH+fsEzOFcxqIuF/K8J1m2yiBMFojRxVb0HTESCl6nhxR4XxIWhQ9jAtXqckkcDdt9GO1L
    D0Q2M+qxtcGh5Cft1A8=</ds:SignatureValue>
    <ds:KeyInfo>
    <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="XWSSGID-12133239411791943987162">
    <wsse:Reference URI="#XWSSGID-1213323935616761466631" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
    </wsse:SecurityTokenReference>
    </ds:KeyInfo>
    </ds:Signature>
    </wsse:Security>
    </SOAP-ENV:Header>
    <SOAP-ENV:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="XWSSGID-12133239412411266694577">
    <ActivityStatementRequest xmlns="urn:B2C:Customer:PAP:ActivityStatementRequest_v1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" dateTime="2008-03-04T08:20:06.123456" sequenceNumber="44527670" xsi:schemaLocation="urn:B2C:Customer:PAP:ActivityStatementRequest_v1.0 C:\projects\pap\pap-core\src\main\resources\xsd\portal\Portal-ActivityStatement.xsd">
    	<DateRange fromDate="2008-03-04" toDate="2008-05-21"/>
    	<CardInfo tokenNumber="99999987777777777777"/>
    	<CardInfo tokenNumber="99999986666666666666"/>
    </ActivityStatementRequest>
    </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>
    ==== Sending Message End  ====
    The namespace we use to route to the endpoint is xmlns="urn:B2C:Customer:PAP:ActivityStatementRequest_v1.0" which is in the message on the ActivityStatementRequest payload element in the SOAP body. However, it is missing on the server:

    Code:
    INFO: ==== Received Message Start ====
    <?xml version="1.0" encoding="UTF-8"?>
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" SOAP-ENV:mustUnderstand="1">
    <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="XWSSGID-1213323374040257701632">MIICzjCCAjcCCQDKOSruUPzf2TANBgkqhkiG9w0BAQUFADCBpzELMAkGA1UEBhMCQVUxFjAUBgNV
    BAgTDU5ld1NvdXRoV2FsZXMxEDAOBgNVBAcTB05vcndlc3QxFjAUBgNVBAoTDVdvb2x3b3J0aHNM
    dGQxDDAKBgNVBAsTA0lDQzEZMBcGA1UEAxMQTm9uUHJvZFNpZ25pbmdDQTEtMCsGCSqGSIb3DQEJ
    ARYeYWJyaWdodG1vb3JlQHdvb2x3b3J0aHMuY29tLmF1MB4XDTA4MDYxMTAyNTYxNVoXDTA4MDcx
    MTAyNTYxNVowga4xCzAJBgNVBAYTAkFVMRYwFAYDVQQIEw1OZXdTb3V0aFdhbGVzMQ8wDQYDVQQH
    EwZTeWRuZXkxFjAUBgNVBAoTDVdvb2x3b3J0aHNMdGQxDTALBgNVBAsTBEFEQ0MxIDAeBgNVBAMT
    F05vblByb2RQQVBTU2lnbjIwMDgwNjExMS0wKwYJKoZIhvcNAQkBFh5hYnJpZ2h0bW9vcmVAd29v
    bHdvcnRocy5jb20uYXUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL4cCNsj4icWYpk467L9
    wfexCSw9QywugZVY+dfSKglgOR+V/ZXxz8dBY2TJezRoiecMrCSo8dYFYqPz5jroBBt5zgOZQkdt
    ff4k4dLPOwbCLmFkyT90CWHoPn1w8yCFJK1UMRp6zejpltBLjxIZYB2f8BmJGC5ixohg3XqxRPhx
    AgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAoG4E9FG9GFyn7QikO8V+sq1GqnGgnLur9k2ClB0Fye6D
    /hP+WmLu1Jjgv+8bseTpKewcucIBVXh4wupWPL9YWhVdj0ZRkN4pi1935FB2nhUwdAY2OPXbtTNE
    RmQV4JTDwT0UIM1tvHWw66nQdnGFoJOBG3LscfQsVYSbvOjBx5I=</wsse:BinarySecurityToken>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#XWSSGID-1213323376289497205683">
    <ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
    <ds:XPath>./SOAP-ENV:Envelope/SOAP-ENV:Header/wsse:Security/ds:Signature[1]/ds:KeyInfo/wsse:SecurityTokenReference</ds:XPath>
    </ds:Transform>
    <ds:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
    <wsse:TransformationParameters>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </wsse:TransformationParameters>
    </ds:Transform>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:DigestValue>2jmj7l5rSw0yVb/vlWAYkK/YBwk=</ds:DigestValue>
    </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>LqOvkNKpzTJ66CYAr10MDQlXzJjw81KuvXMC4KvzU4m9lDdYgiVdA+QyHqOo7OE8QZfPfwWoQ9Vq
    kJ20bk+eJGhQ/JEyPvISi74Q0CW6ZGo+ph2ffy/8qNNxdj2OyIxw0qn1TosPU5p+iQYG27OLAHUd
    8RKed1SG1e9TXfczGvM=</ds:SignatureValue>
    <ds:KeyInfo>
    <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="XWSSGID-1213323376211997721545">
    <wsse:Reference URI="#XWSSGID-1213323374040257701632" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
    </wsse:SecurityTokenReference>
    </ds:KeyInfo>
    </ds:Signature>
    </wsse:Security>
    </SOAP-ENV:Header>
    <SOAP-ENV:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="XWSSGID-1213323376289497205683">
    <ActivityStatementRequest xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" dateTime="2008-03-04T08:20:06.123456" sequenceNumber="936197564" xsi:schemaLocation="urn:B2C:Customer:PAP:ActivityStatementRequest_v1.0 C:\projects\pap\pap-core\src\main\resources\xsd\portal\Portal-ActivityStatement.xsd">
    <DateRange fromDate="2008-03-04" toDate="2008-05-21"/>
    <CardInfo tokenNumber="99999987777777777777"/>
    <CardInfo tokenNumber="99999986666666666666"/>
    </ActivityStatementRequest>
    </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>
    ==== Received Message End  ====
    The payload extracted out by my endpoint exception resolver looks like this:

    Code:
    <?xml version="1.0" encoding="UTF-8"?><ActivityStatementRequest xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" dateTime="2008-03-04T08:20:06.123456" sequenceNumber="936197564" xmlns="" xsi:schemaLocation="urn:B2C:Customer:PAP:ActivityStatementRequest_v1.0 C:\projects\pap\pap-core\src\main\resources\xsd\portal\Portal-ActivityStatement.xsd">  ...
    	
    </ActivityStatementRequest>
    Am I missing some configuration in the interceptor or policy files?
    Thanks
    Alan
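    A check added here, not from the post or from Spring-WS, that pulls the payload root QName out of each dump the way a payload-root endpoint mapping (Spring-WS's PayloadRootQNameEndpointMapping) keys on it, so the lost default namespace shows up as a routing-key mismatch rather than a silent "no endpoint" failure. The two envelopes are constructed abbreviations of the sent and received dumps above, with the Security header left out.

```python
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
# Routing key the server expects (from the client's message in the post).
EXPECTED_NS = "urn:B2C:Customer:PAP:ActivityStatementRequest_v1.0"
EXPECTED_ROOT = "ActivityStatementRequest"

# Constructed, abbreviated version of the "Sending Message" dump: default namespace present.
SENT = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header/>
<SOAP-ENV:Body>
<ActivityStatementRequest xmlns="urn:B2C:Customer:PAP:ActivityStatementRequest_v1.0"
    sequenceNumber="44527670">
<DateRange fromDate="2008-03-04" toDate="2008-05-21"/>
</ActivityStatementRequest>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""

# Constructed, abbreviated version of the "Received Message" dump: default namespace gone.
RECEIVED = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header/>
<SOAP-ENV:Body>
<ActivityStatementRequest xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    sequenceNumber="936197564">
<DateRange fromDate="2008-03-04" toDate="2008-05-21"/>
</ActivityStatementRequest>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""


def payload_root_qname(envelope_xml):
    """Return (namespace_uri, local_name) of the first element under SOAP-ENV:Body.
    ElementTree encodes the namespace as a '{uri}local' tag; a bare tag means no namespace."""
    env = ET.fromstring(envelope_xml)
    body = env.find("{%s}Body" % SOAP_ENV)
    if body is None or len(body) == 0:
        raise ValueError("no payload element under SOAP-ENV:Body")
    tag = body[0].tag
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def routing_check(envelope_xml):
    """True only when the payload root QName matches the expected routing key."""
    ns, local = payload_root_qname(envelope_xml)
    return (ns, local) == (EXPECTED_NS, EXPECTED_ROOT), ns, local
```

Running routing_check over the received dump returns False with an empty namespace URI, which is exactly the condition under which a QName-based mapping finds no endpoint.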

  • #2
    So XWSS is changing attributes and namespaces? To make sure, you can add debugging instructions to the XWSS policy file, something like:

    Code:
    <xwss:SecurityConfiguration dumpMessages="true" xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
        <xwss:RequireUsernameToken passwordDigestRequired="false" nonceRequired="false"/>
    </xwss:SecurityConfiguration>



    • #3
      dumpMessages="true" is in my config file - is there any other attribute?
      I posted the result of the message dump in my post.

      I came across this JIRA issue, http://jira.springframework.org/browse/SWS-207, and the entry:
      I also see the same problem as Sandeep mentioned, and the cause for the same is that "The resulting xml is semantically identical to the source but not textually". I did see a few namespaces missing from the resulting xml. This causes the signature validation to fail.

      I believe that XML transformation is done by the Core module and the Security module rebuilds the XML for verification, but the resultant xml is not complete. Is there a way to get the original XML (original SOAP message received) and use that for verification?
      I know this was to do with the WSS4J interceptor, but could my current problem be related somehow?

      I appreciate your response anyway. This problem is killing me!
      Regards
      Alan
