  • Spring WS Security Signature Failure

    Greetings,

    I'm trying to implement Spring WS Security using XwsSecurityInterceptor on both the server side and the client side. The problem that I'm having is with signature verification. The xws-security module seems to be coming up with different signatures for the exact same data, and I can't figure out why.

    Here is the pertinent data from the client side logs:
    Code:
    FINE: Signing with key: Sun RSA private CRT key, 2048 bits
      modulus:          19268414009502364593678986386433586776907709821264660524153781172975472972207456682483320344847922946655155846923457222890512204327581069998869532217887521958508953168422488512183934812306862130899629280095407354530830174738673481767970812931311831879386096632467492430834216304085848620060515985079968223162475157644796292656455916409552929593908423569994810400253145749522191964980336626587754739064026982785315902053983259119689746579083631716740830039981900775688008702517471154260085543730481638958321469421419773859825545544699030152481044315791041714040827876531613935266855562745706615880237808103211630866303
      public exponent:  65537
    
    FINE: Data to be signed/verified:PGRzOlNpZ25lZEluZm8geG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNp
    ZyMiPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5v
    cmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIj48L2RzOkNhbm9uaWNhbGl6YXRpb25NZXRob2Q+PGRz
    OlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1s
    ZHNpZyNyc2Etc2hhMSI+PC9kczpTaWduYXR1cmVNZXRob2Q+PGRzOlJlZmVyZW5jZSBVUkk9IiNY
    V1NTR0lELTEyMzgwOTc4ODM3MTQyMTkwMTEyNzMiPjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGht
    PSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjc2hhMSI+PC9kczpEaWdlc3RNZXRo
    b2Q+PGRzOkRpZ2VzdFZhbHVlPlZXK0NPS0xQUzlYQ0FkaGNFNGlaL1pCL1BUTT08L2RzOkRpZ2Vz
    dFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz4=
    ...
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:DigestValue>VW+COKLPS9XCAdhcE4iZ/ZB/PTM=</ds:DigestValue>
    Pertinent data from the server side logs
    Code:
    FINE: verifying with key: Sun RSA public key, 2048 bits
      modulus: 19268414009502364593678986386433586776907709821264660524153781172975472972207456682483320344847922946655155846923457222890512204327581069998869532217887521958508953168422488512183934812306862130899629280095407354530830174738673481767970812931311831879386096632467492430834216304085848620060515985079968223162475157644796292656455916409552929593908423569994810400253145749522191964980336626587754739064026982785315902053983259119689746579083631716740830039981900775688008702517471154260085543730481638958321469421419773859825545544699030152481044315791041714040827876531613935266855562745706615880237808103211630866303
      public exponent: 65537
    ...
    <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#XWSSGID-1238097883714219011273"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>VW+COKLPS9XCAdhcE4iZ/ZB/PTM=</ds:DigestValue></ds:Reference></ds:SignedInfo>
    ...
    FINE: Data to be signed/verified:PGRzOlNpZ25lZEluZm8geG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNp
    ZyMiPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5v
    cmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIj48L2RzOkNhbm9uaWNhbGl6YXRpb25NZXRob2Q+PGRz
    OlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1s
    ZHNpZyNyc2Etc2hhMSI+PC9kczpTaWduYXR1cmVNZXRob2Q+PGRzOlJlZmVyZW5jZSBVUkk9IiNY
    V1NTR0lELTEyMzgwOTc4ODM3MTQyMTkwMTEyNzMiPjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGht
    PSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjc2hhMSI+PC9kczpEaWdlc3RNZXRo
    b2Q+PGRzOkRpZ2VzdFZhbHVlPlZXK0NPS0xQUzlYQ0FkaGNFNGlaL1pCL1BUTT08L2RzOkRpZ2Vz
    dFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz4=
    ...
    FINE: Expected digest: VW+COKLPS9XCAdhcE4iZ/ZB/PTM=
    Mar 26, 2009 1:04:45 PM org.jcp.xml.dsig.internal.dom.DOMReference validate
    FINE: Actual digest: xkXPBLrSLsh+93gH83x+ttM2WII=
    Mar 26, 2009 1:04:45 PM org.jcp.xml.dsig.internal.dom.DOMXMLSignature validate
    FINE: Reference[#XWSSGID-1238097883714219011273] is valid: false
    Mar 26, 2009 1:04:45 PM org.jcp.xml.dsig.internal.dom.DOMXMLSignature validate
    FINE: Couldn't validate the References
    As you can see, it seems both the client and the server digest the exact same data and come up with different results. Both sides of this message are using the exact same libraries. I'm sure I'm missing something, I just can't tell what it is I'm missing.

    Here are my securityPolicy.xml files:
    Code:
    Client:
    
    <xwss:SecurityConfiguration dumpMessages="true" xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
    	<xwss:Sign includeTimestamp="false"/>
    </xwss:SecurityConfiguration>
    
    Server:
    <xwss:SecurityConfiguration dumpMessages="true" xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
    	<xwss:RequireSignature requireTimestamp="false"/>
    </xwss:SecurityConfiguration>
    Here's the pertinent info from the applicationContexts:

    Code:
    SERVER side:
    	<bean id="keyStoreHandler" 
    		class="org.springframework.ws.soap.security.xwss.callback.KeyStoreCallbackHandler">
    		<property name="keyStore" ref="keyStore"/>
    		<property name="trustStore" ref="trustStore"/>
    <!-- This is only required if I'm encrypting or signing messages -->
    		<property name="privateKeyPassword" value="1qaz!QAZ"/>
    	</bean>
    	
    	<bean id="trustStore" 
    		class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
    		<property name="location" value="classpath:/TrustStore"/>
    		<property name="password" value="1qaz!QAZ"/>
    	</bean>
    	
    	<bean id="keyStore"
    		class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
    		<property name="location" value="classpath:/ACSServerStore"/>
    		<property name="password" value="1qaz!QAZ"/>
    	</bean>
    	<bean id="wsSecurityInterceptor"
    		class="org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor">
    		<property name="policyConfiguration" value="classpath:/securityPolicy.xml"/>
    		<property name="callbackHandlers">
    			<list>
    				<ref bean="keyStoreHandler"/>
    				<ref bean="springSecurityCertificateHandler"/>
    			</list>
    		</property>
    	</bean>
    CLIENT SIDE:
        <bean id="webServiceTemplate" class="org.springframework.ws.client.core.WebServiceTemplate">
            <constructor-arg ref="messageFactory"/>
            <property name="defaultUri" value="https://johna.ccbill.com:8443/AuthControlService/"/>
            <property name="marshaller" ref="marshaller"/>
            <property name="unmarshaller" ref="marshaller"/>
            <property name="interceptors">
            	<list>
            		<ref bean="securityInterceptor"/>
            	</list>
            </property>
        	<property name="messageSender">
        	    <bean class="org.springframework.ws.transport.http.CommonsHttpMessageSender">
        	    </bean>
        	</property>
        </bean>
    	<bean id="securityInterceptor"
    		class="org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor">
    		<property name="policyConfiguration" value="classpath:/com/ccbill/acs/tests/securityPolicy.xml"/>
    		<property name="callbackHandlers">
    			<list>
    				<ref bean="keyStoreHandler"/>
    			</list>
    		</property>
    	</bean>
    	
    	<bean id="keyStoreHandler" 
    		class="org.springframework.ws.soap.security.xwss.callback.KeyStoreCallbackHandler">
    		<property name="keyStore" ref="keyStore"/>
    		<property name="trustStore" ref="trustStore"/>
    		<property name="privateKeyPassword" value="1qaz!QAZ"/>
    		<property name="defaultAlias" value="dbclient"/>
    	</bean>
    	
    	<bean id="keyStore" 
    		class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
    		<property name="location" value="classpath:/com/ccbill/acs/tests/DBClientStore"/>
    		<property name="password" value="1qaz!QAZ"/>
    	</bean>
    	
    	<bean id="trustStore"
    		class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
    		<property name="location" value="classpath:/TrustStore"/>
    		<property name="password" value="1qaz!QAZ"/>
    	</bean>

    Any help or ideas is appreciated.

  • #2
    Solved

    I really couldn't locate a specific cause, but I refactored my project to use JDK1.5 and Tomcat 5.5 and that didn't help.

    I finally replaced the xerces, xml-security and xalan jars that shipped with Spring-WS-1.5.4 with the latest from each respective project. It now works.



    • #3
      Originally posted by john_anderson_ii
      I really couldn't locate a specific cause, but I refactored my project to use JDK1.5 and Tomcat 5.5 and that didn't help.

      I finally replaced the xerces, xml-security and xalan jars that shipped with Spring-WS-1.5.4 with the latest from each respective project. It now works.
      This is a little late, as you were experiencing this problem a while ago - but what error were you getting? Did you resolve it?

      I have some code that is quite similar to yours, though it is using x509. When trying to authenticate the user, I see the following error(s) on the server:
      Code:
      May 29, 2009 4:33:35 PM com.sun.xml.wss.impl.dsig.SignatureProcessor verify
      SEVERE: WSS1315: Signature Verification Failed
      May 29, 2009 4:33:35 PM com.sun.xml.wss.impl.dsig.SignatureProcessor verify
      SEVERE: WSS1338: Error occured in verifying the signature
      I've been unable to figure out what the cause of this error is.



      • #4
        If you are using Tomcat, you can add the following to Tomcat's conf/logging.properties file, and in the logs you should get a dump of the data that is being digested. If both the client side and server side are digesting the exact same data, but coming up with a different message digest result, then we do indeed have the same problem.

        Code:
        org.jcp.xml.dsig.internal.dom.level= FINEST
        I've fixed this problem in two different ways.

        The first is a little fuzzy, since it's been so long, but I think I grabbed the xmlsec source from apache and the xws-security source from glassfish, built them, and replaced the jars shipped with spring-ws 1.5.4. I don't remember which replacement of jars actually fixed the problem. I'm suspecting it was the newer version of xmlsec. Since xws-security depends on xmlsec, I probably would have tried xws-security, the top of the dependency chain first, and then gone down the dependency chain from there.

        The next way I fixed this problem was simply to upgrade to spring-ws 1.5.6. I did this when I changed the project from ant to maven without any problems or changes to my code. I thought I might need to replace the errant jars again, but the problem seems to be worked out in the new version of spring-ws.

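The diagnosis the original post and reply #4 describe (turn on FINEST logging for org.jcp.xml.dsig.internal.dom, then compare what the client signed with what the server verified) can be automated. The following script is an added example and not code from this thread or from Spring-WS; it assumes the log line shapes shown above ("Data to be signed/verified:" followed by wrapped base64, then "Expected digest:" / "Actual digest:" lines). The sample logs it parses are constructed here, using the SignedInfo and the two digest values quoted in the first post.

```python
"""Compare the XML-DSig debug output two JVMs logged for the same SOAP message.

With org.jcp.xml.dsig.internal.dom.level=FINEST the JDK provider logs the
base64 of the canonicalized <ds:SignedInfo> it signs/verifies and, for each
Reference, the expected and the freshly computed digest.  This pulls those
values out of a client log and a server log and reports where they diverge.
"""
import base64
import re
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample: the SignedInfo and digest values quoted in the thread,
# wrapped at 76 columns the way the JDK logger prints them.
SIGNED_INFO_XML = (
    '<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">'
    '</ds:CanonicalizationMethod>'
    '<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1">'
    '</ds:SignatureMethod>'
    '<ds:Reference URI="#XWSSGID-1238097883714219011273">'
    '<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>'
    '<ds:DigestValue>VW+COKLPS9XCAdhcE4iZ/ZB/PTM=</ds:DigestValue>'
    '</ds:Reference></ds:SignedInfo>'
)
_B64 = base64.encodebytes(SIGNED_INFO_XML.encode()).decode()  # 76-char lines

CLIENT_LOG = (
    "FINE: Signing with key: Sun RSA private CRT key, 2048 bits\n"
    "FINE: Data to be signed/verified:" + _B64 + "...\n"
)
SERVER_LOG = (
    "FINE: verifying with key: Sun RSA public key, 2048 bits\n"
    "FINE: Data to be signed/verified:" + _B64 + "...\n"
    "FINE: Expected digest: VW+COKLPS9XCAdhcE4iZ/ZB/PTM=\n"
    "Mar 26, 2009 1:04:45 PM org.jcp.xml.dsig.internal.dom.DOMReference validate\n"
    "FINE: Actual digest: xkXPBLrSLsh+93gH83x+ttM2WII=\n"
    "FINE: Reference[#XWSSGID-1238097883714219011273] is valid: false\n"
)

_B64_LINE = re.compile(r"^[A-Za-z0-9+/=]+$")
_MARKER = "Data to be signed/verified:"


def extract_signed_info(log_text):
    """Return the decoded SignedInfo bytes; base64 may continue on following lines."""
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        if _MARKER in line:
            chunks = [line.split(_MARKER, 1)[1].strip()]
            for cont in lines[i + 1:]:
                cont = cont.strip()
                if not _B64_LINE.match(cont):   # "..." or a timestamp ends the dump
                    break
                chunks.append(cont)
            return base64.b64decode("".join(chunks))
    raise ValueError("no '%s' entry in log" % _MARKER)


def summarize_signed_info(signed_info):
    """Pull the algorithms, Reference URI and embedded DigestValue out of SignedInfo."""
    root = ET.fromstring(signed_info)
    ref = root.find(DS + "Reference")
    return {
        "c14n": root.find(DS + "CanonicalizationMethod").get("Algorithm"),
        "signature": root.find(DS + "SignatureMethod").get("Algorithm"),
        "reference_uri": ref.get("URI"),
        "digest_method": ref.find(DS + "DigestMethod").get("Algorithm"),
        "digest_value": ref.find(DS + "DigestValue").text.strip(),
    }


def extract_digests(log_text):
    """Expected (from the message) and actual (recomputed) Reference digests."""
    out = {}
    for key, label in (("expected", "Expected digest:"), ("actual", "Actual digest:")):
        m = re.search(re.escape(label) + r"\s*(\S+)", log_text)
        out[key] = m.group(1) if m else None
    return out


def diagnose(client_log, server_log):
    """Say whether SignedInfo or the referenced element is what the two sides disagree on."""
    client_si = extract_signed_info(client_log)
    server_si = extract_signed_info(server_log)
    summary = summarize_signed_info(server_si)
    digests = extract_digests(server_log)
    verdict = {
        "signed_info_identical": client_si == server_si,
        "expected_matches_signed_info": digests["expected"] == summary["digest_value"],
        "reference_digest_matches": digests["expected"] == digests["actual"],
        "reference_uri": summary["reference_uri"],
        "c14n": summary["c14n"],
    }
    if not verdict["signed_info_identical"]:
        verdict["where"] = "canonicalized SignedInfo differs between client and server"
    elif not verdict["reference_digest_matches"]:
        verdict["where"] = ("SignedInfo agrees on both sides; the canonical form of the "
                            "element at %s differs between the two XML stacks" % summary["reference_uri"])
    else:
        verdict["where"] = "no mismatch found"
    return verdict


if __name__ == "__main__":
    for k, v in diagnose(CLIENT_LOG, SERVER_LOG).items():
        print("%-30s %s" % (k, v))
```

For the logs quoted in this thread the script reports that the SignedInfo bytes are identical on both sides and that the expected digest equals the DigestValue the client put into the message, so the disagreement is confined to the canonical form of the referenced element (the signed Body). That narrows the fault to the XML parser and C14N implementation on the classpath rather than the keys or the policy files, which is consistent with swapping the xerces/xml-security/xalan jars making the problem go away.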


        • #5
          Thanks for the quick response.

          I am using Tomcat (6.0.14). I have tried Jetty (via the Maven plugin), and actually get a *different* error. I have obtained the same negative results using Spring WS 1.5.6 and 1.5.7. So, I'll try your first suggestion on Monday.

          At this point, I really have no idea what the problem is - so I'm hoping extensive trial and error will shine a light in the right direction. If I have positive results, I'll be sure to let you know.

          Have a good weekend,
          -Dave



          • #6
            Originally posted by john_anderson_ii
            The next way I fixed this problem was simply to upgrade to spring-ws 1.5.6. I did this when I changed the project from ant to maven without any problems or changes to my code. I thought I might need to replace the errant jars again, but the problem seems to be worked out in the new version of spring-ws.
            Hmm; we must have run into somewhat similar problems, although I am getting almost the exact same results you are.

            I've actually tried using spring-ws 1.5.4, 1.5.6, and 1.5.7 - all to no avail. I tried to replicate your solution by excluding references to all three of those libraries in my POM file.

            Code:
            		<dependency>
            			<groupId>org.springframework.ws</groupId>
            			<artifactId>spring-ws-security</artifactId>
            			<version>1.5.4</version>
            			<exclusions>
            				<exclusion>
            					<groupId>com.sun.xml.wss</groupId>
            					<artifactId>xws-security</artifactId>
            				</exclusion>
            				<exclusion>
            					<groupId>org.apache.santuario</groupId>
            					<artifactId>xmlsec</artifactId>
            				</exclusion>
            				<exclusion>
            					<groupId>xalan</groupId>
            					<artifactId>xalan</artifactId>
            				</exclusion>
            				<exclusion>
            					<groupId>xerces</groupId>
            					<artifactId>xercesImpl</artifactId>
            				</exclusion>
            			</exclusions>
            		</dependency>
            The app actually still works. Apparently, Xalan, Xerces, and Xmlsec were not being used. The XWS-Security classes are contained in the Java Web Services stack (obtained here: https://metro.dev.java.net/1.2/ ). I am using version 1.2 - perhaps that is the key difference.

            I subsequently tried to pull in a specific XWS library, but I got the same results.

            Code:
            		<dependency>
            			<groupId>com.sun.xml.wss</groupId>
            			<artifactId>xws-security</artifactId>
            			<version>2.0-FCS</version>
            		</dependency>
            I suspect what I have is *almost* working. Oddly, I have the same service working with the same form of authentication using the Spring WSS implementation ( http://static.springsource.org/sprin...ty-interceptor ). I could just give up and use that approach; but I would like to know why this isn't working.

            If I have any luck, I'll be sure to share.

            Thanks,
            -Dave



            • #7
              Hi, I'm sorry to revive this thread after so long, but I'm having the same problem as described here: the xws-security module seems to be coming up with different digests for the exact same data. I've tried the suggested solutions described, but with no luck. I'm using spring-ws 2.1.1. I would appreciate any help.

              Thank you for your time,

              Sebastian Montero
