Problem producing valid signature with XWSS for WSS4j with spring ws version 1.0

  • Problem producing valid signature with XWSS for WSS4j with spring ws version 1.0

    I'm having problems with the signing of my SOAP request client side with XWSS invoking a WSS4J (Axis 2 secured with rampart) webservice.
    Currently I need to use an older version of spring and spring webservices on an old application.
    My spring-version is 2.0.8 and 1.0.0
    This is probably related to http://jira.springframework.org/browse/SWS-345 and http://forum.springsource.org/archiv...p/t-52489.html

    In the new application I will be able to use the latest version of spring and spring webservices.
    But first of course the old application needs to be able to handle it.

    Using Axis generated client code together with rampart I'm able to successfully invoke the method.
    But I don't wish to use generated code.
    Using spring together with xwss and castor gives me a much cleaner solution.
    Apart from the fact that it won't work of course :-(

    The response I'm always receiving is:
    "Signature failed to validate. Reference: #XWSSGID-1247474613236121428576 does not validate."
    So I suspect something goes wrong with the digest value creation or transformation.

    In order to secure my message I use the following (no client side interceptors on webservice template yet).

    ----------8<----------8<----------8<----------8<----------8<----------8<
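    import java.io.IOException;
    import java.io.InputStream;

    import javax.xml.soap.SOAPMessage;

    import com.sun.xml.wss.ProcessingContext;
    import com.sun.xml.wss.XWSSProcessor;
    import com.sun.xml.wss.XWSSProcessorFactory;

    import org.springframework.core.io.Resource;
    import org.springframework.ws.WebServiceMessage;
    import org.springframework.ws.client.core.WebServiceMessageCallback;
    import org.springframework.ws.soap.saaj.SaajSoapMessage;
    import org.springframework.ws.soap.security.xwss.XwsSecuritySecurementException;
    import org.springframework.ws.soap.security.xwss.callback.KeyStoreCallbackHandler;

    public class XwssMessageSecurerFactory {

        private final XWSSProcessor processor;

        public XwssMessageSecurerFactory(Resource policyFile, KeyStoreCallbackHandler keystoreHandler) throws Exception {
            InputStream in = null;
            try {
                // Build the XWSS processor from the security policy file.
                in = policyFile.getInputStream();
                XWSSProcessorFactory factory = XWSSProcessorFactory.newInstance();
                processor = factory.createProcessorForSecurityConfiguration(in, keystoreHandler);
            }
            finally {
                if (in != null) {
                    in.close();
                }
            }
        }

        /**
         * This is redundant for Spring webservices 1.5.
         * Then there are client side interceptors.
         *
         * @return callback that secures the outbound message with XWSS
         */
        public WebServiceMessageCallback createSecurerCallback() {
            return new WebServiceMessageCallback() {
                public void doWithMessage(WebServiceMessage message) throws IOException {
                    SaajSoapMessage origSaajMessage = (SaajSoapMessage) message;
                    SOAPMessage origSoapMessage = origSaajMessage.getSaajMessage();
                    try {
                        ProcessingContext context = processor.createProcessingContext(origSaajMessage.getSaajMessage());
                        context.setSOAPMessage(origSoapMessage);
                        // Set security on message.
                        SOAPMessage securedSoapMessage = processor.secureOutboundMessage(context);
                        // http://jira.springframework.org/browse/SWS-345
                        securedSoapMessage.saveChanges();
                        origSaajMessage.setSaajMessage(securedSoapMessage);
                    }
                    catch (Exception exc) {
                        exc.printStackTrace();
                        throw new XwsSecuritySecurementException(exc.getMessage());
                    }
                }
            };
        }
    }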
    ----------8<----------8<----------8<----------8<----------8<----------8<

    And for completeness sake the XWSS client security policy file.

    ----------8<----------8<----------8<----------8<----------8<----------8<
    <?xml version="1.0" encoding="UTF-8"?>
    <xwss:SecurityConfiguration dumpMessages="true" xmlns:xwss="http://java.sun.com/xml/ns/xwss/config"
                                xmlns:wss="http://uri.etsi.org/01903/v1.1.1#">
        <xwss:Timestamp/>
        <xwss:Sign includeTimestamp="false">
            <xwss:X509Token certificateAlias="CertificateAlias"
                            keyReferenceType="Direct"
                            valueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
                            encodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                            strId="MyCertificate"
            />
            <xwss:CanonicalizationMethod disableInclusivePrefix="true" />
            <xwss:SignatureMethod algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <xwss:SignatureTarget type="xpath"
                                  value="./SOAP-ENV:Envelope/SOAP-ENV:Body"><!-- type="qname" value="SOAP-BODY" -->
                <xwss:DigestMethod algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <xwss:Transform algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" disableInclusivePrefix="true" />
            </xwss:SignatureTarget>
            <xwss:SignatureTarget type="xpath"
                                  value="./SOAP-ENV:Envelope/SOAP-ENV:Header/wsse:Security/wsse:BinarySecurityToken">
                <xwss:DigestMethod algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <xwss:Transform algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" disableInclusivePrefix="true"/>
            </xwss:SignatureTarget>
            <xwss:SignatureTarget type="xpath"
                                  value="./SOAP-ENV:Envelope/SOAP-ENV:Header/wsse:Security/wsu:Timestamp">
                <xwss:DigestMethod algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <xwss:Transform algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" disableInclusivePrefix="true"/>
            </xwss:SignatureTarget>
        </xwss:Sign>
    </xwss:SecurityConfiguration>
    ----------8<----------8<----------8<----------8<----------8<----------8<

    Any ideas?
    Will I be able to get this to work easily with the latest version of spring webservices?

    Thanks in advance.

  • #2
    I did a test with spring 2.5.6 and spring webservices 1.5.7, using the XwsSecurityInterceptor and Wss4jSecurityInterceptor for invoking an Axis2 with rampart secured webservice. For the Xws interceptor the same error occurs. With the Wss4j interceptor the signature is valid and the request is accepted by the server.
