WS-Security: Signature verification failed

  • WS-Security: Signature verification failed

    Hi,

    I'm new to the Spring WS framework and need help securing a simple WS with WS-Security (I'm basically securing the "echo" sample).

    I've configured my client and server sides according to the documentation guidelines. Based on the information listed below, I'd appreciate it if anyone could help me figure out why I can't get past the signature verification step (WssSoapFaultException: Signature verification failed).

    Thanks.

    Eric

    ************************

    Client side:

    Very simple right now, the goal is to sign outgoing messages only.


    Client config files:
    Code:
    1/ SecurityPolicy.xml 
    <xwss:SecurityConfiguration xmlns:xwss="http://java.sun.com/xml/ns/xwss/config" dumpMessages="true">
        <xwss:Sign id="signature">
            <xwss:X509Token certificateAlias="wsclient"/>
        </xwss:Sign>
    </xwss:SecurityConfiguration>
    
    2/ ApplicationContext.xml
    <?xml version="1.0" encoding="UTF-8"?>
    
    <beans xmlns="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:util="http://www.springframework.org/schema/util"
        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
    
        
        <bean id="messageFactory" class="org.springframework.ws.soap.saaj.SaajSoapMessageFactory"/>
    
        <bean id="abstractClient" abstract="true">
            <constructor-arg ref="messageFactory"/>
            <property name="destinationProvider">
                <bean class="org.springframework.ws.client.support.destination.Wsdl11DestinationProvider">
                   
                    <property name="wsdl" value="http://localhost:8889/echo/echo.wsdl"/>
                </bean>
            </property>
        </bean>
    
        <bean id="marshaller" class="org.springframework.oxm.xmlbeans.XmlBeansMarshaller"/>
    
        <bean id="testAll" parent="abstractClient"
              class="com.oracle.connector.spml.test.TestAll">
            <property name="xwssMessageSigner" ref="xwssMessageSigner"/>
        </bean>

        <bean id="xwssMessageSigner" class="com.oracle.connector.spml.message.XwssMessageSigner">
            <constructor-arg value="classpath:securityPolicy.xml"/>
            <constructor-arg>
                <bean class="org.springframework.ws.soap.security.xwss.callback.KeyStoreCallbackHandler">
                    <property name="keyStore" ref="keyStore"/>
                    <property name="defaultAlias" value="wsclient"/>
                    <property name="privateKeyPassword" value="xxxxxxxx"/>
                    <property name="trustStore" ref="trustStore"/>
                </bean>
            </constructor-arg>
        </bean>

        <bean id="keyStoreHandler" class="org.springframework.ws.soap.security.xwss.callback.KeyStoreCallbackHandler">
            <property name="trustStore" ref="trustStore"/>
            <property name="keyStore" ref="keyStore"/>
        </bean>
    
        <bean id="trustStore" class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
            <property name="location" value="classpath:truststore.jks"/>
            <property name="password" value="xxxxxxxx"/>
        </bean>
        
        <bean id="keyStore" class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
            <!-- the posted line was missing the closing '>' of this self-closing tag -->
            <property name="location" value="classpath:keystore.jks"/>
            <property name="password" value="xxxxxxxx"/>
        </bean>
       
    </beans>
    On the client side, my keystore.jks contains two entries. My client key entry and the CA cert used to sign my client certificate.

    Your keystore contains 2 entries

    wsclient, Sep 14, 2009, keyEntry,
    Certificate fingerprint (MD5): 1A:E5:CC:BE:C2D:12:B8:77:1BC:6D:56:C4:B7:33
    cacert, Sep 16, 2009, trustedCertEntry,
    Certificate fingerprint (MD5): D5:E2:3F1:69:E9:83:08:38:A0:E5C:87:11:FD:FC


    On the server side (WS running under Tomcat 6.0) config files are:

    Code:
    1/ SecurityPolicy.xml
    
    <xwss:SecurityConfiguration xmlns:xwss="http://java.sun.com/xml/ns/xwss/config" dumpMessages="true">
    	<xwss:RequireSignature />	
    </xwss:SecurityConfiguration>
    
    2/ spring-ws-servlet.xml
    
    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">
    
        <description>
            This web application context contains Spring-WS beans. The beans defined in this context are automatically
            detected by Spring-WS, similar to the way Controllers are picked up in Spring Web MVC.
        </description>
    
        <bean id="payloadMapping" class="org.springframework.ws.server.endpoint.mapping.PayloadRootQNameEndpointMapping">
            <description>
                This endpoint mapping uses the qualified name of the payload (body contents) to determine the endpoint for
                an incoming message. Every message is passed to the default endpoint. Additionally, messages are logged
                using the logging interceptor.
            </description>
            <property name="defaultEndpoint" ref="echoEndpoint"/>
            <property name="interceptors">
                <list>
                    <!-- ref local="validatingInterceptor"/-->
                    <ref local="loggingInterceptor"/>
                    <ref local="wsSecurityInterceptor"/>                 
                </list>
            </property>
        </bean>
        
        <bean id="wsSecurityInterceptor"
              class="org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor">
            <property name="policyConfiguration" value="/WEB-INF/securityPolicy.xml"/>
            <property name="callbackHandlers">
                <list>
                    <ref bean="keyStoreHandler"/>
                </list>
            </property>
        </bean>

        <bean id="keyStoreHandler"
              class="org.springframework.ws.soap.security.xwss.callback.KeyStoreCallbackHandler">
            <property name="trustStore" ref="trustStore"/>
            <property name="keyStore" ref="keyStore"/>
        </bean>

        <bean id="trustStore"
              class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
            <property name="location" value="/WEB-INF/MyTruststore.jks"/>
            <property name="password" value="xxxxxxxx"/>
        </bean>

        <bean id="keyStore"
              class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
            <property name="location" value="/WEB-INF/keystore.jks"/>
            <property name="password" value="xxxxxxxx"/>
        </bean>

        <bean id="validatingInterceptor"
              class="org.springframework.ws.soap.server.endpoint.interceptor.PayloadValidatingInterceptor">
            <description>
                This interceptor validates both incoming and outgoing message contents according to the 'echo.xsd' XML
                Schema file.
            </description>
            <property name="xsdSchema" ref="schema"/>
            <property name="validateRequest" value="true"/>
            <property name="validateResponse" value="true"/>
        </bean>
        
        
        
    
        <bean id="loggingInterceptor" class="org.springframework.ws.server.endpoint.interceptor.PayloadLoggingInterceptor">
            <description>
                This interceptor logs the message payload.
            </description>
        </bean>
    
        <bean id="echoEndpoint" class="org.springframework.ws.samples.echo.ws.EchoEndpoint">
            <description>
                This endpoint handles echo requests.
            </description>
            <property name="echoService" ref="echoService"/>
        </bean>
    
        <bean id="echo" class="org.springframework.ws.wsdl.wsdl11.DefaultWsdl11Definition">
            <description>
                This bean definition represents a WSDL definition that is generated at runtime. It can be retrieved by
                going to /echo/echo.wsdl (i.e. the bean name corresponds to the filename).
            </description>
            <property name="schema" ref="schema"/>
            <property name="portTypeName" value="Echo"/>
            <property name="locationUri" value="http://localhost:8080/echo/services"/>
        </bean>
    
        <bean id="schema" class="org.springframework.xml.xsd.SimpleXsdSchema">
            <description>
                This bean definition contains the XSD schema.
            </description>
            <property name="xsd" value="/WEB-INF/echo.xsd"/>
        </bean>
    
        <bean id="echoService" class="org.springframework.ws.samples.echo.service.impl.EchoServiceImpl">
            <description>
                This bean is our "business" service.
            </description>
        </bean>
    
    </beans>
    In my server truststore.jks I have the certificate of the CA that signed my client certificate:


    Your keystore contains 1 entry

    cacert, Sep 16, 2009, trustedCertEntry,
    Certificate fingerprint (MD5): D5:E2:3F1:69:E9:83:08:38:A0:E5C:87:11:FD:FC


    So based on my understanding, everything seems setup properly for signing outgoing messages on the client side and verifying the signature on the server side.

    Attached are the trace from the client side (clienttrc.txt) and the trace on Tomcat's stdout.log.

  • #2
    I should have added the following trace (server side):

    Code:
    Sep 17, 2009 1:05:32 PM org.jcp.xml.dsig.internal.dom.DOMReference dereference
    FINE: URIDereferencer class name: com.sun.xml.wss.impl.dsig.DSigResolver
    Sep 17, 2009 1:05:32 PM org.jcp.xml.dsig.internal.dom.DOMReference dereference
    FINE: Data class name: org.jcp.xml.dsig.internal.dom.DOMSubTreeData
    Sep 17, 2009 1:05:32 PM org.jcp.xml.dsig.internal.dom.ApacheCanonicalizer canonicalize
    FINE: Created canonicalizer for algorithm: http://www.w3.org/TR/2001/REC-xml-c14n-20010315
    Sep 17, 2009 1:05:32 PM org.jcp.xml.dsig.internal.dom.DOMReference validate
    FINE: Expected digest: 5PLy7Ll2rlocuUvb/qZJRNBUNoY=
    Sep 17, 2009 1:05:32 PM org.jcp.xml.dsig.internal.dom.DOMReference validate
    FINE: Actual digest: AcyJdQbOYaF9a1VSVPFCJX+pTg0=
    Sep 17, 2009 1:05:32 PM org.jcp.xml.dsig.internal.dom.DOMXMLSignature validate
    FINE: Reference[#XWSSGID-1253207131209759568492] is valid: false
    Sep 17, 2009 1:05:32 PM org.jcp.xml.dsig.internal.dom.DOMXMLSignature validate
    FINE: Couldn't validate the References
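The two digest lines in that trace are the output of XML-DSig reference validation: the server dereferenced the element named by the Reference URI, canonicalized it with the listed algorithm (inclusive C14N 1.0), hashed it, and obtained a different value from the DigestValue the client had stored in SignedInfo. Reference validation uses no key material, so a wrong private key or an untrusted certificate cannot make these two lines differ; the canonical bytes of the signed element were not what the client hashed. The Python below is an added example, not code from this thread, from Spring-WS or from XWSS: it performs that step over a constructed SOAP Body and shows which re-serializations inclusive C14N absorbs (attribute order) and which it does not (inserted whitespace, changed text, a renamed namespace prefix). The Body, its wsu:Id value and the use of Python's C14N 2.0 implementation in place of C14N 1.0 are assumptions stated in the docstring.

```python
"""XML-DSig reference-digest validation, the step that produced the
'Expected digest' / 'Actual digest' lines in the server trace.

Added example: not code from this thread, from Spring-WS or from XWSS.
A verifier dereferences each <Reference URI="#id">, canonicalizes the
element (the trace names inclusive C14N 1.0), hashes the bytes (SHA-1,
matching the 28-character Base64 values in the trace) and compares the
result with the <DigestValue> the signer stored in <SignedInfo>. Any
change to the signed element between signing and verification therefore
shows up as "Reference[...] is valid: false".

Assumptions, not taken from the thread:
  * xml.etree.ElementTree.canonicalize() (Python 3.8+) implements C14N
    2.0 rather than 1.0. The elements built below contain no comments or
    xml:* attributes and declare only namespaces they use themselves, so
    both algorithms emit the same bytes.
  * The SOAP Body and its wsu:Id are constructed here, not captured traffic.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")


def reference_digest(element_xml):
    """DigestValue for one <Reference>: Base64(SHA-1(C14N(element)))."""
    canonical = ET.canonicalize(element_xml, with_comments=False)
    return base64.b64encode(
        hashlib.sha1(canonical.encode("utf-8")).digest()).decode("ascii")


def verify_reference(expected_digest, received_element_xml):
    """Server side: recompute over the element as received and compare.

    Returns (is_valid, expected, actual), the three values the trace logs.
    """
    actual = reference_digest(received_element_xml)
    return actual == expected_digest, expected_digest, actual


def body(prefix="soapenv", payload="hello", pretty=False, attrs_first=False):
    """Serialize the signed Body element in one of several ways, to show
    which differences canonicalization absorbs and which it does not."""
    decls = 'xmlns:{p}="{s}" xmlns:wsu="{w}"'.format(p=prefix, s=SOAP, w=WSU)
    ident = 'wsu:Id="XWSSGID-1"'
    attrs = ident + " " + decls if attrs_first else decls + " " + ident
    if pretty:
        inner = "\n  <echoRequest>\n    <msg>{}</msg>\n  </echoRequest>\n".format(payload)
    else:
        inner = "<echoRequest><msg>{}</msg></echoRequest>".format(payload)
    return "<{p}:Body {a}>{i}</{p}:Body>".format(p=prefix, a=attrs, i=inner)


def demo():
    """Sign once, then verify several re-serializations of that Body."""
    digest = reference_digest(body())      # the client's <DigestValue>
    received = {
        # byte-identical: valid
        "unchanged": body(),
        # C14N sorts attributes and namespace declarations: still valid
        "attributes reordered": body(attrs_first=True),
        # whitespace text nodes are part of the signed content: invalid
        "pretty-printed": body(pretty=True),
        # the obvious case: invalid
        "payload tampered": body(payload="hellO"),
        # inclusive C14N keeps prefixes, so renaming one changes the bytes
        "prefix renamed": body(prefix="S"),
    }
    return {name: verify_reference(digest, xml)[0]
            for name, xml in received.items()}


if __name__ == "__main__":
    print("DigestValue:", reference_digest(body()))
    for name, ok in demo().items():
        print("{:22s} valid: {}".format(name, ok))
```

The last three scenarios report valid: False, the same outcome as the "is valid: false" line in the trace. With a failure of this shape the first thing to compare is the signed Body as written by the client's dumpMessages="true" against the request the server's loggingInterceptor received: whitespace or prefix changes introduced by anything that re-serializes the message between the two break the reference even though nothing was "tampered" with.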



    • #3
      Signature verification failed...

      Hi everybody,

      I know this is an old thread but I have the same problem.

      There are some small differences between my configuration and his:
      Tomcat 5.5
      JDK 1.5.0.16
      Spring-WS security 1.5

      I think there is a problem with the keystore... is it possible?

      How could I test the keystore? Or... how can I be sure I generate a valid key pair?

      Any help will be very much appreciated...
      Laions



      • #4
        Certificate validation

        Hi Laions,
        Have you figured out what the problem is?
        I am new to web services and Spring. Do you mind sharing how you made the code work and, if possible, can you kindly share your code? I desperately need it.

        Thanks.
