  • Problem with WSS4J, verifying WSS signatures and decryption (Spring WS 2.0)

    I have a problem with WSS4J in Spring WS 2.0-M2 (also in M1) failing at verifying signatures and decrypting messages. I'm using SoapUI for testing the WS. The outgoing signatures and encryptions made by WSS4J work flawlessly.
    I want to focus first on the signature verification problem. I think everything is correctly configured, because what I get in the log is:
    167869 [ajp-8009-1] WARN oreFactoryBean - Creating empty key store
    167872 [ajp-8009-1] DEBUG k.KeyStoreCallbackHandler - Loaded default key store
    172688 [ajp-8009-1] DEBUG curityInterceptor - Validating message [SaajSoapMessage {}CFDRequest] with actions [UsernameToken Timestamp ]
    173131 [ajp-8009-1] DEBUG - SignatureMethodURI =
    173133 [ajp-8009-1] DEBUG - jceSigAlgorithm = SHA1withRSA
    173134 [ajp-8009-1] DEBUG - jceSigProvider = SunRsaSign
    173141 [ajp-8009-1] DEBUG - PublicKey = Sun RSA public key, 1024 bits
    173182 [ajp-8009-1] DEBUG - verify 1 References
    173234 [ajp-8009-1] DEBUG - I am not requested to follow nested Manifests
    173370 [ajp-8009-1] WARN - Verification failed for URI "#id-4"
    173373 [ajp-8009-1] WARN - Expected Digest: hXKZipZz4iwo0O0YH2WQEPMA05I=
    173375 [ajp-8009-1] WARN - Actual Digest: b1fEdlGF3CaSUvYCcn0f1qBQfsc=
    173376 [ajp-8009-1] DEBUG - The Reference has Type
    173391 [ajp-8009-1] WARN curityInterceptor - Could not validate request: The signature or decryption was invalid; nested exception is The signature or decryption was invalid
    173392 [ajp-8009-1] DEBUG curityInterceptor - No exception resolver present, creating basic soap fault

    I think the important part is this:
    Expected Digest: hXKZipZz4iwo0O0YH2WQEPMA05I=
    Actual Digest: b1fEdlGF3CaSUvYCcn0f1qBQfsc=

    I think something in the stack is changing the message in some way, so the hash changes and it doesn't validate. Spring-WS 2.0-M2 includes jars for Xalan 2.7.1 and Xerces 2.8.1, so I included Xalan 2.7.1 in the project (not using Maven); you also need to include serializer.jar from Xalan for Xalan to work, so I included it, but the error is the same.
    Then I included Xerces 2.8.1 and xml-apis-1.3.04.jar and had the same error. (Including Xalan and Xerces doesn't make any difference.)

    I'm not afraid of doing debugging work, but I don't know where to start. I'm using SHA1 with RSA because somewhere someone said that is the only algorithm that works, but in fact using SHA1 with DSA gives the same error (because the error is in the hash part, not even close to the digital signature).

    Also, someone said that using AXIOM instead of SAAJ on the server might resolve the issue, but how do you do that? I can't find anything on how to use AXIOM in Spring-WS inside the servlet container.

    I hope someone can give me some leads on what to do.
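
    The two WARN lines quoted above are the verifier recomputing the digest of the element referenced by "#id-4" and finding that it no longer matches the value stored in the signature. The following is an added illustration of that check, not code from this thread or from WSS4J: it uses Python's standard-library canonicalizer (C14N 2.0, Python 3.8+) as a stand-in for the Exclusive C14N 1.0 transform that WS-Security stacks typically apply, and the SOAP body, namespace URIs and field values are constructed for the example. It shows which kinds of in-flight changes to the signed element canonicalization absorbs and which ones produce exactly the "Expected Digest / Actual Digest" mismatch seen in the log.

```python
# Added illustration of an XML-Signature <Reference> digest check.
# Not WSS4J code: Python's C14N 2.0 writer models the canonicalization
# step, whereas WS-Security deployments normally use Exclusive C14N 1.0.
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed stand-in for the signed SOAP body element. wsu:Id="id-4"
# mirrors the URI reference "#id-4" in the log; the namespace URIs and
# the element contents are placeholders.
SIGNED_BODY = (
    '<ns:CFDRequest xmlns:ns="urn:example:cfd" '
    'xmlns:wsu="urn:example:wsu" wsu:Id="id-4">'
    '<ns:rfc>XAXX010101000</ns:rfc><ns:year>2010</ns:year>'
    '</ns:CFDRequest>'
)


def reference_digest(xml_fragment: str) -> str:
    """Canonicalize the fragment and return its base64 SHA-1 DigestValue.

    The signer stores this in <ds:DigestValue>; the verifier recomputes it
    over the element it actually received. SHA-1 matches the SHA1withRSA
    algorithm reported in the log.
    """
    canonical = ET.canonicalize(xml_fragment)
    digest = hashlib.sha1(canonical.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_reference(expected_digest: str, received_fragment: str) -> bool:
    """True when the received element still hashes to the signed value."""
    actual = reference_digest(received_fragment)
    # Constant-time comparison, as a verifier should use for digests.
    return hmac.compare_digest(expected_digest, actual)


# Variants of the same element, as an intermediary might re-serialize it.
# A comment is dropped by canonicalization, so the digest survives it.
WITH_COMMENT = SIGNED_BODY.replace(
    "<ns:rfc>", "<!-- added by an intermediary --><ns:rfc>"
)
# Pretty-printing adds whitespace text nodes, which are signed content.
PRETTY_PRINTED = SIGNED_BODY.replace("<ns:rfc>", "\n  <ns:rfc>").replace(
    "</ns:year>", "</ns:year>\n"
)
# Renaming a namespace prefix changes the canonical form as well.
PREFIX_RENAMED = (
    SIGNED_BODY.replace("<ns:", "<cfd:")
    .replace("</ns:", "</cfd:")
    .replace("xmlns:ns=", "xmlns:cfd=")
)


def classify_variants() -> dict:
    """Map each variant to whether it would still pass verification."""
    expected = reference_digest(SIGNED_BODY)
    return {
        "identical": verify_reference(expected, SIGNED_BODY),
        "comment_inserted": verify_reference(expected, WITH_COMMENT),
        "pretty_printed": verify_reference(expected, PRETTY_PRINTED),
        "prefix_renamed": verify_reference(expected, PREFIX_RENAMED),
    }


if __name__ == "__main__":
    print("Expected Digest:", reference_digest(SIGNED_BODY))
    for name, ok in classify_variants().items():
        print(f"{name:17s} {'OK' if ok else 'Verification failed'}")
```

    The practical reading of the log is therefore that the bytes WSS4J hashed on the server are not the bytes the client hashed: anything between the two that re-serializes the body (a pretty-printing transformer, a proxy rewriting prefixes, a message factory that rebuilds the DOM) will produce a digest mismatch long before the RSA signature itself is examined, which is also why switching the signature algorithm changes nothing.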

  • #2
    Well, I dropped SoapUI and made a homebrew client (using Spring-WS), and the signature validates!!! (using Spring-WS 2.0 for both client and server)
    I even made some classes to glue WSS4J and my UserDetailsService together, using the common name (CN) of the X509 certificate as the username. I would like to donate this code; how do I do that?
    Now I'm stuck with the server-side decryption part. I don't know why, but the server fails silently at decrypting (I don't know if it is even trying).
    The only error I get in the log is:

    350162 [http-8080-1] WARN - No endpoint mapping found for [SaajSoapMessage {}EncryptedData]

    and my config is:
    <bean class=" ing.PayloadRootQNameEndpointMapping">
        <property name="mappings">
            <props>
                <prop key="{}CFDRequest">cfdApiEndpoint</prop>
            </props>
        </property>
        <property name="interceptors">
            <list>
                <ref local="wss4j"/>
                <!-- <ref local="xwsSecurityInterceptor"/>-->
                <bean class=" rceptor.PayloadLoggingInterceptor"/>
            </list>
        </property>
    </bean>

    Maybe PayloadRootQNameEndpointMapping is not the correct type of mapping to use with an encrypted payload, because it will try to find the element name *before* decrypting.

    Also, I'm somewhat nervous that the only working client is one made with Spring-WS.

    I would appreciate any help.
    • #3
      Same issue?

      I think I'm getting the same issue with Spring WS 2.0.0M2 when testing with SoapUI 2.0.2. I tried with SoapUI 3.5 and get the same issue.

      We've migrated some existing WS code from using SOAPMessageFactory and Xws Security to AxiomMessageFactory and Wss4j security for performance reasons and are running into this issue. The same code, keystore etc. were working for the authentication with Xws security, but do not seem to work with Wss4j & Spring WS 2.0.0M2.

      We've migrated from Spring 2.0.8 and Spring WS Core 1.0.3 to Spring 3.0.1 and therefore had to take Spring WS 2.0.0M2, as it seems this is the only version currently that will work with Spring 3.0.1 (Spring WS Security 1.5.9 still has code dependencies back to Spring Security 2.0.0, so this won't work for us).

      When you say that the code works with a homebrew client, you wrote a client using the same Spring WS and security jars to call your WS endpoint and the security works OK? Any thoughts on whether this is an issue with SoapUI or the Spring security/WS code?


      • #4
        The issue I'm seeing with Wss4j and the signature validation failing is only on incoming SOAP requests that contain a SOAP attachment. For other endpoints that don't define any SOAP attachments in the request, these work as expected and validate successfully.

        I created a Jira entry for this: