ws-dev mailing list archives

From "Marc Giger (JIRA)" <>
Subject [jira] [Commented] (WSS-508) When using "add inclusive prefixes" and EXC C14N - signature cannot be validated
Date Wed, 27 Aug 2014 17:39:58 GMT


Marc Giger commented on WSS-508:

Hi Gene,
I just committed a second, similar fix for a case that I missed yesterday. I'm pretty confident that these fixes will solve your issue because I was able to reproduce the issue with the IBM SAAJ-Impl. Since you have a UT token in your request, it is very likely that my last fix solves the issue. So please try again with the next santuario 2.0.2-SNAPSHOT. If it still doesn't work for you, please ensure the following points:
- No WSS4J update is required - simply replace your santuario 2.0.x jar (xmlsec.jar) with the new xmlsec-2.0.2-SNAPSHOT
- Since the issue is on the consumer side, please update it here; to be on the safe side, update producer and consumer
- Ensure that no other xmlsec version is on the classpath or that the JDK internal one is used. You may set a breakpoint in XmlWriterToTree.writeStartElement() and call newElem.getParentNode() at the end of the method in the debugger. If it is returning the parent node (i.e. it is not null) then the right version should be in use.


> When using "add inclusive prefixes" and EXC C14N - signature cannot be validated
> --------------------------------------------------------------------------------
>                 Key: WSS-508
>                 URL:
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 2.0.0, 2.0.1
>         Environment: WAS 7.x, IBM JDK 1.6, WebSphere JAX-WS stack, MS Windows.
>            Reporter: Gene B.
>            Assignee: Colm O hEigeartaigh
>         Attachments: log 01 - signature verification failed with InclusiveNamespaces PrefixList.txt, log 02 - signature verification ok - signed by SOAP UI.txt, log_03a - consumer - sign message use InclusiveNamespaces prefix list.txt, log_03b - provider - signature verification failed.txt, request1-printedby-provider-signedby-soapui.xml, request1-printedby-provider-signedby-wss4j.xml
>
> Security implemented using WSS4J securement/validation action approach. We are trying to sign the body.
> The provider is a JAX-WS service running on WebSphere JAX-WS stack. Custom handler uses WSS4j to validate security.
> The consumer is a WebSphere JAX-WS dispatch client – also attaching custom security
> Signature can be validated on the provider side when EXC C14N canonicalization is specified with BST compliance flag relaxed. That is because when we chose to add “InclusiveNamespaces” “PrefixList” on the consumer side, verification fails. When the same test is done with the SOAP UI – signature verifies Ok – so I am blaming the consumer – the signing process - not verification process.
> I am attaching a log file which shows verification failure when the InclusiveNamespaces option is used. If not for this option – this verification would’ve been a success.

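The classpath point in the comment above can also be checked without a debugger. The following is an added example, not part of the original message or of the Santuario/WSS4J code: it lists every copy of the xmlsec marker class visible to the context class loader, with the jar's Implementation-Version where the manifest carries one. The class name `XmlSecClasspathCheck` is hypothetical, and the JDK-internal package path is an assumption about the JDK in use.

```java
import java.io.IOException;
import java.net.JarURLConnection;
import java.net.URL;
import java.net.URLConnection;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.Attributes;
import java.util.jar.Manifest;

// Hypothetical helper; written without Java 7+ syntax so it also compiles on a 1.6 JDK.
public final class XmlSecClasspathCheck {
    // Marker class of Apache Santuario (xmlsec.jar).
    private static final String SANTUARIO = "org/apache/xml/security/Init.class";
    // Assumed location of the repackaged copy that some JDKs ship internally.
    private static final String JDK_INTERNAL = "com/sun/org/apache/xml/internal/security/Init.class";

    /** Returns one entry per copy of the resource that the class loader can see. */
    static List<String> locate(ClassLoader cl, String resource) throws IOException {
        List<String> found = new ArrayList<String>();
        Enumeration<URL> urls = cl.getResources(resource);
        while (urls.hasMoreElements()) {
            URL url = urls.nextElement();
            String version = "unknown";
            URLConnection conn = url.openConnection();
            // Only plain jar: URLs expose the manifest; other schemes stay "unknown".
            if (conn instanceof JarURLConnection) {
                Manifest mf = ((JarURLConnection) conn).getManifest();
                if (mf != null) {
                    String v = mf.getMainAttributes().getValue(Attributes.Name.IMPLEMENTATION_VERSION);
                    if (v != null) version = v;
                }
            }
            found.add(url + " (Implementation-Version: " + version + ")");
        }
        return found;
    }

    public static void main(String[] args) throws IOException {
        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        List<String> santuario = locate(cl, SANTUARIO);
        for (String s : santuario) System.out.println("xmlsec: " + s);
        for (String s : locate(cl, JDK_INTERNAL)) System.out.println("JDK-internal copy: " + s);
        // More than one hit means the class loader order decides which xmlsec is used.
        if (santuario.size() != 1) {
            System.out.println("WARNING: expected exactly one xmlsec jar, found " + santuario.size());
        }
    }
}
```

In an application server the result depends on the class loader, so call `locate` from inside the deployed handler rather than from a stand-alone `main`.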