ws-users mailing list archives

From Al Ramsey <aram...@vecna.com>
Subject Re: Validation failing due to empty namespace in tag
Date Tue, 06 Mar 2018 02:08:52 GMT
Thank you Colm – another engineer actually found the culprit today.  It was a bug with xmlsec
(https://issues.apache.org/jira/browse/SANTUARIO-412), and after we upgraded the version of
the library, it now works!

-Al



From: Colm O hEigeartaigh <coheigea@apache.org>
Reply-To: "users@ws.apache.org" <users@ws.apache.org>, "coheigea@apache.org" <coheigea@apache.org>
Date: Monday, March 5, 2018 at 4:53 AM
To: "users@ws.apache.org" <users@ws.apache.org>
Subject: Re: Validation failing due to empty namespace in tag

I'm not sure why you are seeing empty namespaces. Could you create a unit test or some way
of reproducing the problem that I can look at?
Colm.

On Sun, Mar 4, 2018 at 9:46 AM, Al Ramsey <aramsey@vecna.com> wrote:
We’re currently trying to migrate WSS4J from version 1.6 to 2.0.1, but our integration tests
against the service provider are now failing.  A highlighted overview is given below:

• In the SignedInfo node, two references were hashed - (1) Timestamp, and (2) Body.  Validation
of (1) the Timestamp SHA1 digest against the expected value passes, but it fails for (2) the
Body.  WSS4J decrypts the Body successfully, but fails in the validation.
• We made some changes with our WSS4J configuration based on the recommendations from the
WSS4J Migration Guide (link: https://ws.apache.org/wss4j/migration/wss4j20.html).
• When I manually removed an empty namespace in one of the tags, a manual check of the SHA1
digest appears to finally succeed.
• WSS4J first decrypts the Body, then performs a canonical transformation prior to validation.
An empty namespace in one of the tags seems to show up in our application when we use WSS4J
2.0.1, but it does not show up when using WSS4J 1.6.

An illustrative example: the decoded Body is:

<results xmlns="" xmlns:a="http://ebs.health.ontario.ca/" xmlns:b="http://msa.ebs.health.ontario.ca/"
xmlns:c="http://hcv.health.ontario.ca/" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><auditUID>676345d6-3fc4-434c-96b3-012c73672b6a</auditUID><results><healthNumber>1286844022</healthNumber><responseAction>Ask
the cardholder to either visit the local ServiceOntario office or call 1 800-268-1154.</responseAction><responseCode>10</responseCode><responseDescription>The
Health Number submitted does not exist on the ministry's system</responseDescription><responseID>FAILED_MOD10</responseID><versionCode>YX</versionCode></results></results>

… and the Body after canonical transformation is:

<soapenv:Body xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Body-42a8192d-3065-451d-bfeb-1156ae118da4"><c:validateResponse xmlns:c="http://hcv.health.ontario.ca/"><results
xmlns=""><auditUID>676345d6-3fc4-434c-96b3-012c73672b6a</auditUID><results><healthNumber>1286844022</healthNumber><responseAction>Ask
the cardholder to either visit the local ServiceOntario office or call 1 800-268-1154.</responseAction><responseCode>10</responseCode><responseDescription>The
Health Number submitted does not exist on the ministry's system</responseDescription><responseID>FAILED_MOD10</responseID><versionCode>YX</versionCode></results></results></c:validateResponse></soapenv:Body>

I had to manually change

<results xmlns="">

to the following:

<results>

A manual check of the SHA1 digest tells me it would now pass validation.  I am not sure why
the empty namespace appears when using WSS4J 2.0.1 and not 1.6.  Did I miss a configuration
when updating them?



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
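The failure discussed in this thread comes down to one fact: a reference digest in an XML Signature is computed over the canonical form of the referenced element, so anything that survives canonicalization and should not, such as a redundant xmlns="" declaration, changes the digest even though it changes nothing about the element's namespace. The following script is an added illustration written for this archive page; it is not code from the thread, from WSS4J or from Apache Santuario. It uses the Python standard library's C14N 2.0 serializer as a stand-in for the Exclusive C14N that WS-Security normally applies, because both drop a namespace declaration the element does not need. The soapenv and c namespace URIs are the ones from the quoted Body; the element content, the shortened markup and the http://example.invalid/ns namespace in the counter-example are constructed.

```python
import base64
import hashlib
from xml.etree import ElementTree as ET

# Constructed sample (not copied from the thread): a cut-down stand-in for the
# decrypted Body quoted above. No default namespace is in scope, so the xmlns=""
# on <results> is redundant; it does not change which namespace <results> is in.
BODY_WITH_EMPTY_NS = (
    '<soapenv:Body xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    '<c:validateResponse xmlns:c="http://hcv.health.ontario.ca/">'
    '<results xmlns=""><responseCode>10</responseCode></results>'
    '</c:validateResponse></soapenv:Body>'
)
BODY_WITHOUT_EMPTY_NS = BODY_WITH_EMPTY_NS.replace('<results xmlns="">', '<results>')

# Constructed counter-example: the parent declares a default namespace, so here the
# xmlns="" on <results> is load-bearing and a correct canonicalizer must keep it.
BODY_NEEDS_EMPTY_NS = (
    '<p xmlns="http://example.invalid/ns">'
    '<results xmlns=""><responseCode>10</responseCode></results></p>'
)


def canonical_form(xml_text: str) -> bytes:
    """Canonicalize with the standard library's C14N 2.0 serializer (Python 3.8+).

    WS-Security signatures normally use Exclusive XML Canonicalization 1.0; C14N 2.0
    is used here only because it ships with Python and applies the rule that matters
    for this thread: a namespace declaration is written only where the element needs
    it, so a redundant xmlns="" is dropped and a necessary one is kept.
    """
    return ET.canonicalize(xml_text).encode("utf-8")


def digest_value(data: bytes) -> str:
    """Base64 SHA-1 over the bytes: the shape of a ds:DigestValue (SHA-1 as in the thread)."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def reference_check(signed_form: str, received_form: str) -> bool:
    """Model of reference validation: the signer digested the canonical form of what it
    sent; the verifier canonicalizes what it received and compares the digests."""
    expected = digest_value(canonical_form(signed_form))
    actual = digest_value(canonical_form(received_form))
    return expected == actual


def results_tag(xml_text: str) -> str:
    """Tag of <results> after parsing; 'results' (no {uri} prefix) means no namespace."""
    return ET.fromstring(xml_text).find(".//results").tag


def compare() -> dict:
    """Summarize what a stray xmlns="" does and does not affect."""
    expected = digest_value(canonical_form(BODY_WITHOUT_EMPTY_NS))
    # What a canonicalizer that leaves the redundant xmlns="" in place would hash:
    buggy_output = digest_value(BODY_WITH_EMPTY_NS.encode("utf-8"))
    return {
        # The two serializations name the same element in the same (empty) namespace.
        "same_parsed_element": results_tag(BODY_WITH_EMPTY_NS) == results_tag(BODY_WITHOUT_EMPTY_NS),
        # Yet a canonical output that keeps xmlns="" produces a different digest: the
        # mismatch the thread describes.
        "stray_xmlns_breaks_digest": buggy_output != expected,
        # A canonicalizer that applies the rule correctly makes both inputs agree.
        "correct_c14n_passes": reference_check(BODY_WITHOUT_EMPTY_NS, BODY_WITH_EMPTY_NS),
        "redundant_xmlns_dropped": b'xmlns=""' not in canonical_form(BODY_WITH_EMPTY_NS),
        "needed_xmlns_kept": b'xmlns=""' in canonical_form(BODY_NEEDS_EMPTY_NS),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
    print(canonical_form(BODY_WITH_EMPTY_NS).decode("utf-8"))
```

The useful diagnostic when a Body reference fails while the Timestamp reference passes, as in this thread, is to dump the exact bytes the verifier canonicalized (WSS4J and Santuario can log the pre-digest octets) and diff them against the same element canonicalized by the signer; a difference that is only a namespace declaration points at the canonicalizer, not at the key or the signature.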