ws-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Gene B. (JIRA)" <>
Subject [jira] [Commented] (WSS-508) When using "add inclusive prefixes" and EXC C14N - signature cannot be validated
Date Thu, 21 Aug 2014 15:49:12 GMT


Gene B. commented on WSS-508:

Colm, I also want to respond to your comment that using InclusiveNamespaces PrefixList is
a default and you would've noticed... I've listed our software stack in the ticket - but our
setup still might not be obvious. We are running JAX-WS WebSphere stack - the default WebSphere
JAX-WS implementation. We're using custom code in custom handlers to configure and call wss4j
libs. So we do not have CXF or Spring SOAP stack - those have their own issues running under
WebSphere. That is why I believe there is a CXF OSGi distribution - for WebSphere compatibility.
That is probably why you never ran it in this particular setup.

So when I ran it under the default settings, with the prefix list included - signature validation
failed. Then by experimenting, I set to "false" BSP compliance on the provider, and set to
"false" "add inclusive namespaces" option on the consumer, and only then the signature could
be validated.

> When using "add inclusive prefixes" and EXC C14N - signature cannot be validated
> --------------------------------------------------------------------------------
>                 Key: WSS-508
>                 URL:
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 2.0.0, 2.0.1
>         Environment: WAS 7.x, IBM JDK 1.6, WebSphere JAX-WS stack, MS Windows.
>            Reporter: Gene B.
>            Assignee: Colm O hEigeartaigh
>         Attachments: log 01 - signature verification failed with InclusiveNamespaces
PrefixList.txt, log 02 - signature verification ok - signed by SOAP UI.txt, request1-printedby-provider-signedby-soapui.xml,
> Security implemented using WSS4J securement/validation action approach. We are trying
to sign the body.
> The provider is a JAX-WS service running on WebSphere JAX-WS stack. Custom handler uses
WSS4j to validate security. 
> The consumer is a WebSphere JAX-WS dispatch client – also attaching custom security
> Signature can be validated on the provider side when EXC C14N canonicalization is specified
with BST compliance flag relaxed. That is because when we chose to add “InclusiveNamespaces”
“PrefixList” on the consumer side, verification fails. When the same test is done with
the SOAP UI – signature verifies Ok – so I am blaming the consumer – the signing process
- not verification process.
> I am attaching a log file which shows verification failure when the InclusiveNamespaces
option is used. If not for this option – this verification would’ve been a success.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message