axis-java-dev mailing list archives

From axis-...@ws.apache.org
Subject [jira] Commented: (AXIS-1458) Signature verification with WSS4J fails due to (guess) serialization bug in Axis
Date Mon, 30 Aug 2004 08:39:26 GMT
The following comment has been added to this issue:

     Author: Gregor Karlinger
    Created: Mon, 30 Aug 2004 1:38 AM
       Body:
I am facing the following problem with using Axis 1.2beta3 (nightly Build from 2004-08-15)
as a webservice client, which seems to be related to this problem:

The SOAP message, which comes from the webservice over the wire, is the following:

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope 
  xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <CreateXMLSignatureResponse 
      xmlns="http://reference.e-government.gv.at/namespace/moa/20020822#"
      xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
      <SignatureEnvironment>
        <dsig:Signature 
          Id="signature-1-1"
          xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
          ...
        </dsig:Signature>
      </SignatureEnvironment>
    </CreateXMLSignatureResponse>
  </soapenv:Body>
</soapenv:Envelope>

However, if I take the soap body from the soap response with axis as follows:

  Vector responses = (Vector) call.invoke(params);
  SOAPBodyElement response = (SOAPBodyElement) responses.get(0);
  Document root_response = response.getAsDocument();

then the namespace declaration from element dsig:Signature disappears, i.e. serializing root_response
leads to

<?xml version="1.0" encoding="UTF-8"?>
<CreateXMLSignatureResponse 
  xmlns="http://reference.e-government.gv.at/namespace/moa/20020822#" 
  xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
  <SignatureEnvironment>
    <dsig:Signature Id="signature-1-1">
      ...
    </dsig:Signature>
  </SignatureEnvironment>
</CreateXMLSignatureResponse>

Although the resulting XML document is still perfectly well-formed, this behaviour of Axis
is really bad in my context, since the CreateXMLSignatureResponse acts only as a container
and is thrown away later in the processing. Then the subtree starting at the SignatureEnvironment
element is not well-formed XML any more.

I suggest changing the behaviour since it is poison in lots of contexts, especially when
dealing with XML signatures.

Best Regards,
Gregor
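
The failure described in the comment above, reproduced as an added example (not part of the original message and not Axis code): Python's `xml.dom.minidom` stands in for the DOM, and `extract_subtree`, `in_scope_namespaces` and `resolves_dsig` are hypothetical helper names. It serialises `SignatureEnvironment` without its container, then repeats the extraction after copying the in-scope `xmlns` declarations onto the subtree root.

```python
import xml.dom.minidom as minidom
from xml.parsers.expat import ExpatError

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample shaped like the getAsDocument() result in the comment:
# xmlns:dsig is declared only on the container element.
AXIS_OUTPUT = (
    '<CreateXMLSignatureResponse'
    ' xmlns="http://reference.e-government.gv.at/namespace/moa/20020822#"'
    ' xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">'
    '<SignatureEnvironment>'
    '<dsig:Signature Id="signature-1-1"/>'
    '</SignatureEnvironment>'
    '</CreateXMLSignatureResponse>'
)


def in_scope_namespaces(element):
    # Walk from the element up to the root; the nearest declaration wins.
    found = {}
    node = element
    while node is not None and node.nodeType == node.ELEMENT_NODE:
        attrs = node.attributes
        for i in range(attrs.length):
            attr = attrs.item(i)
            if attr.name == "xmlns" or attr.name.startswith("xmlns:"):
                found.setdefault(attr.name, attr.value)
        node = node.parentNode
    return found


def extract_subtree(xml_text, tag, pin_namespaces):
    # Serialise the first `tag` element on its own, as if the container were discarded.
    element = minidom.parseString(xml_text).getElementsByTagName(tag)[0]
    if pin_namespaces:
        for name, value in in_scope_namespaces(element).items():
            element.setAttribute(name, value)
    return element.toxml()


def resolves_dsig(fragment):
    # True only if the fragment parses namespace-aware and dsig:Signature is bound.
    try:
        doc = minidom.parseString(fragment)
    except ExpatError:
        return False
    return len(doc.getElementsByTagNameNS(DSIG_NS, "Signature")) == 1
```

Pinning only re-declares bindings that were already in scope, so it does not change how any prefix inside the subtree resolves.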

---------------------------------------------------------------------
View this comment:
  http://issues.apache.org/jira/browse/AXIS-1458?page=comments#action_37907

---------------------------------------------------------------------
View the issue:
  http://issues.apache.org/jira/browse/AXIS-1458

Here is an overview of the issue:
---------------------------------------------------------------------
        Key: AXIS-1458
    Summary: Signature verification with WSS4J fails due to (guess) serialization bug in Axis
       Type: Bug

     Status: Unassigned
   Priority: Major

    Project: Axis
 Components: 
             Serialization/Deserialization
   Versions:
             beta-1
             beta-2

   Assignee: 
   Reporter: Yves Langisch

    Created: Fri, 16 Jul 2004 12:51 AM
    Updated: Mon, 30 Aug 2004 1:38 AM
Environment: SuSE 9.1, JDK 1.4.2-b28

Description:
Here is the problem description from my mail to the list:

*********************
All,
I have the following situation:

- Client with WSDoAllSender (just signing)
- Web Service with WSDoAllReceiver

Client-side I read an XML instance document, manipulate it and send it
over the signing handler to the web service. If I manipulate the
document then the verification fails server-side. This is very strange
since the signing process is at the very end of the handler chain. In
order to manipulate the document I transform the file to a JDOM
document, manipulate it, transform it back to a W3C document
and add it to the body of the envelope. It seems to be this transformation from JDOM to W3C
which causes the verification to fail at server-side.
Example:

<snip1>
InputStream i = new BufferedInputStream(new FileInputStream(declaration));
envelope.addBodyElement(new SOAPBodyElement(i));
response = call.invoke(envelope);
</snip1>

<snip2>
// just do a transformation without any data manipulation
org.jdom.Document aSDDoc = XMLHelper.getJDomDocumentFromFile(declaration);
org.w3c.dom.Document d = XMLHelper.getW3CDocumentFromJDOMDocument(aSDDoc);
envelope.addBodyElement(new SOAPBodyElement(d.getDocumentElement()));
response = call.invoke(envelope);
</snip2>

The first one works fine (with Beta1, not with Beta2 -> same issue), the second one fails
at verification. Tracing the whole stuff I just found one difference between the two calls.
The second call has a duplicate namespace entry (with beta2 both calls have these duplicate
entries) in the body element which is valid though:

<soapenv:Body wsu:Id="id-7719486" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><SDRequest
xmlns="http://xyz" xmlns:ns1="http://xyz">

The W3C document doesn't yet have this duplicate namespace but the printout of the envelope before
invoking the call already has this duplicate namespace entry. I saw that there are different
forms of representation of content in the SOAPEnvelope class thus I have the very vague guess
that the digest calculation is made on another representation (w/o the duplicate ns) than
the message which arrives at the other end.

Any ideas where the problem could be? My mistake? Axis or WSS4J problem?
**************


