cxf-issues mailing list archives

From "Colm O hEigeartaigh (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CXF-5679) WS-S after upgrade fails with org.apache.ws.security.WSSecurityException: The signature or decryption was invalid
Date Wed, 09 Apr 2014 17:34:15 GMT

    [ https://issues.apache.org/jira/browse/CXF-5679?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13964428#comment-13964428 ]

Colm O hEigeartaigh commented on CXF-5679:
------------------------------------------


How are you configuring your client + service, is it via a WS-SecurityPolicy or by specifying
"actions"? Could you attach whatever configuration you are using here? Also, if you could
attach the debug server log, as this will tell me where signature validation is failing.

Colm.

> WS-S after upgrade fails with org.apache.ws.security.WSSecurityException: The signature or decryption was invalid
> -----------------------------------------------------------------------------------------------------------------
>
>                 Key: CXF-5679
>                 URL: https://issues.apache.org/jira/browse/CXF-5679
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.7.9, 2.7.10
>            Reporter: Ján Ondrušek
>              Labels: security
>
> After upgrading CXF from version 2.7.5 to 2.7.9 or higher, we experienced this issue. Worked well with 2.7.5 and earlier.
> Request (our business data stripped and replaced with dummy ns1):
> {code:xml}
> <soapenv:Envelope xmlns:ns1="http://example/soap"
> 	xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
> 	<soapenv:Header>
> 		<wsse:Security soapenv:mustUnderstand="1"
> 			xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> 			xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> 			<ds:Signature Id="SIG-33" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> 				<ds:SignedInfo>
> 					<ds:CanonicalizationMethod
> 						Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
> 						<ec:InclusiveNamespaces PrefixList="ns1 soapenv"
> 							xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" />
> 					</ds:CanonicalizationMethod>
> 					<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
> 					<ds:Reference URI="#id-22">
> 						<ds:Transforms>
> 							<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
> 								<ec:InclusiveNamespaces PrefixList="ns1"
> 									xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" />
> 							</ds:Transform>
> 						</ds:Transforms>
> 						<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
> 						<ds:DigestValue>VF0g31FSsHWpdMN7lGVgQA1li4c=</ds:DigestValue>
> 					</ds:Reference>
> 					<ds:Reference URI="#TS-32">
> 						<ds:Transforms>
> 							<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
> 								<ec:InclusiveNamespaces PrefixList="wsse ns1 soapenv"
> 									xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" />
> 							</ds:Transform>
> 						</ds:Transforms>
> 						<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
> 						<ds:DigestValue>4yW2ssYnI+QB40HBdWexy80+GNo=</ds:DigestValue>
> 					</ds:Reference>
> 				</ds:SignedInfo>
> 				<ds:SignatureValue>QGIDsbR//zUyjUD36LtkiMJsIiT1vYionG8Y0blqif2QKrMB2AHnr9KXiYy7MbcdMaTVxn6gmKGN
> 					7bRjE6MX1VVf9ZPem5SfasHYQ6wS7l/I1NGUyGw227cv1AceDPje05Wjk5vmN9G1dKvbfECJhBLA
> 					7/OBAxJI+TYmYe94cu8=</ds:SignatureValue>
> 				<ds:KeyInfo Id="KI-6788C4A756C88F8773139703929455550">
> 					<wsse:SecurityTokenReference
> 						wsu:Id="STR-6788C4A756C88F8773139703929455551">
> 						<ds:X509Data>
> 							<ds:X509IssuerSerial>
> 								<ds:X509IssuerName>CN=clientuser</ds:X509IssuerName>
> 								<ds:X509SerialNumber>1288174342</ds:X509SerialNumber>
> 							</ds:X509IssuerSerial>
> 						</ds:X509Data>
> 					</wsse:SecurityTokenReference>
> 				</ds:KeyInfo>
> 			</ds:Signature>
> 			<wsu:Timestamp wsu:Id="TS-32">
> 				<wsu:Created>2014-04-09T10:28:14.554Z</wsu:Created>
> 				<wsu:Expires>2014-04-09T10:33:14.554Z</wsu:Expires>
> 			</wsu:Timestamp>
> 		</wsse:Security>
> 	</soapenv:Header>
> 	<soapenv:Body wsu:Id="id-22"
> 		xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> 		<ns1:hello></ns1:hello>
> 	</soapenv:Body>
> </soapenv:Envelope>
> {code}
> Response:
> {code:xml}
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
> 	<soap:Body>
> 		<soap:Fault>
> 			<faultcode
> 				xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">ns1:FailedCheck</faultcode>
> 			<faultstring>The signature or decryption was invalid</faultstring>
> 		</soap:Fault>
> 	</soap:Body>
> </soap:Envelope>
> {code}
> Log:
> {noformat}
> o.a.c.w.s.wss4j.WSS4JInInterceptor - org.apache.ws.security.WSSecurityException: The signature or decryption was invalid
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:19
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:12
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.jav
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:167)
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.jav
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:206)
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:262)
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.ja
> o.a.c.w.s.wss4j.WSS4JInInterceptor - #011at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.2#6252)
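
Added example, not part of the original message and not CXF or WSS4J code: a triage script that lists what a WS-Security signature shaped like the one in the quoted request covers (each `ds:Reference`, the element its `wsu:Id` resolves to, its `InclusiveNamespaces` prefix list) and the `wsu:Timestamp` lifetime. The function name `summarize` and the `SAMPLE` envelope are assumptions; the sample is a constructed reduction of the request in the report, and the script checks structure only, not digests or the signature value.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "ec": "http://www.w3.org/2001/10/xml-exc-c14n#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
# Constructed sample: the report's request reduced to the elements inspected here.
SAMPLE = """<soapenv:Envelope xmlns:ns1="http://example/soap"
 xmlns:soapenv="%(soapenv)s" xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s" xmlns:ec="%(ec)s">
<soapenv:Header><wsse:Security><ds:Signature><ds:SignedInfo>
 <ds:Reference URI="#id-22"><ds:Transforms><ds:Transform Algorithm="%(ec)s">
  <ec:InclusiveNamespaces PrefixList="ns1"/></ds:Transform></ds:Transforms>
  <ds:DigestMethod Algorithm="%(ds)ssha1"/></ds:Reference>
 <ds:Reference URI="#TS-32"><ds:Transforms><ds:Transform Algorithm="%(ec)s">
  <ec:InclusiveNamespaces PrefixList="wsse ns1 soapenv"/></ds:Transform></ds:Transforms>
  <ds:DigestMethod Algorithm="%(ds)ssha1"/></ds:Reference>
</ds:SignedInfo></ds:Signature>
<wsu:Timestamp wsu:Id="TS-32"><wsu:Created>2014-04-09T10:28:14.554Z</wsu:Created>
 <wsu:Expires>2014-04-09T10:33:14.554Z</wsu:Expires></wsu:Timestamp>
</wsse:Security></soapenv:Header>
<soapenv:Body wsu:Id="id-22"><ns1:hello/></soapenv:Body></soapenv:Envelope>""" % NS

def summarize(envelope_xml):
    """List what the signature covers; structural checks only, no digest verification."""
    root = ET.fromstring(envelope_xml)  # use defusedxml for captures from untrusted peers
    ids = {}  # wsu:Id value -> local names of the elements carrying it
    for el in root.iter():
        if WSU_ID in el.attrib:
            ids.setdefault(el.get(WSU_ID), []).append(el.tag.split("}")[-1])
    refs = []
    for ref in root.iterfind(".//ds:SignedInfo/ds:Reference", NS):
        target = ref.get("URI", "").lstrip("#")
        incl = ref.find(".//ec:InclusiveNamespaces", NS)
        refs.append({
            "uri": target,
            "targets": ids.get(target, []),  # [] = dangling reference, >1 = ambiguous Id
            "prefixes": incl.get("PrefixList", "").split() if incl is not None else [],
            "digest_alg": ref.find("ds:DigestMethod", NS).get("Algorithm").split("#")[-1],
        })
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ"
    ts = root.find(".//wsu:Timestamp", NS)
    created, expires = (datetime.strptime(ts.find("wsu:" + n, NS).text, fmt)
                        for n in ("Created", "Expires"))
    return {"references": refs, "lifetime_s": (expires - created).total_seconds()}
```

Run against a captured request, an empty `targets` list or one with more than one entry points at a reference-resolution problem before any digest is computed.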
