cxf-users mailing list archives

From: andreas_triebel <andreas.trie...@adesso.ch>
Subject: Re: Signature Interop Issue: Weblogic -> Apache CXF
Date: Mon, 19 Nov 2012 08:17:29 GMT
Hi Colm

Thanks for the patch! I tried the 1.6.8-SNAPSHOT and it works now for the
request from Weblogic to CXF.

The bad thing is that Weblogic now complains about the response received
from CXF. Probably this is now an issue on Weblogic and therefore not the
right place here, but I am giving the information here for completeness at least.

I already tried to resolve this issue on Weblogic by configuring a
CertificateRegistry as proposed in this blog
http://fusionsecurity.blogspot.ch/2009/08/so-thats-what-weblogic-certificate.html
with no success.

Error Stacktrace Weblogic:
####<Nov 19, 2012 8:39:51 AM CET> <Error> <> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <35e64a9808ed1790:3007597b:13b179b1226:-8000-0000000000000004> <1353310791212> <BEA-000000> <CertPathBuilder does not support building cert path from class weblogic.security.pk.X509ThumbprintSelector
java.security.InvalidAlgorithmParameterException: [Security:090596]The WebLogicCertPathProvider was passed an unsupported CertPathSelector.
	at weblogic.security.providers.pk.WebLogicCertPathProviderRuntimeImpl$JDKCertPathBuilder.engineBuild(WebLogicCertPathProviderRuntimeImpl.java:689)
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
	at com.bea.common.security.internal.legacy.service.CertPathBuilderImpl$CertPathBuilderProviderImpl.build(CertPathBuilderImpl.java:67)
	at com.bea.common.security.internal.service.CertPathBuilderServiceImpl.build(CertPathBuilderServiceImpl.java:86)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:597)
	at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
	at $Proxy59.build(Unknown Source)
	at weblogic.security.service.WLSCertPathBuilderServiceWrapper.build(WLSCertPathBuilderServiceWrapper.java:62)
	at weblogic.security.service.CertPathManager.build(CertPathManager.java:195)
	at weblogic.security.service.CertPathManager$JDKCertPathBuilder.engineBuild(CertPathManager.java:265)
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
	at weblogic.xml.crypto.utils.CertUtils.buildCertPath(CertUtils.java:159)
	at weblogic.xml.crypto.utils.CertUtils.lookupCertificate(CertUtils.java:124)
	at weblogic.xml.crypto.utils.CertUtils.lookupCertificate(CertUtils.java:108)
	at weblogic.xml.crypto.wss11.internal.bst.BSTHandler.lookupCertificate(BSTHandler.java:79)
	at weblogic.xml.crypto.wss11.internal.bst.BSTHandler.getTokenByKeyId(BSTHandler.java:59)
	at weblogic.xml.crypto.wss.BinarySecurityTokenHandler.getSecurityToken(BinarySecurityTokenHandler.java:80)
	at weblogic.xml.crypto.common.keyinfo.KeyResolver.setupKeyProviderFromContext(KeyResolver.java:344)
	at weblogic.xml.crypto.common.keyinfo.KeyResolver.getKeyFromSTR(KeyResolver.java:295)
	at weblogic.xml.crypto.common.keyinfo.KeyResolver.select(KeyResolver.java:127)
	at weblogic.xml.crypto.dsig.SignedInfoImpl.getVerifyKey(SignedInfoImpl.java:227)
	at weblogic.xml.crypto.dsig.SignedInfoImpl.validateSignature(SignedInfoImpl.java:113)
	at weblogic.xml.crypto.dsig.XMLSignatureImpl.validate(XMLSignatureImpl.java:265)
	at weblogic.xml.crypto.wss.SecurityImpl.unmarshalAndProcessSignature(SecurityImpl.java:724)
	at weblogic.xml.crypto.wss.SecurityImpl.unmarshalAndProcessSignature(SecurityImpl.java:689)
	at weblogic.xml.crypto.wss.SecurityImpl.unmarshalChildren(SecurityImpl.java:544)
	at weblogic.xml.crypto.wss.SecurityImpl.unmarshalInternal(SecurityImpl.java:450)
	at weblogic.xml.crypto.wss.SecurityImpl.unmarshal(SecurityImpl.java:418)
	at weblogic.xml.crypto.wss11.internal.WSS11Factory.unmarshalAndProcessSecurity(WSS11Factory.java:33)
	at weblogic.wsee.security.wssp.handlers.WssClientHandler.processInbound(WssClientHandler.java:149)
	at weblogic.wsee.security.wssp.handlers.WssClientHandler.processResponse(WssClientHandler.java:134)
	at weblogic.wsee.security.wssp.handlers.WssHandler.handleResponse(WssHandler.java:206)

I don't see much difference between a Weblogic generated response and a CXF
generated one, besides the fact that in Weblogic the STR inside the KeyInfo
is signed, while in CXF it's not. But I guess this should not be the problem?!

CXF SOAP response:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
	<soap:Header>
		<wsse:Security
			xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
			xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
			soap:mustUnderstand="1">
			<wsu:Timestamp wsu:Id="TS-1">
				<wsu:Created>2012-11-16T12:50:55.054Z</wsu:Created>
				<wsu:Expires>2012-11-16T12:55:55.054Z</wsu:Expires>
			</wsu:Timestamp>
			<wsse11:SignatureConfirmation
				xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
				Value="WuJ58vqiRvVEO72+2YL421WdYt1J6C3skhl8ih7ky16sSIyfOOTPShzqSSq/Va9BQ1uwplnJfX7io8LM4gw0X5LEAzIeoy2dCeiHA4GY5KiO9K0Sh17gJhZoqR5l17oZrfnJUzXvDGUA5eupnl1BqZ1l0c0PJMslnSavwkcmVSA="
				wsu:Id="SC-2" />
			<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-3">
				<ds:SignedInfo>
					<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
						<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap" />
					</ds:CanonicalizationMethod>
					<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
					<ds:Reference URI="#TS-1">
						<ds:Transforms>
							<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
								<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse soap" />
							</ds:Transform>
						</ds:Transforms>
						<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
						<ds:DigestValue>OgsxMMNFLQsz/9IsfVQs/oLuc+8=</ds:DigestValue>
					</ds:Reference>
					<ds:Reference URI="#SC-2">
						<ds:Transforms>
							<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
								<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse soap" />
							</ds:Transform>
						</ds:Transforms>
						<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
						<ds:DigestValue>oG+UlTKMXY7/IbQpRxvPYySh60Y=</ds:DigestValue>
					</ds:Reference>
					<ds:Reference URI="#Id-3417205">
						<ds:Transforms>
							<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
								<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="" />
							</ds:Transform>
						</ds:Transforms>
						<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
						<ds:DigestValue>rS4jFUikjRJY+jt6IKSIX7GXNWE=</ds:DigestValue>
					</ds:Reference>
				</ds:SignedInfo>
				<ds:SignatureValue>nX8nGcTY7Olu0UBX1S6KbKsGlP8exYu4FdSYCDCPWNm+pUH2PG7B8JJ2yJYFlL919nJUtOnndWYX7s3/eDTTQtR0hPWc6FNs0+yGr7yH6pSWlsbCf+a7n++FG8O+NKe6d2IyvJ4epLvgVVYaoj1RWYcPx31iAvTw6d7S16jZ184=</ds:SignatureValue>
				<ds:KeyInfo Id="KI-A18E11179961A8826E13530702550772">
					<wsse:SecurityTokenReference wsu:Id="STR-A18E11179961A8826E13530702550773">
						<wsse:KeyIdentifier
							EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
							ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">R0VTd2CEaTTD3qJ/lAomm31HARQ=</wsse:KeyIdentifier>
					</wsse:SecurityTokenReference>
				</ds:KeyInfo>
			</ds:Signature>
		</wsse:Security>
	</soap:Header>
	<soap:Body
		xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
		wsu:Id="Id-3417205">
		<ns2:doitResponse xmlns:ns2="http://ws.ssotest/">
			<return>doit() called.</return>
		</ns2:doitResponse>
	</soap:Body>
</soap:Envelope>

Weblogic SOAP response for comparison:
<?xml version='1.0' encoding='UTF-8'?>
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
	<S:Header>
		<wsse:Security
			xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
			S:mustUnderstand="1">
			<wsse11:SignatureConfirmation
				xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
				Value="BX/qFA56YzPI4Ybtmiqqk2BBqQHDA9FZ+fNwCXC++Tfb8PAQWTwjp8WRVyeCw5f1vMT9ABi8p2bUkdi/Z2T/cQ4D2hf3Y6SbZVu2v08yh8QZFSRubGqKGFqhV0Z6MSjdrj64nu7JMDKWe4OwSUZf58khfx6Kij7j+Eo2Jqq8k4Y="
				xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
				wsu:Id="sigconf_Y1dLkZE12R3lo84g" />
			<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
				<dsig:SignedInfo>
					<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
					<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
					<dsig:Reference URI="#Timestamp_fyeHCdDCF1Q1mEQT">
						<dsig:Transforms>
							<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
						</dsig:Transforms>
						<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
						<dsig:DigestValue>U6EZCrkoZVK51ldTBm01yjGvTqo=</dsig:DigestValue>
					</dsig:Reference>
					<dsig:Reference URI="#Body_dak1e6clIuiK32Q8">
						<dsig:Transforms>
							<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
						</dsig:Transforms>
						<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
						<dsig:DigestValue>GpX21h7vU1Sv/5fAltIB7AC9JLk=</dsig:DigestValue>
					</dsig:Reference>
					<dsig:Reference URI="#sigconf_Y1dLkZE12R3lo84g">
						<dsig:Transforms>
							<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
						</dsig:Transforms>
						<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
						<dsig:DigestValue>H/1u/9+eXPty0gZry3P6kC9lVjE=</dsig:DigestValue>
					</dsig:Reference>
					<dsig:Reference URI="#str_dEoDQOLRAT5qy2ha">
						<dsig:Transforms>
							<dsig:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
								<wsse:TransformationParameters>
									<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
								</wsse:TransformationParameters>
							</dsig:Transform>
						</dsig:Transforms>
						<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
						<dsig:DigestValue>QwS0Bh2Dck6G5rCKyyGwLzCivGM=</dsig:DigestValue>
					</dsig:Reference>
				</dsig:SignedInfo>
				<dsig:SignatureValue>KsGzFjk9DEF56FfVQt9LnTHu7IWYrMu338Y8ntQWVXkIUp/+aUq2tAHWdG0uRyGwgyptkvyU2sAiHszLcHUXUSjt1MtIzHRNooEPsEzJCeeLDlrwhZ/zRglRMcLveI5rdWZYJmTRKo8zGyuCHesHqUWslWQBrbBW8rlIt0ZSwtg=</dsig:SignatureValue>
				<dsig:KeyInfo>
					<wsse:SecurityTokenReference
						xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
						xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
						xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
						wsse11:TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
						wsu:Id="str_dEoDQOLRAT5qy2ha">
						<wsse:KeyIdentifier
							EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
							ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">SSp+oSTFJ/0AMjafPrgRAJyDZRg=</wsse:KeyIdentifier>
					</wsse:SecurityTokenReference>
				</dsig:KeyInfo>
			</dsig:Signature>
			<wsu:Timestamp
				xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
				wsu:Id="Timestamp_fyeHCdDCF1Q1mEQT">
				<wsu:Created>2012-11-16T15:13:20Z</wsu:Created>
				<wsu:Expires>2012-11-16T15:14:20Z</wsu:Expires>
			</wsu:Timestamp>
		</wsse:Security>
	</S:Header>
	<S:Body
		xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
		wsu:Id="Body_dak1e6clIuiK32Q8">
		<ns0:doitResponse xmlns:ns0="http://ws.ssotest/">
			<return>triebela called web service 'SAML2TestService.doit' successfully.</return>
		</ns0:doitResponse>
	</S:Body>
</S:Envelope>

-Andreas




--
View this message in context: http://cxf.547215.n5.nabble.com/Signature-Interop-Issue-Weblogic-Apache-CXF-tp5718487p5718688.html
Sent from the cxf-user mailing list archive at Nabble.com.
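Editor's added example, not part of Andreas's message and not CXF or WebLogic code. It automates the two comparisons the message makes by hand: which reference type the ds:KeyInfo/wsse:SecurityTokenReference uses (a ThumbprintSHA1 KeyIdentifier, the selector WebLogic's CertPathProvider rejects in the stack trace, can only be resolved by a receiver that can look certificates up by SHA-1 thumbprint), and whether the STR itself is among the signed ds:Reference targets (WebLogic signs it via the STR-Transform, the CXF response does not). It also shows how a ThumbprintSHA1 value is derived from a DER certificate so a received thumbprint can be matched against a local certificate store. The two embedded SOAP fragments are constructed, trimmed from the responses quoted above with digests and signature values left out; the "DER certificates" in the thumbprint check are placeholder byte strings, not real certificates. Only the Python standard library is used.

```python
"""Check how a WS-Security signature references its key and what it covers.

Added example (editor's code, not from the message, CXF or WebLogic).
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
THUMBPRINT_SHA1 = "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"
STR_TRANSFORM = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform"
WSU_ID = "{%s}Id" % NS["wsu"]  # Clark notation for the wsu:Id attribute


def thumbprint_sha1(der_cert: bytes) -> str:
    """ThumbprintSHA1 KeyIdentifier value: base64(SHA-1(DER-encoded certificate))."""
    return base64.b64encode(hashlib.sha1(der_cert).digest()).decode("ascii")


def matches_known_cert(key_identifier: str, der_certs) -> bool:
    """The lookup a receiver must perform for a ThumbprintSHA1 reference:
    compare the received thumbprint with the thumbprint of each trusted cert."""
    return any(thumbprint_sha1(c) == key_identifier for c in der_certs)


def analyse_signature(envelope_xml: str) -> dict:
    """Summarise what the signature covers and how its verification key is referenced."""
    root = ET.fromstring(envelope_xml)
    sig = root.find(".//ds:Signature", NS)
    if sig is None:
        raise ValueError("no ds:Signature found in the security header")
    # Every ds:Reference URI is "#<wsu:Id>" of an element the signature covers.
    signed_ids = [r.get("URI", "").lstrip("#")
                  for r in sig.findall("ds:SignedInfo/ds:Reference", NS)]
    str_el = sig.find("ds:KeyInfo/wsse:SecurityTokenReference", NS)
    str_id = str_el.get(WSU_ID) if str_el is not None else None
    key_id = str_el.find("wsse:KeyIdentifier", NS) if str_el is not None else None
    value_type = key_id.get("ValueType") if key_id is not None else None
    return {
        "signed_ids": signed_ids,
        "str_id": str_id,
        "str_signed": str_id is not None and str_id in signed_ids,
        "key_id_value_type": value_type,
        "key_id_value": key_id.text.strip() if key_id is not None and key_id.text else None,
        "uses_thumbprint": value_type == THUMBPRINT_SHA1,
    }


# Constructed sample, trimmed from the CXF response quoted in the message.
CXF_STYLE = f"""<soap:Envelope xmlns:soap="{NS['soap']}"><soap:Header>
<wsse:Security xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}" soap:mustUnderstand="1">
<wsu:Timestamp wsu:Id="TS-1"/>
<ds:Signature xmlns:ds="{NS['ds']}" Id="SIG-3"><ds:SignedInfo>
<ds:Reference URI="#TS-1"/><ds:Reference URI="#SC-2"/><ds:Reference URI="#Id-3417205"/>
</ds:SignedInfo><ds:SignatureValue/>
<ds:KeyInfo><wsse:SecurityTokenReference wsu:Id="STR-A18E11179961A8826E13530702550773">
<wsse:KeyIdentifier ValueType="{THUMBPRINT_SHA1}">R0VTd2CEaTTD3qJ/lAomm31HARQ=</wsse:KeyIdentifier>
</wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature></wsse:Security></soap:Header>
<soap:Body xmlns:wsu="{NS['wsu']}" wsu:Id="Id-3417205"/></soap:Envelope>"""

# Constructed sample, trimmed from the WebLogic response: the STR is itself signed.
WEBLOGIC_STYLE = f"""<S:Envelope xmlns:S="{NS['soap']}"><S:Header>
<wsse:Security xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}" S:mustUnderstand="1">
<dsig:Signature xmlns:dsig="{NS['ds']}"><dsig:SignedInfo>
<dsig:Reference URI="#Timestamp_fyeHCdDCF1Q1mEQT"/><dsig:Reference URI="#Body_dak1e6clIuiK32Q8"/>
<dsig:Reference URI="#str_dEoDQOLRAT5qy2ha"><dsig:Transforms>
<dsig:Transform Algorithm="{STR_TRANSFORM}"/></dsig:Transforms></dsig:Reference>
</dsig:SignedInfo><dsig:SignatureValue/>
<dsig:KeyInfo><wsse:SecurityTokenReference wsu:Id="str_dEoDQOLRAT5qy2ha">
<wsse:KeyIdentifier ValueType="{THUMBPRINT_SHA1}">SSp+oSTFJ/0AMjafPrgRAJyDZRg=</wsse:KeyIdentifier>
</wsse:SecurityTokenReference></dsig:KeyInfo></dsig:Signature>
<wsu:Timestamp wsu:Id="Timestamp_fyeHCdDCF1Q1mEQT"/></wsse:Security></S:Header>
<S:Body xmlns:wsu="{NS['wsu']}" wsu:Id="Body_dak1e6clIuiK32Q8"/></S:Envelope>"""


if __name__ == "__main__":
    for name, doc in (("CXF", CXF_STYLE), ("WebLogic", WEBLOGIC_STYLE)):
        print(name, analyse_signature(doc))
    # Placeholder "DER certificates": any receiver-side store would hold real DER bytes.
    store = [b"placeholder-cert-1", b"placeholder-cert-2"]
    print("thumbprint resolvable:", matches_known_cert("R0VTd2CEaTTD3qJ/lAomm31HARQ=", store))
```

Run it on a captured response to see at a glance whether the peer is being asked to resolve a thumbprint it may not be able to look up, and whether the STR is inside the signed set; both are the points of comparison the message raises, and the thumbprint check is the lookup a receiver-side certificate registry has to be able to answer for a ThumbprintSHA1 reference to verify.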
