Date: Thu, 21 Aug 2014 15:49:12 +0000 (UTC)
From: "Gene B. (JIRA)"
To: dev@ws.apache.org
Subject: [jira] [Commented] (WSS-508) When using "add inclusive prefixes" and EXC C14N - signature cannot be validated

    [ https://issues.apache.org/jira/browse/WSS-508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14105479#comment-14105479 ]

Gene B. commented on WSS-508:
-----------------------------

Colm, I also want to respond to your comment that using InclusiveNamespaces PrefixList is a default and you would've noticed... I've listed our software stack in the ticket - but our setup still might not be obvious. We are running JAX-WS WebSphere stack - the default WebSphere JAX-WS implementation. We're using custom code in custom handlers to configure and call wss4j libs. So we do not have CXF or Spring SOAP stack - those have their own issues running under WebSphere. That is why I believe there is a CXF OSGi distribution - for WebSphere compatibility. That is probably why you never ran it in this particular setup.

So when I ran it under the default settings, with the prefix list included - signature validation failed. Then by experimenting, I set to "false" BSP compliance on the provider, and set to "false" "add inclusive namespaces" option on the consumer, and only then the signature could be validated.

> When using "add inclusive prefixes" and EXC C14N - signature cannot be validated
> --------------------------------------------------------------------------------
>
>                 Key: WSS-508
>                 URL: https://issues.apache.org/jira/browse/WSS-508
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 2.0.0, 2.0.1
>         Environment: WAS 7.x, IBM JDK 1.6, WebSphere JAX-WS stack, MS Windows.
>            Reporter: Gene B.
>            Assignee: Colm O hEigeartaigh
>         Attachments: log 01 - signature verification failed with InclusiveNamespaces PrefixList.txt, log 02 - signature verification ok - signed by SOAP UI.txt, request1-printedby-provider-signedby-soapui.xml, request1-printedby-provider-signedby-wss4j.xml
>
>
> Security implemented using WSS4J securement/validation action approach. We are trying to sign the body.
> The provider is a JAX-WS service running on WebSphere JAX-WS stack. Custom handler uses WSS4j to validate security.
> The consumer is a WebSphere JAX-WS dispatch client – also attaching custom security handler.
> Signature can be validated on the provider side when EXC C14N canonicalization is specified with BST compliance flag relaxed. That is because when we chose to add “InclusiveNamespaces” “PrefixList” on the consumer side, verification fails. When the same test is done with the SOAP UI – signature verifies Ok – so I am blaming the consumer – the signing process - not verification process.
> I am attaching a log file which shows verification failure when the InclusiveNamespaces option is used. If not for this option – this verification would’ve been a success.