Date: Wed, 27 Aug 2014 21:06:58 +0000 (UTC)
From: "Gene B. (JIRA)"
To: dev@ws.apache.org
Reply-To: dev@ws.apache.org
Subject: [jira] [Commented] (WSS-508) When using "add inclusive prefixes" and EXC C14N - signature cannot be validated

    [ https://issues.apache.org/jira/browse/WSS-508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14112845#comment-14112845 ]

Gene B. commented on WSS-508:
-----------------------------

Marc, that last change you checked in actually did the trick - the issue does not appear anymore; and I can visually confirm that the namespaces are correctly added to the canonicalized SignedInfo on the consumer side.

Thank you for looking into this even though it appeared as though the problem was with the DOM provider at some point. I'll do a few more tests tomorrow, and I will close this issue after everything checks out OK.

> When using "add inclusive prefixes" and EXC C14N - signature cannot be validated
> --------------------------------------------------------------------------------
>
>                 Key: WSS-508
>                 URL: https://issues.apache.org/jira/browse/WSS-508
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 2.0.0, 2.0.1
>         Environment: WAS 7.x, IBM JDK 1.6, WebSphere JAX-WS stack, MS Windows.
>            Reporter: Gene B.
>            Assignee: Colm O hEigeartaigh
>         Attachments: log 01 - signature verification failed with InclusiveNamespaces PrefixList.txt, log 02 - signature verification ok - signed by SOAP UI.txt, log_03a - consumer - sign message use InclusiveNamespaces prefix list.txt, log_03b - provider - signature verification failed.txt, request1-printedby-provider-signedby-soapui.xml, request1-printedby-provider-signedby-wss4j.xml
>
>
> Security implemented using WSS4J securement/validation action approach. We are trying to sign the body.
> The provider is a JAX-WS service running on WebSphere JAX-WS stack. Custom handler uses WSS4j to validate security.
> The consumer is a WebSphere JAX-WS dispatch client – also attaching custom security handler.
> Signature can be validated on the provider side when EXC C14N canonicalization is specified with BST compliance flag relaxed. That is because when we chose to add “InclusiveNamespaces” “PrefixList” on the consumer side, verification fails. When the same test is done with the SOAP UI – signature verifies Ok – so I am blaming the consumer – the signing process - not verification process.
> I am attaching a log file which shows verification failure when the InclusiveNamespaces option is used. If not for this option – this verification would’ve been a success.