<?xml version="1.0" encoding="UTF-8"?>
<mail id="%3c5E0CFF197F04F04882BF85F72B0A667C8EF85E@POSTA01.itmaster.local%3e">
 <from><![CDATA[&quot;Montebove Luciano&quot; &lt;L.Monteb...@finsiel.it&gt;]]></from>
 <subject><![CDATA[Why Axis XML signature verification problem is not completely solved by &quot;enableNamespacePrefixOptimization&quot; parameter]]></subject>
 <date><![CDATA[Tue, 25 Jul 2006 10:16:27 GMT]]></date>
 <contents><![CDATA[Hi all,&#010;&#010;I first encountered the XML signature verification problem generated by&#010;the serialization mechanism of Axis 1.x when starting to use wss4j SAML&#010;support based on OpenSAML 1.0.1.&#010;To create a SAML assertion, org.opensaml.SAMLAssertion is used, which&#010;creates assertions this way:&#010;&#010;&lt;Assertion AssertionID="_c7ecbec589fb83a6aff2176535125169"&#010;      IssueInstant="2006-07-24T16:26:22.000Z" Issuer="myissuer"&#010;      MajorVersion="1" MinorVersion="1"&#010;      xmlns="urn:oasis:names:tc:SAML:1.0:assertion"&#010;      xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"&#010;      xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"&gt;&#010;....&#010;&lt;/Assertion&gt;&#010;&#010;When this assertion is signed it shouldn't be modified before signature&#010;verification, but this is not the way Axis serialization works when you set&#010;the "enableNamespacePrefixOptimization" parameter to "false".&#010;In such a case, regardless of the format of the SOAP message received on&#010;the net (with or without the prefix), the assertion will be modified into:&#010;&#010;&lt;saml:Assertion AssertionID="_c7ecbec589fb83a6aff2176535125169"&#010;      IssueInstant="2006-07-24T16:26:22.000Z" Issuer="myissuer"&#010;      MajorVersion="1" MinorVersion="1"&#010;      xmlns="urn:oasis:names:tc:SAML:1.0:assertion"&#010;      xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"&#010;      xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"&gt;&#010;....&#010;&lt;/Assertion&gt;&#010;&#010;breaking signature verification.&#010;Naturally, setting the "enableNamespacePrefixOptimization" parameter to&#010;"true" solves this problem, but then this workaround can create a&#010;situation that seems an unsolvable problem to me.&#010;As you know, the "enableNamespacePrefixOptimization" parameter was&#010;introduced to solve the mirror-image problem to that of my SAML assertion,&#010;when we have a SOAP body like this:&#010; &lt;soapenv:Body 
wsu:id="id-23412344"&#010;    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-2004"&gt;&#010;  &lt;somepfx:SomeTag id="e0sdoaeckrpd" xmlns="ns:uri:one"&#010;    xmlns:somepfx="ns:uri:one"&gt;hello&lt;/somepfx:SomeTag&gt;&#010;  &lt;/soapenv:Body&gt; &#010;&#010;This can work when received in Axis only if you set the&#010;"enableNamespacePrefixOptimization" parameter to "false"; otherwise the&#010;signature validation will fail, as the message would be changed into:&#010;&lt;soapenv:Body wsu:id="id-23412344"&#010;    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-2004"&gt;&#010;  &lt;SomeTag id="e0sdoaeckrpd" xmlns="ns:uri:one"&#010;    xmlns:somepfx="ns:uri:one"&gt;hello&lt;/SomeTag&gt;&#010;  &lt;/soapenv:Body&gt; &#010;See https://issues.apache.org/jira/browse/AXIS-1624 for a discussion of&#010;the problem and the solution proposed.&#010;&#010;And now the unsolvable problem:&#010;if I have a SOAP message with a SAML assertion and a SOAP body like in&#010;my example and I sign both, a receiving Axis service will not be able to&#010;validate both signatures:&#010;- if I set the "enableNamespacePrefixOptimization" parameter to "false", the&#010;SAML assertion signature validation will fail;&#010;- if I set the "enableNamespacePrefixOptimization" parameter to "true", the&#010;SOAP body signature validation will fail.&#010;&#010;Changing the SOAP clients can't be a solution, as they are not always&#010;under our control :)&#010;&#010;Any idea on how to deal with this "deadlock"?&#010;I tested only Axis 1.3 and 1.4. Is there anyone using Axis2/Axiom who&#010;can report whether the same problem still exists in this release?&#010;&#010;Regards,&#010;&#010;Luciano&#010;&#010;&#010;&#010;&#010;&#010;&#010;---------------------------------------------------------------------&#010;To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org&#010;For additional commands, e-mail: wss4j-dev-help@ws.apache.org&#010;&#010;&#010;]]></contents>
 <mime>
<part ct="text/plain" cd="inline" cte="Quoted Printable" length="3452" link="/" />
 </mime>
</mail>
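The failure the message above describes, modelled in Python as an added example (editor's code, not from the mail, wss4j, OpenSAML or Axis). It constructs the two signed elements quoted in the mail, parses each into its namespace-aware infoset, re-emits it the way a serializer that rebuilds elements from the infoset must (it has to choose one of two bindings of the same URI, because the prefix that was on the wire is not in the infoset), and compares a digest of the result with a digest of what was signed. The `reserialize` function and its `prefix_optimization` flag are a hypothetical model of the behaviour the mail attributes to the Axis setting, not Axis's implementation. The digest is plain SHA-1 over the octets, without the C14N step a real ds:Reference applies; that is a fair shortcut here because Canonical XML 1.0 and Exclusive C14N normalize attribute order and whitespace but keep namespace prefixes exactly as written, so the inputs are simply laid out in the one-line form the model serializer emits.

```python
import hashlib
import io
import xml.etree.ElementTree as ET

# Constructed inputs modelled on the two elements quoted in the mail, laid out
# in the one-line form the model serializer below emits (a real verifier gets
# there through C14N, which normalizes layout but never renames prefixes).
SAML_AS_SENT = (
    b'<Assertion AssertionID="_c7ecbec589fb83a6aff2176535125169"'
    b' IssueInstant="2006-07-24T16:26:22.000Z" Issuer="myissuer"'
    b' MajorVersion="1" MinorVersion="1"'
    b' xmlns="urn:oasis:names:tc:SAML:1.0:assertion"'
    b' xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"'
    b' xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">....</Assertion>'
)
BODY_AS_SENT = (
    b'<somepfx:SomeTag id="e0sdoaeckrpd"'
    b' xmlns="ns:uri:one" xmlns:somepfx="ns:uri:one">hello</somepfx:SomeTag>'
)


def infoset(xml_bytes: bytes):
    """Namespace-aware view of one element: expanded name, attributes, text.
    The prefix used on the wire is not part of this view."""
    root = ET.fromstring(xml_bytes)
    return root.tag, dict(root.attrib), root.text


def reserialize(xml_bytes: bytes, prefix_optimization: bool) -> bytes:
    """Hypothetical model (not Axis code) of a serializer that rebuilds an
    element from its infoset. Handles one element with text content and
    unprefixed attributes. When the element's namespace URI is bound both as
    the default namespace and to a prefix, the serializer has to pick one.
    prefix_optimization=False prefers the explicit prefix (the mail's case:
    <Assertion> comes back as <saml:Assertion>); True prefers the default
    namespace (the mail's other case: <somepfx:SomeTag> comes back as <SomeTag>).
    """
    bindings, root = [], None
    events = ET.iterparse(io.BytesIO(xml_bytes), events=("start-ns", "start"))
    for event, payload in events:
        if root is None and event == "start-ns":
            bindings.append(payload)  # (prefix, uri) declared on the root
        elif root is None and event == "start":
            root = payload
    if root.tag.startswith("{"):
        uri, local = root.tag[1:].split("}", 1)
    else:
        uri, local = "", root.tag
    bound = [p for p, u in bindings if u == uri]
    explicit = [p for p in bound if p]
    if explicit and (not prefix_optimization or "" not in bound):
        prefix = explicit[0]
    else:
        prefix = ""
    qname = f"{prefix}:{local}" if prefix else local
    attrs = "".join(f' {k}="{v}"' for k, v in root.attrib.items())
    decls = "".join(f' xmlns:{p}="{u}"' if p else f' xmlns="{u}"'
                    for p, u in sorted(bindings))
    return f"<{qname}{attrs}{decls}>{root.text or ''}</{qname}>".encode()


def digest(xml_bytes: bytes) -> str:
    """Stand-in for a ds:Reference DigestValue (SHA-1, the usual choice in 2006)."""
    return hashlib.sha1(xml_bytes).hexdigest()


def reference_valid(signed_octets: bytes, octets_at_verifier: bytes) -> bool:
    """A Reference validates only if the verifier hashes the same octets."""
    return digest(signed_octets) == digest(octets_at_verifier)


def verify_after_reserialization(prefix_optimization: bool) -> dict:
    """Both the SAML assertion and the SOAP body element are signed; report
    which Reference still validates after the receiver rebuilt both elements."""
    return {
        "saml_assertion": reference_valid(
            SAML_AS_SENT, reserialize(SAML_AS_SENT, prefix_optimization)),
        "soap_body": reference_valid(
            BODY_AS_SENT, reserialize(BODY_AS_SENT, prefix_optimization)),
    }


if __name__ == "__main__":
    # Same infoset either way: the serializer cannot tell which form was signed.
    assert infoset(SAML_AS_SENT) == infoset(reserialize(SAML_AS_SENT, False))
    for setting in (False, True):
        print(f"enableNamespacePrefixOptimization={str(setting).lower()}:",
              verify_after_reserialization(setting))
```

With `prefix_optimization=False` the assertion Reference fails and the body Reference passes; with `True` it is the other way round. That is the deadlock the mail describes: no single receiver-side setting makes both digests match, because the fact that distinguishes the two serializations (which of two equivalent bindings the sender chose) is not present in the infoset the serializer works from, so the signed octets cannot be reconstructed from it. A verifier that wants to survive this has to validate the Reference against the octets as received, before any re-serialization.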

