[
https://issues.apache.org/jira/browse/CXF-3414?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13010166#comment-13010166
]
Colm O hEigeartaigh commented on CXF-3414:
------------------------------------------
Hi,
Two points...
1) The custom SOAP header is not sent in the message, the SOAP handler is only
installed on the inbound side.
2) The test-case works if you remove the SAAJInInterceptor. It isn't needed, as
the WSS4JInInterceptor will call it automatically.
Beyond that, I'm not sure without digging into it deeper what's causing the
SOAP body child to be duplicated, and cause the signature verification to fail
as a result.
Colm.
> Signature verification fails with custom SOAP header
> ----------------------------------------------------
>
> Key: CXF-3414
> URL: https://issues.apache.org/jira/browse/CXF-3414
> Project: CXF
> Issue Type: Bug
> Components: WS-* Components
> Affects Versions: 2.3.2
> Reporter: Jens Granseuer
> Attachments: signature-handler.zip
>
>
> When a client sends a signed message body, and also includes a custom SOAP
> header in the message, signature verification fails at the receiving end.
> {quote}
> 2011-03-23 14:33:41,159 DEBUG | verify 1 References | signature.Manifest
> 2011-03-23 14:33:41,159 DEBUG | I am not requested to follow nested Manifests
> | signature.Manifest
> 2011-03-23 14:33:41,159 DEBUG | setElement("ds:Reference", "null") |
> utils.ElementProxy
> 2011-03-23 14:33:41,159 DEBUG | setElement("ds:Transforms", "null") |
> utils.ElementProxy
> 2011-03-23 14:33:41,159 DEBUG | Request for URI
> http://www.w3.org/2000/09/xmldsig#sha1 | algorithms.JCEMapper
> 2011-03-23 14:33:41,159 DEBUG | I was asked to create a ResourceResolver and
> got 1 | resolver.ResourceResolver
> 2011-03-23 14:33:41,159 DEBUG | extra resolvers to my existing 4 system-wide
> resolvers | resolver.ResourceResolver
> 2011-03-23 14:33:41,159 DEBUG | check resolvability by class
> org.apache.ws.security.message.EnvelopeIdResolver | resolver.ResourceResolver
> 2011-03-23 14:33:41,159 DEBUG | enter engineResolve, look for: #id-2 |
> message.EnvelopeIdResolver
> 2011-03-23 14:33:41,159 DEBUG | exit engineResolve, result:
> XMLSignatureInput/Element/[soap:Body: null] exclude null comments:false/null
> | message.EnvelopeIdResolver
> 2011-03-23 14:33:41,159 DEBUG | setElement("ds:Transform", "null") |
> utils.ElementProxy
> 2011-03-23 14:33:41,159 DEBUG | Pre-digested input: |
> utils.DigesterOutputStream
> 2011-03-23 14:33:41,159 DEBUG | <soap:Body
> xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/";
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
> wsu:Id="id-2"><greetMe
> xmlns="http://apache.org/hello_world_soap_http/types";><requestType>Master</requestType></greetMe><greetMe
>
> xmlns="http://apache.org/hello_world_soap_http/types";><requestType>Master</requestType></greetMe></soap:Body>
> | utils.DigesterOutputStream
> 2011-03-23 14:33:41,159 WARN | Verification failed for URI "#id-2" |
> signature.Reference
> 2011-03-23 14:33:41,159 WARN | Expected Digest: yFxDQhgODwm09BOOEJwzrMzvfO4=
> | signature.Reference
> 2011-03-23 14:33:41,159 WARN | Actual Digest: l9AeEEtC5yLW+5gbX/vJunbkhrU= |
> signature.Reference
> {quote}
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
