Java Mailing List Archive

http://www.java2.5341.com/

Home » axis-user.ws »

Receive WSSecurityException (The signature verification failed)

Hans-Bernhard Friedrich

2010-02-15

Replies: Find Java Web Hosting

Author LoginPost Reply
Hi,

I work on a webservice client and I always receive the same error when I try to make a request to our clients webservice.

"org.apache.ws.security.WSSecurityException (The signature verification failed)"

- Our client's webservice is axis-based, more I don't know

- I use rampart 1.3 and Axis2 1.4.1, EclipseEE
- I generated the customers WSDLs with axis2 1.4.1 in EclipseEE
- I received certificates of our customer and imported them to a keystore
- I set up the the security using outflow configuration. I know it's deprecated but it seemed easier to me than using a policy.xml.
- I also set up a client using a policy.xml signing the body but reveice the same error. I will change to policy in the next step.

- I read all I could find on the web and in mailinglists but nothing helped:
- XML is UTF-B
- JVM argument "language=EN" didn't help
- Mixing different Axis2 and rampart versions didn't help
- Changing xmlsec1.4.0. jar to  1.4.1 or 1.4.2 didn't help
- The certs are have not expired
- Eclipse' Workspace encoding is UTF-8

Question:
- Does the exception really mean the SOAP-Envelope has been changed after is was singed? Are there any other reasons this exception could be thrown?

- What is about the "Pretty Printing" of the XML issue I've found on the mailing list. This this really solved in axis2 1.4.1?
- Is there a way to set up namespace optimation and pretty printing manually in axis2 like in axis 1?
- Could somethig else be wrong with the certificates?

The thing is when I use the a modified sample using a policy.xml I get the same Exception

- Is there anything I could tell our client to changed what could help me?

What did I do special:
- Wrote a little handler to avoid "mustunderstand"-Problem in the response: I Set all headers in the response to processed. The error also occurs if I don't engage my handler

Here is my Security setup using outflowConfiguration:

...options.setProperty(WSSHandlerConstants.OUTFLOW_SECURITY, getOutflowConfiguration());
...
private  Parameter getOutflowConfiguration() {
        OutflowConfiguration ofc = new OutflowConfiguration();
        ofc.setActionItems("Timestamp Signature");
        ofc.setSignatureParts("{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp");
        ofc.setUser("fcms-aci");
        ofc.setPasswordCallbackClass("de.aci.handler.PWCBHandler");
        ofc.setSignaturePropRefId("cyrpto_props");              
        ofc.setSignatureKeyIdentifier(WSSHandlerConstants.X509_KEY_IDENTIFIER);
        return ofc.getProperty();
    }



The PWCBHandler is the same as in all Samples. I just changed the alias and the password

I set the properties programmatically, because they should change dynamically later:
           
Properties prop1 = getProps();
serviceclient.getOptions.options.setProperty("cyrpto_props", prop1);
...
    private Properties getProps() {
                Properties prop1 =  new Properties();
                prop1.setProperty("org.apache.ws.security.crypto.provider", "org.apache.ws.security.components.crypto.Merlin");
                prop1.setProperty("org.apache.ws.security.crypto.merlin.keystore.type", "jks");
                prop1.setProperty("org.apache.ws.security.crypto.merlin.keystore.password", "L7uZJX1JUZ9l@+W2");
                prop1.setProperty("org.apache.ws.security.crypto.merlin.file", "fcms.keystore");
                return prop1;
          }
       


Does anybody has an idea what I do wrong?

Thank you so very much in advance for any ideas!!!!

Greetings
Hans
©2008 java2.5341.com - Jax Systems, LLC, U.S.A.