Hi all, I've got the following Signature of a SOAP-Header built with Rampart: <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-30721078"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/> <ds:Reference URI="#Id-6935595"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>zo9esKQnicy3e5eQidwJBZs1c4E=</ds:DigestValue> </ds:Reference> <ds:Reference URI="#Timestamp-13983828"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>jGS8NoS39F6SNr9YWjSmXmeOYAA=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>tRIOHs2UgyJLwTj2hRh4QOeoc1I=</ds:SignatureValue> <ds:KeyInfo Id="KeyId-27120092"> <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-3996874"> <wsse:Reference URI="#EncKeyId-urn:uuid:EC1EA7F6B5126BB58312292966622658" ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#EncryptedKey"/> </wsse:SecurityTokenReference> </ds:KeyInfo> </ds:Signature>
But when when the SignatureProcessor tries to verify it, I get the following stack trace: org.apache.axis2.AxisFault: The signature or decryption was invalid at org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:166) at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:95) at org.apache.axis2.engine.Phase.invoke(Phase.java:317) at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:264) at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:163) at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:275) at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:133) at javax.servlet.http.HttpServlet.service(HttpServlet.java:710) at javax.servlet.http.HttpServlet.service(HttpServlet.java:803) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:874) at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665) at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528) at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81) at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689) at java.lang.Thread.run(Unknown Source) Caused by: org.apache.ws.security.WSSecurityException: The signature or decryption was invalid at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:419) at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:85) at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:311) at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:228) at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:181) at org.apache.rampart.RampartEngine.process(RampartEngine.java:138) at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92) ... 21 more Does anyone have an idea? If not: How can i disable the verification of the signature with Rampart? Thank, Thorsten -- Thorsten Deelmann