Dear David,
thank you for the reply. But since I'm working on a Java w3c-Document
objects, I think white spaces are not the problem here. But I'll do
some further investigation.
Regards, Alex
Am 22.01.2008 um 17:42 schrieb <[EMAIL PROTECTED]> <[EMAIL PROTECTED]
>:
Hi,
Wouldn't this be due to the extra space that can be found around
elements (space used for pretty formatting). That would account for
the
fact the PrettyDocumentToString method works.
Remember the way signature works: a hash of the XML document is taken
then signed. Obviously, if there's additional (or fewer) whitespace,
the
hash changes which results in the signature being invalid...
Hope this helps...
David.
David Brossard
_______________________
Linkedin Profile: http://www.linkedin.com/in/davidbrossard
_______________________
-----Original Message-----
From: Alexander Willner [mailto:[EMAIL PROTECTED]
Sent: 22 January 2008 15:31
To: [email protected]
Subject: Problem with XmlUtils.toString and WSS4J
Hello everyone,
there seems to be a serious problem with XmlUtils.toString(Doc) and
WSS4J. When you convert a document to its XML representation and then
back to a document again, it can't be validated by WSS4J anymore. This
happens e.g. when receiving a SOAP message via the MiniServlet.
I've written a JUnit test to show the problem:
------------------------------------------------------------------------
-------------------
public final void testSignatureToString() throws IOException,
SAXException,
SignatureNotFoundException {
/* Create valid signed example
-------------------------------------- */
Document request =
createExampleRequestWithoutSignature
(this.exampleRequestWithoutSignature);
Document response = this.secureHandler.addSignature(request);
String responseString = XmlUtils.toString(response);
/*
------------------------------------------------------------------ */
/* Check example
---------------------------------------------------- */
boolean check = this.signer.checkSignature(response);
Assert.assertTrue("Signature is valid!", check);
/*
------------------------------------------------------------------ */
/* Create a copy (e.g. receive example via Webservice
--------------- */
Document newResponse = XmlUtils.createDocument(responseString);
String newResponseString = XmlUtils.toString(newResponse);
Assert.assertTrue("Strings are equal", newResponseString
.equals(responseString));
/*
------------------------------------------------------------------ */
/*
------------------------------------------------------------------ */
check = this.signer.checkSignature(newResponse);
Assert.assertTrue("Signature is valid", check); // this fails!!!
/*
------------------------------------------------------------------
*/ }
------------------------------------------------------------------------
-------------------
The solution here is to use XMLUtils.PrettyDocumentToString(Doc) [1]
instead of XmlUtils.toString(Doc):
------------------------------------------------------------------------
-------------------
public final void testSignatureToString() throws IOException,
SAXException,
SignatureNotFoundException {
/* Create valid signed example
-------------------------------------- */
Document request =
createNspExampleRequestWithoutSignature
(this.nspExampleRequestWithoutSignature);
this.secureHandler.setAddSignatureFlag(true);
Document response = this.secureHandler.addSignature(request);
String responseString =
XMLUtils.PrettyDocumentToString(response);
/*
------------------------------------------------------------------ */
/* Check example
---------------------------------------------------- */
boolean check = this.signer.checkSignature(response);
Assert.assertTrue("Signature is valid!", check);
/*
------------------------------------------------------------------ */
/* Create a copy (e.g. receive example via Webservice
--------------- */
Document newResponse = XmlUtils.createDocument(responseString);
String newResponseString =
XMLUtils.PrettyDocumentToString(newResponse);
String newResponseString2 = XmlUtils.toString(newResponse);
System.out.println("Test1: ---------");
System.out.println(newResponseString);
System.out.println("Test2: ---------");
System.out.println(newResponseString2);
Assert.assertTrue("Strings are equal", newResponseString
.equals(responseString));
/*
------------------------------------------------------------------ */
/*
------------------------------------------------------------------ */
check = this.signer.checkSignature(newResponse);
Assert.assertTrue("Signature is valid", check);
/*
------------------------------------------------------------------
*/ }
------------------------------------------------------------------------
-------------------
Regards, Alex
[1]
http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/util/XMLUtils
.
html#PrettyDocumentToString(org.w3c.dom.Document)
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
