Hi, we're using the METRO version of BS to communicate with the PHP OPS with
security enabled, but we get a '500 Internal Server Error' whose reason is
'Signature Verification failed.' For comparison, we used the .NET version of
Stocktrader to communicate with the PHP version in both directions (.NET BS->PHP
OPS and PHP BS->.NET OPS), and both worked fine.
*Following is a brief explanation of the different versions of Stocktrader used:*

   - .NET Stocktrader: built from the source code in /branches/m1
   - PHP Stocktrader: built from the source code in /branches/m1
   - WSO2 Stocktrader: built from the trunk version source code
   - Metro Stocktrader: the same as in the contrib directory

On our local workstation, all scenarios, both with and without security,
have been verified except METRO BS->PHP OPS with security.

*Following are the scenarios tested with security:*

   - .NET Stocktrader <=> Metro Stocktrader
   - PHP Stocktrader <=> WSO2 Stocktrader
   - .NET Stocktrader <=> WSO2 Stocktrader(need to downgrade the WSAS server
   from version 3.0.1 to 3.0)
   - .NET Stocktrader <=> PHP Stocktrader
   - Metro BS -> WSO2 OPS
   - PHP BS -> Metro OPS
   - WSO2 BS -> Metro OPS(need to generate the Metro OPS from the WSO2
   version OrderProcessorMsec.wsdl)
   - Metro BS -> PHP OPS *failed*

*Our understanding of the Metro BS->PHP OPS failure:*
1. The same certificate and private key, the default OPS ones, are used in
all of the scenario verifications, so the problem shouldn't be a
certificate issue.
2. Since .NET BS/Metro BS->Metro OPS and .NET BS/Metro BS->WSO2 OPS both
work, the security configurations and policy definitions in .NET BS and
Metro BS should be functionally equal.
3. Since .NET BS->PHP OPS works, there shouldn't be any problem with Metro BS
communicating with PHP OPS.

Is our understanding wrong? Could anyone offer some suggestions?

I have attached the error.log from GlassFish and the SOAP request/response
messages captured while placing an order, which should give you more details
about the problem.

Thanks

------
Ming Jin

Consultant
Thoughtworks, Inc
POST /php_stocktrader/order_processor/order_processor_svc_msec.php HTTP/1.1
Accept: application/soap+xml, multipart/related, text/html, image/gif, 
image/jpeg, *; q=.2, */*; q=.2
Content-Type: application/soap+xml;charset="utf-8";action="SubmitOrder"
User-Agent: JAX-WS RI 2.1.3.1-hudson-749-SNAPSHOT
Host: localhost:8080
Connection: keep-alive
Content-Length: 6111


<?xml version="1.0" ?> 
- <S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope"; 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
 xmlns:xs="http://www.w3.org/2001/XMLSchema"; 
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"; 
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"; 
xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#";>
- <S:Header>
  <To xmlns="http://www.w3.org/2005/08/addressing"; 
wsu:Id="_5004">http://localhost:8080/php_stocktrader/order_processor/order_processor_svc_msec.php</To>
 
  <Action xmlns="http://www.w3.org/2005/08/addressing"; 
wsu:Id="_5003">SubmitOrder</Action> 
- <wsse:Security S:mustUnderstand="true">
- <wsu:Timestamp xmlns:ns10="http://schemas.xmlsoap.org/soap/envelope/"; 
xmlns:ns11="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"; 
wsu:Id="_3">
  <wsu:Created>2009-06-12T05:58:14Z</wsu:Created> 
  <wsu:Expires>2009-06-12T06:03:14Z</wsu:Expires> 
  </wsu:Timestamp>
- <xenc:EncryptedKey xmlns:ns10="http://schemas.xmlsoap.org/soap/envelope/"; 
xmlns:ns11="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"; 
Id="_5002">
  <xenc:EncryptionMethod 
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"; /> 
- <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
xsi:type="keyInfo">
- <wsse:SecurityTokenReference>
  <wsse:KeyIdentifier 
ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1";
 
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";>+g9Yu2BfpDNp4nno+QiIcv3gmUM=</wsse:KeyIdentifier>
 
  </wsse:SecurityTokenReference>
  </ds:KeyInfo>
- <xenc:CipherData>
  
<xenc:CipherValue>NbacrsIOX0rFwI+1vnCNz8u9JFWy/18tCqOUJ40UEud+nry2XI+0lazMKOkzFjqYYcz2KikiexX4PlK5RzQ162T2lFGGNflITH7hYJSaFcOKeyW1v3054LbQ5kATDP2wmmwnnLDwVQ2CehpJuKHjuKEgdeMtUT+rDm+p2EPx2Hg=</xenc:CipherValue>
 
  </xenc:CipherData>
  </xenc:EncryptedKey>
- <xenc:ReferenceList 
xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"; 
xmlns:ns16="http://schemas.xmlsoap.org/soap/envelope/"; xmlns="">
  <xenc:DataReference URI="#_5006" /> 
  </xenc:ReferenceList>
- <ds:Signature xmlns:ns10="http://schemas.xmlsoap.org/soap/envelope/"; 
xmlns:ns11="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"; 
Id="_1">
- <ds:SignedInfo>
- <ds:CanonicalizationMethod 
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";>
  <exc14n:InclusiveNamespaces PrefixList="wsse S" /> 
  </ds:CanonicalizationMethod>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"; 
/> 
- <ds:Reference URI="#_5003">
- <ds:Transforms>
- <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";>
  <exc14n:InclusiveNamespaces PrefixList="S" /> 
  </ds:Transform>
  </ds:Transforms>
  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"; /> 
  <ds:DigestValue>CKEg7BB9jD54Yqj1iDoLTTDsrJk=</ds:DigestValue> 
  </ds:Reference>
- <ds:Reference URI="#_5004">
- <ds:Transforms>
- <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";>
  <exc14n:InclusiveNamespaces PrefixList="S" /> 
  </ds:Transform>
  </ds:Transforms>
  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"; /> 
  <ds:DigestValue>679n8XgS8F44lnUABJp0QJowalw=</ds:DigestValue> 
  </ds:Reference>
- <ds:Reference URI="#_5005">
- <ds:Transforms>
- <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";>
  <exc14n:InclusiveNamespaces PrefixList="S" /> 
  </ds:Transform>
  </ds:Transforms>
  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"; /> 
  <ds:DigestValue>McvnxHMFRB++CQ7dkpTQ9H4fRi8=</ds:DigestValue> 
  </ds:Reference>
- <ds:Reference URI="#_3">
- <ds:Transforms>
- <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";>
  <exc14n:InclusiveNamespaces PrefixList="wsu wsse S" /> 
  </ds:Transform>
  </ds:Transforms>
  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"; /> 
  <ds:DigestValue>EVub1hx9uoRoWjlBP3k5XG348hE=</ds:DigestValue> 
  </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>vju3myZhPELvLriWdHLEJ8i+5II=</ds:SignatureValue> 
- <ds:KeyInfo>
- <wsse:SecurityTokenReference 
wsu:Id="uuid_8ca5ba52-e13a-43bb-8856-cf98a2bd09ad">
  <wsse:Reference 
ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey";
 URI="#_5002" /> 
  </wsse:SecurityTokenReference>
  </ds:KeyInfo>
  </ds:Signature>
  </wsse:Security>
  </S:Header>
- <S:Body wsu:Id="_5005">
- <xenc:EncryptedData xmlns:ns10="http://schemas.xmlsoap.org/soap/envelope/"; 
xmlns:ns11="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"; 
Type="http://www.w3.org/2001/04/xmlenc#Content"; Id="_5006">
  <xenc:EncryptionMethod 
Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"; /> 
- <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
xsi:type="keyInfo">
- <wsse:SecurityTokenReference>
  <wsse:Reference 
ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey";
 URI="#_5002" /> 
  </wsse:SecurityTokenReference>
  </ds:KeyInfo>
- <xenc:CipherData>
  
<xenc:CipherValue>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</xenc:CipherValue>
 
  </xenc:CipherData>
  </xenc:EncryptedData>
  </S:Body>
  </S:Envelope>
HTTP/1.1 500 Internal Server Error
Date: Fri, 12 Jun 2009 05:58:14 GMT
Server: Apache/2.2.11 (Win32) PHP/5.2.9-2
X-Powered-By: PHP/5.2.9-2
Content-Length: 961
Connection: close
Content-Type: application/soap+xml;charset=UTF-8

<soapenv:Envelope 
xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope";><soapenv:Header 
xmlns:wsa="http://www.w3.org/2005/08/addressing"; 
xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope";><wsa:Action>SubmitOrder</wsa:Action><wsa:MessageID>urn:uuid:88c028f6-b2ab-42f4-9e61-da95a1f18005</wsa:MessageID></soapenv:Header><soapenv:Body><soapenv:Fault><soapenv:Code><soapenv:Value>soapenv:Sender</soapenv:Value><soapenv:Subcode
 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";><soapenv:Value>wsse:InvalidSecurity</soapenv:Value></soapenv:Subcode></soapenv:Code><soapenv:Reason><soapenv:Text
 xml:lang="en">Signature Verification 
failed.</soapenv:Text></soapenv:Reason><soapenv:Detail><wsse:ProblemSecurityHeader
 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";>ds:Signature</wsse:ProblemSecurityHeader></soapenv:Detail></soapenv:Fault></soapenv:Body></soapenv:Envelope>
