BSP compliance is enabled by default. I debugged a lot and identified BSP specific attributes/namespaces being added to KeyInfo element. So the signature was actually invalid. Disabling BSP compliance did the trick for me, for now. I may have to find another alternative in future. Hope this helps your case.
Thanks, Giriraj. On Tue, Mar 4, 2014 at 1:12 PM, cxf newbie <calisto.s...@gmail.com> wrote: > Hi, > > I also have similar problem: > > > http://cxf.547215.n5.nabble.com/WebSphere-8-wss4j-and-cxf-signature-validation-td5739363.html > > Did you make any progress ? > > I tried some options: > > 1. Verifying certificate chain. > 2. Adding Bouncy Castle as provider to WSSConfig instead of IBMJCE. > 3. Avoiding xmlsec at all (unsuccsessfully). > 4. Logging and wiresharking request and response. > > But no use. > > I tried to sign Body and Timestamp tag. > Also noticed that Body attribute "wsu:Id" is placed before "xmlns:wsu" > attribute when response message leaves web service. When the same response > comes to client side their order is swapped. > I am signing body and timestamp. > > As you already noticed "PARENT_LAST" and osgi may be problem: > http://veithen.blogspot.com/2013/10/broken-by-design-websphere-stax.html > > Also look at this: > > http://blog.lodeblomme.be/2011/09/27/apache-cxf-ws-security-the-signature-or-decryption-was-invalid > They say it may be problem with Linux or even Java 6. > > I can not debugg "verify" method because I haven't source for IBMJCE and > debugger behaves very strangely evevn when Bouncy Castle is used. > > Cheers > > > > -- > View this message in context: > http://cxf.547215.n5.nabble.com/Unable-to-verify-signature-with-Apache-CXF-and-WSS4J-on-Websphere-Application-Server-8-5-tp5740358p5740804.html > Sent from the cxf-user mailing list archive at Nabble.com. >