Hi. I am relatively new to CXF. I have an issue that I've struggled with for days. I'm hoping someone has insight into how I might resolve the issue. Thanks!
Setup: * WSDL (given below) with WS-Security policy having the following characteristics: * Timestamp in security portion of message header * Digitally signed (1) message body and (2) timestamp in security portion of message header * Web Service Provider: CXF 3.0.11-based application deployed to WebSphere 8.5.5.8. (Application is configured using WS-SecurityPolicy method, not the CXF interceptor method.) * Web Service Clients: * CXF 3.0.11-based application deployed to WebSphere 8.5.5.8 (separate EAR and server than the provider). (Application is configured using WS-SecurityPolicy method, not the CXF interceptor method.) * SoapUI with manually configured outgoing security policy Problem: * When the Web Service is invoked by SoapUI, everything seemingly works fine. The provider application successfully validates the digitally signed message body and the digitally signed timestamp in the security portion of the message header. * When the Web Service is invoked by the CXF-based application running on WebSphere, the provider application successfully validates the digitally signed message body, but it **does not successfully validate the digitally signed timestamp** in the security portion of the message header. According to the provider application’s trace log, the actual digest of the timestamp does not match the expected digest in the request. I have noticed some differences between requests sent from SoapUI versus requests sent from the WebSphere/CXF-based application. I am not an expert in either CXF or WS-Security, but one difference jumps out at me: * In the request from SoapUI, the ds:Reference for the timestamp has a ds:Transforms/ds:Transform with an ec:InclusiveNamespaces sub-element. * In the request from the WebSphere/CXF-based client, the timestamp has a ds:Transforms/ds:Transform that ***does not have*** an ec:InclusiveNamespaces sub-element. Might this be the problem? If so, then how might I configure CXF to add the ec:InclusiveNamespaces sub-element? Might the other differences in the requests (given below) be contributors to this problem? WSDL <?xml version='1.0' encoding='UTF-8'?> <definitions xmlns="http://schemas.xmlsoap.org/wsdl/"; xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"; xmlns:tns="http://www.example.com/contract/WebServiceA"; xmlns:common="http://common.webservicea.webservice.com"; xmlns:x1="http://webservicea.webservice.com"; xmlns:xsd="http://www.w3.org/2001/XMLSchema"; xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"; xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"; xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"; name="WebServiceA" targetNamespace="http://www.example.com/contract/WebServiceA";> <types> <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"; targetNamespace="http://common.webservicea.webservice.com"; elementFormDefault="qualified" version="1.0"> <xs:include schemaLocation="WebServiceACommonTypes.xsd"/> </xs:schema> <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"; targetNamespace="http://webservicea.webservice.com"; elementFormDefault="qualified" version="1.0"> <xs:element name="sendDataA"> <xs:complexType> <xs:sequence> <xs:element name="theDataA" type="xs:string" minOccurs="0"/> </xs:sequence> </xs:complexType> </xs:element> <xs:element name="sendDataAResponse"> <xs:complexType> <xs:sequence> <xs:element name="theResponseA" type="xs:string" minOccurs="0"/> </xs:sequence> </xs:complexType> </xs:element> </xs:schema> </types> <message name="msgSendDataARequest"> <part name="inA" element="x1:sendDataA"/> </message> <message name="msgSendDataAResponse"> <part name="outA" element="x1:sendDataAResponse"/> </message> <message name="WebServiceAEndpointException"> <part name="fault" element="common:WebServiceAEndpointFault"/> </message> <portType name="WebServiceAEndpoint"> <operation name="sendDataA"> <input name="msgSendDataARequest" message="tns:msgSendDataARequest"/> <output name="msgSendDataAResponse" message="tns:msgSendDataAResponse"/> <fault name="WebServiceAEndpointException" message="tns:WebServiceAEndpointException"/> </operation> </portType> <binding name="WebServiceAPortBinding" type="tns:WebServiceAEndpoint"> <wsp:PolicyReference URI="#WebServiceABCommonPortBindingPolicy"/> <soap:binding transport="http://schemas.xmlsoap.org/soap/http"; style="document"/> <operation name="sendDataA"> <soap:operation soapAction="" style="document"/> <input name="msgSendDataARequest"> <soap:body use="literal"/> <wsp:PolicyReference URI="#WebServiceABCommonPartsPolicy"/> </input> <output name="msgSendDataAResponse"> <soap:body use="literal"/> <wsp:PolicyReference URI="#WebServiceABCommonPartsPolicy"/> </output> <fault name="WebServiceAEndpointException"> <soap:fault name="WebServiceAEndpointException" use="literal"/> <wsp:PolicyReference URI="#WebServiceABCommonPartsPolicy"/> </fault> </operation> </binding> <service name="WebServiceA"> <port name="WebServiceAPort" binding="tns:WebServiceAPortBinding"> <soap:address location="http://my.testserver.com:8094/AppAlpha/services/WebServiceA"/> </port> </service> <wsp:Policy wsu:Id="WebServiceABCommonPortBindingPolicy"> <wsp:ExactlyOne> <wsp:All> <sp:AsymmetricBinding> <wsp:Policy> <sp:InitiatorToken> <wsp:Policy> <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient";> <wsp:Policy> <sp:WssX509V3Token11/> </wsp:Policy> </sp:X509Token> </wsp:Policy> </sp:InitiatorToken> <sp:RecipientToken> <wsp:Policy> <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never";> <wsp:Policy> <sp:WssX509V3Token11/> <sp:RequireIssuerSerialReference/> </wsp:Policy> </sp:X509Token> </wsp:Policy> </sp:RecipientToken> <sp:Layout> <wsp:Policy> <sp:Lax/> </wsp:Policy> </sp:Layout> <sp:IncludeTimestamp/> <sp:OnlySignEntireHeadersAndBody/> <sp:AlgorithmSuite> <wsp:Policy> <sp:Basic128/> </wsp:Policy> </sp:AlgorithmSuite> </wsp:Policy> </sp:AsymmetricBinding> <sp:Wss11> <wsp:Policy> <sp:MustSupportRefIssuerSerial/> </wsp:Policy> </sp:Wss11> </wsp:All> </wsp:ExactlyOne> </wsp:Policy> <wsp:Policy wsu:Id="WebServiceABCommonPartsPolicy"> <wsp:ExactlyOne> <wsp:All> <sp:SignedParts> <sp:Body/> </sp:SignedParts> </wsp:All> </wsp:ExactlyOne> </wsp:Policy> </definitions> Sample request from SoapUI client: <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"; xmlns:web="http://webservicea.webservice.com";> <soapenv:Header> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"; xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";> <ds:Signature Id="SIG-C7673B28E08C976B171483450058365204" xmlns:ds="http://www.w3.org/2000/09/xmldsig#";> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";> <ec:InclusiveNamespaces PrefixList="soapenv web" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:CanonicalizationMethod> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <ds:Reference URI="#id-C7673B28E08C976B17148303280420510"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";> <ec:InclusiveNamespaces PrefixList="web" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transform> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>ZgTp1NLRNQAYHXnsvUE5I9ajbyg=</ds:DigestValue> </ds:Reference> <ds:Reference URI="#TS-C7673B28E08C976B171483450058362200"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";> <ec:InclusiveNamespaces PrefixList="wsse soapenv web" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transform> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>KzLVJnYG9SlyYRN4gtELgStoW1A=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>W6drrqGCoD55Ppa2k0rPdDns10cgvuY/bZ2b21v6vssxPIF39f1G2sLQSm8htJlvL2hoci3717UC vvWMmOwWAM1MJixRusz7mPA2jRTQJpSurun2ykaH82vqk0v5OxdXL+phAdjIao31UTcZ1h79lqQh 7c4WN6TboNmKY3qH+IFFxU5cTvgdccvf8sSsoCH0ZukUNn6PIgGc9quJIH8/d5EZM8h51sDWHxNL XM3oiRDYDClfcAOnQRfb0BloRzXbyr8CHGYFLJTtq0d2kULfk5q8I8E1coFiUlBtaJNvqBStFdIE c0ivH0f8PH/SiAE+DpV7AOSeQJrh9xdYt4stLA==</ds:SignatureValue> <ds:KeyInfo Id="KI-C7673B28E08C976B171483450058364202"> <wsse:SecurityTokenReference wsu:Id="STR-C7673B28E08C976B171483450058364203"> <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"; ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";>MIICojCCAYqgAwIBAgIEWErPtDANBgkqhkiG9w0BAQUFADATMREwDwYDVQQDEwhBcHBCcmF2bzAeFw0xNjEyMDkxNTM3MjRaFw0xODEyMDkxNTM3MjRaMBMxETAPBgNVBAMTCEFwcEJyYXZvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAk/iiNtGkSXcP9X2JKD+aCA1WKmzlrr+oOHJb7de+hABnWRGPfy0pBw6nks3ugQIwpC8qkobKo7+he2XePqDxBAvAH8s4w31For9MaKdJo5ZwbCPuZ+8YqYtnJgQEmncazofnqXLWRyWPCZ7vpH3eONvz+TlNPiJri1DLMedDBgupdzg8gyckxerHheqf5xs/wvWOncCWqm/A8bUUN4bias3i7S3UxOfb+QrB1T+cycQTzSXVlauqrVERaC0Fqd0i4pxS6t3z1VIcw697uphbooWEhH1yjyHTUosG1nrWup1sv3sseFxdefaFJlGbjVfuD3QHnrQ6cBgAQS5EUR/ZYQIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQBzLAFlrcw+qhc5cZe/QkebdfXfPxaAMM/Ve9PWo3H4RS0sHYIqqom9VCQ1JKayHoTgO3XesC2qapPRo1jPsWmfmm2n4RiRPIXW8kjm4tMTGheIxOUVMg2B7H8SennKBRM1LlU4Ewe160Nhfdzs0Y/E3zTlDAINd3g8TdNJT2eUNszYaOTpkGqlKbN5mZE3O2fvlG+H0XqJ6zjHp5+MM8QVg6ESEK6zGEZUdrzxRSXRDmuWZQ+Jx3+7qL5Uh1Ylipn7qMPlC8/ePV+fRuiz4NEcE5PaKZCkFYOQiddHA+LYfIVmGxjAAY2BN2wQdgErTFoFR1kOmUH4AI/pgZa/yGx4</wsse:KeyIdentifier> </wsse:SecurityTokenReference> </ds:KeyInfo> </ds:Signature> <wsu:Timestamp wsu:Id="TS-C7673B28E08C976B171483450058362200"> <wsu:Created>2017-01-03T13:27:38Z</wsu:Created> <wsu:Expires>2017-01-03T13:32:38Z</wsu:Expires> </wsu:Timestamp> </wsse:Security> </soapenv:Header> <soapenv:Body wsu:Id="id-C7673B28E08C976B17148303280420510" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";> <web:sendDataA> <web:theDataA>Test Message Content</web:theDataA> </web:sendDataA> </soapenv:Body> </soapenv:Envelope> WebSphere/CXF-based provider’s response to sample request from SoapUI client: <soapenv:Envelope xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"; xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"; xmlns:xsd="http://www.w3.org/2001/XMLSchema"; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";> <soapenv:Header> <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"; xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";> <wsu:Timestamp wsu:Id="TS-cda3b001-26b7-4b4d-aee6-651b9c36475c"> <wsu:Created>2017-01-03T13:27:40.764Z</wsu:Created> <wsu:Expires>2017-01-03T13:32:40.764Z</wsu:Expires> </wsu:Timestamp> <ds:Signature Id="SIG-ab21eee6-4228-4ca0-93c1-7946115eead4" xmlns:ds="http://www.w3.org/2000/09/xmldsig#";> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";> <ec:InclusiveNamespaces PrefixList="soapenc soapenv xsd xsi" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:CanonicalizationMethod> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <ds:Reference URI="#TS-cda3b001-26b7-4b4d-aee6-651b9c36475c"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>fqqq1XdrmvLrMVMFiSjepHFqZd0=</ds:DigestValue> </ds:Reference> <ds:Reference URI="#_4c44ed46-f53a-4875-ba31-857e4badd475"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";> <ec:InclusiveNamespaces PrefixList="soapenc xsd xsi" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transform> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>ekSMptVTy2j+nRMwh/VhbDXqYXg=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>AOGsrVAf/xyV4oxnvIO09SYvut2al/p2+fOFcZm92dZZoPJwSHdZ8l0vvI0rGWo3JAIkOB+d1QIvzQZ+a0wSwxecikOeDkHPQsPzQGZCbw1B+N3/Y3jSaWSh7ve0r8wZmrw4Sq+QgqJZwv1KCD/XLNUIfHnZ5luyFWV95aqoobOKaoKpYoro16CpzABsSZPNNfurIcEKuwXaSCdRAe0C7DrIZAhejFev1vlI/on3AaHQT2S1VGGLHL9K1CRhOkKoqQcqYC7s1N4oNbfEGxPrR0Do7NXs2BQOQxWExQmeqJ57AUpxV9YNZWrOowzWo7nKYb0glY0BAXMvnV4r/A8rAw==</ds:SignatureValue> <ds:KeyInfo Id="KI-4de5e0b6-4529-4bef-94e8-8ad2da743786"> <wsse:SecurityTokenReference wsu:Id="STR-f9e5593e-6588-4218-80df-42df73a29c41"> <ds:X509Data> <ds:X509IssuerSerial> <ds:X509IssuerName>CN=AppAlpha</ds:X509IssuerName> <ds:X509SerialNumber>1481297825</ds:X509SerialNumber> </ds:X509IssuerSerial> </ds:X509Data> </wsse:SecurityTokenReference> </ds:KeyInfo> </ds:Signature> </wsse:Security> </soapenv:Header> <soapenv:Body wsu:Id="_4c44ed46-f53a-4875-ba31-857e4badd475" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";> <sendDataAResponse xmlns="http://webservicea.webservice.com"; xmlns:ns2="http://common.webservicea.webservice.com";> <theResponseA>WebServiceA on AppAlpha received "Test Message Content". Thank you!</theResponseA> </sendDataAResponse> </soapenv:Body> </soapenv:Envelope> Request from WebSphere/CXF client: <soapenv:Envelope xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"; xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"; xmlns:xsd="http://www.w3.org/2001/XMLSchema"; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";> <soapenv:Header> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"; xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"; soapenv:mustUnderstand="1"> <wsu:Timestamp wsu:Id="TS-c179a641-613f-412b-90d3-06ce69b0ec5c"> <wsu:Created>2017-01-03T13:30:41.386Z</wsu:Created> <wsu:Expires>2017-01-03T13:35:41.386Z</wsu:Expires> </wsu:Timestamp> <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"; ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"; wsu:Id="X509-9ea877b9-dd0a-4ed6-8a44-38ca61f5c79d">MIICojCCAYqgAwIBAgIEWErPtDANBgkqhkiG9w0BAQUFADATMREwDwYDVQQDEwhBcHBCcmF2bzAeFw0xNjEyMDkxNTM3MjRaFw0xODEyMDkxNTM3MjRaMBMxETAPBgNVBAMTCEFwcEJyYXZvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAk/iiNtGkSXcP9X2JKD+aCA1WKmzlrr+oOHJb7de+hABnWRGPfy0pBw6nks3ugQIwpC8qkobKo7+he2XePqDxBAvAH8s4w31For9MaKdJo5ZwbCPuZ+8YqYtnJgQEmncazofnqXLWRyWPCZ7vpH3eONvz+TlNPiJri1DLMedDBgupdzg8gyckxerHheqf5xs/wvWOncCWqm/A8bUUN4bias3i7S3UxOfb+QrB1T+cycQTzSXVlauqrVERaC0Fqd0i4pxS6t3z1VIcw697uphbooWEhH1yjyHTUosG1nrWup1sv3sseFxdefaFJlGbjVfuD3QHnrQ6cBgAQS5EUR/ZYQIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQBzLAFlrcw+qhc5cZe/QkebdfXfPxaAMM/Ve9PWo3H4RS0sHYIqqom9VCQ1JKayHoTgO3XesC2qapPRo1jPsWmfmm2n4RiRPIXW8kjm4tMTGheIxOUVMg2B7H8SennKBRM1LlU4Ewe160Nhfdzs0Y/E3zTlDAINd3g8TdNJT2eUNszYaOTpkGqlKbN5mZE3O2fvlG+H0XqJ6zjHp5+MM8QVg6ESEK6zGEZUdrzxRSXRDmuWZQ+Jx3+7qL5Uh1Ylipn7qMPlC8/ePV+fRuiz4NEcE5PaKZCkFYOQiddHA+LYfIVmGxjAAY2BN2wQdgErTFoFR1kOmUH4AI/pgZa/yGx4</wsse:BinarySecurityToken> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"; Id="SIG-ca36457b-be82-4af0-a7dc-58864a12abd5"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";> <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"; PrefixList="soapenc soapenv xsd xsi"/> </ds:CanonicalizationMethod> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <ds:Reference URI="#TS-c179a641-613f-412b-90d3-06ce69b0ec5c"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>icbPgkJCtEXvzNjemMW9Sgzr+i4=</ds:DigestValue> </ds:Reference> <ds:Reference URI="#_27dfaa8f-d2f8-40c4-9b9c-37d4f46ac4af"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";> <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"; PrefixList="soapenc xsd xsi"/> </ds:Transform> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>v1iof3bq+7Ja6xsditMG5oFW+5U=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>OaFbeU3vDbiVQKKCI2s+lcQtQMfL0IqQaGhRQJ5/X3QhCeesBZZaf4BUC0zLD3dc10u+YlIWJghqJbfv+kuD7/Av0FH0vdnGy8f5iIcDZYgO3R37xhwbzF24QVbRGJnputTQtFxyEn9uciK+SuPE5eOMVq1gFliLgGix/ntS9QRDQSlvJ/qZuL4l2n9u5f7m2z91vv6w1OtoaTE5/47OXh32IqOMlmwHRBK5oFKOV1uEfqdfLwRTWGHvlfIqNbu0WLp5OfEQy69EksQTw/FRJifR3bOedjVKFjV/J8mGN157ch4E6TJBPsXl9uHRZx92HtGMu4rW6fKdcLa+Od8PMQ==</ds:SignatureValue> <ds:KeyInfo Id="KI-0f88f25d-386d-4cc7-a597-b618f5503a1d"> <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"; xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"; wsu:Id="STR-da66137d-a8f5-40e3-8ae6-b3d2c97ca992"> <wsse:Reference URI="#X509-9ea877b9-dd0a-4ed6-8a44-38ca61f5c79d" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/> </wsse:SecurityTokenReference> </ds:KeyInfo> </ds:Signature> </wsse:Security> </soapenv:Header> <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"; wsu:Id="_27dfaa8f-d2f8-40c4-9b9c-37d4f46ac4af"> <sendDataA xmlns="http://webservicea.webservice.com"; xmlns:ns2="http://common.webservicea.webservice.com";> <theDataA>Test invocation of Web Service A</theDataA> </sendDataA> </soapenv:Body> </soapenv:Envelope> Response to WebSphere/CXF client: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/";> <soap:Body> <soap:Fault> <faultcode xmlns:ns1="http://ws.apache.org/wss4j";>ns1:SecurityError</faultcode> <faultstring>A security error was encountered when verifying the message</faultstring> </soap:Fault> </soap:Body> </soap:Envelope> Extract from WebSphere/CXF provider’s trace log for WebSphere/CXF client invocation: [1/3/17 8:30:41:608 EST] 00000068 TimestampProc 1 org.apache.wss4j.dom.processor.TimestampProcessor handleToken Found Timestamp list element [1/3/17 8:30:41:608 EST] 00000068 DateUtil 1 org.apache.wss4j.common.util.DateUtil verifyCreated Validation of Created: Everything is ok [1/3/17 8:30:41:609 EST] 00000068 SignatureProc 1 org.apache.wss4j.dom.processor.SignatureProcessor handleToken Found signature element [1/3/17 8:30:41:609 EST] 00000068 Merlin 1 org.apache.wss4j.common.crypto.Merlin verifyTrust Direct trust for certificate with CN=AppBravo [1/3/17 8:30:41:609 EST] 00000068 SignatureTrus 1 org.apache.wss4j.dom.validate.SignatureTrustValidator verifyTrustInCerts Certificate path has been verified for certificate with subject CN=AppBravo [1/3/17 8:30:41:609 EST] 00000068 SignatureProc 1 org.apache.wss4j.dom.processor.SignatureProcessor verifyXMLSignature Verify XML Signature [1/3/17 8:30:41:610 EST] 00000068 DOMSignatureM 1 org.apache.jcp.xml.dsig.internal.dom.DOMSignatureMethod verify Signature provider:IBMJCE version 1.2 [1/3/17 8:30:41:610 EST] 00000068 DOMSignatureM 1 org.apache.jcp.xml.dsig.internal.dom.DOMSignatureMethod verify Verifying with key: IBMJCE RSA Public Key: modulus: 18679636651899398763921331927509366311924645954685796537611827090931434141884157044621330986597266156618328307736443100560383701171981214971623763112844521921073857374744512477534446214976233030070889151149479550790552966320161223726031252535240517254991850704831434598563882818299405805217042309817401563489269784154581296450689670433863832593532183731423752923396534199857160002316777919627783059876770136474878428820519408401231993851050757262521890231333654936900799672127298508976156788364667950932172237034118038123341150939028369526626140300016813242753900087716210929258524106905600544166723333074911741598049 public exponent: 65537 [1/3/17 8:30:41:610 EST] 00000068 DOMSignatureM 1 org.apache.jcp.xml.dsig.internal.dom.DOMSignatureMethod verify JCA Algorithm: SHA1withRSA [1/3/17 8:30:41:610 EST] 00000068 DOMSignatureM 1 org.apache.jcp.xml.dsig.internal.dom.DOMSignatureMethod verify Signature Bytes length: 256 [1/3/17 8:30:41:611 EST] 00000068 Transform 1 org.apache.xml.security.transforms.Transform initializeTransform Create URI "http://www.w3.org/2001/10/xml-exc-c14n#"; class "class org.apache.xml.security.transforms.implementations.TransformC14NExclusive" [1/3/17 8:30:41:611 EST] 00000068 Serialization 1 com.ibm.ws.webservices.engine.encoding.SerializationWriter _startElement Start element [http://www.w3.org/2000/09/xmldsig#]:CanonicalizationMethod [1/3/17 8:30:41:611 EST] 00000068 Serialization 1 com.ibm.ws.webservices.engine.encoding.SerializationWriter writePrefixMappings setting xsiDepth to 1 [1/3/17 8:30:41:611 EST] 00000068 Serialization 1 com.ibm.ws.webservices.engine.encoding.SerializationWriter _startElement Start element [http://www.w3.org/2001/10/xml-exc-c14n#]:InclusiveNamespaces [1/3/17 8:30:41:611 EST] 00000068 Serialization 1 com.ibm.ws.webservices.engine.encoding.SerializationWriter endElement End element ec:InclusiveNamespaces [1/3/17 8:30:41:612 EST] 00000068 Serialization 1 com.ibm.ws.webservices.engine.encoding.SerializationWriter endElement reset xsiDepth [1/3/17 8:30:41:612 EST] 00000068 Serialization 1 com.ibm.ws.webservices.engine.encoding.SerializationWriter endElement End element ds:CanonicalizationMethod [1/3/17 8:30:41:612 EST] 00000068 BufferedWrite 1 com.ibm.ws.webservices.utils.BufferedWriter flushBuffer flushBuffer:(<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"; xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"; xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"; xmlns:xsd="http://www.w3.org/2001/XMLSchema"; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"; xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"; xmlns:ds="http://www.w3.org/2000/09/xmldsig#";><ec:InclusiveNamespaces PrefixList="soapenc soapenv xsd xsi" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:CanonicalizationMethod>) [1/3/17 8:30:41:612 EST] 00000068 Transform 1 org.apache.xml.security.transforms.Transform initializeTransform The NodeList is <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"; xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"; xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"; xmlns:xsd="http://www.w3.org/2001/XMLSchema"; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"; xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"; xmlns:ds="http://www.w3.org/2000/09/xmldsig#";><ec:InclusiveNamespaces PrefixList="soapenc soapenv xsd xsi" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:CanonicalizationMethod> [1/3/17 8:30:41:612 EST] 00000068 ElementProxy 1 org.apache.xml.security.utils.ElementProxy setElement setElement(ds:CanonicalizationMethod, "null" [1/3/17 8:30:41:612 EST] 00000068 ApacheCanonic 1 org.apache.jcp.xml.dsig.internal.dom.ApacheCanonicalizer transform Created transform for algorithm: http://www.w3.org/2001/10/xml-exc-c14n# [1/3/17 8:30:41:612 EST] 00000068 ApacheCanonic 1 org.apache.jcp.xml.dsig.internal.dom.ApacheCanonicalizer transform isNodeSet() = true [1/3/17 8:30:41:612 EST] 00000068 ElementProxy 1 org.apache.xml.security.utils.ElementProxy <init> setElement("ec:InclusiveNamespaces", "null") [1/3/17 8:30:41:613 EST] 00000068 DOMSignedInfo 1 org.apache.jcp.xml.dsig.internal.dom.DOMSignedInfo canonicalize Canonicalized SignedInfo: [1/3/17 8:30:41:613 EST] 00000068 DOMSignedInfo 1 org.apache.jcp.xml.dsig.internal.dom.DOMSignedInfo canonicalize <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"; xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"; xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"; xmlns:xsd="http://www.w3.org/2001/XMLSchema"; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"; PrefixList="soapenc soapenv xsd xsi"></ec:InclusiveNamespaces></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1";></ds:SignatureMethod><ds:Reference URI="#TS-c179a641-613f-412b-90d3-06ce69b0ec5c"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1";></ds:DigestMethod><ds:DigestValue>icbPgkJCtEXvzNjemMW9Sgzr+i4=</ds:DigestValue></ds:Reference><ds:Reference URI="#_27dfaa8f-d2f8-40c4-9b9c-37d4f46ac4af"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"; PrefixList="soapenc xsd xsi"></ec:InclusiveNamespaces></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1";></ds:DigestMethod><ds:DigestValue>v1iof3bq+7Ja6xsditMG5oFW+5U=</ds:DigestValue></ds:Reference></ds:SignedInfo> [1/3/17 8:30:41:614 EST] 00000068 DOMSignedInfo 1 org.apache.jcp.xml.dsig.internal.dom.DOMSignedInfo canonicalize Data to be signed/verified:PGRzOlNpZ25lZEluZm8geG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiIHhtbG5zOnNvYXBlbmM9Imh0dHA6Ly9zY2hlbWFzLnhtbHNvYXAub3JnL3NvYXAvZW5jb2RpbmcvIiB4bWxuczpzb2FwZW52PSJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy9zb2FwL2VudmVsb3BlLyIgeG1sbnM6eHNkPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSI+PGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiPjxlYzpJbmNsdXNpdmVOYW1lc3BhY2VzIHhtbG5zOmVjPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiIFByZWZpeExpc3Q9InNvYXBlbmMgc29hcGVudiB4c2QgeHNpIj48L2VjOkluY2x1c2l2ZU5hbWVzcGFjZXM+PC9kczpDYW5vbmljYWxpemF0aW9uTWV0aG9kPjxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiPjwvZHM6U2lnbmF0dXJlTWV0aG9kPjxkczpSZWZlcmVuY2UgVVJJPSIjVFMtYzE3OWE2NDEtNjEzZi00MTJiLTkwZDMtMDZjZTY5YjBlYzVjIj48ZHM6VHJhbnNmb3Jtcz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIj48L2RzOlRyYW5zZm9ybT48L2RzOlRyYW5zZm9ybXM+PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIj48L2RzOkRpZ2VzdE1ldGhvZD48ZHM6RGlnZXN0VmFsdWU+aWNiUGdrSkN0RVh2ek5qZW1NVzlTZ3pyK2k0PTwvZHM6RGlnZXN0VmFsdWU+PC9kczpSZWZlcmVuY2U+PGRzOlJlZmVyZW5jZSBVUkk9IiNfMjdkZmFhOGYtZDJmOC00MGM0LTliOWMtMzdkNGY0NmFjNGFmIj48ZHM6VHJhbnNmb3Jtcz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIj48ZWM6SW5jbHVzaXZlTmFtZXNwYWNlcyB4bWxuczplYz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIiBQcmVmaXhMaXN0PSJzb2FwZW5jIHhzZCB4c2kiPjwvZWM6SW5jbHVzaXZlTmFtZXNwYWNlcz48L2RzOlRyYW5zZm9ybT48L2RzOlRyYW5zZm9ybXM+PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIj48L2RzOkRpZ2VzdE1ldGhvZD48ZHM6RGlnZXN0VmFsdWU+djFpb2YzYnErN0phNnhzZGl0TUc1b0ZXKzVVPTwvZHM6RGlnZXN0VmFsdWU+PC9kczpSZWZlcmVuY2U+PC9kczpTaWduZWRJbmZvPg== [1/3/17 8:30:41:614 EST] 00000068 DOMReference 1 org.apache.jcp.xml.dsig.internal.dom.DOMReference dereference URIDereferencer class name: org.apache.jcp.xml.dsig.internal.dom.DOMURIDereferencer [1/3/17 8:30:41:614 EST] 00000068 DOMReference 1 org.apache.jcp.xml.dsig.internal.dom.DOMReference dereference Data class name: org.apache.jcp.xml.dsig.internal.dom.ApacheNodeSetData [1/3/17 8:30:41:614 EST] 00000068 Transform 1 org.apache.xml.security.transforms.Transform initializeTransform Create URI "http://www.w3.org/2001/10/xml-exc-c14n#"; class "class org.apache.xml.security.transforms.implementations.TransformC14NExclusive" [1/3/17 8:30:41:615 EST] 00000068 Serialization 1 com.ibm.ws.webservices.engine.encoding.SerializationWriter _startElement Start element [http://www.w3.org/2000/09/xmldsig#]:Transform [1/3/17 8:30:41:615 EST] 00000068 Serialization 1 com.ibm.ws.webservices.engine.encoding.SerializationWriter writePrefixMappings setting xsiDepth to 1 [1/3/17 8:30:41:615 EST] 00000068 Serialization 1 com.ibm.ws.webservices.engine.encoding.SerializationWriter endElement reset xsiDepth [1/3/17 8:30:41:615 EST] 00000068 Serialization 1 com.ibm.ws.webservices.engine.encoding.SerializationWriter endElement End element ds:Transform [1/3/17 8:30:41:615 EST] 00000068 BufferedWrite 1 com.ibm.ws.webservices.utils.BufferedWriter flushBuffer flushBuffer:(<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"; xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"; xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"; xmlns:xsd="http://www.w3.org/2001/XMLSchema"; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"; xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"; xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>) [1/3/17 8:30:41:615 EST] 00000068 Transform 1 org.apache.xml.security.transforms.Transform initializeTransform The NodeList is <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"; xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"; xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"; xmlns:xsd="http://www.w3.org/2001/XMLSchema"; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"; xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"; xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/> [1/3/17 8:30:41:615 EST] 00000068 ElementProxy 1 org.apache.xml.security.utils.ElementProxy setElement setElement(ds:Transform, "null" [1/3/17 8:30:41:616 EST] 00000068 ApacheCanonic 1 org.apache.jcp.xml.dsig.internal.dom.ApacheCanonicalizer transform Created transform for algorithm: http://www.w3.org/2001/10/xml-exc-c14n# [1/3/17 8:30:41:616 EST] 00000068 ApacheCanonic 1 org.apache.jcp.xml.dsig.internal.dom.ApacheCanonicalizer transform ApacheData = true [1/3/17 8:30:41:616 EST] 00000068 DigesterOutpu 1 org.apache.jcp.xml.dsig.internal.DigesterOutputStream write Pre-digested input: [1/3/17 8:30:41:616 EST] 00000068 DigesterOutpu 1 org.apache.jcp.xml.dsig.internal.DigesterOutputStream write <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"; wsu:Id="TS-c179a641-613f-412b-90d3-06ce69b0ec5c"><wsu:Created>2017-01-03T13:30:41.386Z</wsu:Created><wsu:Expires>2017-01-03T13:35:41.386Z</wsu:Expires></wsu:Timestamp> [1/3/17 8:30:41:616 EST] 00000068 DOMReference 1 org.apache.jcp.xml.dsig.internal.dom.DOMReference validate Expected digest: icbPgkJCtEXvzNjemMW9Sgzr+i4= [1/3/17 8:30:41:616 EST] 00000068 DOMReference 1 org.apache.jcp.xml.dsig.internal.dom.DOMReference validate Actual digest: HRGogzEpxGtWLhuuBvzCxOuJsZ4= [1/3/17 8:30:41:616 EST] 00000068 DOMXMLSignatu 1 org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature validate Reference[#TS-c179a641-613f-412b-90d3-06ce69b0ec5c] is valid: false [1/3/17 8:30:41:616 EST] 00000068 DOMXMLSignatu 1 org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature validate Couldn't validate the References [1/3/17 8:30:41:617 EST] 00000068 SignatureProc 1 org.apache.wss4j.dom.processor.SignatureProcessor verifyXMLSignature XML Signature verification has failed [1/3/17 8:30:41:617 EST] 00000068 SignatureProc 1 org.apache.wss4j.dom.processor.SignatureProcessor verifyXMLSignature Signature Validation check: true [1/3/17 8:30:41:617 EST] 00000068 SignatureProc 1 org.apache.wss4j.dom.processor.SignatureProcessor verifyXMLSignature Reference #TS-c179a641-613f-412b-90d3-06ce69b0ec5c check: false [1/3/17 8:30:41:617 EST] 00000068 DOMReference 1 org.apache.jcp.xml.dsig.internal.dom.DOMReference dereference URIDereferencer class name: org.apache.jcp.xml.dsig.internal.dom.DOMURIDereferencer [1/3/17 8:30:41:617 EST] 00000068 DOMReference 1 org.apache.jcp.xml.dsig.internal.dom.DOMReference dereference Data class name: org.apache.jcp.xml.dsig.internal.dom.ApacheNodeSetData [1/3/17 8:30:41:617 EST] 00000068 Transform 1 org.apache.xml.security.transforms.Transform initializeTransform Create URI "http://www.w3.org/2001/10/xml-exc-c14n#"; class "class org.apache.xml.security.transforms.implementations.TransformC14NExclusive" [1/3/17 8:30:41:617 EST] 00000068 Serialization 1 com.ibm.ws.webservices.engine.encoding.SerializationWriter _startElement Start element [http://www.w3.org/2000/09/xmldsig#]:Transform [1/3/17 8:30:41:618 EST] 00000068 Serialization 1 com.ibm.ws.webservices.engine.encoding.SerializationWriter writePrefixMappings setting xsiDepth to 1 [1/3/17 8:30:41:618 EST] 00000068 Serialization 1 com.ibm.ws.webservices.engine.encoding.SerializationWriter _startElement Start element [http://www.w3.org/2001/10/xml-exc-c14n#]:InclusiveNamespaces [1/3/17 8:30:41:618 EST] 00000068 Serialization 1 com.ibm.ws.webservices.engine.encoding.SerializationWriter endElement End element ec:InclusiveNamespaces [1/3/17 8:30:41:619 EST] 00000068 Serialization 1 com.ibm.ws.webservices.engine.encoding.SerializationWriter endElement reset xsiDepth [1/3/17 8:30:41:619 EST] 00000068 Serialization 1 com.ibm.ws.webservices.engine.encoding.SerializationWriter endElement End element ds:Transform [1/3/17 8:30:41:619 EST] 00000068 BufferedWrite 1 com.ibm.ws.webservices.utils.BufferedWriter flushBuffer flushBuffer:(<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"; xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"; xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"; xmlns:xsd="http://www.w3.org/2001/XMLSchema"; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"; xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"; xmlns:ds="http://www.w3.org/2000/09/xmldsig#";><ec:InclusiveNamespaces PrefixList="soapenc xsd xsi" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform>) [1/3/17 8:30:41:619 EST] 00000068 Transform 1 org.apache.xml.security.transforms.Transform initializeTransform The NodeList is <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"; xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"; xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"; xmlns:xsd="http://www.w3.org/2001/XMLSchema"; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"; xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"; xmlns:ds="http://www.w3.org/2000/09/xmldsig#";><ec:InclusiveNamespaces PrefixList="soapenc xsd xsi" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform> [1/3/17 8:30:41:619 EST] 00000068 ElementProxy 1 org.apache.xml.security.utils.ElementProxy setElement setElement(ds:Transform, "null" [1/3/17 8:30:41:619 EST] 00000068 ApacheCanonic 1 org.apache.jcp.xml.dsig.internal.dom.ApacheCanonicalizer transform Created transform for algorithm: http://www.w3.org/2001/10/xml-exc-c14n# [1/3/17 8:30:41:620 EST] 00000068 ApacheCanonic 1 org.apache.jcp.xml.dsig.internal.dom.ApacheCanonicalizer transform ApacheData = true [1/3/17 8:30:41:620 EST] 00000068 ElementProxy 1 org.apache.xml.security.utils.ElementProxy <init> setElement("ec:InclusiveNamespaces", "null") [1/3/17 8:30:41:620 EST] 00000068 DigesterOutpu 1 org.apache.jcp.xml.dsig.internal.DigesterOutputStream write Pre-digested input: [1/3/17 8:30:41:620 EST] 00000068 DigesterOutpu 1 org.apache.jcp.xml.dsig.internal.DigesterOutputStream write <soapenv:Body xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"; xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"; xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"; xmlns:xsd="http://www.w3.org/2001/XMLSchema"; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; wsu:Id="_27dfaa8f-d2f8-40c4-9b9c-37d4f46ac4af"><sendDataA xmlns="http://webservicea.webservice.com";><theDataA>Test invocation of Web Service A</theDataA></sendDataA></soapenv:Body> [1/3/17 8:30:41:620 EST] 00000068 DOMReference 1 org.apache.jcp.xml.dsig.internal.dom.DOMReference validate Expected digest: v1iof3bq+7Ja6xsditMG5oFW+5U= [1/3/17 8:30:41:620 EST] 00000068 DOMReference 1 org.apache.jcp.xml.dsig.internal.dom.DOMReference validate Actual digest: v1iof3bq+7Ja6xsditMG5oFW+5U= [1/3/17 8:30:41:620 EST] 00000068 SignatureProc 1 org.apache.wss4j.dom.processor.SignatureProcessor verifyXMLSignature Reference #_27dfaa8f-d2f8-40c4-9b9c-37d4f46ac4af check: true ... [1/3/17 8:30:41:621 EST] 00000068 PhaseIntercep W org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging Interceptor for {http://www.example.com/contract/WebServiceA}WebServiceA has thrown exception, unwinding now org.apache.cxf.binding.soap.SoapFault: A security error was encountered when verifying the message at org.apache.cxf.ws.security.wss4j.WSS4JUtils.createSoapFault(WSS4JUtils.java:275) at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:333) at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:190) at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:128) at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:112) at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307) at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:252) at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234) at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208) at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160) at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:180) at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:298) at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:217) at javax.servlet.http.HttpServlet.service(HttpServlet.java:595) at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:273) at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1232) at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:781) at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:480) at com.ibm.ws.webcontainer.servlet.ServletWrapperImpl.handleRequest(ServletWrapperImpl.java:178) at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1114) at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:87) at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:940) at com.ibm.ws.webcontainer.WSWebContainer.handleRequest(WSWebContainer.java:1817) at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:200) at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:463) at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewRequest(HttpInboundLink.java:530) at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.processRequest(HttpInboundLink.java:316) at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.ready(HttpInboundLink.java:287) at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:214) at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:113) at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:175) at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217) at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161) at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:138) at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:204) at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:775) at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:905) at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1881) Caused by: org.apache.wss4j.common.ext.WSSecurityException: The signature or decryption was invalid at org.apache.wss4j.dom.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:451) at org.apache.wss4j.dom.processor.SignatureProcessor.handleToken(SignatureProcessor.java:225) at org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:428) at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:278) ... 37 more
