OK...I have reverted my handler to use XMLUtils.outputDOM() (can we have this in the WSS4J docs, please, next time anybody works on them?), and I have written code to set the options...but I still have the error as before.
I'll have a look at the base Axis code to check that I'm setting the options the right way. Thanks for your help.

Cheers,
Guy

On Fri, 17 Mar 2006, Dittmann, Werner wrote:

> Guy,
>
> you are right, it's part of the XMLUtils.outputDOM() method.
>
> It's necessary to have this c14n step and to use the
> Axis parameters to ensure that the namespace handling is
> correct.
>
> Regards,
> Werner
>
> > -----Original Message-----
> > From: Guy Rixon [mailto:[EMAIL PROTECTED]
> > Sent: Friday, 17 March 2006 15:15
> > To: Dittmann, Werner
> > Cc: [EMAIL PROTECTED]; [email protected]
> > Subject: Re: AW: AW:Problems with signatures
> >
> > Werner,
> >
> > OK, code is appended. Actually, I wrote this handler _after_ I started seeing
> > this bug. I originally had the problem when using WSDoAllSender. I can't
> > see a canonicalization step in WSDoAllSender itself; is it part of
> > XMLUtils.outputDOM()? Originally, I used that (I lifted the serialization code
> > from WSDoAllSender), but still got the problem. Maybe I didn't try that with
> > the Axis don't-fiddle options set.
> >
> > Cheers,
> > Guy
> >
> > // Get the SOAP envelope as a DOM.
> > Document envelope =
> >     msgContext.getCurrentMessage().getSOAPEnvelope().getAsDocument();
> > if (envelope == null) {
> >     throw new Exception("SOAP Envelope is null");
> > }
> >
> > // Sign the message using WSS4J. By default, the WSSignEnvelope signs
> > // the SOAP body as a whole, which is correct for this use case.
> > Init.init();
> > WSSignEnvelope signer = new WSSignEnvelope();
> > signer.setUserInfo(alias, password); // Lets it use the Crypto.
> > // Includes certificates in the message.
> > signer.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
> > Document newEnvelope = signer.build(envelope, crypto);
> >
> > // DEBUG: dump the raw document.
> > org.apache.axis.utils.XMLUtils.DocumentToStream(newEnvelope,
> >     new java.io.FileOutputStream("client.xml"));
> >
> > // Replace the unsigned message with the signed one.
> > String serializedEnvelope =
> >     org.apache.axis.utils.XMLUtils.DocumentToString(newEnvelope);
> > SOAPPart sp =
> >     (org.apache.axis.SOAPPart)(msgContext.getCurrentMessage().getSOAPPart());
> > sp.setCurrentMessage(serializedEnvelope.getBytes(), SOAPPart.FORM_BYTES);
> >
> > On Fri, 17 Mar 2006, Dittmann, Werner wrote:
> >
> > > Guy,
> > >
> > > I wasn't aware that you use a custom handler.
> > >
> > > As I can see there could be a problem when you hand over
> > > the signed message to Axis for sending it over the wire.
> > > It's somewhat tricky to do this. Before handing it over
> > > to Axis the message should be fed thru a c14n method,
> > > this is what WSDoAllSender does before it sets the signed
> > > message as "new" message to Axis.
> > >
> > > Maybe you can show the code snippet where your handler
> > > does this.
> > >
> > > Regards,
> > > Werner
> > >
> > > > -----Original Message-----
> > > > From: Guy Rixon [mailto:[EMAIL PROTECTED]
> > > > Sent: Friday, 17 March 2006 11:06
> > > > To: Dittmann, Werner
> > > > Cc: [EMAIL PROTECTED]; [email protected]
> > > > Subject: Re: AW: AW: AW: Problems with signatures
> > > >
> > > > Test configuration:
> > > >
> > > > Custom handler in the client, calling WSSignEnvelope; based on WSDoAllSender,
> > > > but stripped down so that it only has the code relevant to signature.
> > > >
> > > > WSDoAllReceiver in the service (tweaked with extra logging, but basically the
> > > > one from WSS4J 1.0.0).
> > > >
> > > > Certificates generated from local CA. The trust anchor was made with OpenSSL
> > > > and the user certificate with KeyStore Explorer. The trust anchor is an
> > > > X.509v3 and the user one an X.509v1.
> > > > The keys do work for the signature: I
> > > > know that because I put a check in WSSignEnvelope to check the signature just
> > > > after signing.
> > > >
> > > > This is the log output from the JUnit tests, starting from the entry to
> > > > WSDoAllReceiver.
> > > >
> > > > 1051 DEBUG org.astrogrid.security.ServiceHandler - WSDoAllReceiver: enter invoke() with msg type: null
> > > > 1071 DEBUG org.astrogrid.security.ServiceHandler - Received SOAP request:
> > > > 1071 DEBUG org.astrogrid.security.ServiceHandler -
> > > > <soapenv:Envelope xmlns=""
> > > >     xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
> > > >     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> > > >     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
> > > > <soapenv:Header>
> > > > <wsse:Security soapenv:mustUnderstand="1" xmlns=""
> > > >     xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> > > > <wsse:BinarySecurityToken
> > > >     EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
> > > >     ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
> > > >     wsu:Id="CertId--273267" xmlns=""
> > > >     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> > > > [base64 certificate data omitted]
> > > > </wsse:BinarySecurityToken>
> > > > <ds:Signature xmlns=""
> > > >     xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> > > >
> > > > <ds:SignedInfo xmlns="">
> > > >
> > > > <ds:CanonicalizationMethod
> > > >     Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns=""/>
> > > >
> > > > <ds:SignatureMethod
> > > >     Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" xmlns=""/>
> > > >
> > > > <ds:Reference URI="#id-367156" xmlns="">
> > > >
> > > > <ds:Transforms xmlns="">
> > > >
> > > > <ds:Transform
> > > >     Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
> > > >     xmlns=""/>
> > > >
> > > > </ds:Transforms>
> > > >
> > > > <ds:DigestMethod
> > > >     Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
> > > >     xmlns=""/>
> > > >
> > > > <ds:DigestValue xmlns="">
> > > > S4XaDnlI8lOC8p5vVKlx9sLrKl8= </ds:DigestValue>
> > > >
> > > > </ds:Reference>
> > > >
> > > > </ds:SignedInfo>
> > > >
> > > > <ds:SignatureValue xmlns="">
> > > >
> > > > [base64 signature value omitted]
> > > > </ds:SignatureValue>
> > > >
> > > > <ds:KeyInfo Id="KeyId-12014770" xmlns="">
> > > >
> > > > <wsse:SecurityTokenReference wsu:Id="STRId-28360136" xmlns=""
> > > >     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> > > > <wsse:Reference URI="#CertId--273267"
> > > >     ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
> > > >     xmlns=""/>
> > > > </wsse:SecurityTokenReference>
> > > >
> > > > </ds:KeyInfo>
> > > >
> > > > </ds:Signature>
> > > > </wsse:Security>
> > > > </soapenv:Header>
> > > > <soapenv:Body wsu:Id="id-367156"
> > > >     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> > > > <whoAmI xmlns=""/>
> > > > </soapenv:Body>
> > > > </soapenv:Envelope>
> > > >
> > > > 1071 INFO org.apache.ws.security.components.crypto.CryptoFactory - Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
> > > > 1071 DEBUG org.apache.ws.security.WSSecurityEngine - enter processSecurityHeader()
> > > > 1081 DEBUG org.apache.ws.security.WSSecurityEngine - Processing WS-Security header for '' actor.
> > > > 1081 DEBUG org.apache.ws.security.WSSecurityEngine - Unknown Element: BinarySecurityToken http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
> > > > 1081 DEBUG org.apache.ws.security.WSSecurityEngine - Found signature element
> > > > 1081 DEBUG org.apache.ws.security.WSSecurityEngine - Verify XML Signature
> > > > 1081 DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:Signature", "null")
> > > > 1081 DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:SignedInfo", "null")
> > > > 1081 DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:SignatureMethod", "null")
> > > > 1081 DEBUG org.apache.xml.security.algorithms.SignatureAlgorithm - Create URI "http://www.w3.org/2000/09/xmldsig#rsa-sha1" class "org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA1"
> > > > 1081 DEBUG org.apache.xml.security.algorithms.JCEMapper - Request for URI http://www.w3.org/2000/09/xmldsig#rsa-sha1
> > > > 1081 DEBUG org.apache.xml.security.algorithms.implementations.SignatureBaseRSA - Created SignatureDSA using SHA1withRSA
> > > > 1081 DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:KeyInfo", "null")
> > > > 1081 DEBUG org.apache.ws.security.WSSecurityEngine - Checking signature value with a certificate in the name of CN=Security-facade tester, OU=unit-test, O=AstroGrid, C=UK issued by C=UK, O=AstroGrid, OU=unit-test, CN=CA
> > > > 1081 DEBUG org.apache.xml.security.signature.Manifest - verify 1 References
> > > > 1081 DEBUG org.apache.xml.security.signature.Manifest - I am not requested to follow nested Manifests
> > > > 1081 DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:Reference", "null")
> > > > 1081 DEBUG org.apache.xml.security.algorithms.JCEMapper - Request for URI http://www.w3.org/2000/09/xmldsig#sha1
> > > > 1081 DEBUG org.apache.xml.security.utils.resolver.ResourceResolver - I was asked to create a ResourceResolver and got 1
> > > > 1081 DEBUG org.apache.xml.security.utils.resolver.ResourceResolver - extra resolvers to my existing 4 system-wide resolvers
> > > > 1081 DEBUG org.apache.xml.security.utils.resolver.ResourceResolver - check resolvability by class org.apache.ws.security.message.EnvelopeIdResolver
> > > > 1091 DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:Transforms", "null")
> > > > 1091 DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:Transform", "null")
> > > > 1091 DEBUG org.apache.xml.security.transforms.Transforms - Preform the (0)th http://www.w3.org/2001/10/xml-exc-c14n# transform
> > > > 1091 WARN org.apache.xml.security.signature.Reference - Verification failed for URI "#id-367156"
> > > > 1091 DEBUG org.apache.xml.security.signature.Manifest - The Reference has Type
> > > > ------------- ---------------- ---------------
> > > > ------------- Standard Error -----------------
> > > > org.apache.ws.security.WSSecurityException: The signature verification failed
> > > >     at org.apache.ws.security.WSSecurityEngine.verifyXMLSignature(WSSecurityEngine.java:649)
> > > >     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:334)
> > > >     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:259)
> > > >     at org.astrogrid.security.ServiceHandler.invoke(ServiceHandler.java:160)
> > > >     at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
> > > >     at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
> > > >     at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
> > > >     at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
> > > >     at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
> > > >     at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
> > > >     at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:453)
> > > >     at org.apache.axis.server.AxisServer.invoke(AxisServer.java:281)
> > > >     at org.apache.axis.transport.local.LocalSender.invoke(LocalSender.java:141)
> > > >     at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
> > > >     at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
> > > >     at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
> > > >     at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
> > > >     at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
> > > >     at org.apache.axis.client.Call.invoke(Call.java:2767)
> > > >     at org.apache.axis.client.Call.invoke(Call.java:2443)
> > > >     at org.apache.axis.client.Call.invoke(Call.java:2366)
> > > >     at org.apache.axis.client.Call.invoke(Call.java:1812)
> > > >     at org.astrogrid.security.sample.SamplePortSoapBindingStub.whoAmI(SamplePortSoapBindingStub.java:108)
> > > >     at org.astrogrid.security.sample.SampleDelegate.whoAmI(SampleDelegate.java:42)
> > > >     at org.astrogrid.security.EndToEndTest.testGoodCredentials(EndToEndTest.java:58)
> > > >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > > >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> > > >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> > > >     at java.lang.reflect.Method.invoke(Method.java:324)
> > > >     at junit.framework.TestCase.runTest(TestCase.java:154)
> > > >     at junit.framework.TestCase.runBare(TestCase.java:127)
> > > >     at junit.framework.TestResult$1.protect(TestResult.java:106)
> > > >     at junit.framework.TestResult.runProtected(TestResult.java:124)
> > > >     at junit.framework.TestResult.run(TestResult.java:109)
> > > >     at junit.framework.TestCase.run(TestCase.java:118)
> > > >     at junit.framework.TestSuite.runTest(TestSuite.java:208)
> > > >     at junit.framework.TestSuite.run(TestSuite.java:203)
> > > >     at org.apache.tools.ant.taskdefs.optional.junit.JUnitTestRunner.run(JUnitTestRunner.java:325)
> > > >     at org.apache.tools.ant.taskdefs.optional.junit.JUnitTestRunner.main(JUnitTestRunner.java:536)
> > > >
> > > > I made it log the actual exception thrown by XMLSec:
> > > >
> > > > 1091 WARN org.apache.xml.security.signature.Reference - Verification failed for URI "#id-367156"
> > > >
> > > > Cheers,
> > > > Guy
> > > >
> > > > On Fri, 17 Mar 2006, Dittmann, Werner wrote:
> > > >
> > > > > Guy,
> > > > >
> > > > > what is your test configuration? Which certificates do you use?
> > > > >
> > > > > What is the exception that xml-sec throws?
> > > > >
> > > > > Thanks,
> > > > > Werner
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Guy Rixon [mailto:[EMAIL PROTECTED]
> > > > > > Sent: Thursday, 16 March 2006 17:11
> > > > > > To: Dittmann, Werner
> > > > > > Cc: [EMAIL PROTECTED]; [email protected]
> > > > > > Subject: Re: AW: AW: Problems with signatures
> > > > > >
> > > > > > I've set the options on both client and service and the verification still
> > > > > > fails. I've dumped the raw XML messages with and without the options and there
> > > > > > doesn't seem to be any difference.
> > > > > >
> > > > > > On Thu, 16 Mar 2006, Dittmann, Werner wrote:
> > > > > >
> > > > > > > Probably on both if the service responds with signed messages.
> > > > > > >
> > > > > > > Regards,
> > > > > > > Werner
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: Guy Rixon [mailto:[EMAIL PROTECTED]
> > > > > > > > Sent: Thursday, 16 March 2006 16:29
> > > > > > > > To: [EMAIL PROTECTED]
> > > > > > > > Cc: Dittmann, Werner; [email protected]
> > > > > > > > Subject: Re: AW: Problems with signatures
> > > > > > > >
> > > > > > > > Thanks.
> > > > > > > >
> > > > > > > > Do these parameters have to be set on the client, the service or both?
> > > > > > > > Setting them just on the service doesn't fix the problem, and to set them on
> > > > > > > > the client I have to find out how to do it programmatically.
> > > > > > > >
> > > > > > > > On Thu, 16 Mar 2006 [EMAIL PROTECTED] wrote:
> > > > > > > >
> > > > > > > > > Hi Guy
> > > > > > > > > setting these 2 props works for me.
> > > > > > > > > <parameter name="enableNamespacePrefixOptimization" value="false" />
> > > > > > > > > <parameter name="disablePrettyXML" value="true"/>
> > > > > > > > >
> > > > > > > > > thanks
> > > > > > > > > Anamitra
> > > > > > > > >
> > > > > > > > > "Dittmann, Werner" <werner.dittmann@siemens.com>
> > > > > > > > > 03/16/2006 09:10 AM
> > > > > > > > > To: "Guy Rixon" <[EMAIL PROTECTED]>, <[email protected]>
> > > > > > > > > cc:
> > > > > > > > > Subject: AW: Problems with signatures
> > > > > > > > >
> > > > > > > > > AFAIK there is a switch / parameter in the Axis WSDD files
> > > > > > > > > to disable XML pretty printing. Maybe this "feature" is enabled
> > > > > > > > > by default - pretty printing always destroys the signature
> > > > > > > > > hashes.
> > > > > > > > >
> > > > > > > > > Also there is a parameter for Axis to disable some sort
> > > > > > > > > of namespace optimization - sorry but I haven't the parameter
> > > > > > > > > names at hand.
> > > > > > > > >
> > > > > > > > > Regards,
> > > > > > > > > Werner
> > > > > > > > >
> > > > > > > > > > -----Original Message-----
> > > > > > > > > > From: Guy Rixon [mailto:[EMAIL PROTECTED]
> > > > > > > > > > Sent: Thursday, 16 March 2006 14:01
> > > > > > > > > > To: [email protected]
> > > > > > > > > > Subject: Problems with signatures
> > > > > > > > > >
> > > > > > > > > > Hi,
> > > > > > > > > >
> > > > > > > > > > can you help me with a signature problem? I have a client and service, both
> > > > > > > > > > using WSS4J 1.0.0. The client signs the SOAP body of the request, but the
> > > > > > > > > > signature checking in the service always fails at the XMLSec level. The
> > > > > > > > > > signature uses a direct reference to a BinarySecurityToken, and the service
> > > > > > > > > > seems to be reading the token properly; at least, it gets the subject DN
> > > > > > > > > > right.
> > > > > > > > > >
> > > > > > > > > > I've checked the signature in the client immediately after signing and it
> > > > > > > > > > verifies correctly there. Something bad seems to be happening to the XML on
> > > > > > > > > > the way to the service, but I can't think what. No other special handlers are
> > > > > > > > > > involved.
> > > > > > > > > >
> > > > > > > > > > This is all with Axis 1.3 and "local" transport, BTW.
> > > > > > > > > >
> > > > > > > > > > Thanks,
> > > > > > > > > > Guy
> > > > > > > > > >
> > > > > > > > > > Guy Rixon                                 [EMAIL PROTECTED]
> > > > > > > > > > Institute of Astronomy                    Tel: +44-1223-337542
> > > > > > > > > > Madingley Road, Cambridge, UK, CB3 0HA    Fax: +44-1223-337523
> > > > > > > > > >
> > > > > > > > > > ---------------------------------------------------------------------
> > > > > > > > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > > > > > > > For additional commands, e-mail: [EMAIL PROTECTED]

Guy Rixon                                 [EMAIL PROTECTED]
Institute of Astronomy                    Tel: +44-1223-337542
Madingley Road, Cambridge, UK, CB3 0HA    Fax: +44-1223-337523
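
Added example, not part of the thread and not WSS4J or Axis code: Werner's remark that pretty printing destroys the signature hashes, reproduced with the JDK's own XML-DSig API. It signs the Body of a constructed whoAmI envelope, then verifies a compact and an indented re-serialization of the same signed document; the class name, the `id-1` Id and the use of RSA-SHA256 in place of the thread's rsa-sha1 are assumptions of the example.

```java
import java.io.*;
import java.security.*;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.*;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.*;

// Added illustration (hypothetical class name); uses only the JDK XML-DSig API, not WSS4J or Axis.
public class PrettyPrintBreaksSignature {
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#";
    // Constructed sample message, shaped like the whoAmI request in the thread.
    static final String ENVELOPE = "<soapenv:Envelope xmlns:soapenv=\"" + SOAP + "\"><soapenv:Header/>"
        + "<soapenv:Body xmlns:wsu=\"" + WSU + "\" wsu:Id=\"id-1\"><whoAmI/></soapenv:Body></soapenv:Envelope>";

    static Document parse(byte[] xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
    }

    // Stands in for the step that turns the signed DOM into wire bytes.
    static byte[] serialize(Document doc, boolean pretty) throws Exception {
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.INDENT, pretty ? "yes" : "no");
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        t.transform(new DOMSource(doc), new StreamResult(out));
        return out.toByteArray();
    }

    static Element first(Document doc, String ns, String local) {
        return (Element) doc.getElementsByTagNameNS(ns, local).item(0);
    }

    // Sign the Body by Id reference with exclusive c14n; the Signature is appended to the Header.
    static void sign(Document doc, PrivateKey key) throws Exception {
        XMLSignatureFactory f = XMLSignatureFactory.getInstance("DOM");
        Reference ref = f.newReference("#id-1", f.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(f.newTransform(EXC_C14N, (TransformParameterSpec) null)), null, null);
        SignedInfo si = f.newSignedInfo(
            f.newCanonicalizationMethod(EXC_C14N, (C14NMethodParameterSpec) null),
            f.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
            Collections.singletonList(ref));
        DOMSignContext ctx = new DOMSignContext(key, first(doc, SOAP, "Header"));
        ctx.setIdAttributeNS(first(doc, SOAP, "Body"), WSU, "Id"); // lets "#id-1" resolve
        f.newXMLSignature(si, null).sign(ctx);
    }

    // Report core validity, plus the SignedInfo signature and the Body digest separately.
    static String verify(Document doc, PublicKey key) throws Exception {
        DOMValidateContext ctx = new DOMValidateContext(key, first(doc, XMLSignature.XMLNS, "Signature"));
        ctx.setIdAttributeNS(first(doc, SOAP, "Body"), WSU, "Id");
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        Reference ref = (Reference) sig.getSignedInfo().getReferences().get(0);
        return "core=" + sig.validate(ctx) + ", SignedInfo=" + sig.getSignatureValue().validate(ctx)
            + ", Reference " + ref.getURI() + "=" + ref.validate(ctx);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair keys = kpg.generateKeyPair();
        Document signed = parse(ENVELOPE.getBytes("UTF-8"));
        sign(signed, keys.getPrivate());
        for (boolean pretty : new boolean[] {false, true}) {
            System.out.println((pretty ? "indented: " : "compact:  ")
                + verify(parse(serialize(signed, pretty)), keys.getPublic()));
        }
    }
}
```

Checking the Reference separately from SignedInfo corresponds to the `Verification failed for URI` line in the log above: it shows whether the signed Body, the signature block, or both were altered between signing and verification.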
