Are both sides of the connection Axis/WSS4J enabled? Is there
any chance that the message is somewhat modified during
transfer between client and server? Even the insertion of
newlines, blanks, tabs etc. into the signed part will destroy
verification. This very often happens because some parts of
XML/SOAP software do "pretty printing" of XML streams. Such
a pretty printing will cause the verification to fail.

Regards,
Werner


> -----Original Message-----
> From: Montebove Luciano [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, 11 July 2006 17:10
> To: Dittmann, Werner; [email protected]
> Subject: R: Problem with SAML token with "sender vouches" option
> 
> Dittmar,
>  
> I know that the problem is related to a mismatch after
> recalculating the digest,
> and before writing I checked any modification I could have
> done in my code (it's an Italian open source project
> www.openspcoop.org) and to have a countercheck I tried using
> directly the sample described here
> http://ws.apache.org/wss4j/axis.html changing only the wsdds
> as you can see below, but then I have the same error.
> So it doesn't work even without any custom code. I'm using
> WSS4J 1.5.0 and Axis 1.4.
> 
> Any idea?
> 
> Regards,
> Luciano
> 
> ________________________________
> 
> From: Dittmann, Werner [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, 11 July 2006 16:53
> To: Montebove Luciano; [email protected]
> Subject: AW: Problem with SAML token with "sender vouches" option
> 
> 
> That warning shows that the content of the message was modified
> somehow; that failure is independent of the keystore.
>  
> "Verification failed" is a message from the xml-sec library that
> recomputes the digest of the message part that the id identifies,
> in this case the part with the id "#STRSAMLId-136". Somehow this
> part of the message was modified, thus the message digests do not
> match.
>  
>  
> Regards,
> Werner
> 
> 
> 
> 
> 
> ________________________________
> 
>       From: Montebove Luciano [mailto:[EMAIL PROTECTED] 
>       Sent: Tuesday, 11 July 2006 16:35
>       To: [email protected]
>       Subject: Problem with SAML token with "sender vouches" option
>       
>       
>       I'm trying to use a SAML token with WSS4J with the
>       "sender vouches" option.
>       I followed the configuration tips in the interop files
>       but while the client generates the assertion and signs both the
>       assertion and the body of the message, server side I can
>       verify only the body signature while I always get an error for
>       the assertion signature:
>        
>       16:08:51,515 WARN  [Reference] Verification failed for URI "#STRSAMLId-136"
>       16:08:51,515 INFO  [Reference] Verification successful for URI "#id-137"
>       16:08:51,531 INFO  [STDOUT] org.apache.ws.security.WSSecurityException: The signature verification failed
>       16:08:51,531 INFO  [STDOUT]     at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:327)
>        
>       My Axis configuration client side is:
>          <requestFlow >
>            <handler type="java:org.apache.ws.axis.security.WSDoAllSender" >
>              <parameter name="action" value="Timestamp SAMLTokenSigned"/>
>              <parameter name="samlPropFile" value="saml3.properties"/>
>              <parameter name="signatureKeyIdentifier" value="DirectReference"/>
>            </handler>
>          </requestFlow >
>        
>       and server side is:
>          <requestFlow>
>            <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
>              <parameter name="action" value="Timestamp Signature SAMLTokenUnsigned"/>
>              <parameter name="signaturePropFile" value="pa-crypto.properties" />
>            </handler>
>          </requestFlow>
>        
>       Quite strange if I use the "keyHolder" option (with
>       little changes to the Axis configuration as described in
>       interop files) all works fine with the same keystore.
>        
>       Thanks
>        
>       Luciano Montebove
>       
>       
>       
>       
> 
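
Added example, not part of the original thread and not WSS4J or xml-sec code: it shows why re-indenting a signed part changes the reference digest while reordering attributes does not, and how to tell a whitespace-only change from a content change. It assumes Python 3.9+ and uses the standard library's C14N 2.0 and SHA-1 as stand-ins for the canonicalization and digest applied by the signing library; the SAML fragment is constructed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
ET.register_namespace("saml", SAML_NS)  # keep the prefix stable when re-serializing

# Constructed sample of a signed message part (not taken from the thread).
SIGNED_PART = (
    f'<saml:Assertion xmlns:saml="{SAML_NS}" '
    'AssertionID="example-1" Issuer="example-issuer">'
    "<saml:AuthenticationStatement><saml:Subject>"
    "<saml:NameIdentifier>alice</saml:NameIdentifier>"
    "</saml:Subject></saml:AuthenticationStatement>"
    "</saml:Assertion>"
)

def reference_digest(xml_text):
    """Canonicalize the part, then return the base64 SHA-1 digest of the bytes."""
    canonical = ET.canonicalize(xml_text)
    return base64.b64encode(hashlib.sha1(canonical.encode("utf-8")).digest()).decode()

def pretty_print(xml_text):
    """Simulate an intermediary that re-indents the XML stream."""
    root = ET.fromstring(xml_text)
    ET.indent(root)  # inserts newline/space text nodes between elements
    return ET.tostring(root, encoding="unicode")

def reorder_markup(xml_text):
    """Change only attribute order and spacing inside the start tag."""
    return xml_text.replace(
        'AssertionID="example-1" Issuer="example-issuer"',
        'Issuer="example-issuer"   AssertionID="example-1"',
    )

def whitespace_only_difference(signed, received):
    """True if the parts differ, but only in whitespace around text nodes."""
    if ET.canonicalize(signed) == ET.canonicalize(received):
        return False
    return ET.canonicalize(signed, strip_text=True) == ET.canonicalize(received, strip_text=True)

if __name__ == "__main__":
    received = pretty_print(SIGNED_PART)
    print("signed   :", reference_digest(SIGNED_PART))
    print("reordered:", reference_digest(reorder_markup(SIGNED_PART)))
    print("indented :", reference_digest(received))
    print("whitespace-only change:", whitespace_only_difference(SIGNED_PART, received))
```

Canonicalization absorbs differences inside the markup itself (attribute order, spacing within a tag), but whitespace between elements is character data and is hashed as-is.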
