I am new to Spring WS and I made some changes to the airline-server and airline-client-spring-ws samples to try out WS-Security signatures. The server can verify the client request, but the client fails to verify the server response with the following error (stack trace below). Could any experts here give me a helping hand? Thanks.
Client securityPolicy.xmlCode:May 29, 2012 4:29:15 PM com.sun.xml.wss.impl.dsig.KeySelectorImpl resolveToken SEVERE: WSS1364: Unable to validate certificate May 29, 2012 4:29:15 PM com.sun.xml.wss.impl.dsig.KeySelectorImpl resolve SEVERE: WSS1353: Error occurred while resolving key information Throwable occurred: com.sun.xml.wss.impl.WssSoapFaultException: Certificate validation failed at com.sun.xml.wss.impl.SecurableSoapMessage.newSOAPFaultException(SecurableSoapMessage.java:336) at com.sun.xml.wss.impl.dsig.KeySelectorImpl.resolveToken(KeySelectorImpl.java:1332) at com.sun.xml.wss.impl.dsig.KeySelectorImpl.resolve(KeySelectorImpl.java:640) at com.sun.xml.wss.impl.dsig.KeySelectorImpl.select(KeySelectorImpl.java:246) at org.jcp.xml.dsig.internal.dom.DOMXMLSignature$DOMSignatureValue.validate(Unknown Source) at org.jcp.xml.dsig.internal.dom.DOMXMLSignature.validate(Unknown Source) at com.sun.xml.wss.impl.dsig.SignatureProcessor.verify(SignatureProcessor.java:786) at com.sun.xml.wss.impl.filter.SignatureFilter.process(SignatureFilter.java:537) at com.sun.xml.wss.impl.HarnessUtil.processWSSPolicy(HarnessUtil.java:93) at com.sun.xml.wss.impl.HarnessUtil.processDeep(HarnessUtil.java:268) at com.sun.xml.wss.impl.SecurityRecipient.processMessagePolicy(SecurityRecipient.java:863) at com.sun.xml.wss.impl.SecurityRecipient.processMessagePolicy(SecurityRecipient.java:815) at com.sun.xml.wss.impl.SecurityRecipient.validateMessage(SecurityRecipient.java:256) at com.sun.xml.wss.impl.misc.XWSSProcessor2_0Impl.verifyInboundMessage(XWSSProcessor2_0Impl.java:148) at org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor.validateMessage(XwsSecurityInterceptor.java:162) at org.springframework.ws.soap.security.AbstractWsSecurityInterceptor.handleResponse(AbstractWsSecurityInterceptor.java:235) at org.springframework.ws.client.core.WebServiceTemplate.triggerHandleResponse(WebServiceTemplate.java:732) at 
org.springframework.ws.client.core.WebServiceTemplate.doSendAndReceive(WebServiceTemplate.java:595) at org.springframework.ws.client.core.WebServiceTemplate.sendAndReceive(WebServiceTemplate.java:537) at org.springframework.ws.client.core.WebServiceTemplate.doSendAndReceive(WebServiceTemplate.java:492) at org.springframework.ws.client.core.WebServiceTemplate.sendSourceAndReceiveToResult(WebServiceTemplate.java:436) at org.springframework.ws.client.core.WebServiceTemplate.sendSourceAndReceiveToResult(WebServiceTemplate.java:427) at org.springframework.ws.client.core.WebServiceTemplate.sendSourceAndReceiveToResult(WebServiceTemplate.java:417)
client spring configCode:
<?xml version="1.0" encoding="UTF-8"?>
<!-- NOTE(review): despite the heading above, this listing is an XWSS security policy (xwss:SecurityConfiguration),
     the kind of file an XwsSecurityInterceptor loads through its policyConfiguration property. -->
<!-- dumpMessages="true" asks XWSS to dump the SOAP messages it processes. Useful while debugging a signature
     problem, but the dump contains the full message including its security header, so turn it off outside
     of debugging. -->
<xwss:SecurityConfiguration dumpMessages="true" xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
    <!-- Sign outgoing messages and add a timestamp. No xwss:X509Token with a certificateAlias is nested here,
         so the signing key is presumably the one the callback handler selects by default (its defaultAlias).
         Confirm against the handler configuration. -->
    <xwss:Sign includeTimestamp="true"> </xwss:Sign>
    <!-- Require incoming messages to carry a signature and a timestamp. The signer's certificate is validated
         through the configured callback handler, which is the step that fails in the quoted stack trace
         (KeySelectorImpl.resolveToken, WSS1364). -->
    <xwss:RequireSignature requireTimestamp="true" />
</xwss:SecurityConfiguration>
Server securityPolicy.xmlCode:
<?xml version="1.0" encoding="UTF-8"?>
<!-- NOTE(review): despite the heading above, this listing is the Spring bean definition file of the airline
     sample client (its beans use classes under org.springframework.ws.samples.airline.client.sws). -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">

    <bean id="messageFactory" class="org.springframework.ws.soap.saaj.SaajSoapMessageFactory" />

    <!-- Shared parent for the client beans. defaultUri is plain http: the WS-Security signature protects the
         integrity of the signed parts, but nothing in this listing provides transport confidentiality. -->
    <bean id="abstractClient" abstract="true">
        <constructor-arg ref="messageFactory" />
        <property name="defaultUri" value="http://localhost:18080/SpringWS-airline-server/services" />
    </bean>

    <bean id="marshaller" class="org.springframework.oxm.xmlbeans.XmlBeansMarshaller" />

    <!-- GetFlights client: no security interceptor is attached to it. -->
    <bean id="getFlights" parent="abstractClient" class="org.springframework.ws.samples.airline.client.sws.GetFlights">
        <property name="marshaller" ref="marshaller" />
        <property name="unmarshaller" ref="marshaller" />
    </bean>

    <!-- GetFrequentFlyerMileage client: uses the XWSS signature interceptor (securityInterceptor2). -->
    <bean id="getFrequentFlyerMileage" parent="abstractClient" class="org.springframework.ws.samples.airline.client.sws.GetFrequentFlyerMileage">
        <property name="interceptors" ref="securityInterceptor2" />
    </bean>

    <!-- WSS4J UsernameToken interceptor. No bean in this listing references it. The user name and password
         are literals in the file; for anything beyond a local sample, supply them from outside the
         configuration (for example a property placeholder) rather than committing them. -->
    <bean id="securityInterceptor" class="org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor">
        <property name="securementActions" value="UsernameToken" />
        <property name="securementUsername" value="john" />
        <property name="securementPassword" value="changeme" />
    </bean>

    <!-- XWSS interceptor that applies securityPolicy.xml. On the client, the request is secured and the
         response is validated (the stack trace on this page shows handleResponse calling validateMessage).
         NOTE(review): secureResponse presumably has no effect on the client side; the response check is
         governed by validateResponse. Confirm against AbstractWsSecurityInterceptor. -->
    <bean id="securityInterceptor2" class="org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor">
        <property name="secureRequest" value="true" />
        <property name="secureResponse" value="true" />
        <property name="policyConfiguration" value="classpath:org/springframework/ws/samples/airline/client/sws/securityPolicy.xml" />
        <property name="callbackHandlers">
            <list>
                <!-- keyStore supplies the client's private key (entry WASClientCertificate) for signing;
                     trustStore is what the server's signing certificate is checked against.
                     The WSS1364 "Unable to validate certificate" error is raised in that check. As documented
                     for KeyStoreCallbackHandler, a certificate is accepted if it is present in keyStore;
                     otherwise it must be within its validity period and a certification path to a CA in
                     trustStore must be buildable. So verify that ClientTrustStore.jks contains the issuer of
                     the certificate the server signs with, and that the certificate has not expired. -->
                <bean id="keyStoreHandler" class="org.springframework.ws.soap.security.xwss.callback.KeyStoreCallbackHandler">
                    <property name="keyStore" ref="keyStore" />
                    <property name="trustStore" ref="trustStore" />
                    <property name="defaultAlias" value="WASClientCertificate" />
                    <!-- Private key password as a literal, identical to the store passwords below. -->
                    <property name="privateKeyPassword" value="sslwebsv" />
                </bean>
            </list>
        </property>
    </bean>

    <!-- Client key store (private key + certificate). The location is an absolute path on a G: drive and the
         password is a literal; the same literal is reused for every store and key on this page, so
         disclosing this file discloses all of them. -->
    <bean id="keyStore" class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
        <property name="location" value="file:///G:/COMMON/Kelvin/SSLCert/ClientKeyStore/ClientKeyStore.jks" />
        <property name="password" value="sslwebsv" />
    </bean>

    <!-- Client trust store: the set of certificates the client is willing to trust when validating the
         signature on the server's response. -->
    <bean id="trustStore" class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
        <property name="location" value="file:///G:/COMMON/Kelvin/SSLCert/ClientTrustStore/ClientTrustStore.jks" />
        <property name="password" value="sslwebsv" />
    </bean>
</beans>
Server Spring config:Code:
<?xml version="1.0" encoding="UTF-8"?>
<!-- NOTE(review): despite the heading above, this listing is an XWSS security policy (xwss:SecurityConfiguration),
     not a Spring bean file. Its content is identical to the other policy listing on this page. -->
<!-- dumpMessages="true" asks XWSS to dump the SOAP messages it processes, security header included.
     Keep it to debugging sessions. -->
<xwss:SecurityConfiguration dumpMessages="true" xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
    <!-- Sign outgoing messages and add a timestamp. No certificate alias is named in the policy, so the
         signing key is presumably chosen by the callback handler's defaultAlias. Confirm against the
         handler configuration. -->
    <xwss:Sign includeTimestamp="true"> </xwss:Sign>
    <!-- Require a signature and a timestamp on incoming messages. -->
    <xwss:RequireSignature requireTimestamp="true" />
</xwss:SecurityConfiguration>
Code:
<?xml version="1.0" encoding="UTF-8"?>
<!-- Spring bean definition file of the airline sample server: endpoint interceptors (logging, schema
     validation, XWSS signature handling for GetFrequentFlyerMileageRequest) plus the key and trust stores. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:sws="http://www.springframework.org/schema/web-services"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd http://www.springframework.org/schema/web-services http://www.springframework.org/schema/web-services/web-services-2.0.xsd">

    <sws:annotation-driven />

    <sws:interceptors>
        <!-- Logs message payloads. Check what ends up in the log if payloads carry personal data. -->
        <bean class="org.springframework.ws.server.endpoint.interceptor.PayloadLoggingInterceptor" />
        <!-- Validates request and response payloads against the schemas in schemaCollection. -->
        <bean class="org.springframework.ws.soap.server.endpoint.interceptor.PayloadValidatingInterceptor">
            <property name="xsdSchemaCollection" ref="schemaCollection" />
            <property name="validateRequest" value="true" />
            <property name="validateResponse" value="true" />
        </bean>
        <!-- The XWSS interceptor is applied only to messages whose payload root is
             GetFrequentFlyerMileageRequest in the airline messages namespace. -->
        <sws:payloadRoot localPart="GetFrequentFlyerMileageRequest" namespaceUri="http://www.springframework.org/spring-ws/samples/airline/schemas/messages">
            <bean class="org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor">
                <property name="secureRequest" value="true" />
                <property name="secureResponse" value="true" />
                <property name="policyConfiguration" value="classpath:org/springframework/ws/samples/airline/security/securityPolicy.xml" />
                <property name="callbackHandlers">
                    <list>
                        <!-- Digest password handler left disabled by the author; only the key store handler is active. -->
                        <!-- <bean class="org.springframework.ws.soap.security.xwss.callback.SpringDigestPasswordValidationCallbackHandler"> -->
                        <!-- <property name="userDetailsService" ref="securityService"/> -->
                        <!-- </bean> -->
                        <!-- keyStore supplies the server's private key (entry WASServerCertificate) used to
                             sign responses; trustStore is what client certificates are validated against.
                             The certificate stored under WASServerCertificate is presumably the one the client
                             fails to validate (WSS1364 on this page), so its issuer has to be trusted by the
                             client's trust store and it has to be within its validity period. -->
                        <bean id="keyStoreHandler" class="org.springframework.ws.soap.security.xwss.callback.KeyStoreCallbackHandler">
                            <property name="keyStore" ref="keyStore" />
                            <property name="trustStore" ref="trustStore" />
                            <property name="defaultAlias" value="WASServerCertificate" />
                            <!-- Private key password as a literal, identical to the store passwords below. -->
                            <property name="privateKeyPassword" value="sslwebsv" />
                        </bean>
                    </list>
                </property>
            </bean>
        </sws:payloadRoot>
    </sws:interceptors>

    <context:component-scan base-package="org.springframework.ws.samples.airline.ws" />

    <bean id="messageFactory" class="org.springframework.ws.soap.saaj.SaajSoapMessageFactory" />

    <bean id="messageReceiver" class="org.springframework.ws.soap.server.SoapMessageDispatcher" />

    <bean id="schemaCollection" class="org.springframework.xml.xsd.commons.CommonsXsdSchemaCollection">
        <description> This bean wrap the messages.xsd (which imports types.xsd), and inlines them as a one. </description>
        <property name="xsds" value="/messages.xsd" />
        <property name="inline" value="true" />
    </bean>

    <!-- Server key store (private key + certificate). The location is an absolute path on a G: drive and the
         password is a literal; the same literal is reused for every store and key on this page. For anything
         beyond a local sample, supply passwords from outside the configuration file and use a distinct
         password per store. -->
    <bean id="keyStore" class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
        <property name="location" value="file:///G:/COMMON/Kelvin/SSLCert/ServerKeyStore/ServerKeyStore.jks" />
        <property name="password" value="sslwebsv" />
    </bean>

    <!-- Server trust store: the certificates the server trusts when validating the signature on client requests. -->
    <bean id="trustStore" class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
        <property name="location" value="file:///G:/COMMON/Kelvin/SSLCert/ServerTrustStore/ServerTrustStore.jks" />
        <property name="password" value="sslwebsv" />
    </bean>
</beans>

