I am working on getting Glassfish SOAP message security with a digital
signature running and have not had any luck. I am running Glassfish Server
Open Source Edition 3.1 build 43 and testing with soapUI 3.6.1.
The glassfish server is currently running SSL on port 443 successfully so I
know that the keystore and x509 certificate is correctly configured. For the
SOAP Message Security Configuration I am running XWS_ServerProvider as the
Default Provider and XWS_ClientProvider as the default Client Provider. Both
providers are setup to use content as the authenticate source and have the
signature.key.alias set to the same certificate as SSL.
An example request from soapUI with the digital signature is:
<soapenv:Envelope xmlns:ser="
http://testservice.com/"
xmlns:soapenv="
http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header><wsse:Security
xmlns:wsse="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:BinarySecurityToken
EncodingType="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="CertId-32B7D1C168510A7A641310586176514805"
xmlns:wsu="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">MIIEUDCCAzigAwIBAgIQYDGIzkmVQi/NXbkd0M6QQTANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMVGhhd3RlLCBJbmMuMR0wGwYDVQQLExREb21haW4gVmFsaWRhdGVkIFNTTDEZMBcGA1UEAxMQVGhhd3RlIERWIFNTTCBDQTAeFw0xMTA3MTIwMDAwMDBaFw0xNDA3MTEyMzU5NTlaMIHGMSMwIQYDVQQKExpxYW5hdjIuc291cmNlb25lZGlyZWN0LmNvbTE7MDkGA1UECxMyR28gdG8gaHR0cHM6Ly93d3cudGhhd3RlLmNvbS9yZXBvc2l0b3J5L2luZGV4Lmh0bWwxIjAgBgNVBAsTGVRoYXd0ZSBTU0wxMjMgY2VydGlmaWNhdGUxGTAXBgNVBAsTEERvbWFpbiBWYWxpZGF0ZWQxIzAhBgNVBAMTGnFhbmF2Mi5zb3VyY2VvbmVkaXJlY3QuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqZhFXbyE7bY9j/ftdYOcngbvivN8qv+FGtXQs5VQNOyLz5tm2ReiY8jEgKUlz2D5ncu3zS1olUHtBiIeFHbcAnI5T19RA5KAsWPVT65LeMBp4NIicmOaHi3ZypVPm+T6F2encOTUR+xc3lz6L2a4hCGVOQt2K4jH6xENJEaUQtUAFFaYC0qGcTege+B20HNksGJzOWkOfqNbaYzdyTFRnMSushBUEEOV+K1h67RO1IzIUA5aEUop6/yrOfpkiXMx+266Sc0YnB8QyVZmpWSMdzpx4yytQkR/YKslNSRg+7UYp9q/9kMI9jgJvEFbC2uFoskZKkMzGPiPvhMVJXtjuQIDAQABo4G
gMIGdMAwGA1UdEwEB/wQCMAAwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL3N2ci1kdi1jcmwudGhhd3RlLmNvbS9UaGF3dGVEVi5jcmwwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL29jc3AudGhhd3RlLmNvbTANBgkqhkiG9w0BAQUFAAOCAQEAvmdh98NYRZCP/hvHdc1DUfb3V6Or5ynpjblskOv+2JSYxrZl0eYy4OWXCa8n0GULEBAhqsoP5ILvmlV9v/1toRVDTdCxBaPQbnqI6mx0Dx7RMmqJlEkbPzUCvxQSwwtweGiX92nD+lWUb7b1/uTwE1yK+DEerxYy0ECmRq0EaMjRVihOU6PLBSsORrOojraMSMJF/94k3ICmcoW862G81Lp6O9LFxaPU1nDvPJJaefzdPEvcy5EiHPpHFW39zmW72kI2/JR0Pza4jQbOUlsI57j4bt3o7iPpTONiZmcTVMqJoAnff6iQZWP7TEml/nEaiytotl2o8IB1zwY/3/LeYQ==</wsse:BinarySecurityToken><ds:Signature
Id="Signature-739" xmlns:ds="
http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="
http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-740">
<ds:Transforms>
<ds:Transform Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="
http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>F5pH4/5vd05XxJspgeV6z10gPXk=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
FTufMYb2quoBHe4mgwUTz6C58mzhcNf6DEbaVlQQAVSDsSr5s02AXFei3JrtWX0+BVQJDzQQp12/
Cjpd35Z9788m2SP6eZqFQdZunrE4oq9ADDts9lzQTmrL0pdNO1lkG2LWtquGsOGw/FjVBNtat2ZE
51ajcqf9rblHlMdVsJ9MXKdMXruEhVsQYOY75vDo3yaunSgk8Q62ILsf7VgU9CHu4fuLlFsQ5XjA
xvNaZpf0PaNDaYi1yJq1/r+QoqDYAPzDhdPdGZb9YLgbSJyNObKoF6fC3cucQUfNSt3x3HZDhq1X
MId9ozSSvReNQ8byjLQkCJop7WUQJGOKd7varA==
</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-32B7D1C168510A7A641310586176514806">
<wsse:SecurityTokenReference
wsu:Id="STRId-32B7D1C168510A7A641310586176514807"
xmlns:wsu="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsse:Reference
URI="#CertId-32B7D1C168510A7A641310586176514805"
ValueType="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/></wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature><wsu:Timestamp wsu:Id="Timestamp-738"
xmlns:wsu="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsu:Created>2011-07-13T19:42:56.505Z</wsu:Created><wsu:Expires>2011-07-13T19:59:36.505Z</wsu:Expires></wsu:Timestamp></wsse:Security></soapenv:Header>
<soapenv:Body wsu:Id="id-740"
xmlns:wsu="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<ser:getImage>
<arg0>
<data>test data</data>
</arg0>
</ser:getImage>
</soapenv:Body>
</soapenv:Envelope>
On the server logs I get the following errors. I have attached the complete
error message from glassfish.
* Signature Verification Failed
* Error occured in verifying the signature
* com.sun.xml.wss.XWSSecurityException:
com.sun.xml.wss.impl.WssSoapFaultException: Signature verifica...
* Container-auth: wss: Error validating request
com.sun.enterprise.security.jauth.AuthException: com....
I have no idea where to go from here with debugging. Any help or suggestions
would be greatly appreciated.
Thanks,
David
--
[Message sent by forum member 'brelloch']
View Post: http://forums.java.net/node/821965