All, I'm (still) working on calling a WSE 3.0 .NET web service from Java/Metro 2.0. We've got the security requirements set so that we're encrypting the body & header of the messages & signing the headers. I'm able to send a request to their service & get a response, but Metro is unable to validate the signature & throws an error from the WSIT code. I got the latest WSIT code from CVS & here's a code snippet of the method that's blowing up:

from com.sun.xml.ws.security.opt.impl.incoming.GenericSecuredHeader:

import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamWriter;
import com.sun.xml.stream.buffer.XMLStreamBuffer;

// Buffered copy of the secured header as it was read from the inbound message
private XMLStreamBuffer completeHeader;

// Replays the buffered header into the writer (here, the canonicalizer's writer)
public void writeTo(XMLStreamWriter w) throws XMLStreamException {
    try {
        // TODO what about in-scope namespaces
        completeHeader.writeToXMLStreamWriter(w);
    } catch (Exception e) {
        throw new XMLStreamException(e);
    }
}

As you can see, there's a TODO in there that I think indicates the method can't handle the situation I have, but I'm not sure I know what they mean by 'in-scope' namespaces.

Here's the snippet of XML from the web service response that it's breaking on:

<wsa:Action wsu:Id="Id-46282a5d-c7fa-403c-8ac9-f7df0dfdb0cf">http://someAction</wsa:Action>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
    <Reference URI="#Id-46282a5d-c7fa-403c-8ac9-f7df0dfdb0cf">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
      <DigestValue>/2ivNKDpYSLqPWHzrSxN/RuZ/e8=</DigestValue>
    </Reference>

In the stack trace (included below), it complains about not being able to validate the reference URI="#Id-46282a5d-c7fa-403c-8ac9-f7df0dfdb0cf". What I'm unclear on is - is it failing because the Reference element doesn't have a namespace attribute or prefix? Should they be allowed to inherit the namespace from the parent Signature element, or can the StreamBuffer classes not handle that?

To contrast, here's a similar XML snippet from my request (generated by WSIT), where the ds prefix is xmlns:ds="http://www.w3.org/2000/09/xmldsig#":

<ds:Signature xmlns:ns10="http://www.w3.org/2003/05/soap-envelope"
    xmlns:ns11="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
    xmlns:ns12="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity" Id="_1">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
      <exc14n:InclusiveNamespaces PrefixList="wsse S"/>
    </ds:CanonicalizationMethod>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#_5002">
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
          <exc14n:InclusiveNamespaces PrefixList="S"/>
        </ds:Transform>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>vtf9n+OcI1nT0exavD4/ZQy6jm8=</ds:DigestValue>
    </ds:Reference>

When Metro generates these blocks, everything has a namespace prefix.

If you're still reading this far - thank you! Here are some snippets from the stack trace:

Error occurred while trying to cache START_ELEMENTcom.sun.xml.stream.buffer.stax.StreamReaderBufferProcessor$InternalNamespaceContext
[16:12:54.026] WSS1759: Following error null occured while performing canonicalization null
[16:12:54.026] javax.xml.stream.XMLStreamException
[16:12:54.026]  at com.sun.xml.ws.security.opt.impl.incoming.GenericSecuredHeader.writeTo(GenericSecuredHeader.java:303)
[16:12:54.026]  at com.sun.xml.ws.security.opt.impl.incoming.StreamWriterData.write(StreamWriterData.java:101)
[16:12:54.026]  at com.sun.xml.ws.security.opt.crypto.dsig.Exc14nCanonicalizer.transform(Exc14nCanonicalizer.java:153)
[16:12:54.026]  at com.sun.xml.ws.security.opt.crypto.dsig.Transform.transform(Transform.java:182)
[16:12:54.026]  at com.sun.xml.ws.security.opt.crypto.dsig.Reference.transform(Reference.java:183)
[16:12:54.026]  at com.sun.xml.ws.security.opt.crypto.dsig.Reference.validate(Reference.java:102)
[16:12:54.026]  at com.sun.xml.ws.security.opt.impl.incoming.processor.SignedInfoProcessor.processReference(SignedInfoProcessor.java:422)
[16:12:54.026]  at com.sun.xml.ws.security.opt.impl.incoming.processor.SignedInfoProcessor.processReferences(SignedInfoProcessor.java:385)
[16:12:54.026]  at com.sun.xml.ws.security.opt.impl.incoming.processor.SignedInfoProcessor.process(SignedInfoProcessor.java:189)
[16:12:54.026]  at com.sun.xml.ws.security.opt.impl.incoming.Signature.process(Signature.java:206)
[16:12:54.026]  at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.handleSecurityHeader(SecurityRecipient.java:466)
[16:12:54.026]  at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.cacheHeaders(SecurityRecipient.java:281)
[16:12:54.026]  at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.validateMessage(SecurityRecipient.java:223)
[16:12:54.026]  at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.verifyInboundMessage(SecurityTubeBase.java:462)
[16:12:54.026]  at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processClientResponsePacket(SecurityClientTube.java:412)
[16:12:54.026]  at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processResponse

javax.xml.ws.WebServiceException: com.sun.xml.wss.impl.WssSoapFaultException: WSS1722: Error occurred while validating Reference with URI: #Id-46282a5d-c7fa-403c-8ac9-f7df0dfdb0cf
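As an added illustration of what the 'in-scope namespaces' TODO is about (example code added here, not from the question, the answer or WSIT): the trace shows the Exc14nCanonicalizer replaying the referenced header through GenericSecuredHeader.writeTo, and the wsa/wsu prefixes that header uses are normally declared on the Envelope, so a writer that re-serializes only the header subtree has to carry those declarations along or the fragment cannot be parsed, let alone canonicalized and digested. The envelope, its Id and the addressing/utility namespace URIs are constructed, and Python's stdlib C14N 2.0 stands in for the Exclusive C14N 1.0 transform the messages actually use.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Constructed envelope modelled on the response in the question: the wsa/wsu prefixes
# used by the signed header are declared on the Envelope, not on the header itself.
NS = {"S": "http://www.w3.org/2003/05/soap-envelope", "wsa": "http://www.w3.org/2005/08/addressing",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"}
ENVELOPE = f"""<S:Envelope xmlns:S="{NS['S']}" xmlns:wsa="{NS['wsa']}" xmlns:wsu="{NS['wsu']}">
  <S:Header><wsa:Action wsu:Id="Id-EXAMPLE">http://someAction</wsa:Action></S:Header>
  <S:Body/>
</S:Envelope>"""
URI_TO_PREFIX = {uri: prefix for prefix, uri in NS.items()}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

def find_signed_header(envelope_xml, header_id):
    # Locate the header element whose wsu:Id a <Reference URI="#id"> points at.
    return next(el for el in ET.fromstring(envelope_xml).iter()
                if el.get(f"{{{NS['wsu']}}}Id") == header_id)

def write_with_inscope_namespaces(el):
    # ET re-declares every namespace the subtree uses on its root element, which is
    # exactly the "in-scope namespaces" a streaming header writer has to carry along.
    return ET.tostring(el, encoding="unicode").strip()

def write_naively(el):
    # Model of a writer that emits only the element's own tag and attributes: the
    # prefixes stay unbound because their xmlns declarations live on an ancestor.
    def q(name):
        uri, local = name[1:].split("}")
        return f"{URI_TO_PREFIX[uri]}:{local}"
    attrs = "".join(f' {q(k)}="{v}"' for k, v in el.attrib.items())
    return f"<{q(el.tag)}{attrs}>{el.text or ''}</{q(el.tag)}>"

def digest_value(fragment_xml):
    # Stdlib C14N 2.0 stands in for the Exclusive C14N 1.0 transform the messages use.
    canonical = ET.canonicalize(fragment_xml)
    return base64.b64encode(hashlib.sha1(canonical.encode()).digest()).decode()

def compare_writers(envelope_xml, header_id):
    # Digest each writer model produces, or the parse error canonicalization hits.
    el = find_signed_header(envelope_xml, header_id)
    results = {}
    for name, writer in (("in_scope", write_with_inscope_namespaces), ("naive", write_naively)):
        try:
            results[name] = digest_value(writer(el))
        except ET.ParseError as exc:
            results[name] = f"ParseError: {exc}"
    return results
```

Running compare_writers(ENVELOPE, "Id-EXAMPLE") yields a DigestValue for the writer that carries the in-scope declarations and an unbound-prefix parse error for the one that drops them, which is the same stage (canonicalization of the referenced header) at which the trace above fails.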
A: 

After doing some more research, I believe that my initial understanding of this is correct. The Metro/WSIT code that calls the StreamBuffer code to stream the XML from the SOAP Response can't handle elements that don't have namespace prefixes or attributes. I've submitted an issue against WSIT, for those that are interested in the follow-up:

https://wsit.dev.java.net/issues/show_bug.cgi?id=1423

elduff