I am using Apache CXF 3.0.11, integrated with WebSphere 8.5.5.8, and I have implemented a WebSphere-installed application that provides a Web Service that was developed top-down/WSDL-first. This Web Service uses WS-Security configured through policies in the WSDL.
The Web Service, WebServiceA, runs on an application called AppAlpha. The client, a standalone Java application, is called AppBravo.
The policies are:
- Include timestamps in the security header.
- Digitally sign the body as well as the header (which is basically just the timestamps in the security header) with an X.509 digital certificate.
In examining the logs, I can see that...
- AppBravo is signing the body and timestamps.
- AppAlpha recognizes the timestamps in the security header.
- AppAlpha fails to validate the digital signature on the timestamps -- that is, the actual digest as computed by AppAlpha does not match the expected digest, contained in the request XML.
- AppAlpha seemingly successfully validates the digital signature on the body -- that is, the actual digest as computed by AppAlpha does match the expected digest, contained in the request XML.
Does anyone know why the Web Service provider would successfully validate the request message body, but not the timestamps in the message security header?
WSDL of WebServiceA:
<?xml version='1.0' encoding='UTF-8'?>
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tns="http://www.example.com/contract/WebServiceA" xmlns:common="http://common.webservicea.webservice.com" xmlns:x1="http://webservicea.webservice.com" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702" name="WebServiceA" targetNamespace="http://www.example.com/contract/WebServiceA">
<types>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="http://common.webservicea.webservice.com" elementFormDefault="qualified" version="1.0">
<xs:include schemaLocation="WebServiceACommonTypes.xsd"/>
</xs:schema>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="http://webservicea.webservice.com" elementFormDefault="qualified" version="1.0">
<xs:element name="sendDataA">
<xs:complexType>
<xs:sequence>
<xs:element name="theDataA" type="xs:string" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="sendDataAResponse">
<xs:complexType>
<xs:sequence>
<xs:element name="theResponseA" type="xs:string" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
</types>
<message name="msgSendDataARequest">
<part name="inA" element="x1:sendDataA"/>
</message>
<message name="msgSendDataAResponse">
<part name="outA" element="x1:sendDataAResponse"/>
</message>
<message name="WebServiceAEndpointException">
<part name="fault" element="common:WebServiceAEndpointFault"/>
</message>
<portType name="WebServiceAEndpoint">
<operation name="sendDataA">
<input name="msgSendDataARequest" message="tns:msgSendDataARequest"/>
<output name="msgSendDataAResponse" message="tns:msgSendDataAResponse"/>
<fault name="WebServiceAEndpointException" message="tns:WebServiceAEndpointException"/>
</operation>
</portType>
<binding name="WebServiceAPortBinding" type="tns:WebServiceAEndpoint">
<wsp:PolicyReference URI="#WebServiceABCommonPortBindingPolicy"/>
<soap:binding transport="http://schemas.xmlsoap.org/soap/http" style="document"/>
<operation name="sendDataA">
<soap:operation soapAction="" style="document"/>
<input name="msgSendDataARequest">
<soap:body use="literal"/>
<wsp:PolicyReference URI="#WebServiceABCommonPartsPolicy"/>
</input>
<output name="msgSendDataAResponse">
<soap:body use="literal"/>
<wsp:PolicyReference URI="#WebServiceABCommonPartsPolicy"/>
</output>
<fault name="WebServiceAEndpointException">
<soap:fault name="WebServiceAEndpointException" use="literal"/>
<wsp:PolicyReference URI="#WebServiceABCommonPartsPolicy"/>
</fault>
</operation>
</binding>
<service name="WebServiceA">
<port name="WebServiceAPort" binding="tns:WebServiceAPortBinding">
<soap:address location="http://my.testenvironment.com:9083/AppAlpha/services/WebServiceA"/>
</port>
</service>
<wsp:Policy wsu:Id="WebServiceABCommonPortBindingPolicy">
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding>
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssX509V3Token11/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
<wsp:Policy>
<sp:WssX509V3Token11/>
<sp:RequireIssuerSerialReference/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
<sp:OnlySignEntireHeadersAndBody/>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic128/>
</wsp:Policy>
</sp:AlgorithmSuite>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss11>
<wsp:Policy>
<sp:MustSupportRefIssuerSerial/>
</wsp:Policy>
</sp:Wss11>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy wsu:Id="WebServiceABCommonPartsPolicy">
<wsp:ExactlyOne>
<wsp:All>
<sp:SignedParts>
<sp:Body/>
</sp:SignedParts>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
</definitions>
Console output from AppBravo, the client of WebServiceA:
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/C:/Program%20Files%20(x86)/IBM/WebSphere/AppServer_1/plugins/com.ibm.ws.prereq.jaxrs.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/C:/Users/me/IBM/rationalsdp/workspace_WSDL_20161108/AppBravo/WebContent/WEB-INF/lib/slf4j-jdk14-1.7.14.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
Dec 16, 2016 4:12:59 PM org.springframework.context.support.AbstractApplicationContext prepareRefresh
INFO: Refreshing org.apache.cxf.bus.spring.BusApplicationContext@db64d237: startup date [Fri Dec 16 16:12:59 EST 2016]; root of context hierarchy
Dec 16, 2016 4:12:59 PM org.apache.cxf.bus.spring.BusApplicationContext getConfigResources
INFO: Loaded configuration file cxf.xml.
Dec 16, 2016 4:12:59 PM org.springframework.beans.factory.xml.XmlBeanDefinitionReader loadBeanDefinitions
INFO: Loading XML bean definitions from class path resource [cxf.xml]
Dec 16, 2016 4:12:59 PM org.springframework.beans.factory.support.DefaultListableBeanFactory preInstantiateSingletons
INFO: Pre-instantiating singletons in org.springframework.beans.factory.support.DefaultListableBeanFactory@be48d7d7: defining beans [cxf,org.apache.cxf.bus.spring.BusWiringBeanFactoryPostProcessor,org.apache.cxf.bus.spring.Jsr250BeanPostProcessor,org.apache.cxf.bus.spring.BusExtensionPostProcessor,{http://www.example.com/contract/WebServiceA}WebServiceAPort.jaxws-client.proxyFactory,{http://www.example.com/contract/WebServiceA}WebServiceAPort.jaxws-client]; root of factory hierarchy
Dec 16, 2016 4:13:00 PM org.apache.cxf.wsdl.service.factory.ReflectionServiceFactoryBean buildServiceFromWSDL
INFO: Creating Service {http://www.example.com/contract/WebServiceA}WebServiceA from WSDL: file:/C:/Users/me/IBM/rationalsdp/workspace_WSDL_20161108/TempCXFCodeGenProject/wsdl/WebServiceA.wsdl
Dec 16, 2016 4:13:00 PM org.apache.cxf.services.WebServiceA.WebServiceAPort.WebServiceAEndpoint null
INFO: Outbound Message
---------------------------
ID: 1
Address: http://my.testenvironment.com:9083/AppAlpha/services/WebServiceA
Encoding: UTF-8
Http-Method: POST
Content-Type: text/xml
Headers: {Accept=[*/*], SOAPAction=[""]}
Payload: <soapenv:Envelope xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soapenv:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soapenv:mustUnderstand="1"><wsu:Timestamp wsu:Id="TS-4b24dbaf-201c-41c1-8dc7-53f234b3a849"><wsu:Created>2016-12-16T21:13:00.846Z</wsu:Created><wsu:Expires>2016-12-16T21:18:00.846Z</wsu:Expires></wsu:Timestamp><wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-fd064e65-9b93-48cd-a56f-041e4d27bb8b">MIICojCCAYqgAwIBAgIEWErPtDANBgkqhkiG9w0BAQUFADATMREwDwYDVQQDEwhBcHBCcmF2bzAeFw0xNjEyMDkxNTM3MjRaFw0xODEyMDkxNTM3MjRaMBMxETAPBgNVBAMTCEFwcEJyYXZvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAk/iiNtGkSXcP9X2JKD+aCA1WKmzlrr+oOHJb7de+hABnWRGPfy0pBw6nks3ugQIwpC8qkobKo7+he2XePqDxBAvAH8s4w31For9MaKdJo5ZwbCPuZ+8YqYtnJgQEmncazofnqXLWRyWPCZ7vpH3eONvz+TlNPiJri1DLMedDBgupdzg8gyckxerHheqf5xs/wvWOncCWqm/A8bUUN4bias3i7S3UxOfb+QrB1T+cycQTzSXVlauqrVERaC0Fqd0i4pxS6t3z1VIcw697uphbooWEhH1yjyHTUosG1nrWup1sv3sseFxdefaFJlGbjVfuD3QHnrQ6cBgAQS5EUR/ZYQIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQBzLAFlrcw+qhc5cZe/QkebdfXfPxaAMM/Ve9PWo3H4RS0sHYIqqom9VCQ1JKayHoTgO3XesC2qapPRo1jPsWmfmm2n4RiRPIXW8kjm4tMTGheIxOUVMg2B7H8SennKBRM1LlU4Ewe160Nhfdzs0Y/E3zTlDAINd3g8TdNJT2eUNszYaOTpkGqlKbN5mZE3O2fvlG+H0XqJ6zjHp5+MM8QVg6ESEK6zGEZUdrzxRSXRDmuWZQ+Jx3+7qL5Uh1Ylipn7qMPlC8/ePV+fRuiz4NEcE5PaKZCkFYOQiddHA+LYfIVmGxjAAY2BN2wQdgErTFoFR1kOmUH4AI/pgZa/yGx4</wsse:BinarySecurityToken><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-3914e870-57e7-4fe1-8b75-52bed65c05f6"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soapenc soapenv xsd xsi"></ec:InclusiveNamespaces></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#TS-4b24dbaf-201c-41c1-8dc7-53f234b3a849"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>uLm/Y2FEfFcXfp8W6kfQO86bJ9Y=</ds:DigestValue></ds:Reference><ds:Reference URI="#_03eba575-563f-438d-9701-b5a50b8dabe0"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soapenc xsd xsi"></ec:InclusiveNamespaces></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>kQjZ5433MyDvXEcmze8the0EMd8=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>akjjBgGVeeNKAzwmofjOXQo59p3wiHxBfFQPXUdZ2Zo/WbZdnKGzpW1Vg9L+JCpofUAPn0g97OPnE0EII8aMSgOuFEU9VdtjU0Dwn1GPLUSVCWub74qe1r7ojr841VXP5YtSb2+WKBiFLgG74yqnnpneKBA8j+KAnYxo+NvYdhtgrCwoNTZBFie1GqEBsyUpCqsJIVZfydTNRGyApSNbTOv0PnwV5ZGFIoVy+7ZPHBsi6kvqkErCZvZ3uztd4jpPPyE0GousCgvEilkMQSm/BaVzXZDyyTtWHesGMR9l6172B4nJ4KTUwhfLy8rU6hjFLletum+Ys9egdD3LWbWguw==</ds:SignatureValue><ds:KeyInfo Id="KI-8d80ebc9-a6de-4498-b8e3-326eb506fee3"><wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STR-2219d15b-208c-42b0-9721-ab3efbd641b7"><wsse:Reference URI="#X509-fd064e65-9b93-48cd-a56f-041e4d27bb8b" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"></wsse:Reference></wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature></wsse:Security></soapenv:Header><soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="_03eba575-563f-438d-9701-b5a50b8dabe0"><sendDataA xmlns="http://webservicea.webservice.com" xmlns:ns2="http://common.webservicea.webservice.com"><theDataA>Test invocation of Web Service A</theDataA></sendDataA></soapenv:Body></soapenv:Envelope>
--------------------------------------
Dec 16, 2016 4:13:02 PM org.apache.cxf.services.WebServiceA.WebServiceAPort.WebServiceAEndpoint null
INFO: Inbound Message
----------------------------
ID: 1
Response-Code: 500
Encoding: UTF-8
Content-Type: text/xml; charset=UTF-8
Headers: {connection=[Close], Content-Language=[en-US], content-type=[text/xml; charset=UTF-8], Date=[Fri, 16 Dec 2016 21:13:02 GMT], transfer-encoding=[chunked], X-Powered-By=[Servlet/3.0]}
Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode xmlns:ns1="http://ws.apache.org/wss4j">ns1:SecurityError</faultcode><faultstring>A security error was encountered when verifying the message</faultstring></soap:Fault></soap:Body></soap:Envelope>
--------------------------------------
Dec 16, 2016 4:13:02 PM org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor handleMessageInternal
WARNING: The request is a SOAP Fault, but it is not secured
Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: A security error was encountered when verifying the message
at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:160)
at com.sun.proxy.$Proxy36.sendDataA(Unknown Source)
at com.ws.impl.WebServiceAClientStandalone.sendDataA(WebServiceAClientStandalone.java:35)
at com.ws.impl.WebServiceAClientStandalone.main(WebServiceAClientStandalone.java:29)
Caused by: org.apache.cxf.binding.soap.SoapFault: A security error was encountered when verifying the message
at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.unmarshalFault(Soap11FaultInInterceptor.java:86)
at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:52)
at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:41)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:113)
Here are excerpts of AppAlpha's log file:
org.apache.jcp.xml.dsig.internal.dom.DOMSignatureMethod verify JCA Algorithm: SHA1withRSA
org.apache.jcp.xml.dsig.internal.dom.DOMSignatureMethod verify Signature Bytes length: 256
...
org.apache.jcp.xml.dsig.internal.DigesterOutputStream write <wsu:Timestamp...
org.apache.jcp.xml.dsig.internal.dom.DOMReference validate Expected digest: uLm/Y2FEfFcXfp8W6kfQO86bJ9Y=
org.apache.jcp.xml.dsig.internal.dom.DOMReference validate Actual digest: ONplUDjf+u6NMCXv7QuuR38YBrQ=
org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature validate Reference[#TS-4b24dbaf-201c-41c1-8dc7-53f234b3a849] is valid: false
...
DigesterOutpu 1 org.apache.jcp.xml.dsig.internal.DigesterOutputStream write Pre-digested input:
DigesterOutpu 1 org.apache.jcp.xml.dsig.internal.DigesterOutputStream write <soapenv:Body...
DOMReference 1 org.apache.jcp.xml.dsig.internal.dom.DOMReference validate Expected digest: kQjZ5433MyDvXEcmze8the0EMd8=
DOMReference 1 org.apache.jcp.xml.dsig.internal.dom.DOMReference validate Actual digest: kQjZ5433MyDvXEcmze8the0EMd8=
SignatureProc 1 org.apache.wss4j.dom.processor.SignatureProcessor verifyXMLSignature Reference #_03eba575-563f-438d-9701-b5a50b8dabe0 check: true