« Return to Thread: Problem with XmlUtils.toString and WSS4J
Re: Problem with XmlUtils.toString and WSS4J
by Alexander Willner-2
::
Rate this Message:
Dear David,
thank you for the reply. But since I'm working on a Java w3c-Document
objects, I think white spaces are not the problem here. But I'll do
some further investigation.
Regards, Alex
Am 22.01.2008 um 17:42 schrieb <david.brossard@...> <david.brossard@...
>:
> Hi,
>
> Wouldn't this be due to the extra space that can be found around
> elements (space used for pretty formatting). That would account for
> the
> fact the PrettyDocumentToString method works.
>
> Remember the way signature works: a hash of the XML document is taken
> then signed. Obviously, if there's additional (or fewer) whitespace,
> the
> hash changes which results in the signature being invalid...
>
> Hope this helps...
>
> David.
>
>
> David Brossard
> _______________________
> Linkedin Profile: http://www.linkedin.com/in/davidbrossard
> _______________________
>
> -----Original Message-----
> From: Alexander Willner [mailto:willner@...]
> Sent: 22 January 2008 15:31
> To: muse-user@...
> Subject: Problem with XmlUtils.toString and WSS4J
>
> Hello everyone,
>
> there seems to be a serious problem with XmlUtils.toString(Doc) and
> WSS4J. When you convert a document to its XML representation and then
> back to a document again, it can't be validated by WSS4J anymore. This
> happens e.g. when receiving a SOAP message via the MiniServlet.
> I've written a JUnit test to show the problem:
>
> ------------------------------------------------------------------------
> -------------------
> public final void testSignatureToString() throws IOException,
> SAXException,
> SignatureNotFoundException {
>
> /* Create valid signed example
> -------------------------------------- */
> Document request =
>
> createExampleRequestWithoutSignature
> (this.exampleRequestWithoutSignature);
> Document response = this.secureHandler.addSignature(request);
> String responseString = XmlUtils.toString(response);
> /*
> ------------------------------------------------------------------ */
>
>
> /* Check example
> ---------------------------------------------------- */
> boolean check = this.signer.checkSignature(response);
> Assert.assertTrue("Signature is valid!", check);
> /*
> ------------------------------------------------------------------ */
>
>
> /* Create a copy (e.g. receive example via Webservice
> --------------- */
> Document newResponse = XmlUtils.createDocument(responseString);
> String newResponseString = XmlUtils.toString(newResponse);
> Assert.assertTrue("Strings are equal", newResponseString
> .equals(responseString));
> /*
> ------------------------------------------------------------------ */
>
>
> /*
> ------------------------------------------------------------------ */
> check = this.signer.checkSignature(newResponse);
> Assert.assertTrue("Signature is valid", check); // this fails!!!
> /*
> ------------------------------------------------------------------
> */ }
> ------------------------------------------------------------------------
> -------------------
>
> The solution here is to use XMLUtils.PrettyDocumentToString(Doc) [1]
> instead of XmlUtils.toString(Doc):
>
> ------------------------------------------------------------------------
> -------------------
> public final void testSignatureToString() throws IOException,
> SAXException,
> SignatureNotFoundException {
>
> /* Create valid signed example
> -------------------------------------- */
> Document request =
>
> createNspExampleRequestWithoutSignature
> (this.nspExampleRequestWithoutSignature);
> this.secureHandler.setAddSignatureFlag(true);
> Document response = this.secureHandler.addSignature(request);
> String responseString =
> XMLUtils.PrettyDocumentToString(response);
> /*
> ------------------------------------------------------------------ */
>
>
> /* Check example
> ---------------------------------------------------- */
> boolean check = this.signer.checkSignature(response);
> Assert.assertTrue("Signature is valid!", check);
> /*
> ------------------------------------------------------------------ */
>
>
> /* Create a copy (e.g. receive example via Webservice
> --------------- */
> Document newResponse = XmlUtils.createDocument(responseString);
> String newResponseString =
> XMLUtils.PrettyDocumentToString(newResponse);
> String newResponseString2 = XmlUtils.toString(newResponse);
> System.out.println("Test1: ---------");
> System.out.println(newResponseString);
> System.out.println("Test2: ---------");
> System.out.println(newResponseString2);
>
> Assert.assertTrue("Strings are equal", newResponseString
> .equals(responseString));
> /*
> ------------------------------------------------------------------ */
>
>
> /*
> ------------------------------------------------------------------ */
> check = this.signer.checkSignature(newResponse);
> Assert.assertTrue("Signature is valid", check);
> /*
> ------------------------------------------------------------------
> */ }
> ------------------------------------------------------------------------
> -------------------
>
>
> Regards, Alex
>
> [1]
> http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/util/XMLUtils
> .
> html#PrettyDocumentToString(org.w3c.dom.Document)
---------------------------------------------------------------------
To unsubscribe, e-mail: muse-user-unsubscribe@...
For additional commands, e-mail: muse-user-help@...
thank you for the reply. But since I'm working on a Java w3c-Document
objects, I think white spaces are not the problem here. But I'll do
some further investigation.
Regards, Alex
Am 22.01.2008 um 17:42 schrieb <david.brossard@...> <david.brossard@...
>:
> Hi,
>
> Wouldn't this be due to the extra space that can be found around
> elements (space used for pretty formatting). That would account for
> the
> fact the PrettyDocumentToString method works.
>
> Remember the way signature works: a hash of the XML document is taken
> then signed. Obviously, if there's additional (or fewer) whitespace,
> the
> hash changes which results in the signature being invalid...
>
> Hope this helps...
>
> David.
>
>
> David Brossard
> _______________________
> Linkedin Profile: http://www.linkedin.com/in/davidbrossard
> _______________________
>
> -----Original Message-----
> From: Alexander Willner [mailto:willner@...]
> Sent: 22 January 2008 15:31
> To: muse-user@...
> Subject: Problem with XmlUtils.toString and WSS4J
>
> Hello everyone,
>
> there seems to be a serious problem with XmlUtils.toString(Doc) and
> WSS4J. When you convert a document to its XML representation and then
> back to a document again, it can't be validated by WSS4J anymore. This
> happens e.g. when receiving a SOAP message via the MiniServlet.
> I've written a JUnit test to show the problem:
>
> ------------------------------------------------------------------------
> -------------------
> public final void testSignatureToString() throws IOException,
> SAXException,
> SignatureNotFoundException {
>
> /* Create valid signed example
> -------------------------------------- */
> Document request =
>
> createExampleRequestWithoutSignature
> (this.exampleRequestWithoutSignature);
> Document response = this.secureHandler.addSignature(request);
> String responseString = XmlUtils.toString(response);
> /*
> ------------------------------------------------------------------ */
>
>
> /* Check example
> ---------------------------------------------------- */
> boolean check = this.signer.checkSignature(response);
> Assert.assertTrue("Signature is valid!", check);
> /*
> ------------------------------------------------------------------ */
>
>
> /* Create a copy (e.g. receive example via Webservice
> --------------- */
> Document newResponse = XmlUtils.createDocument(responseString);
> String newResponseString = XmlUtils.toString(newResponse);
> Assert.assertTrue("Strings are equal", newResponseString
> .equals(responseString));
> /*
> ------------------------------------------------------------------ */
>
>
> /*
> ------------------------------------------------------------------ */
> check = this.signer.checkSignature(newResponse);
> Assert.assertTrue("Signature is valid", check); // this fails!!!
> /*
> ------------------------------------------------------------------
> */ }
> ------------------------------------------------------------------------
> -------------------
>
> The solution here is to use XMLUtils.PrettyDocumentToString(Doc) [1]
> instead of XmlUtils.toString(Doc):
>
> ------------------------------------------------------------------------
> -------------------
> public final void testSignatureToString() throws IOException,
> SAXException,
> SignatureNotFoundException {
>
> /* Create valid signed example
> -------------------------------------- */
> Document request =
>
> createNspExampleRequestWithoutSignature
> (this.nspExampleRequestWithoutSignature);
> this.secureHandler.setAddSignatureFlag(true);
> Document response = this.secureHandler.addSignature(request);
> String responseString =
> XMLUtils.PrettyDocumentToString(response);
> /*
> ------------------------------------------------------------------ */
>
>
> /* Check example
> ---------------------------------------------------- */
> boolean check = this.signer.checkSignature(response);
> Assert.assertTrue("Signature is valid!", check);
> /*
> ------------------------------------------------------------------ */
>
>
> /* Create a copy (e.g. receive example via Webservice
> --------------- */
> Document newResponse = XmlUtils.createDocument(responseString);
> String newResponseString =
> XMLUtils.PrettyDocumentToString(newResponse);
> String newResponseString2 = XmlUtils.toString(newResponse);
> System.out.println("Test1: ---------");
> System.out.println(newResponseString);
> System.out.println("Test2: ---------");
> System.out.println(newResponseString2);
>
> Assert.assertTrue("Strings are equal", newResponseString
> .equals(responseString));
> /*
> ------------------------------------------------------------------ */
>
>
> /*
> ------------------------------------------------------------------ */
> check = this.signer.checkSignature(newResponse);
> Assert.assertTrue("Signature is valid", check);
> /*
> ------------------------------------------------------------------
> */ }
> ------------------------------------------------------------------------
> -------------------
>
>
> Regards, Alex
>
> [1]
> http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/util/XMLUtils
> .
> html#PrettyDocumentToString(org.w3c.dom.Document)
---------------------------------------------------------------------
To unsubscribe, e-mail: muse-user-unsubscribe@...
For additional commands, e-mail: muse-user-help@...
« Return to Thread: Problem with XmlUtils.toString and WSS4J
| Free embeddable forum powered by Nabble | Forum Help |
