
JAX-WS, WebSphere AS 8.5 and XML Digital Signature


I'm developing a JAX-WS web service that must validate incoming SOAP messages according to the XML Digital Signature specification. I'm noticing a strange behaviour: I can validate the very first incoming message, but then validation fails on subsequent messages (on both signature and reference). If I restart the Application Server (WebSphere 8.5) I can validate the first message. It seems that the Application Server modifies incoming SOAP messages before I can parse them. The modified SOAP messages are logically equivalent XML documents but differ in their physical representation, and canonicalization doesn't solve the problem.

Below is the code that retrieves the SOAPMessage from the SOAPMessageContext and prints the Envelope.

@Override
public boolean handleMessage(SOAPMessageContext messageContext) {

    // get the message from the context
    SOAPMessage message = messageContext.getMessage();

    // is this an outgoing message? (MESSAGE_OUTBOUND_PROPERTY is always set by the runtime)
    Boolean isOutgoing = (Boolean) messageContext.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY);

    if (!isOutgoing) {
        // incoming message...

        // Retrieve the SOAP part of the incoming message (a DOM Document)
        SOAPPart soapPart = message.getSOAPPart();

        try {
            System.out.println(soapPart.getEnvelope().toString());
        } catch (SOAPException e1) {
            e1.printStackTrace();
        }

        //...omissis...
    }

    // let the handler chain continue
    return true;
}

Below is the output for the first Message:

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soap:Body>
    <CommandMessage xmlns="http://www.cryptomathic.com/ckms">
        <Commands Count="1">
            <PushServerPublicKeyCommand>
                <SerialNumber>10</SerialNumber>
                <Target>COPS</Target>
                <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                    <KeyValue>
                        <RSAKeyValue>
                            <Modulus>nnVA6qE9XnEtZPDLrtmWYfyh7nSC6R0543mwWoPFR+JtnRb6kQUXzf8fYaqyUFb3WD+57d1a9OxCzXLW4ilhe+QjrSy7zfqEQWTxkf+ajUuH3q3V/EpWqJvz4zwcxdTOkseap7skMh+zTacmViKAOm2oZAca3HQ2RwSiaYpiOTLAijnvPXieGGxBau8tlfyXZ8c+3TSRBevuiVT9Q5xBph+iT+Kk0Ay1762M3NoPJYAF3zUoaRZ95HqzmE0uuX/fJ4OAju87uvSD7V5uRW5L1LQ6vESIExZ3XmmCc6zOPSIiwBc3z+E6OZiIxoHw068qyNCdNk184X0rtw2ccl3nyQ==</Modulus>
                            <Exponent>AQAB</Exponent>
                        </RSAKeyValue>
                    </KeyValue>
                </KeyInfo>
            </PushServerPublicKeyCommand>
        </Commands>
        <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo>
                <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                <Reference URI="">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                    <DigestValue>XKl5mK5WVr1RU95Zui14kVz4Bpo=</DigestValue>
                </Reference>
            </SignedInfo>
            <SignatureValue>NFakMv6OTJIDJowl2SabGmxSii55OuxLUoJcEIURVZKf4aqoeC03aKSY42agOnUep/Ov7ijF5rLOfrxdDsqT5TCYGaSNEaviR4LnCxFjZ5DJKHCNFuCvRQGTEKgzQFqxh9T7RpvyzuN0dh3WJvhCLMYGGZTmFqSpCpcpEU0pCcKO0U+VlwVGVK8eFrKxKYj+uo/y2p1KLpOl+BfdM/caUZ93CIS7AHgwABhQg0uW5Bg/3nuYnmtpHpoGgco0Ds+LTlUFmvInaCn8TK4tVe3TZB8s4bMnBLY1ztut4xdLL4OPRUyryV+r67H2oFnsfGrQ/GMstdcnYaM8GHm9EycjCg==</SignatureValue>
            <KeyInfo>
                <KeyValue>
                    <RSAKeyValue>
                        <Modulus>nnVA6qE9XnEtZPDLrtmWYfyh7nSC6R0543mwWoPFR+JtnRb6kQUXzf8fYaqyUFb3WD+57d1a9OxCzXLW4ilhe+QjrSy7zfqEQWTxkf+ajUuH3q3V/EpWqJvz4zwcxdTOkseap7skMh+zTacmViKAOm2oZAca3HQ2RwSiaYpiOTLAijnvPXieGGxBau8tlfyXZ8c+3TSRBevuiVT9Q5xBph+iT+Kk0Ay1762M3NoPJYAF3zUoaRZ95HqzmE0uuX/fJ4OAju87uvSD7V5uRW5L1LQ6vESIExZ3XmmCc6zOPSIiwBc3z+E6OZiIxoHw068qyNCdNk184X0rtw2ccl3nyQ==</Modulus>
                        <Exponent>AQAB</Exponent>
                    </RSAKeyValue>
                </KeyValue>
            </KeyInfo>
        </Signature>
    </CommandMessage>
</soap:Body>

And here is the output for subsequent messages:

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soap:Body>
    <CommandMessage xmlns="http://www.cryptomathic.com/ckms" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#">
        <Commands Count="1">
            <PushServerPublicKeyCommand>
                <SerialNumber>10</SerialNumber>
                <Target>COPS</Target>
                <ns2:KeyInfo>
                    <ns2:KeyValue>
                        <ns2:RSAKeyValue>
                            <ns2:Modulus>nnVA6qE9XnEtZPDLrtmWYfyh7nSC6R0543mwWoPFR+JtnRb6kQUXzf8fYaqyUFb3WD+57d1a9OxCzXLW4ilhe+QjrSy7zfqEQWTxkf+ajUuH3q3V/EpWqJvz4zwcxdTOkseap7skMh+zTacmViKAOm2oZAca3HQ2RwSiaYpiOTLAijnvPXieGGxBau8tlfyXZ8c+3TSRBevuiVT9Q5xBph+iT+Kk0Ay1762M3NoPJYAF3zUoaRZ95HqzmE0uuX/fJ4OAju87uvSD7V5uRW5L1LQ6vESIExZ3XmmCc6zOPSIiwBc3z+E6OZiIxoHw068qyNCdNk184X0rtw2ccl3nyQ==</ns2:Modulus>
                            <ns2:Exponent>AQAB</ns2:Exponent>
                        </ns2:RSAKeyValue>
                    </ns2:KeyValue>
                </ns2:KeyInfo>
            </PushServerPublicKeyCommand>
        </Commands>
        <ns2:Signature>
            <ns2:SignedInfo>
                <ns2:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <ns2:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                <ns2:Reference URI="">
                    <ns2:Transforms>
                        <ns2:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                        <ns2:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    </ns2:Transforms>
                    <ns2:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                    <ns2:DigestValue>XKl5mK5WVr1RU95Zui14kVz4Bpo=</ns2:DigestValue>
                </ns2:Reference>
            </ns2:SignedInfo>
            <ns2:SignatureValue>NFakMv6OTJIDJowl2SabGmxSii55OuxLUoJcEIURVZKf4aqoeC03aKSY42agOnUep/Ov7ijF5rLOfrxdDsqT5TCYGaSNEaviR4LnCxFjZ5DJKHCNFuCvRQGTEKgzQFqxh9T7RpvyzuN0dh3WJvhCLMYGGZTmFqSpCpcpEU0pCcKO0U+VlwVGVK8eFrKxKYj+uo/y2p1KLpOl+BfdM/caUZ93CIS7AHgwABhQg0uW5Bg/3nuYnmtpHpoGgco0Ds+LTlUFmvInaCn8TK4tVe3TZB8s4bMnBLY1ztut4xdLL4OPRUyryV+r67H2oFnsfGrQ/GMstdcnYaM8GHm9EycjCg==</ns2:SignatureValue>
            <ns2:KeyInfo>
                <ns2:KeyValue>
                    <ns2:RSAKeyValue>
                        <ns2:Modulus>nnVA6qE9XnEtZPDLrtmWYfyh7nSC6R0543mwWoPFR+JtnRb6kQUXzf8fYaqyUFb3WD+57d1a9OxCzXLW4ilhe+QjrSy7zfqEQWTxkf+ajUuH3q3V/EpWqJvz4zwcxdTOkseap7skMh+zTacmViKAOm2oZAca3HQ2RwSiaYpiOTLAijnvPXieGGxBau8tlfyXZ8c+3TSRBevuiVT9Q5xBph+iT+Kk0Ay1762M3NoPJYAF3zUoaRZ95HqzmE0uuX/fJ4OAju87uvSD7V5uRW5L1LQ6vESIExZ3XmmCc6zOPSIiwBc3z+E6OZiIxoHw068qyNCdNk184X0rtw2ccl3nyQ==</ns2:Modulus>
                        <ns2:Exponent>AQAB</ns2:Exponent>
                    </ns2:RSAKeyValue>
                </ns2:KeyValue>
            </ns2:KeyInfo>
        </ns2:Signature>
    </CommandMessage>
</soap:Body>

I'm always sending the same message with SoapUI but, as you can see, the messages are logically equivalent but physically different. How can I avoid this behaviour?

Regards, Giovanni


Solution

  • The problem you are encountering, as well as the solution, is described in the following document from IBM:

    http://www-01.ibm.com/support/docview.wss?uid=swg1PK95199
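Why canonicalization does not rescue the second message: neither Canonical XML nor Exclusive C14N renames namespace prefixes, so `<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">` and `<ns2:KeyInfo>` canonicalize to different octets and the Reference digest (and therefore the signature over SignedInfo) no longer matches. The class below is an added example, not code from the question or the IBM document: it validates the SOAPPart (which javax.xml.soap exposes as an org.w3c.dom.Document) with javax.xml.crypto.dsig against a key the service already trusts instead of the key carried in the message, and on failure reports whether the digest or the SignatureValue is what broke; `SignatureCheck`, `trustedKey` and `describeFailure` are names chosen here.

```java
import java.security.PublicKey;
import java.util.Base64;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.MarshalException;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureException;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

// Added example (hypothetical class): the SOAPPart is an org.w3c.dom.Document, so it can be validated directly.
public final class SignatureCheck {
    // trustedKey comes from the service's own configuration; the KeyInfo inside the message
    // is ignored on purpose, since a message that ships its own key can always "verify" itself.
    public static boolean validate(Document soapPart, PublicKey trustedKey)
            throws MarshalException, XMLSignatureException {
        NodeList sigs = soapPart.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) {
            throw new XMLSignatureException("expected one Signature, found " + sigs.getLength());
        }
        DOMValidateContext ctx = new DOMValidateContext(
                KeySelector.singletonKeySelector(trustedKey), sigs.item(0));
        // JDK secure-validation mode: rejects external/recursive references and weak algorithms
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignature signature = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        boolean valid = signature.validate(ctx);
        if (!valid) System.err.println(describeFailure(signature, ctx));
        return valid;
    }

    // Separates a digest mismatch (signed content changed, e.g. re-prefixed elements)
    // from a bad SignatureValue (wrong key or tampered SignedInfo).
    static String describeFailure(XMLSignature signature, DOMValidateContext ctx)
            throws XMLSignatureException {
        Base64.Encoder b64 = Base64.getEncoder();
        StringBuilder sb = new StringBuilder("SignatureValue valid: ")
                .append(signature.getSignatureValue().validate(ctx)).append('\n');
        for (Object o : signature.getSignedInfo().getReferences()) {
            Reference ref = (Reference) o;
            boolean ok = ref.validate(ctx); // must run before getCalculatedDigestValue()
            sb.append("Reference URI=\"").append(ref.getURI()).append("\" valid: ").append(ok)
              .append(" stored=").append(b64.encodeToString(ref.getDigestValue()))
              .append(" calculated=").append(b64.encodeToString(ref.getCalculatedDigestValue())).append('\n');
        }
        return sb.toString();
    }
}
```

For the re-prefixed message above, the report shows the stored and calculated digests for `Reference URI=""` diverging, which pins the failure on the rewritten content rather than on the key; the fix itself is the WebSphere update referenced in the IBM document.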