AXIS2 + RAMPART Error at server side: The signature or decryption was invalid

Hello everyone,

I have a web service using AXIS2 with WS-Security provided by RAMPART. I'm using OAS as application server and HTTPS for the transport protocol.

The client application has a RAMPART policy that sings and encrypts data before sending the request to the server. The server has the corresponding services.xml configuration (with keystores and certificates).

Every single time I try to consume the web service using the client, I always get a : The signature or decryption was invalid in the server log.

To clear things, this is the output of the console in my server log:

[org.apache.xml.security.encryption.XMLCipher:?] DEBUG - Decrypted octets: <ns2:process ...>MESSAGE CONTENT</ns2:process>

The previous part prints the information I've sent from mi client and is all right. But just after that, AXIS2 prints the following exception:

12/09/07 17:31:36 [org.apache.axis2.engine.AxisEngine:219] ERROR - The signature or decryption was invalid org.apache.axis2.AxisFault: The signature or decryption was invalid at org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:186) at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:95) at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340) at org.apache.axis2.engine.Phase.invoke(Phase.java:313) at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:262) at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:168) at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172) at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:146) at javax.servlet.http.HttpServlet.service(HttpServlet.java:763) at javax.servlet.http.HttpServlet.service(HttpServlet.java:856) at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:711) at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:368) at com.evermind.server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:866) at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:448) at com.evermind.server.http.HttpRequestHandler.serveOneRequest(HttpRequestHandler.java:216) at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:117) at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:110) at oracle.oc4j.network.ServerSocketReadHandler$SafeRunnable.run(ServerSocketReadHandler.java:260) at oracle.oc4j.network.ServerSocketAcceptHandler.procClientSocket(ServerSocketAcceptHandler.java:239) at oracle.oc4j.network.ServerSocketAcceptHandler.access$700(ServerSocketAcceptHandler.java:34) at oracle.oc4j.network.ServerSocketAcceptHandler$AcceptHandlerHorse.run(ServerSocketAcceptHandler.java:880) at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:298) at java.lang.Thread.run(Thread.java:595) Caused by: org.apache.ws.security.WSSecurityException: The signature or decryption was invalid at org.apache.ws.security.processor.ReferenceListProcessor.decryptEncryptedData(ReferenceListProcessor.java:244) at org.apache.ws.security.processor.EncryptedKeyProcessor.decryptDataRef(EncryptedKeyProcessor.java:519) at org.apache.ws.security.processor.EncryptedKeyProcessor.decryptDataRefs(EncryptedKeyProcessor.java:469) at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:383) at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:119) at org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:95) at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:328) at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:245) at org.apache.rampart.RampartEngine.process(RampartEngine.java:166) at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92) ... 21 more Caused by: java.lang.IllegalArgumentException at oracle.xml.jaxp.JXDocumentBuilderFactory.setAttribute(JXDocumentBuilderFactory.java:147) at org.apache.xml.security.encryption.XMLCipher$Serializer.deserialize(Unknown Source) at org.apache.xml.security.encryption.XMLCipher.decryptElement(Unknown Source) at org.apache.xml.security.encryption.XMLCipher.decryptElementContent(Unknown Source) at org.apache.xml.security.encryption.XMLCipher.doFinal(Unknown Source) at org.apache.ws.security.processor.ReferenceListProcessor.decryptEncryptedData(ReferenceListProcessor.java:242) ... 30 more

I don't know why does this happens if the first part of the log shows in clear text the right information. Any help would be appreciated.

I have run into the same issue - same technologies involved (Axis2, Rampart, and OAS). Were you apple to resolve this issue?

T Rane wrote:I have run into the same issue - same technologies involved (Axis2, Rampart, and OAS). Were you apple to resolve this issue?

Hello T Rane,

Unfortunately I couldn't solve that. In my case it seems that the MTOM makes the RAMPART module to create a wrong encryption of the body message. In my case, due that we use HTTPS for the communication, we decided that since HTTPS encrypts all the messages by default, then we only need the message to be signed. I've made that change and now we only use de: SignOnly capability of the WSSecurity.

Hope this helps you too, and if you find a way to solve de decryption problem I'll be greatly grateful. Tell me if you need further information.