I've got a JAX-WS web service with a trasport handler that checks requests are signed and make signes on responses.
This security handler uses XWSS (from Glassfish), configuration:
I've got a ws client too which uses the handler but configured with client certificate. Everything is fine.
When I invoke the service with SoapUI I got signature verification fault. I've dumped request messages from my working client and SoapUI, there were no substantial differences only in namespace prefixes, namespace declaration locations and Id values. On the server log I see excepted and actual digestes doesn't match so I think there is problem with XML canonicalization. I've switched on debugging in SoapUI but it uses wss4j for ws security and it doesn't log the canonicalized form of xml.
So if I change the "PrettyPrinted" soapUI request from
to a request with a one-line Body
everything works fine.
Please note, that making the Body a one-liner inside soapUI does not always work, because the xml sent over the line might still contain line termination characters inside the Body element. So do a cut'n'paste the Body element into your favorite code editor and make it a one-liner there, then paste it back into soapUI. This worked for me.
I am absolutely not a WSS guru, so I will not argue about whether it is soapUI or Metro that fails. So I am hoping for someone else to figure this out, and encourage him or her to place a bug report in the right place.