Granny's Programming Pearls
"inside of every large program is a small program struggling to get out"
The moose likes Web Services and the fly likes WS-Security with XWSS and SoapUI Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Java » Web Services
Bookmark "WS-Security with XWSS and SoapUI" Watch "WS-Security with XWSS and SoapUI" New topic

WS-Security with XWSS and SoapUI

Ujfalusi Sandor

Joined: Jan 12, 2011
Posts: 1

I've got a JAX-WS web service with a trasport handler that checks requests are signed and make signes on responses.
This security handler uses XWSS (from Glassfish), configuration:

I've got a ws client too which uses the handler but configured with client certificate. Everything is fine.

When I invoke the service with SoapUI I got signature verification fault. I've dumped request messages from my working client and SoapUI, there were no substantial differences only in namespace prefixes, namespace declaration locations and Id values. On the server log I see excepted and actual digestes doesn't match so I think there is problem with XML canonicalization. I've switched on debugging in SoapUI but it uses wss4j for ws security and it doesn't log the canonicalized form of xml.

Any idea what should I do now?

Invalid request:

Valid request:

Joseph McDonald

Joined: Feb 18, 2011
Posts: 1
I'm having the same problem. digests do not match. did you figure out a way to see their c14n version of the xml they're digesting?
Ernst Mikkelsen

Joined: Apr 15, 2011
Posts: 1
Until about one hour ago, I was facing the exact same problem while testing a self-made Netbeans/GlassFish/Metro webservice using soapUI.

I broke down the WS to be nothing more than a demo based on the Calculator sample from Netbeans. But still I was presented a WSS1717 exception, whenever the WS was called from soapUI.

The article at String Digest Verification Failure in Java WS-Security client was pointing me in a direction of a workaround in the canonicalization section, where 0x0D/0x0A line terminations are discussed.

So if I change the "PrettyPrinted" soapUI request from
to a request with a one-line Body
everything works fine.

Please note, that making the Body a one-liner inside soapUI does not always work, because the xml sent over the line might still contain line termination characters inside the Body element. So do a cut'n'paste the Body element into your favorite code editor and make it a one-liner there, then paste it back into soapUI. This worked for me.

I am absolutely not a WSS guru, so I will not argue about whether it is soapUI or Metro that fails. So I am hoping for someone else to figure this out, and encourage him or her to place a bug report in the right place.

Best regards
Ernst Mikkelsen

I agree. Here's the link:
subject: WS-Security with XWSS and SoapUI
It's not a secret anymore!