Created attachment 23397 [details] Java Program that Reproduces the bug ---Overview--- I am receiving an XMLSecurityException ("Cannot create a http://www.w3.org/2000/09/xmldsig#:X509IssuerSerial from a http://www.w3.org/2000/09/xmldsig#:X509IssuerSerial element") when trying to create an XMLX509IssuerSerial - public XMLX509IssuerSerial(Element element, String baseURI) ---Steps to Reproduce--- I have attached a short java program that reproduces this issue. This program creates a DOM that should be a valid IssuerSerial block in the correct namespace. The IssuerSerial Element is then passed to the constructor of XMLX509IssuerSerial - public XMLX509IssuerSerial(Element element, String baseURI). ---Actual Results--- An XMLSecurityException ("Cannot create a http://www.w3.org/2000/09/xmldsig#:X509IssuerSerial from a http://www.w3.org/2000/09/xmldsig#:X509IssuerSerial element") is thrown by the constructor. ---Expected Results--- The XMLX509KIssuerSerial Constructor returns normally ---Build--- According to the Manifest - this is version 1.4.2_17-b06 ---Platform--- -Windows XP SP3 -Bea Weblogic 10.3 -Sun JDK 1.6.0_05 ---Additional Information--- I ran across this bug when parsing a SOAP Response from a Web Service call. The SOAP response is encrypted. I looked through the source, and I found that ElementCheckerImpl uses != to verify the namespace instead of a !x.equals(y). I first encountered this bug when moving my code from Tomcat 6 to Weblogic 10.3. It worked correctly on Tomcat, but not on Weblogic. While debugging, I found that Weblogic and Tomcat use a different libraries for parsing the SOAP Response. My guess is that when the Tomcat library builds the SOAP Response, it references org.apache.xml.security.utils.Constants.SignatureSpecNS, while Weblogic references a different String. Therefore, when ElementCheckerImpl executes and compares the namespace to org.apache.xml.security.utils.Constants.SignatureSpecNS, it fails on Weblogic, but passes on Tomcat. I believe the fix should be to change the != to !x.equals(y) in ElementCheckerImpl.
Created attachment 23685 [details] Proposed fix for ElementCheckerImpl.java
Hi Edgar, The reason "==" is used rather than "equals" in XML-Security is for performance reasons, it's not a bug. The side-effect of this is that you need to intern the namespace when passing it through to XML-Security, e.g. the following code adapted from your test-case works fine: String newNamespace = new String("http://www.w3.org/2000/09/xmldsig#"); new org.apache.xml.security.keys.content.x509.XMLX509IssuerSerial( generateIssuerSerial(newNamespace.intern()), ""); Colm.
Hey Colm, Thanks for your comments, I do appreciate you taking the time to look into this. You were correct, it seems that the Weblogic SAAJ SOAP Message Factory is not interning the namespace. So, the parsed soap message fails in XML Security ElementChecker. This means that WS-Security is not compatible with the SOAP Message Factory that is included with Weblogic 10.3. I have spent some time trying to find a work around, and the best I could come up with is to override the default message factory used by Spring-WS (which would otherwise resolve to Weblogic's MessageFactory implementation). The configuration is as follows: <bean id="wsTemplate" class="org.springframework.ws.client.core.WebServiceTemplate"> <property name="interceptors" ref="wsInterceptors"/> <property name="marshaller" ref="wsMarshaller"/> <property name="unmarshaller" ref="wsMarshaller"/> <property name="messageFactory" ref="wsMessageFactory"/> </bean> <bean id="wsMessageFactory" class="org.springframework.ws.soap.saaj.SaajSoapMessageFactory"> <property name="messageFactory"> <bean class="???.MessageFactoryImpl"/> </property> </bean> I'm fairly confident this will work, but I haven't found a SAAJ 1.3 implementation yet (hence the ???.MessageFactoryImpl). I used Sun's implementation, and ran into an UnsupportedOperationException - It seems they didn't actually implement MessageFactory.createMessage(), so that won't work. I started down the path of using the axis2 implementation, but that had dependencies, and I don't really like the idea of mixing Spring WS with Axis2 libraries (although, there is probably nothing wrong with it). I would still suggest that this bug be reconsidered. I believe XML-Security is relying on the implementation of the parsers, rather than the specification. I have attached a new fix for this bug that will give the same performance benefits when using a parser that interns the namespace, but that will also work with parsers that do not intern the namespace.
Created attachment 23771 [details] Proposed fix for ElementCheckerImpl.java
Hi Edgar, Thanks for your patch. We'll definately be addressing this problem for the next release, as a lot of people have run into it. I was thinking about the best way to tackle it last week actually....I need to do some profiling of this method. Falling back to checking .equals is no good if there are a lot of negative comparisons, as then you lose all of the performance benefits of interning. There are other areas of code as well that rely on interned Strings. I think possibly the best solution is to add a System property that configures whether to use .equals or not. > I'm fairly confident this will work, but I haven't found a SAAJ 1.3 > implementation yet (hence the ???.MessageFactoryImpl). I used Sun's > implementation, and ran into an UnsupportedOperationException - It seems they > didn't actually implement MessageFactory.createMessage(), so that won't work. Hrm are you sure about that? It works fine for me. Using Sun's SAAJ 1.3 implementation: MessageFactory factory = MessageFactory.newInstance(); SOAPMessage soapMessage = factory.createMessage(); Where soapMessage is then an instance of: com.sun.xml.messaging.saaj.soap.ver1_1.Message1_1Impl Colm.
Colm, I was incorrectly using MessageFactoryImpl instead of SOAPMessageFactory1_1Impl (which does implement the createMessage() method). I instantiated the implementation directly because MessageFactory.newInstance() will return the weblogic implementation. Below is the new spring configuration I used: <bean id="wsTemplate" class="org.springframework.ws.client.core.WebServiceTemplate"> <property name="interceptors" ref="wsInterceptors"/> <property name="marshaller" ref="wsMarshaller"/> <property name="unmarshaller" ref="wsMarshaller"/> <property name="messageFactory" ref="wsMessageFactory"/> </bean> <bean id="messageFactory" class="org.springframework.ws.soap.saaj.SaajSoapMessageFactory"> <property name="messageFactory"> <bean class="com.sun.xml.messaging.saaj.soap.ver1_1.SOAPMessageFactory1_1Impl"/> </property> </bean> And now everything works perfectly! Thanks for all of your help Colm. -Edgar