CXF-7172: Error Validating Signed MTOM Message CXF 3.0.6 and up



    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Not A Problem
    • Affects Version/s: 3.0.6, 3.1.8
    • Fix Version/s: None
    • Component/s: WS-* Components


      As explained:

      I created a simple web service using CXF that has MTOM enabled. It also expects a time stamp and the body to be signed. It is configured like this:




      @Configuration
      @ImportResource({ "classpath:META-INF/cxf/cxf.xml" })
      public class CXFConfig {
          @Autowired
          Bus cxfBus;

          @Autowired
          MyService ws;

          @Bean
          public Endpoint endpoint() {
              EndpointImpl endpoint = new EndpointImpl(cxfBus, ws);
              endpoint.publish("/MyService");
              SOAPBinding binding = (SOAPBinding) endpoint.getBinding();
              binding.setMTOMEnabled(true);

              // Inbound WS-Security: require a signature and a timestamp
              Map<String, Object> inProps = new HashMap<String, Object>();
              inProps.put(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.TIMESTAMP);
              inProps.put(WSHandlerConstants.SIG_PROP_FILE, "wsserver.properties");
              WSS4JInInterceptor inc = new WSS4JInInterceptor(inProps);
              endpoint.getInInterceptors().add(inc);
              return endpoint;
          }
      }

      My Service Interface is:

      public interface MyService {
          public String doStuff(@WebParam(name="FileData") MTOMMessage message) throws IOException;
      }

      My Data Type is:

      public class MTOMMessage {

          @XmlElement(name = "data", required = true)
          protected DataHandler data;

          @XmlElement(name = "FileName", required = true)
          protected String fileName;

          // Getters and Setters
      }

      I then have a client to call it:

      public static void main(String[] args) throws IOException {
          String xmlLoc = "classpath:com/avum/dasn/ws/test/client-context.xml";
          ClassPathXmlApplicationContext ctx = new ClassPathXmlApplicationContext(xmlLoc);
          MyService svc = ctx.getBean(MyService.class);
          MTOMMessage msg = new MTOMMessage();
          msg.setXmlData(new DataHandler(getURLForTestFile()));
          // ...
      }

      The client-context.xml looks like this:

      <entry key="mtom-enabled" value="true"/>
      <bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
      <entry key="action" value="Signature Timestamp"/>
      <entry key="signaturePropFile" value="wsclient.properties"/>
      <entry key="user" value="ws-security" />
      <entry key="passwordCallbackClass" value="com.co.test.PasswordCallbackHandler"/>
      <bean class="org.apache.cxf.interceptor.LoggingOutInterceptor" />

      If I’m using CXF version 3.0.5 or lower this works fine. However if I use 3.0.6 or later I get “A security error was encountered when verifying the message.”. On the server I’m getting messages like “Couldn't validate the References”. This is because the server doesn’t get the same DigestValue that comes across in the ds:DigestValue element.

      I think it has something to do with the way MTOM messages are handled by the server side code because if I disable MTOM (on the client and server) then it works fine. I’m not sure how to get this working in later versions of CXF. Does anyone have any ideas what I’m doing wrong?




            • Assignee:
              coheigea Colm O hEigeartaigh
              slavus Hrvoje Slavicek
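An added illustration (not code from the report or from CXF) of how a reference digest can stop matching once MTOM is enabled: the same element hashes differently when its binary content is carried as an xop:Include placeholder than when it is inlined as base64, and matches again after the placeholder is expanded. It assumes the mismatch arises from the two sides hashing different forms, which the report does not confirm; the class name, element content and attachment id `att-1` are constructed, and plain serialization stands in for exclusive C14N.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.*;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.*;

public class MtomDigestDemo {
    static final String XOP_NS = "http://www.w3.org/2004/08/xop/include";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // Serialize and hash the element (simplification: WS-Security hashes the exclusive-C14N form).
    static String digest(Document doc) throws Exception {
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        t.transform(new DOMSource(doc.getDocumentElement()), new StreamResult(out));
        return Base64.getEncoder().encodeToString(MessageDigest.getInstance("SHA-256").digest(out.toByteArray()));
    }

    // Replace each xop:Include with the base64 text of the attachment it references.
    static void expandXop(Document doc, Map<String, byte[]> attachments) {
        NodeList includes = doc.getElementsByTagNameNS(XOP_NS, "Include"); // live list
        while (includes.getLength() > 0) {
            Element inc = (Element) includes.item(0);
            byte[] content = attachments.get(inc.getAttribute("href").substring("cid:".length()));
            if (content == null) throw new IllegalStateException("no attachment for " + inc.getAttribute("href"));
            inc.getParentNode().replaceChild(doc.createTextNode(Base64.getEncoder().encodeToString(content)), inc);
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] file = "constructed attachment bytes".getBytes(StandardCharsets.UTF_8);
        String tail = "</data><FileName>a.txt</FileName></FileData>";
        Document inlined = parse("<FileData><data>" + Base64.getEncoder().encodeToString(file) + tail);
        Document onWire = parse("<FileData><data><xop:Include xmlns:xop=\"" + XOP_NS + "\" href=\"cid:att-1\"/>" + tail);
        String refDigest = digest(inlined);
        System.out.println("xop:Include form matches: " + refDigest.equals(digest(onWire)));
        expandXop(onWire, Map.of("att-1", file));
        System.out.println("expanded form matches:    " + refDigest.equals(digest(onWire)));
    }
}
```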