WSS4J - WSS-231

There is an issue with the position of the <Timestamp> element in the <Security> header when using WSS4J calling .NET Web Services with WS-Security.

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.5.8
    • Fix Version/s: 1.6.8
    • Component/s: WSS4J Core
    • Environment:
      Windows, Solaris

      Description

      There is an issue with the position of the <Timestamp> element in the <Security> header when using WSS4J calling .NET Web Services with WS-Security. When using the "Timestamp Signature" action over https, we are receiving the following error: "Signing without primary signature requires timestamp". When I modified org.apache.ws.security.message.WSSecSignature to position <Timestamp> as the first element in <Security> it worked fine (by default <Timestamp> is the last element and after the <Signature>). Can this be fixed or can you make Timestamp positioned first as a configuration option?

      <soapenv:Header>
      <wsse:Security>

      <wsu:Timestamp>
      <wsu:Created>2010-05-06T16:46:31.594Z</wsu:Created>
      <wsu:Expires>2010-05-06T16:51:31.594Z</wsu:Expires>
      </wsu:Timestamp>

      <wsse:BinarySecurityToken>....</wsse:BinarySecurityToken>

      <ds:Signature>
      ....
      </ds:Signature>
      </wsse:Security>
      </soapenv:Header>


          Activity

          Colm O hEigeartaigh added a comment -

          As Werner said, try reversing the action list to be "Signature Timestamp".

          Colm.

          Chris Weitner added a comment -

          We are signing the Timestamp, so if the order is reversed, Signature is executed prior to Timestamp being generated.

          [java] Error during Signature: ; nested exception is:
          [java] org.apache.ws.security.WSSecurityException: General security error (WSEncryptBody/WSSignEnvelope: Element to encrypt/sign not found: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd, Timestamp)

          Colm O hEigeartaigh added a comment -

          I don't think it's possible to construct a security header in that order at the moment in WSS4J, either through config or programmatically. The Signature element always gets prepended to the security header, and I can't change this for backwards compatibility reasons.

          Colm.

          Abd K added a comment -

          I've come across the same issue. Are there any plans to fix this?

          Thanks

          Colm O hEigeartaigh added a comment -

          I added a test to show how it can be done programmatically here ("testSignedTimestamp"):

          http://svn.apache.org/viewvc/webservices/wss4j/branches/1_5_x-fixes/test/wssec/TestWSSecurityNew3.java?view=markup

          I was mistaken in an earlier comment where I said it couldn't be done programmatically, as the test above shows. It can't be done via configuration though.

          Colm.

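The step-wise construction Colm refers to, written out as an added example (this is not the testSignedTimestamp test from the WSS4J repository, nor code from anyone on this issue). It targets the WSS4J 1.5.x WSSecSignature API, whose split methods (prepare, appendBSTElementToHeader, addReferencesToSign, computeSignature, appendToHeader) are assumed from that release line; the all-in-one build() is avoided because it prepends the Signature. The class name, the Crypto/alias/password parameters and the 300-second time-to-live are the example's own choices.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Vector;

import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSEncryptionPart;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.message.WSSecHeader;
import org.apache.ws.security.message.WSSecSignature;
import org.apache.ws.security.message.WSSecTimestamp;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/**
 * Builds a wsse:Security header in the order the .NET endpoint in this issue expects:
 * wsu:Timestamp, then wsse:BinarySecurityToken, then a ds:Signature whose only
 * reference is the Timestamp. Assumes the WSS4J 1.5.x API (example code).
 */
public class SignedTimestampHeader {

    public static Document build(Document doc, Crypto crypto,
                                 String keyAlias, String keyPassword) throws Exception {
        WSSecHeader secHeader = new WSSecHeader();
        secHeader.insertSecurityHeader(doc);

        // 1. Timestamp goes in first. build() assigns it a wsu:Id so it can be referenced.
        WSSecTimestamp timestamp = new WSSecTimestamp();
        timestamp.setTimeToLive(300);   // 5 minutes, the Created/Expires gap shown in the issue
        timestamp.build(doc, secHeader);

        // 2. Prepare the signature (key lookup, SignedInfo skeleton) without inserting anything yet.
        WSSecSignature sign = new WSSecSignature();
        sign.setUserInfo(keyAlias, keyPassword);
        sign.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
        sign.prepare(doc, crypto, secHeader);

        // 3. BinarySecurityToken after the Timestamp, before the Signature.
        sign.appendBSTElementToHeader(secHeader);

        // 4. Sign exactly one part: the wsu:Timestamp element.
        Vector parts = new Vector();
        parts.add(new WSEncryptionPart("Timestamp", WSConstants.WSU_NS, ""));
        sign.addReferencesToSign(parts, secHeader);
        sign.computeSignature();

        // 5. Append rather than prepend, so the Signature is the last child of wsse:Security.
        sign.appendToHeader(secHeader);
        return doc;
    }

    /**
     * Local names of the wsse:Security children in document order, for checking the
     * layout before the message leaves the client (expected: Timestamp, BinarySecurityToken, Signature).
     */
    public static List<String> securityHeaderLayout(Document doc) {
        List<String> layout = new ArrayList<String>();
        NodeList headers = doc.getElementsByTagNameNS(WSConstants.WSSE_NS, "Security");
        if (headers.getLength() == 0) {
            return layout;
        }
        for (Node n = headers.item(0).getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n instanceof Element) {
                layout.add(n.getLocalName());
            }
        }
        return layout;
    }
}
```

Calling securityHeaderLayout on the result and asserting the three-element order is a cheap regression check for anyone patching their own WSS4J build, since the failure mode on the .NET side ("Signing without primary signature requires timestamp") gives no hint that ordering is the cause.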
          Abd K added a comment (edited) -

          Colm thanks for that and I'll take a look to see if I can use your changes.

          In the meantime I've attached a file which shows the changes I've made to get it working. I checked out the 1.5.10 branch.

          Srinivasa Kukatla added a comment -

          This needs to be fixed, as it is causing a lot of issues. In our case, we need to have the Signed Saml Assertion, timestamp, as well as the signature covering the timestamp only. Hence, we needed to configure SamlTokenSigned, and Timestamp, with the Signature parts as the timestamp element. If we specify the signature again it is failing, as the signature action is decoded from the SamlTokenSigned, and it is signing the timestamp as well.

          This issue causes failure in lot of scenarios where the signature is involved with other actions.

          Colm O hEigeartaigh added a comment -

          Hi Srinivasa,

          I recommend you use WS-SecurityPolicy to specify your security requirements - using a String of actions is not flexible enough to handle this scenario.

          Colm.

          Abd K added a comment -

          I'm not sure what I've done with the source code.

          There are not that many changes, so it may be easier to update the code manually.

          Raj Kumar added a comment -

          Can someone show me how to do that reordering using a CXF interceptor?

          nag added a comment -

          Is this ever fixed in any releases? I'm having the same issue.

          Thanks

          nag added a comment -

          Hi Colm,

          When are you going to release the 1.6.8 version?

          Thanks

          Colm O hEigeartaigh added a comment -

          This is now fixed for 1.6.8 (probably released at the end of this month). To get it to work you must have the actions as "Signature Timestamp". There is a workaround that detects this case (and if the Timestamp is to be signed) to append the Signature Element after the Timestamp instead. It does not work for the "Timestamp Signature" case - that still prepends the Signature to the security header.

          Colm.

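The configuration the fix keys on, wired into a CXF client as Raj Kumar asked above, as an added example (not code from this issue, from WSS4J or from CXF). It assumes WSS4J 1.6.8 or 1.5.13 or later with CXF's WSS4JOutInterceptor; the property-file name client-crypto.properties, the key alias and the password callback are placeholders for the reader's own keystore setup.

```java
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;

import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.handler.WSHandlerConstants;

/**
 * Outbound WS-Security settings that yield Timestamp, BinarySecurityToken, Signature in that
 * order, with the Signature covering the Timestamp. The fix in WSS4J 1.6.8 / 1.5.13 only
 * triggers for the action order "Signature Timestamp" when the Timestamp is a signature part;
 * "Timestamp Signature" still prepends the Signature. Example code, not project code.
 */
public class SignedTimestampClientConfig {

    /** Signature first, then Timestamp: the order the fix detects. */
    public static final String ACTIONS =
            WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.TIMESTAMP;

    /** Sign the Timestamp (so the Signature is appended after it) and the SOAP Body. */
    public static final String SIGNATURE_PARTS =
            "{Element}{" + WSConstants.WSU_NS + "}Timestamp;"
          + "{Element}{" + WSConstants.URI_SOAP11_ENV + "}Body";

    public static Map<String, Object> outboundProps(String keyAlias, CallbackHandler passwords) {
        Map<String, Object> props = new HashMap<String, Object>();
        props.put(WSHandlerConstants.ACTION, ACTIONS);
        props.put(WSHandlerConstants.USER, keyAlias);
        props.put(WSHandlerConstants.PW_CALLBACK_REF, passwords);
        props.put(WSHandlerConstants.SIG_PROP_FILE, "client-crypto.properties"); // placeholder keystore config
        props.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");             // emits the BinarySecurityToken
        props.put(WSHandlerConstants.SIGNATURE_PARTS, SIGNATURE_PARTS);
        props.put(WSHandlerConstants.TTL_TIMESTAMP, "300");                      // Expires = Created + 5 minutes
        return props;
    }

    /** Attaches the interceptor to a JAX-WS proxy obtained from a CXF-generated service. */
    public static void attach(Object port, String keyAlias, CallbackHandler passwords) {
        Client client = ClientProxy.getClient(port);
        client.getOutInterceptors().add(new WSS4JOutInterceptor(outboundProps(keyAlias, passwords)));
    }

    /** Supplies the private-key password for one alias; load it from a secret store rather than a literal. */
    public static final class KeyPasswordCallback implements CallbackHandler {
        private final String alias;
        private final String password;

        public KeyPasswordCallback(String alias, String password) {
            this.alias = alias;
            this.password = password;
        }

        public void handle(Callback[] callbacks) {
            for (Callback cb : callbacks) {
                if (cb instanceof WSPasswordCallback) {
                    WSPasswordCallback pc = (WSPasswordCallback) cb;
                    if (alias.equals(pc.getIdentifier())) {
                        pc.setPassword(password);
                    }
                }
            }
        }
    }
}
```

With an older WSS4J the same properties produce the "Element to encrypt/sign not found ... Timestamp" error quoted later in this thread, because the Signature action runs before the Timestamp exists; the version requirement is therefore the first thing to verify when this configuration fails.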
          nag added a comment -

          When I switch the actions to Signature Timestamp I am getting this error:

          org.apache.ws.security.WSSecurityException: General security error (WSEncryptBody/WSSignEnvelope: Element to encrypt/sign not found: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd, Timestamp); nested exception is org.apache.ws.security.WSSecurityException: Error during Signature: ; nested exception is:
          org.apache.ws.security.WSSecurityException: General security error (WSEncryptBody/WSSignEnvelope: Element to encrypt/sign not found: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd, Timestamp)

          Colm O hEigeartaigh added a comment -

          It doesn't work prior to the fix I have just committed.

          Colm.

          nag added a comment -

          Is there any temporary workaround? I need to complete my project to call a .NET web service ASAP.

          Colm O hEigeartaigh added a comment (edited) -

          You could switch to using WSS4J 1.6.8-SNAPSHOT?

          Colm.

          nag added a comment -

          That's the only change in 1.6.8? I am using 1.5.9 today.

          Is it safe to use snapshot in my prod env?

          Colm O hEigeartaigh added a comment -

          There are huge changes in 1.6.x compared to 1.5.x. No, of course it is not safe to use a SNAPSHOT jar in a production environment.

          Colm.

          nag added a comment -

          Is it possible to make the same change to 1.5.9, so that I can use it?

          Colm O hEigeartaigh added a comment -

          It will be fixed for 1.5.13.

          Colm.

          nag added a comment -

          When will 1.5.13 be released?

          Thanks

          nag added a comment -

          We are currently stuck with this issue. When will 1.5.13 be released?

          Thanks

          Colm O hEigeartaigh added a comment -

          By the end of the month.

          Colm.

          nag added a comment -

          Hi Colm,

          I have tried using 1.6.8-SNAPSHOT and still get the same error as above. Is this change committed?

          nag added a comment -

          Also, wsse:Security/BinarySecurityToken is getting inserted before wsa:Action and reply to, which is causing the .NET web service to reject the client.

          Colm O hEigeartaigh added a comment -

          Yes the change is committed. What web services client are you using? WSS4J 1.6.x is not directly compatible with 1.5.x, so you must update the web service framework you are using to one that supports WSS4J 1.6.x.

          Have you tried with WSS4J 1.5.13-SNAPSHOT?

          Colm.

          Colm O hEigeartaigh added a comment -

          Any update on this? I'll release 1.5.13 once you confirm the fix.

          Colm.

          nag added a comment -

          If I have two secured elements like this, I get an error:

          "{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://www.w3.org/2005/08/addressing}To"

          but if I have only one element

          {Element}{http://www.w3.org/2005/08/addressing}To

          that works fine.

          If I have only one Element using older versions also works.

          Colm O hEigeartaigh added a comment (edited) -

          If you want me to help you, you'll need to provide more information. Are you using WSS4J 1.5.13-SNAPSHOT? Does it work with WSS4J 1.5.12? Could you attach the message that is generated with both WSS4J 1.5.12 and 1.5.13-SNAPSHOT? What web service framework are you using with WSS4J?

          Colm.


            People

            • Assignee: Colm O hEigeartaigh
            • Reporter: Chris Weitner
            • Votes: 1
            • Watchers: 3