[jbossws-dev] Re: security + whitespace in soap message

Jason T. Greene jason.greene at redhat.com
Thu Feb 8 20:53:23 EST 2007


On Thu, 2007-02-08 at 11:41 +0100, Thomas Diesler wrote:
> Jason,
> 
> relates to: 
> http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4012935#4012935
> 
> Amberpoint is having an issue where whitespace + comments are not 
> preserved in jbossws-1.0.0. Their thirdparty security fails because of 
> this. Isn't it true that for security processing a message needs to be 
> normalized? I assume that comments should be preserved in a normalized 
> message, right?

XML Signature performs XML Canonicalization, which normalizes and,
depending on the type, strips comments. Note that the canonicalization
process does not actually alter the SOAP message; it just uses this to
build a byte array that the signature algorithm can be performed on.

We, along with most other WS-Security implementations I have seen,
exclude comments:

SignatureOperation.java:
transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);

This value is actually declared in the message header. So, if another
party does not exclude comments, and does properly declare it
(#WithComments specified in header), then it should process correctly,
provided that it can see the comments in the SAAJ tree.

> If both are true, they might only have an issue with 1.0.0 not preserving 
> comments.

Yes, if there is a SAAJ bug then security will fail.

-Jason
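The mechanism Jason describes, shown as an added example (this is not JBossWS code and was not part of the thread): the signer canonicalizes the signed element into a byte array, digests it, and records the transform URI in the Security header; the receiver re-canonicalizes its own view of the element and compares. The example substitutes the Python stdlib C14N 2.0 serializer (xml.etree.ElementTree.canonicalize) for the Exclusive C14N 1.0 transform that SignatureOperation.java selects, since the "omit comments" versus "with comments" behaviour is the same for this point; the SOAP Body, the SHA-256 digest standing in for ds:DigestValue, and the regex that simulates a SAAJ tree dropping comments are all constructed for illustration.

```python
"""Why a #WithComments signature breaks when the receiver's tree loses comments.

Added example, not JBossWS code. Uses the stdlib C14N 2.0 serializer
(xml.etree.ElementTree.canonicalize) in place of the Exclusive C14N 1.0
transform JBossWS applies; the comment-handling switch behaves the same way.
"""
import hashlib
import re
import xml.etree.ElementTree as ET

# Transform URIs as declared in ds:Reference/ds:Transforms of a WS-Security header
# (the first is what Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS refers to).
C14N_EXCL_OMIT_COMMENTS = "http://www.w3.org/2001/10/xml-exc-c14n#"
C14N_EXCL_WITH_COMMENTS = "http://www.w3.org/2001/10/xml-exc-c14n#WithComments"

# Constructed sample: the SOAP Body exactly as the signing side serialized it,
# with irregular whitespace and an XML comment inside the signed element.
BODY_AS_SIGNED = (
    '<soap:Body xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"\n'
    '    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"\n'
    '    wsu:Id="Body-1">\n'
    '  <!-- emitted by the sender -->\n'
    '  <ns1:ping xmlns:ns1="urn:example"  >  hello  </ns1:ping>\n'
    '</soap:Body>\n'
)


def canonical_bytes(xml_text: str, transform: str) -> bytes:
    """Canonical octets the digest is computed over; the message itself is untouched.
    Whitespace in text nodes is preserved, attribute whitespace is normalized,
    and comments are kept only for the #WithComments transform."""
    with_comments = transform == C14N_EXCL_WITH_COMMENTS
    return ET.canonicalize(xml_text, with_comments=with_comments).encode("utf-8")


def reference_digest(xml_text: str, transform: str) -> str:
    """What the signer writes into ds:DigestValue for this ds:Reference (SHA-256, hex)."""
    return hashlib.sha256(canonical_bytes(xml_text, transform)).hexdigest()


def verify_reference(received_xml: str, transform: str, expected_digest: str) -> bool:
    """Receiver side: re-canonicalize its own view of the element with the declared
    transform and compare against the digest carried in the header."""
    return reference_digest(received_xml, transform) == expected_digest


def as_seen_by_comment_dropping_tree(xml_text: str) -> str:
    """Simulate a SAAJ tree that did not preserve comments (a regex is enough for
    this constructed sample; whitespace is left exactly as it was)."""
    return re.sub(r"<!--.*?-->", "", xml_text, flags=re.S)


def run_scenarios() -> dict:
    """Digest check outcome keyed by (signer transform, receiver's view of the tree)."""
    results = {}
    for transform in (C14N_EXCL_OMIT_COMMENTS, C14N_EXCL_WITH_COMMENTS):
        signed = reference_digest(BODY_AS_SIGNED, transform)
        results[(transform, "comments preserved")] = verify_reference(
            BODY_AS_SIGNED, transform, signed)
        results[(transform, "comments dropped")] = verify_reference(
            as_seen_by_comment_dropping_tree(BODY_AS_SIGNED), transform, signed)
    return results


if __name__ == "__main__":
    for (transform, view), ok in run_scenarios().items():
        label = transform.rsplit("#", 1)[1] or "OmitComments"
        print(f"{label:12} / {view:18}: {'OK' if ok else 'DIGEST MISMATCH'}")
    print(ET.canonicalize(BODY_AS_SIGNED, with_comments=True))
```

Only the combination of a #WithComments transform in the header and a receiving tree that lost the comments fails; with the default omit-comments transform the receiver's digest matches whether or not its SAAJ tree kept the comment, which is the behaviour the message above predicts.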
