-
1. Re: XML-Signature verification fails
ctomc Jul 16, 2015 8:29 AM (in response to captain_goldfish)
Can you try with WildFly 9, as some stuff changed in this area since 8.2?
-
2. Re: XML-Signature verification fails
captain_goldfish Jul 16, 2015 8:47 AM (in response to ctomc)
I'm sorry but WildFly 9 does not cure the problem.
-
3. Re: XML-Signature verification fails
mayerw01 Jul 17, 2015 11:20 AM (in response to captain_goldfish)
I've found something strange here.
When checking the provider of this XMLSignatureFactory then Glassfish responds with 'XMLDSig version 1.8' while WildFly responds with 'XMLDSig version 1.0'.
But I am not sure about the reason of this discrepancy and whether this is related to your issue.
-
4. Re: XML-Signature verification fails
captain_goldfish Jul 18, 2015 3:41 AM (in response to mayerw01)
Unfortunately I wouldn't even know how to fix that behaviour. But I just tried another thing. I created the signature using the apache-Stax-API and verified it using the DOM-API. It works on WildFly but throws an exception in the JUnit test and on GlassFish. This is kinda funny and sad at the same time...
-
5. Re: XML-Signature verification fails
mayerw01 Jul 18, 2015 5:00 AM (in response to captain_goldfish)
Maybe this solves your issue as well: [WFLY-4317] JBoss Module does not add package "org.jcp.xml.dsig.internal" as system package - JBoss Issue Tracker
-
6. Re: XML-Signature verification fails
captain_goldfish Jul 20, 2015 5:45 AM (in response to mayerw01)
I just found some time to test the solution of the given link but it did not solve the problem either...
-
7. Re: XML-Signature verification fails
mayerw01 Jul 20, 2015 9:10 AM (in response to captain_goldfish)
Hmm, that is strange ...
And you really changed the entry in the "standalone.conf" file to add the "org.jcp.xml.dsig.internal" package after the package "org.jboss.byteman" as described in WFLY-4317 (https://issues.jboss.org/browse/WFLY-4317)?
if [ "x$JBOSS_MODULES_SYSTEM_PKGS" = "x" ]; then
   JBOSS_MODULES_SYSTEM_PKGS="org.jboss.byteman,org.jcp.xml.dsig.internal"
fi
You also restarted the server and got the same issue?
I've just reproduced this in my environment and this worked fine on wildfly-8.1.0.Final as well as on wildfly-9.0.0.Final.
-
8. Re: XML-Signature verification fails
captain_goldfish Jul 20, 2015 1:05 PM (in response to mayerw01)
I just tried it again and it still does not work. I'm not sure what is wrong in what I am doing...
Here is the copy of my "${wildfly_home}/bin/standalone.conf"
## -*- shell-script -*- ######################################################
##                                                                          ##
##  JBoss Bootstrap Script Configuration                                    ##
##                                                                          ##
##############################################################################
#
# This file is optional; it may be removed if not needed.
#
#
# Specify the maximum file descriptor limit, use "max" or "maximum" to use
# the default, as queried by the system.
#
# Defaults to "maximum"
#
#MAX_FD="maximum"
#
# Specify the profiler configuration file to load.
#
# Default is to not load profiler configuration file.
#
#PROFILER=""
#
# Specify the location of the Java home directory. If set then $JAVA will
# be defined to $JAVA_HOME/bin/java, else $JAVA will be "java".
#
#JAVA_HOME="/opt/java/jdk"
#
# Specify the exact Java VM executable to use.
#
#JAVA=""
if [ "x$JBOSS_MODULES_SYSTEM_PKGS" = "x" ]; then
   JBOSS_MODULES_SYSTEM_PKGS="org.jboss.byteman,org.jcp.xml.dsig.internal"
fi
# Uncomment the following line to prevent manipulation of JVM options
# by shell scripts.
#
#PRESERVE_JAVA_OPTS=true
#
# Specify options to pass to the Java VM.
#
if [ "x$JAVA_OPTS" = "x" ]; then
   JAVA_OPTS="-Xms64m -Xmx512m -XX:MaxPermSize=256m -Djava.net.preferIPv4Stack=true"
   JAVA_OPTS="$JAVA_OPTS -Djboss.modules.system.pkgs=$JBOSS_MODULES_SYSTEM_PKGS -Djava.awt.headless=true"
else
   echo "JAVA_OPTS already set in environment; overriding default settings with values: $JAVA_OPTS"
fi
# Sample JPDA settings for remote socket debugging
#JAVA_OPTS="$JAVA_OPTS -agentlib:jdwp=transport=dt_socket,address=8787,server=y,suspend=n"
# Sample JPDA settings for shared memory debugging
#JAVA_OPTS="$JAVA_OPTS -agentlib:jdwp=transport=dt_shmem,server=y,suspend=n,address=jboss"
# Uncomment to not use JBoss Modules lockless mode
#JAVA_OPTS="$JAVA_OPTS -Djboss.modules.lockless=false"
# Uncomment to gather JBoss Modules metrics
#JAVA_OPTS="$JAVA_OPTS -Djboss.modules.metrics=true"
# Uncomment this in order to be able to run WildFly on FreeBSD
# when you get "epoll_create function not implemented" message in dmesg output
#JAVA_OPTS="$JAVA_OPTS -Djava.nio.channels.spi.SelectorProvider=sun.nio.ch.PollSelectorProvider"
As you can see, I added the snippet you suggested but it doesn't make any difference. I am currently running my server on a Windows 8.1 environment with JDK 7u80 and also tried with JDK 8u45. But no luck at all...
-
9. Re: XML-Signature verification fails
jewellgm Jul 20, 2015 7:43 PM (in response to captain_goldfish)
> I just tried it again and it still does not work. I'm not sure what is wrong in what I am doing...
> Here is the copy of my "${wildfly_home}/bin/standalone.conf"
> as you can see, I added the snippet you suggested but it doesn't make any difference. I am currently running my server on a windows 8.1 environment
The standalone.conf file is for *nix systems, but you're on Windows 8.1. You need to make the analogous changes to standalone.conf.bat if you start the server with standalone.bat, or standalone.conf.ps1 if you start the server with standalone.ps1.
-
10. Re: XML-Signature verification fails
captain_goldfish Jul 21, 2015 2:48 AM (in response to jewellgm)
I tried it again with WildFly 8.2 and 9 (currently on a Win 7 system). I altered the specified entry and it still does not work... I was not sure if I should separate the entries by comma or semicolon so I tried both and still no luck.
Changes made on standalone.conf.bat:
First try:
rem # Make Byteman classes visible in all module loaders
rem # This is necessary to inject Byteman rules into AS7 deployments
set "JAVA_OPTS=%JAVA_OPTS% -Djboss.modules.system.pkgs=org.jboss.byteman,org.jcp.xml.dsig.internal"
Second try:
rem # Make Byteman classes visible in all module loaders
rem # This is necessary to inject Byteman rules into AS7 deployments
set "JAVA_OPTS=%JAVA_OPTS% -Djboss.modules.system.pkgs=org.jboss.byteman;org.jcp.xml.dsig.internal"
I also restarted the server each time I made a change.
-
11. Re: XML-Signature verification fails
mayerw01 Jul 21, 2015 5:52 AM (in response to captain_goldfish)
Maybe this is a stupid question. But do you start Wildfly-9.0.0-Final in standalone mode?
This is what I just did:
- Copy your directory to the Windows server.
- start Wildfly-9.0.0-Final on Windows 7 Professional (Service Pack 1).
- run mvn in the SignatureFailOnJBoss directory
- Deploy de.gold-1.0-SNAPSHOT.war
- open URL: localhost:8080/de.gold-1.0-SNAPSHOT/service/signature/create
- open URL: localhost:8080/de.gold-1.0-SNAPSHOT/service/signature/verify
- -> response: false
- Change standalone.conf.bat:
rem # This is necessary to inject Byteman rules into AS7 deployments
set "JAVA_OPTS=%JAVA_OPTS% -Djboss.modules.system.pkgs=org.jboss.byteman,org.jcp.xml.dsig.internal"
- open URL: localhost:8080/de.gold-1.0-SNAPSHOT/service/signature/create
- open URL: localhost:8080/de.gold-1.0-SNAPSHOT/service/signature/verify
- -> response: true
Did you do something different, or what did I miss here?
-
12. Re: XML-Signature verification fails
jewellgm Jul 21, 2015 10:32 AM (in response to captain_goldfish)
I am not at all familiar with this aspect of XML security, but the JIRA issue that was linked to seems to indicate that the method used to instantiate the XMLSignatureFactory was incorrect. In the JIRA ticket and your linked code, the factory is instantiated similarly:
String providerName = System.getProperty("jsr105Provider", "org.jcp.xml.dsig.internal.dom.XMLDSigRI");
XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM", (Provider) Class.forName(providerName).newInstance());
When the submitter changed the code to the following, based on a suggestion by one of the commenters, he said that things started working:
XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM", "XMLDSig");
According to the commenter, since this provider is part of the JDK/JRE, this is the proper method to retrieve the instance, rather than trying to instantiate the Provider class directly.
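A diagnostic for the discrepancy discussed in this thread, as an added example that is not part of any post: it reports, for both ways of obtaining the factory shown above, the provider name and version, which class loader and code source supplied the classes, and the `jboss.modules.system.pkgs` value the JVM actually received. The class name `XmlDsigProviderCheck` and its helper methods are hypothetical; `report()` is meant to be called once from inside the deployment and once from a plain JVM so the two outputs can be compared.

```java
import java.security.CodeSource;
import java.security.Provider;
import javax.xml.crypto.dsig.XMLSignatureFactory;

// Added example: class and method names are hypothetical, not from the thread.
public class XmlDsigProviderCheck {

    // Describe where a class was loaded from; bootstrap classes have no loader.
    static String origin(Class<?> c) {
        ClassLoader cl = c.getClassLoader();
        CodeSource cs = c.getProtectionDomain().getCodeSource();
        return c.getName() + " loader=" + (cl == null ? "bootstrap" : cl)
                + " source=" + (cs == null ? "JDK runtime" : cs.getLocation());
    }

    static String describe(String label, XMLSignatureFactory fac) {
        Provider p = fac.getProvider();
        return label + "\n  provider: " + p.getName() + " " + p.getVersion()
                + "\n  provider class: " + origin(p.getClass())
                + "\n  factory class:  " + origin(fac.getClass());
    }

    public static String report() throws Exception {
        StringBuilder sb = new StringBuilder();
        sb.append("java.version=").append(System.getProperty("java.version")).append('\n');
        // null here means the edited conf file was not the one the start script read
        sb.append("jboss.modules.system.pkgs=")
          .append(System.getProperty("jboss.modules.system.pkgs")).append('\n');
        // Lookup by registered provider name, as in the second snippet above.
        sb.append(describe("getInstance(\"DOM\", \"XMLDSig\")",
                XMLSignatureFactory.getInstance("DOM", "XMLDSig"))).append('\n');
        // Reflective instantiation, as in the first snippet above.
        String name = System.getProperty("jsr105Provider",
                "org.jcp.xml.dsig.internal.dom.XMLDSigRI");
        try {
            Provider p = (Provider) Class.forName(name).newInstance();
            sb.append(describe("getInstance(\"DOM\", new " + name + "())",
                    XMLSignatureFactory.getInstance("DOM", p)));
        } catch (ReflectiveOperationException | RuntimeException e) {
            sb.append("reflective instantiation failed: ").append(e);
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        System.out.println(report());
    }
}
```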
-
13. Re: XML-Signature verification fails
captain_goldfish Jul 21, 2015 11:26 AM (in response to mayerw01)
Alright, this is starting to smell funny.
I did exactly the steps described by you and it still does not work. I even used a clean WildFly 9 instance to make sure that none of my settings are interfering.
The server was clean. I built the project with Maven, deployed via management-console and called the URLs...
I have no idea what might be different here...
@Greg:
> XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM", "XMLDSig");
> According to the commenter, since this provider is part of the JDK/JRE, this is the proper method to retrieve the instance, rather than trying to instantiate the Provider class directly.
This is no solution either, unfortunately.
-
14. Re: XML-Signature verification fails
ctomc Jul 21, 2015 11:28 AM (in response to captain_goldfish)
What is the JDK version you guys used?