Bug 47833 - problem xml parsing: != test instead of !.equals cause a parse error
Status: RESOLVED DUPLICATE of bug 45637
Alias: None
Product: Security - Now in JIRA
Classification: Unclassified
Component: Signature
Version: unspecified
Hardware: PC Windows 2000
Importance: P2 normal
Target Milestone: ---
Assignee: XML Security Developers Mailing List
Reported: 2009-09-14 03:39 UTC by elisa.laneri
Modified: 2009-09-17 12:38 UTC
Description elisa.laneri 2009-09-14 03:39:24 UTC
Hello,
I'm using cxf 2.2.2 and xmlsec-1.4.2 in BEA.
My Exception is:
The signature or decryption was invalid (Cannot setup signature data structure);
nested exception is:
        org.apache.xml.security.exceptions.XMLSecurityException: Cannot create a http://www.w3.org/2000/09/xmldsig#:Signature from a http://www.w3.org/2000/09/xmldsig#:Signature element
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:514)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:277)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:77)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:89)
        at org.apache.cxf.transport.servlet.ServletDestination.invoke(ServletDestination.java:99)
        at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:368)
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:183)
        at org.apache.cxf.transport.servlet.AbstractCXFServlet.invoke(AbstractCXFServlet.java:163)
        at org.apache.cxf.transport.servlet.AbstractCXFServlet.doPost(AbstractCXFServlet.java:141)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:763)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
        at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:225)
        at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:127)
        at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:283)
        at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:175)
        at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3214)
        at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
        at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
        at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:1983)
        at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:1890)
        at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1344)
        at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
        at weblogic.work.ExecuteThread.run(ExecuteThread.java:181)
Caused by: org.apache.ws.security.WSSecurityException: The signature or decryption was invalid (Cannot setup signature data structure); nested exception is:
        org.apache.xml.security.exceptions.XMLSecurityException: Cannot create a http://www.w3.org/2000/09/xmldsig#:Signature from a http://www.w3.org/2000/09/xmldsig#:Signature element
        at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:163)
        at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:85)
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:179)
        ... 22 more
Caused by: org.apache.xml.security.exceptions.XMLSecurityException: Cannot create a http://www.w3.org/2000/09/xmldsig#:Signature from a http://www.w3.org/2000/09/xmldsig#:Signature element
        at org.apache.xml.security.utils.ElementCheckerImpl$InternedNsChecker.guaranteeThatElementInCorrectSpace(Unknown Source)
        at org.apache.xml.security.utils.ElementProxy.guaranteeThatElementInCorrectSpace(Unknown Source)
        at org.apache.xml.security.utils.ElementProxy.<init>(Unknown Source)
        at org.apache.xml.security.utils.SignatureElementProxy.<init>(Unknown Source)
        at org.apache.xml.security.signature.XMLSignature.<init>(Unknown Source)
        at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:161)
---------------------------------
InternedNsChecker:

    if ((str2 != str4) || (!(str1.equals(str3))))
    {
      Object[] arrayOfObject = { str4 + ":" + str3, str2 + ":" + str1 };
      throw new XMLSecurityException("xml.WrongElement", arrayOfObject);
    }
---------------------------------
If I try my web application with cxf 2.2.2 and xmlsec-1.3.0,
this exception is not thrown. If I look at the source code, it is:
----------------------------------
    if ((!(str1.equals(str3))) || (!(str2.equals(str4))))
    {
      Object[] arrayOfObject = { str4 + ":" + str3, str2 + ":" + str1 };
      throw new XMLSecurityException("xml.WrongElement", arrayOfObject);
    }

Thanks

Elisa
Comment 1 sean.mullan 2009-09-17 12:38:28 UTC
45637 should address this, by providing a configurable option for DOM implementations that don't intern namespaces. Therefore I am marking this as a duplicate.

*** This bug has been marked as a duplicate of bug 45637 ***
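
The comparison difference described in this report, as an added example in Java (not code from xmlsec or from either commenter). The class and method names are hypothetical, and the string built at run time is a constructed stand-in for a DOM implementation that does not intern namespace URIs.

```java
public class NamespaceIdentityCheck {
    // String literal, so the JVM interns it (assumed to mirror a library-side constant).
    static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";

    // Reference comparison on the namespace, the shape quoted for xmlsec-1.4.2.
    static boolean acceptsByIdentity(String ns, String name, String wantNs, String wantName) {
        return ns == wantNs && name.equals(wantName);
    }

    // Value comparison on both parts, the shape quoted for xmlsec-1.3.0.
    static boolean acceptsByEquals(String ns, String name, String wantNs, String wantName) {
        return name.equals(wantName) && ns.equals(wantNs);
    }

    static void report(String label, String ns) {
        System.out.printf("%-28s identity=%-5b equals=%b%n", label,
                acceptsByIdentity(ns, "Signature", DSIG_NS, "Signature"),
                acceptsByEquals(ns, "Signature", DSIG_NS, "Signature"));
    }

    public static void main(String[] args) {
        // Constructed input: a namespace string built at run time, standing in for
        // what a DOM implementation that does not intern namespace URIs returns.
        String fromDom = new StringBuilder("http://www.w3.org/2000/09/")
                .append("xmldsig#").toString();

        report("non-interned namespace", fromDom);
        report("after String.intern()", fromDom.intern());
        report("different namespace", "http://example.invalid/other#");
    }
}
```

With the identity check, a correctly namespaced element is rejected, and the resulting error names the same namespace and element on both sides, as in the "Cannot create a ...#:Signature from a ...#:Signature element" message in the trace above.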