[higgins-dev] RE: a nugget of information about xml-security

Sorry, accidentally pressed send while typing...
Hi,
 
I just spent a couple of hours debugging this and would like to share it. We are issuing tokens that contain non-ASCII information - in our case
the subject name identifier was "тест" which is "test" in Cyrillic script. The token validation was failing client side even though I was certain
the content was the same. Then I discovered the problem is in the xml-security library. The STS uses xml-security 1.4.0 and my axis2 1.4.1 client was
using xml-security 1.4.1 which generates different digests. I guess they have changed (fixed???) how they calculate digests over non-ASCII
characters. Whatever the cause is, here is the compatibility matrix which I tested:
xml-security
   1.4.0 (sign) <-> 1.4.1 (verify): not working
   1.4.1 (sign) <-> 1.4. (verify): not working
   1.4. (sign) <-> 1.4.1 (verify): working 
   1.4.0 (sign) <-> 1.4.0 (verify): working
 
Axis2 1.4.1 comes with xml-security 1.4.1
 
So, I think this ought to be on the wiki since it could be a pain in the neck to debug for people using non-ASCII characters, and I think the STS should
get upgraded to 1.4.1 which probably is the "fixed" version. In fact on their web site:
 
"Version 1.4.1 of the Java library has been released. This is a bugfix release that contains a major bugfix to the canonicalization engine introduced in the 1.4 release. It is recommended that 1.4 users upgrade to the new version as signatures containing non-ASCII characters created by this library are not according to the standard, and will be only validated by 1.4 library."
 
Thanks!
 
George
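An added example (not from this email or the xml-security project) of the check a verifier does behind the scenes: recompute the ds:Reference digest over the canonicalized UTF-8 octets and compare it with the DigestValue carried in the signature, then classify a mismatch. The sample NameID element, the function names and the cp1252 mis-encoding are constructed assumptions; the mis-encoding only illustrates the class of canonicalizer defect the mailing list post describes, not the actual xml-security 1.4.0 behaviour.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: a SAML-style NameID whose subject is the Cyrillic word "тест".
SAMPLE_XML = '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">тест</saml:NameID>'


def c14n_utf8(xml_text):
    """Canonicalize (C14N 1.0, Python's xml.etree canonicalize) and return the UTF-8 octets
    a conforming signer hashes for the Reference."""
    return ET.canonicalize(xml_text).encode("utf-8")


def digest_b64(octets):
    """SHA-1 over the canonical octets, base64-encoded the way ds:DigestValue carries it."""
    return base64.b64encode(hashlib.sha1(octets).digest()).decode("ascii")


def verify_reference(xml_text, expected_digest_b64):
    """Recompute the Reference digest locally and compare it with the signed DigestValue."""
    return digest_b64(c14n_utf8(xml_text)) == expected_digest_b64


def mishandled_octets(xml_text):
    """Hypothetical non-conforming canonicalizer: hashes the canonical text after a lossy
    trip through a single-byte code page instead of its UTF-8 octets. Any non-ASCII
    character changes the hashed bytes, so the two sides disagree only on such tokens."""
    return ET.canonicalize(xml_text).encode("cp1252", errors="replace")


def diagnose(xml_text, expected_digest_b64):
    """Classify a digest mismatch so the operator knows where to look first."""
    if digest_b64(c14n_utf8(xml_text)) == expected_digest_b64:
        return "digest matches"
    if any(ord(ch) > 127 for ch in xml_text):
        return "digest mismatch on non-ASCII content: compare canonicalizer versions on both sides"
    return "digest mismatch: content modified or different canonicalization"


if __name__ == "__main__":
    good = digest_b64(c14n_utf8(SAMPLE_XML))
    bad = digest_b64(mishandled_octets(SAMPLE_XML))
    print("conforming signer   :", good, diagnose(SAMPLE_XML, good))
    print("non-conforming signer:", bad, diagnose(SAMPLE_XML, bad))
```

An ASCII-only token hashes identically under both code paths, which is why the problem surfaces only once a NameID such as "тест" is issued.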
