[
Date Prev][
Date Next][
Thread Prev][
Thread Next][
Date Index][
Thread Index]
[
List Home]
[higgins-dev] RE: a nugget of information about xml-security
|
Sorry, accidently pressed send
while typing...
Hi,
I just spent couple of hours debugging this and would like to share it.
We are issuing tokens that contain non-ascii information - in our
case
the subject name identifier was "ัะตัั" which is "test" in cyrilic script.
The token validation was failing client side even though i was
certaion
content was the same. Then I discovered the problem is in xml-security
library. The STS uses xml-security 1.4.0 and my axis2 1.4.1 client
was
using xml-security 1.4.1 which generates different digests. I guess they
have changed (fixed???) how they calculate digests over non-ascii
characters. Whatever the cause is here is the compatibility matrix which
i tested:
xml-security
1.4.0 (sign) <-> 1.4.1 (verify): not
working
1.4.1
(sign) <-> 1.4.0
(verify): not working
1.4.1 (sign) <-> 1.4.1 (verify):
working
1.4.0 (sign) <-> 1.4.0 (verify): working
Axis2 1.4.1 comes with xml-security
1.4.1
So, I think this ought to on the wiki
since it could be pain in the neck to debug for people using non-ascii
characters and I think the STS should
get upgraded to 1.4.1 which probably is
the "fixed" version. In fact on their web site:
"Version 1.4.1 of the Java library has
been released. This is a bugfix release that contains a major bugfix to the
canonicalization engine introduced in the 1.4 release. It is recommended that
1.4 users upgrade to the new version as signatures containing non ascii
characters created by this library are not according to the standard, and will
be only validated by 1.4 library."
Thanks!
George
**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
**********************************************************************