Apache CXF + WS-Security = “The signature or decryption was invalid”

Our SOAP web service with WS-Security written in Java using Apache CXF returns a SOAP Fault saying “The signature or decryption was invalid” when it’s run on Linux, but not when it’s run on Windows.

We are having this strange problem with a SOAP client and server, both written in Java using Apache CXF. The development started by creating the WSDL in which we used WS-SecurityPolicy to define the WS-Security settings. All further development was done on a Windows 7 machine using Eclipse, Maven and Tomcat. The result works great in the development environment (Windows 7), but when we test it in an Ubuntu Linux environment it doesn’t work. The server returns a SOAP Fault saying “The signature or decryption was invalid”.

The first post about this problem we found was this thread, but there is no answer given. A bit later, somebody else found a bug report on the CXF website with the title:

Carriage return (\r) in String argument to service method causes “SoapFault: The signature or decryption was invalid”

In this thread the conclusion is:

This isn’t really a “bug” in CXF. It’s a bug in the Stax parser built into the JDK. If you add the wstx jar that we ship with CXF to the libs, the testcase works fine.

We added:

<dependency>
    <groupId>org.apache.cxf</groupId>
    <artifactId>cxf-wstx-msv-validation</artifactId>
    <version>2.4.2</version>
</dependency>

in both the Maven pom.xml file of the client and the server, but the result stays the same: “The signature or decryption was invalid”.

Update:

We also tested on Oracle Solaris, and it doesn’t work either.

We were able to trace the SOAP Fault back on the server side to an exception with the message: “com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID TS-16”. If we have a look inside the XML of the request we see:

<wsu:Timestamp wsu:Id="TS-16">
    <wsu:Created>2011-09-28T12:35:00.711Z</wsu:Created>
    <wsu:Expires>2011-09-28T12:40:00.711Z</wsu:Expires>
</wsu:Timestamp>

Which is the element searched for. And we see:

<ds:Reference URI="#TS-16">
...
</ds:Reference>

Which is the reference to the previous element.

If we disable signing, encrypting and timestamping it works. But then there are no references used. Once one of these features is enabled it stops working.
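The following diagnostic is an added example, not code from this post or from CXF: it prints the JVM that is actually running and checks that every same-document ds:Reference URI in a message matches a wsu:Id, which helps separate a malformed message from a problem in the runtime's XML security stack. The class name ReferenceCheck, the cut-down SAMPLE header and the `#id-17` reference are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class ReferenceCheck {
    static final String WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";

    // Constructed sample: a cut-down security header, not a captured message.
    static final String SAMPLE =
        "<Security xmlns:wsu='" + WSU + "' xmlns:ds='" + DS + "'>"
      + "<wsu:Timestamp wsu:Id='TS-16'><wsu:Created>2011-09-28T12:35:00.711Z</wsu:Created></wsu:Timestamp>"
      + "<ds:Signature><ds:SignedInfo>"
      + "<ds:Reference URI='#TS-16'/><ds:Reference URI='#id-17'/>"
      + "</ds:SignedInfo></ds:Signature></Security>";

    /** Returns the same-document Reference URIs that match no wsu:Id in the message. */
    static List<String> danglingReferences(Document doc) {
        Set<String> ids = new HashSet<>();
        NodeList all = doc.getElementsByTagNameNS("*", "*");
        for (int i = 0; i < all.getLength(); i++) {
            Element e = (Element) all.item(i);
            if (e.hasAttributeNS(WSU, "Id")) ids.add(e.getAttributeNS(WSU, "Id"));
        }
        List<String> missing = new ArrayList<>();
        NodeList refs = doc.getElementsByTagNameNS(DS, "Reference");
        for (int i = 0; i < refs.getLength(); i++) {
            String uri = ((Element) refs.item(i)).getAttribute("URI");
            if (uri.startsWith("#") && !ids.contains(uri.substring(1))) missing.add(uri);
        }
        return missing;
    }

    public static void main(String[] args) throws Exception {
        // Record which JVM is really in use on the machine that fails.
        System.out.println(System.getProperty("java.vm.vendor") + " / "
            + System.getProperty("java.vm.name") + " / " + System.getProperty("java.version"));
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // required for the namespace-based lookups above
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(SAMPLE.getBytes(StandardCharsets.UTF_8)));
        // Without a DTD or schema the DOM does not treat wsu:Id as an ID attribute.
        System.out.println("getElementById(\"TS-16\") -> " + doc.getElementById("TS-16"));
        System.out.println("Unresolvable references: " + danglingReferences(doc));
    }
}
```

To check a real request, replace SAMPLE with the logged SOAP envelope; an empty list together with the same fault on the server means the message itself is intact.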

Update October 4th 2011:

We managed to find the solution. Our test environment consists of:

  • OS: Ubuntu Linux 11.04 Natty Narwhal
  • Tomcat: 6.0.28

We were using the OpenJDK packages, and that appeared to be the problem. When removing those packages and installing the packages from sun-java6, everything started working.
