"org.apache.ws.security.WSSecurityException: The signature or decryption was invalid." when soap reference returns a SOAPFault

Solution Unverified - Updated -

Issue

We have discovered a strange behavior of Fuse / Switchyard regarding SOAPFaults.
When we call a Switchyard soap endpoint which calls a soap proxy webservice and this proxy call results in a SOAPFault our client produces the error org.apache.ws.security.WSSecurityException: The signature or decryption was invalid..

When turning on xmlsec debug logging I have discovered that the Pre-digested input of the body-element is different on client and on server side.
It seems that the namespace prefix Switchyard uses for the soapfault (SOAP-ENV:Fault) is missing a namespace definition, this definition is removed or is not used when generating the signature.

When adding the namespace manually in the switchyard project in a bean the client can handle the response. However, the namespace workaround is inconvenient and only applicable when a bean is involved, so we need a more general solution.

Environment

  • Red Hat JBoss Fuse on EAP
    • 6.2.1
    • 6.3.0

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content