"org.apache.ws.security.WSSecurityException: The signature or decryption was invalid." when soap reference returns a SOAPFault

Solution Unverified - Updated -


We have discovered a strange behavior of Fuse / Switchyard regarding SOAPFaults.
When we call a Switchyard soap endpoint which calls a soap proxy webservice and this proxy call results in a SOAPFault our client produces the error org.apache.ws.security.WSSecurityException: The signature or decryption was invalid..

When turning on xmlsec debug logging I have discovered that the Pre-digested input of the body-element is different on client and on server side.
It seems that the namespace prefix Switchyard uses for the soapfault (SOAP-ENV:Fault) is missing a namespace definition, this definition is removed or is not used when generating the signature.

When adding the namespace manually in the switchyard project in a bean the client can handle the response. However, the namespace workaround is inconvenient and only applicable when a bean is involved, so we need a more general solution.


  • Red Hat JBoss Fuse on EAP
    • 6.2.1
    • 6.3.0

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase of over 48,000 articles and solutions.

Current Customers and Partners

Log in for full access

Log In