我正在连接到安全的服务。
我有一个SOAP UI项目,配置为使用jks文件提供证书,以及相应的安全设置,以便我获得有效的响应。
我已经使用AXIS 2和Rampart从JAVA项目创建SOAP请求。 使用TCPMon我已经设法获取SOAP请求。
当请求在JAVA项目中运行时,我得到响应:
org.apache.axis2.AxisFault:缺少wsse:请求中的安全标头
但如果我采用相同的请求,在TCPMon中捕获并将其放入SOAP UI项目中,我会成功获得响应。
有人有任何想法吗?
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
soapenv:mustUnderstand="1">
<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Timestamp-1">
<wsu:Created>2012-06-01T15:09:12.520Z</wsu:Created>
<wsu:Expires>2012-06-01T15:14:12.520Z</wsu:Expires>
</wsu:Timestamp>
<wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="CertId-ECDB0E....01">
MIID4DCCA0mgAwIBAgIBFjAN....</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
Id="Signature-2">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#Id-15..93">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>
3wgvhJ8SI2soC..IA=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#Timestamp-1">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>
VlzDT69YEl..qTlbj0=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
ZCRypw/..=</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-ECD..2">
<wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="STRId-ECDB0E6..6193">
<wsse:Reference URI="#CertId-ECDB0E..01"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security></soapenv:Header><soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-15..3"><ns2:ProductSearchV2Request xmlns:ns2="http://product.webservice.sxc.com">
<ns2:Strength>900</ns2:Strength>
<ns2:MaximumResultSetInd>true</ns2:MaximumResultSetInd>
<ns2:MaximumResultSet>100</ns2:MaximumResultSet>
</ns2:ProductSearchV2Request>
这是我正在使用的WS-POLICY文档:
<?xml version="1.0" encoding="UTF-8"?>
<!--
!
! Copyright 2006 The Apache Software Foundation.
!
! Licensed under the Apache License, Version 2.0 (the "License");
! you may not use this file except in compliance with the License.
! You may obtain a copy of the License at
!
! http://www.apache.org/licenses/LICENSE-2.0
!
! Unless required by applicable law or agreed to in writing, software
! distributed under the License is distributed on an "AS IS" BASIS,
! WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
! See the License for the specific language governing permissions and
! limitations under the License.
!-->
<wsp:Policy wsu:Id="SigOnly"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:RequireThumbprintReference/>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
<wsp:Policy>
<sp:RequireThumbprintReference/>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:TripleDesRsa15/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
<sp:OnlySignEntireHeadersAndBody/>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier/>
<sp:MustSupportRefIssuerSerial/>
</wsp:Policy>
</sp:Wss10>
<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body/>
</sp:SignedParts>
<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
<ramp:user>ctr</ramp:user>
<ramp:encryptionUser>ctr</ramp:encryptionUser>
<ramp:passwordCallbackClass>com.gtnet.rampart.PWCBHandler
</ramp:passwordCallbackClass>
<ramp:signatureCrypto>
<ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
<ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
<ramp:property name="org.apache.ws.security.crypto.merlin.file">build\resources\qa.jks</ramp:property>
<ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">123123</ramp:property>
</ramp:crypto>
</ramp:signatureCrypto>
</ramp:RampartConfig>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
由于 艾伦
答案 0 :(得分:3)
看起来错误不是出站请求,而是处理响应。 响应没有安全标头,当我们尝试解密它时,会发生异常。
我需要以某种方式将我的Rampart配置更改为仅执行出站安全性,而不是入站
我会报告回来:))
好的问题是,一旦Rampart参与其中,它希望响应具有相同的安全标头。 解决问题的方法是将处理程序移除到Rampart.mar文件中的Inflow安全性。
我不确定这是否是最佳解决方案,但它对我们有用。
要删除流入处理程序: 解压缩rampart.mar文件
注释掉流入部分
压缩META_INF文件夹。然后将.zip文件重命名为.mar
现在当你使用它时,因为没有为流入定义处理程序,它将只使用标准的Axis2响应处理程序。
我想如果你有几个使用Rampart的项目,其中一些项目在响应中有安全标头,而有些则没有,你需要采用不同的方法。
此处详述另一种方法。 这可能是一种更好的方法:
http://blog.rampartfaq.com/2009/11/how-to-generate-non-secure-response-to.html
例外:
org.apache.axis2.AxisFault:请求中缺少wsse:Security标头 在 org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:180) 在 org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:99) 在org.apache.axis2.engine.Phase.invoke(Phase.java:318)at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:251)at at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:160)at at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:364) 在 org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:417) 在 org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:229)
答案 1 :(得分:0)
经过大量导航并阅读了相同的页面几次之后,我终于找到了令我满意的解决方案。
从上一篇文章中我引用:“好吧,问题是一旦Rampart被使用,它期望响应具有相同的安全头。” (根据要求) 这是绝对正确的!
我认为最好的方法是在以下链接中找到:http://xacmlinfo.org/2012/11/09/disabling-ws-security-for-in-or-out-messages-in-axis2/
但是,在我的情况下,我不想创建一个新模块,所以我决定在代码中模拟该模块。我试图通过三个步骤来解释它。
私有字符串getPolicy() { 返回“用于策略的xml” }
重要:该方法必须将以下xml作为String返回(更好地阅读)
<wsp:Policy wsu:Id="emptryPolicy"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsp:ExactlyOne>
<wsp:All>
<sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
</wsp:Policy>
</sp:TransportBinding>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
InputStream流=新的ByteArrayInputStream(getPolicy()。getBytes());
政策p = PolicyEngine.getPolicy(stream);
Stub._getServiceClient()。getOptions()。setProperty(RampartMessageData.KEY_RAMPART_OUT_POLICY, Web服务的安全策略 );
Stub._getServiceClient()。getOptions()。setProperty(RampartMessageData.KEY_RAMPART_IN_POLICY,p);
重要 Web服务的安全策略取决于Web服务使用的安全性...如果您的提供者在wsdl中提供了该策略,则不必为此苦恼...但是在其他情况下,您只需使用城墙政策。在城墙站点中,针对每种类型的安全策略都非常清楚地描述了示例。 (UsernameToken身份验证,AsymmetricBinding等)
此示例构建具有安全性的请求和不具有安全性的响应。 它对我有用!
答案 2 :(得分:-1)
在我的情况下同样的问题但我通过更改存根中的soap请求版本名称空间uri得到了成功响应。我更改了名称空间uri来自&#34; http://www.w3.org/2003/05/soap-envelope&#34;到&#34; http://schemas.xmlsoap.org/soap/envelope/&#34;。