我正在使用WSS4J来验证soap消息中的符号和时间戳。但是当我收到没有签名时间戳的消息时,wssj4认为一切正常,我希望在那种情况下看到错误。
我的好消息是这样的:
<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="1">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-3">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<ds:Reference URI="#id-2">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList=""/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>u8CMT7Q7fJJ1Dv5dEmzGU1FO5Y0=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#TS-1">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse soap"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>m8XN2C3FUjK4WHAXhO9gLI82XeE=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>X9EntCBO7nmNrYsYuugpHxN13wSUNhTF4exkRRWj0tTrfEqbz8potg==</ds:SignatureValue>
<ds:KeyInfo Id="KI-B60AEEFF94DBA35E9413402583324452">
<wsse:SecurityTokenReference wsu:Id="STR-B60AEEFF94DBA35E9413402583324473">
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>CN=TEST,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown</ds:X509IssuerName>
<ds:X509SerialNumber>1332750124</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsu:Timestamp wsu:Id="TS-1">
<wsu:Created>2012-06-21T05:58:52.392Z</wsu:Created>
<wsu:Expires>2012-06-21T06:03:52.392Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</soap:Header>
<soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-2">
[...]
</soap:Body>
</soap:Envelope>
坏消息(这个消息应该抛出“时间戳未签名”之类的异常):
<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="1">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-3">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<ds:Reference URI="#id-2">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList=""/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>u8CMT7Q7fJJ1Dv5dEmzGU1FO5Y0=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>U6TSJXJTCryEm5FhoMBbEoiUIL0jjFDvPxPJ3ihoOHsWCwk4t3++2w==</ds:SignatureValue>
<ds:KeyInfo Id="KI-9AEDF8EC92B112ADE113402583983992">
<wsse:SecurityTokenReference wsu:Id="STR-9AEDF8EC92B112ADE113402583984013">
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>CN=TEST,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown</ds:X509IssuerName>
<ds:X509SerialNumber>1332750124</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsu:Timestamp wsu:Id="TS-1">
<wsu:Created>2012-06-21T05:59:58.376Z</wsu:Created>
<wsu:Expires>2012-06-21T06:04:58.376Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</soap:Header>
<soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-2">
[...]
</soap:Body>
</soap:Envelope>
所以我的错误信息不包含:
<ds:Reference URI="#TS-1">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse soap"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>m8XN2C3FUjK4WHAXhO9gLI82XeE=</ds:DigestValue>
</ds:Reference>
目前我的非常好的拦截器配置如下:
// verifying incepteptor
final String actions = WSHandlerConstants.TIMESTAMP + " " + WSHandlerConstants.SIGNATURE;
Map<String, Object> inProps = new HashMap<String, Object>();
Map<QName, Validator> validatorMap = new HashMap<QName, Validator>();
validatorMap.put(WSSecurityEngine.SIGNATURE, new SignatureTrustValidator());
validatorMap.put(WSSecurityEngine.TIMESTAMP, new TimeStampValidator());
inProps.put(WSS4JInInterceptor.VALIDATOR_MAP, validatorMap);
inProps.put(WSHandlerConstants.ACTION, actions);
inProps.put(WSHandlerConstants.SIGNATURE_PARTS, "{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body;{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp");
inProps.put(WSHandlerConstants.SIG_PROP_FILE, SIG_PROPFILE);
WSS4JInInterceptor verifying = new WSS4JInInterceptor(inProps);
如何设置wss4j来实现这样的行为? BTW: CXF版本:2.5.1 WSS4J版本:1.6.2
答案 0 :(得分:3)
答案是 org.apache.cxf.ws.security.wss4j.CryptoCoverageChecker :
<util:constant id="typeSigned" static-field="org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType.SIGNED"/>
<util:constant id="scoopeElement" static-field="org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageScope.ELEMENT"/>
<util:map id="prfx">
<entry key="soap" value="http://schemas.xmlsoap.org/soap/envelope/"/>
<entry key="wsse" value="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"/>
<entry key="wsu" value="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"/>
</util:map>
<bean id="bodyVerifier" class="org.apache.cxf.ws.security.wss4j.CryptoCoverageChecker.XPathExpression">
<constructor-arg index="0" value="/soap:Envelope/soap:Body" />
<constructor-arg index="1"><ref bean="typeSigned" /></constructor-arg>
<constructor-arg index="2"><ref bean="scoopeElement" /></constructor-arg>
</bean>
<bean id="timestampVerifier" class="org.apache.cxf.ws.security.wss4j.CryptoCoverageChecker.XPathExpression">
<constructor-arg index="0" value="/soap:Envelope/soap:Header/wsse:Security/wsu:Timestamp" />
<constructor-arg index="1"><ref bean="typeSigned" /></constructor-arg>
<constructor-arg index="2"><ref bean="scoopeElement" /></constructor-arg>
</bean>
<util:list id="paths" >
<ref bean="bodyVerifier" />
<ref bean="timestampVerifier" />
</util:list>
<bean id="coverageChecker" class="org.apache.cxf.ws.security.wss4j.CryptoCoverageChecker">
<constructor-arg index="0"><ref bean="prfx" /></constructor-arg>
<constructor-arg index="1"><ref bean="paths" /></constructor-arg>
</bean>
接下来我们必须将其添加为拦截器:
<jaxws:endpoint id="someId" implementor="#example" address="/">
<jaxws:inInterceptors>
<ref bean="coverageChecker" />
</jaxws:inInterceptors>
</jaxws:endpoint>