I am using WSO2 to digitally sign and encrypt messages:
The web service is deployed on WebLogic; it expects a SAML token, body and headers, and performs signing and forwarding.
Scenario 1: A standalone web service client generated from the WSDL with the Axis API (1.6.2+), whose policy expects a SAML token. This code produces a digitally signed and encrypted SOAP envelope, hits the endpoint and successfully returns the result.
<ds:Reference URI="#c4243cf4c8b6b8d6bc6570af5c0573e6">
  <ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
      <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse wsu soapenv" />
    </ds:Transform>
  </ds:Transforms>
  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
  <ds:DigestValue>lWQgTrlIVeFKWqT1ktPs0/kK3tQ=</ds:DigestValue>
</ds:Reference>
Scenario 2: The same code from scenario 1 is used in WSO2 ESB 4.7, with the client above running as a class mediator against the WSO2 ESB jars. Apart from changes in the XML syntax, the request SOAP envelope is fully signed and encrypted.
<ds:Reference URI="#Id-2003921168">
  <ds:Transforms>
    <ds:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
      <wsse:TransformationParameters>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      </wsse:TransformationParameters>
    </ds:Transform>
  </ds:Transforms>
  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
  <ds:DigestValue>mfNA+3ZPnCMzS2Y0TJ1GsYcdHNE=</ds:DigestValue>
</ds:Reference>
The signatures generated in the two cases appear to differ. Is the XML security implemented by WSO2 ESB different from the standalone Apache XML Security implementation?
The SOAP envelope generated in scenario 2 fails signature validation on the WebLogic web server and throws a SOAP fault with the following stack trace:
<?xml version="1.0" encoding="utf-8"?><env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><env:Body><env:Fault><faultcode>env:Server</faultcode><faultstring>Failed to validate signature.</faultstring><detail><bea_fault:stacktrace xmlns:bea_fault="http://www.bea.com/servers/wls70/webservice/fault/1.0.0">weblogic.xml.crypto.wss.WSSecurityException: Failed to validate signature.
at weblogic.xml.crypto.wss.SecurityImpl.unmarshalAndProcessSignature(SecurityImpl.java:740)
at weblogic.xml.crypto.wss.SecurityImpl.unmarshalAndProcessSignature(SecurityImpl.java:689)
at weblogic.xml.crypto.wss.SecurityImpl.unmarshalChildren(SecurityImpl.java:544)
at weblogic.xml.crypto.wss.SecurityImpl.unmarshalInternal(SecurityImpl.java:450)
Caused by: weblogic.xml.crypto.dsig.api.XMLSignatureException
at weblogic.xml.crypto.wss.STRTransform.transform(STRTransform.java:303)
at weblogic.xml.crypto.dsig.ReferenceUtils.applyTransforms(ReferenceUtils.java:49)
at weblogic.xml.crypto.dsig.ReferenceImpl.createDigest(ReferenceImpl.java:161)
Caused by: weblogic.xml.crypto.wss.WSSecurityException: No token handler found for null
at weblogic.xml.crypto.wss.WSSecurityContext.getRequiredTokenHandler(WSSecurityContext.java:410)
at weblogic.xml.crypto.wss.STRTransform.transform(STRTransform.java:193)
Caused by: weblogic.xml.crypto.dsig.api.XMLSignatureException
at weblogic.xml.crypto.wss.STRTransform.transform(STRTransform.java:303)
at weblogic.xml.crypto.dsig.ReferenceUtils.applyTransforms(ReferenceUtils.java:49)
at weblogic.xml.crypto.dsig.ReferenceImpl.createDigest(ReferenceImpl.java:161)
at weblogic.xml.crypto.dsig.ReferenceImpl.validate(ReferenceImpl.java:116)
at weblogic.xml.crypto.dsig.XMLSignatureImpl.validate(XMLSignatureImpl.java:256)
The web service policy file used is:
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsp:All>
    <ns1:AsymmetricBinding xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
      <wsp:Policy>
        <ns1:InitiatorToken>
          <wsp:Policy>
            <ns1:X509Token ns1:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
              <wsp:Policy>
                <ns1:WssX509V3Token10 />
              </wsp:Policy>
            </ns1:X509Token>
          </wsp:Policy>
        </ns1:InitiatorToken>
        <ns1:RecipientToken>
          <wsp:Policy>
            <ns1:X509Token ns1:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
              <wsp:Policy>
                <ns1:WssX509V3Token10 />
              </wsp:Policy>
            </ns1:X509Token>
          </wsp:Policy>
        </ns1:RecipientToken>
        <ns1:AlgorithmSuite>
          <wsp:Policy>
            <ns1:Basic256 />
          </wsp:Policy>
        </ns1:AlgorithmSuite>
        <ns1:Layout>
          <wsp:Policy>
            <ns1:Lax />
          </wsp:Policy>
        </ns1:Layout>
        <ns1:IncludeTimestamp />
        <ns1:ProtectTokens />
        <ns1:OnlySignEntireHeadersAndBody />
      </wsp:Policy>
    </ns1:AsymmetricBinding>
    <ns2:SignedSupportingTokens xmlns:ns2="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
      <wsp:Policy>
        <ns2:IssuedToken ns2:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
          <ns2:Issuer>
            <Address xmlns="http://www.w3.org/2005/08/addressing">https://HYD-69ZRV01-L:6002/standalonests/SamlSTS</Address>
          </ns2:Issuer>
          <ns2:RequestSecurityTokenTemplate>
            <t:TokenType xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
          </ns2:RequestSecurityTokenTemplate>
          <wsp:Policy>
            <ns2:RequireInternalReference />
          </wsp:Policy>
        </ns2:IssuedToken>
      </wsp:Policy>
      <wsp:Policy>
        <ns2:SamlToken ns2:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
          <wsp:Policy>
            <ns2:WssSamlV11Token10 />
          </wsp:Policy>
        </ns2:SamlToken>
      </wsp:Policy>
    </ns2:SignedSupportingTokens>
    <!--
    <ns2:SignedSupportingTokens xmlns:ns2="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
      <wsp:Policy>
        <ns2:SamlToken ns2:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
          <wsp:Policy>
            <ns2:WssSamlV11Token10 />
          </wsp:Policy>
        </ns2:SamlToken>
      </wsp:Policy>
    </ns2:SignedSupportingTokens>
    -->
    <ns3:Wss10 xmlns:ns3="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
      <wsp:Policy>
        <ns3:MustSupportRefKeyIdentifier />
        <ns3:MustSupportRefIssuerSerial />
      </wsp:Policy>
    </ns3:Wss10>
    <ns4:EncryptedParts xmlns:ns4="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
      <ns4:Body />
    </ns4:EncryptedParts>
    <ns5:SignedParts xmlns:ns5="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
      <ns5:Body />
    </ns5:SignedParts>
  </wsp:All>
</wsp:Policy>
Thanks.
Answer 0: (score: 0)
There is a difference in the Transform algorithm used in the two cases. That must be the cause of the problem.
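The following is an added diagnostic, not code from the question or the answer. It uses only the Python standard library to pull the ordered Transform chain out of every ds:Reference in a ds:SignedInfo, so the two envelopes can be compared mechanically rather than by eye, and it flags references that use the STR-Dereference transform, because a verifier can only digest those after resolving the wsse:SecurityTokenReference through a token handler (the step at which the WebLogic trace above fails). The two SignedInfo wrappers are constructed around the fragments from the question; the xmlns:wsse declaration on the second wrapper is an assumption added so the fragment parses stand-alone.

```python
import xml.etree.ElementTree as ET

# Namespaces that appear in the two ds:Reference fragments from the question.
DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
STR_TRANSFORM = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#STR-Transform")

# Constructed samples: the ds:Reference elements from the question, wrapped in a
# minimal ds:SignedInfo (the wsse prefix declaration is assumed) so they parse alone.
SCENARIO_1 = """<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Reference URI="#c4243cf4c8b6b8d6bc6570af5c0573e6">
    <ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
        <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                PrefixList="wsse wsu soapenv"/>
      </ds:Transform>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:DigestValue>lWQgTrlIVeFKWqT1ktPs0/kK3tQ=</ds:DigestValue>
  </ds:Reference>
</ds:SignedInfo>"""

SCENARIO_2 = """<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <ds:Reference URI="#Id-2003921168">
    <ds:Transforms>
      <ds:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
        <wsse:TransformationParameters>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </wsse:TransformationParameters>
      </ds:Transform>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:DigestValue>mfNA+3ZPnCMzS2Y0TJ1GsYcdHNE=</ds:DigestValue>
  </ds:Reference>
</ds:SignedInfo>"""


def reference_transforms(signed_info_xml):
    """Map each ds:Reference URI to the ordered list of Transform algorithms it applies."""
    root = ET.fromstring(signed_info_xml)
    chains = {}
    for ref in root.iter(f"{{{DS}}}Reference"):
        chains[ref.get("URI")] = [t.get("Algorithm") for t in ref.iter(f"{{{DS}}}Transform")]
    return chains


def str_transform_references(signed_info_xml):
    """URIs whose chain contains STR-Transform: the receiver must dereference the
    wsse:SecurityTokenReference via a token handler before it can canonicalise and digest."""
    return [uri for uri, algs in reference_transforms(signed_info_xml).items()
            if STR_TRANSFORM in algs]


def str_transforms_without_c14n(signed_info_xml):
    """URIs of STR-Transform references that carry no wsse:TransformationParameters /
    ds:CanonicalizationMethod telling the receiver how to canonicalise the dereferenced token."""
    root = ET.fromstring(signed_info_xml)
    missing = []
    for ref in root.iter(f"{{{DS}}}Reference"):
        for t in ref.iter(f"{{{DS}}}Transform"):
            if t.get("Algorithm") != STR_TRANSFORM:
                continue
            params = t.find(f"{{{WSSE}}}TransformationParameters")
            c14n = None if params is None else params.find(f"{{{DS}}}CanonicalizationMethod")
            if c14n is None:
                missing.append(ref.get("URI"))
    return missing


def diff_transform_chains(a_xml, b_xml):
    """Pair references by position (Ids are regenerated per message) and return the
    positions whose transform chains differ, with both URIs and chains for inspection."""
    a = list(reference_transforms(a_xml).items())
    b = list(reference_transforms(b_xml).items())
    return [(i, ua, ta, ub, tb)
            for i, ((ua, ta), (ub, tb)) in enumerate(zip(a, b)) if ta != tb]


if __name__ == "__main__":
    for i, ua, ta, ub, tb in diff_transform_chains(SCENARIO_1, SCENARIO_2):
        print(f"reference {i}: {ua} uses {ta}")
        print(f"             {ub} uses {tb}")
    print("STR-Transform references in scenario 2:", str_transform_references(SCENARIO_2))
```

Run against a real request, feed the whole ds:SignedInfo from the wsse:Security header in; an empty result from diff_transform_chains for the two environments means the transform chains match and the difference must lie elsewhere (key material, canonicalisation prefixes, or the token the STR points at).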