WSO2 ESB EntitlementMediator cannot send messages to the Identity Server

Time: 2013-08-06 04:27:30

Tags: security wso2 esb identity

I am having trouble integrating the WSO2 Identity Server with the ESB.

After following the guide "Using XACML Fine Grained Authorization with the WSO2 Product Platform", I found that the ESB has received the message from the client, but I did not find that the ESB has sent any message to the Identity Server.

I am trying to use wso2esb-4.7.0 with wso2is-4.1.0.

Here are the steps I took:

  1. Configure the WSO2 Identity Server as the XACML engine and start the Identity Server;

  2. Configure the Entitlement mediator in the WSO2 ESB and start the ESB;

  3. Run the client code in the IDE.

  4. There is no output message in either the ESB or the IS.

    In the client IDE, the following messages appear in the console:

    ......
    
    13/08/05 15:24:15 INFO deployment.ModuleDeployer: Deploying module: rahas - file:/D:/project/wso2/test/wso2esb-4.7.0/repository/components/plugins/rampart-trust_1.6.1.wso2v8.jar
    13/08/05 15:24:15 ERROR sandesha2.SandeshaModule: Could not load module policies. Using default values.
    13/08/05 15:24:15 INFO tcp.TCPTransportSender: TCP Sender started
    13/08/05 15:24:17 ERROR engine.AxisEngine: Missing wsse:Security header in request
    org.apache.axis2.AxisFault: Missing wsse:Security header in request
        at org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:180)
        at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:99)
        at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
        at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
        at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261)
        at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:167)
        at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:356)
        at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:413)
        at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:224)
        at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
        at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:554)
        at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:530)
        at org.wso2.entitlement.sample.WSEntitlementTestClient.main(WSEntitlementTestClient.java:59)
    Caused by: org.apache.rampart.RampartException: Missing wsse:Security header in request
        at org.apache.rampart.RampartEngine.process(RampartEngine.java:141)
        at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
        ... 11 more
    Exception in thread "main" org.apache.axis2.AxisFault: Missing wsse:Security header in request
        at org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:180)
        at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:99)
        at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
        at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
        at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261)
        at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:167)
        at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:356)
        at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:413)
        at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:224)
        at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
        at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:554)
        at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:530)
        at org.wso2.entitlement.sample.WSEntitlementTestClient.main(WSEntitlementTestClient.java:59)
    Caused by: org.apache.rampart.RampartException: Missing wsse:Security header in request
        at org.apache.rampart.RampartEngine.process(RampartEngine.java:141)
        at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
        ... 11 more
    

    Here is the client source code:

    package org.wso2.entitlement.sample;
    
    import org.apache.axiom.om.OMAbstractFactory;
    import org.apache.axiom.om.OMElement;
    import org.apache.axiom.om.OMFactory;
    import org.apache.axiom.om.OMNamespace;
    import org.apache.axiom.om.impl.builder.StAXOMBuilder;
    import org.apache.axis2.Constants;
    import org.apache.axis2.addressing.EndpointReference;
    import org.apache.axis2.client.Options;
    import org.apache.axis2.client.ServiceClient;
    import org.apache.axis2.context.ConfigurationContext;
    import org.apache.axis2.context.ConfigurationContextFactory;
    import org.apache.neethi.Policy;
    import org.apache.neethi.PolicyEngine;
    import org.apache.rampart.RampartMessageData;
    
    public class WSEntitlementTestClient {
    
     final static String ADDR_URL = "http://localhost:8280/services/echo"; //"http://localhost:8280/services/MarketDataService";
     final static String TRANS_URL =  "https://localhost:8243/services/EntitlementService"; // "https://localhost:8243/services/EntitlementProxy";
    
     public static void main(String[] args) throws Exception {
      ServiceClient client = null;
      Options options = null;
      OMElement response = null;
      ConfigurationContext context = null;
      String trustStore = null;
    
      // You need to import the ESBs public certificate to this key store.
      trustStore = "wso2carbon.jks";
      // We are accessing ESB over HTTPS - so need to set trustStore parameters.
      System.setProperty("javax.net.ssl.trustStore", trustStore);
      // Password of mykeystore.jks
      System.setProperty("javax.net.ssl.trustStorePassword", "wso2carbon");
    
      // Create configuration context - you will have Rampart module engaged in the client.axis2.xml
      context = ConfigurationContextFactory.createConfigurationContextFromFileSystem("repo","repo/conf/axis2_client.xml");
    
      // This is the security policy of the proxy service applied UT.
      StAXOMBuilder builder = new StAXOMBuilder("policy.xml");
      Policy policy = PolicyEngine.getPolicy(builder.getDocumentElement());
    
    //    context = ConfigurationContextFactory.createConfigurationContextFromFileSystem("repo","repo/conf/client.axis2.xml");
      client = new ServiceClient(context, null);
      options = new Options();
      options.setAction("urn:echoString");
      // This is the addressing URL pointing to the echo service deployed in ESB
      options.setTo(new EndpointReference(ADDR_URL));
      // To the ESB, the proxy service
      options.setUserName("admin");
      options.setPassword("admin");
      // TRANS_URL points to proxy service
      options.setProperty(Constants.Configuration.TRANSPORT_URL, TRANS_URL);
      options.setProperty(RampartMessageData.KEY_RAMPART_POLICY, policy);
      client.setOptions(options);
      client.engageModule("addressing");
      client.engageModule("rampart");
      response = client.sendReceive(getPayload("Hello world"));
      System.out.println(response);
     }
    
     private static OMElement getPayload(String value) {
      OMFactory factory = null;
      OMNamespace ns = null;
      OMElement elem = null;
      OMElement childElem = null;
    
      factory = OMAbstractFactory.getOMFactory();
      ns = factory.createOMNamespace("http://echo.services.core.carbon.wso2.org", "ns1");
      elem = factory.createOMElement("echoString", ns);
      childElem = factory.createOMElement("in", null);
      childElem.setText(value);
      elem.addChild(childElem);
      return elem;
     }
    }
    

    Here is the entitlement policy in the Identity Server:

    <Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="Note" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
    <Description>Note description    </Description>
    <Target>
      <AnyOf>
         <AllOf>
            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo</AttributeValue>
               <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
            </Match>
         </AllOf>
      </AnyOf>
    </Target>
    <Rule Effect="Permit" RuleId="primary-group-rule">
      <Target>
         <AnyOf>
            <AllOf>
               <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
                  <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
               </Match>
            </AllOf>
         </AnyOf>
      </Target>
      <Condition>
         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
               <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
            </Apply>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
         </Apply>
      </Condition>
    </Rule>
    <Rule Effect="Deny" RuleId="deny-rule"/>
    </Policy>
    

    Here is the EntitlementService source in the ESB:

    <?xml version="1.0" encoding="UTF-8"?>
    <proxy xmlns="http://ws.apache.org/ns/synapse"
       name="EntitlementService"
       transports="https"
       statistics="disable"
       trace="disable"
       startOnLoad="true">
    <target>
      <inSequence>
         <entitlementService remoteServiceUrl="https://localhost:9445/services/"
                             remoteServiceUserName="admin"
                             remoteServicePassword="enc:kuv2MubUUveMyv6GeHrXr9il59ajJIqUI4eoYHcgGKf/BBFOWn96NTjJQI+wYbWjKW6r79S7L7ZzgYeWx7DlGbff5X3pBN2Gh9yV0BHP1E93QtFqR7uTWi141Tr7V7ZwScwNqJbiNoV+vyLbsqKJE7T3nP8Ih9Y6omygbcLcHzg=">
            <onReject/>
            <onAccept/>
            <obligations/>
            <advice/>
         </entitlementService>
         <header name="wsse:Security" scope="transport" action="remove"/>
         <send/>
         <drop/>
      </inSequence>
      <outSequence>
         <send/>
         <drop/>
      </outSequence>
    </target>
    <enableSec/>
    <policy key="conf:/repository/axis2/service-groups/EntitlementService/services/EntitlementService/policies/UTOverTransport"/>
    <description/>
    </proxy>
    

    In the ESB SOAP Message Tracer I can see the following request message:

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
      <soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
         <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
            <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-1">
               <wsu:Created>2013-08-05T06:10:20.503Z</wsu:Created>
               <wsu:Expires>2013-08-05T06:15:20.503Z</wsu:Expires>
            </wsu:Timestamp>
            <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-2">
               <wsse:Username>aaa</wsse:Username>
               <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">admin</wsse:Password>
            </wsse:UsernameToken>
         </wsse:Security>
         <wsa:To>http://localhost:8280/services/echo</wsa:To>
         <wsa:MessageID>urn:uuid:269da889-ce33-4138-b050-3f4913dbbc17</wsa:MessageID>
         <wsa:Action>urn:echoString</wsa:Action>
      </soapenv:Header>
      <soapenv:Body>
         <ns1:echoString xmlns:ns1="http://echo.services.core.carbon.wso2.org">
            <in>Hello world</in>
         </ns1:echoString>
      </soapenv:Body>
    </soapenv:Envelope>
    

    and the following response:

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
      <wsa:Action>urn:echoStringResponse</wsa:Action>
      <wsa:RelatesTo>urn:uuid:269da889-ce33-4138-b050-3f4913dbbc17</wsa:RelatesTo>
    </soapenv:Header>
    <soapenv:Body>
      <ns:echoStringResponse xmlns:ns="http://echo.services.core.carbon.wso2.org">
         <return>Hello world</return>
      </ns:echoStringResponse>
    </soapenv:Body>
    </soapenv:Envelope>
    

    But in the Identity Server SOAP Message Tracer, both the request message and the response message are empty. It looks like the ESB does not send any message to the Identity Server.

    Does anyone know what is going wrong?
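As an added diagnostic (not part of the question, and not WSO2 or Rampart code), the following Python script runs the check a UsernameToken-plus-Timestamp policy performs against two envelopes constructed from the traces above: the request, whose wsse:Security header carries a UsernameToken and a Timestamp, and the response, which has no wsse:Security header at all. The stack trace shows Rampart raising "Missing wsse:Security header in request" inside OutInAxisOperationClient.handleResponse, so the script is meant to be pointed at whichever captured envelope is being rejected; the sample envelopes, `inspect_security_header` and the `now` clock parameter are assumptions for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Namespaces seen in the captured envelopes (SOAP 1.1, WSS 1.0 secext, WSS utility).
NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
WSU_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"

# Constructed sample, trimmed from the request the ESB tracer showed: UsernameToken plus Timestamp.
REQUEST_XML = """<soapenv:Envelope xmlns:soapenv="{soapenv}"><soapenv:Header>
<wsse:Security xmlns:wsse="{wsse}" soapenv:mustUnderstand="1">
<wsu:Timestamp xmlns:wsu="{wsu}"><wsu:Created>2013-08-05T06:10:20.503Z</wsu:Created>
<wsu:Expires>2013-08-05T06:15:20.503Z</wsu:Expires></wsu:Timestamp>
<wsse:UsernameToken><wsse:Username>aaa</wsse:Username></wsse:UsernameToken>
</wsse:Security></soapenv:Header><soapenv:Body/></soapenv:Envelope>""".format(**NS)

# Constructed sample, trimmed from the response the tracer showed: no wsse:Security header at all.
RESPONSE_XML = """<soapenv:Envelope xmlns:soapenv="{soapenv}"><soapenv:Header/>
<soapenv:Body/></soapenv:Envelope>""".format(**NS)


def inspect_security_header(envelope_xml, now="2013-08-05T06:12:00.000Z"):
    """Report what a UsernameToken-plus-Timestamp check finds in one SOAP envelope.
    `now` (wsu format) is the clock the Timestamp is validated against; the default
    sits inside the sample window so the constructed request validates offline."""
    root = ET.fromstring(envelope_xml)
    result = {"has_security": False, "username": None, "timestamp_valid": None, "issues": []}
    sec = root.find("soapenv:Header/wsse:Security", NS)
    if sec is None:  # the condition Rampart reports for the captured response
        result["issues"].append("Missing wsse:Security header")
        return result
    result["has_security"] = True
    user = sec.find("wsse:UsernameToken/wsse:Username", NS)
    if user is None:
        result["issues"].append("No UsernameToken")
    else:
        result["username"] = user.text
    ts = sec.find("wsu:Timestamp", NS)
    if ts is None:
        result["issues"].append("No wsu:Timestamp")
        return result
    created = datetime.strptime(ts.find("wsu:Created", NS).text, WSU_FMT)
    expires = datetime.strptime(ts.find("wsu:Expires", NS).text, WSU_FMT)
    result["timestamp_valid"] = created <= datetime.strptime(now, WSU_FMT) <= expires
    if not result["timestamp_valid"]:
        result["issues"].append("Timestamp outside Created/Expires window")
    return result
```

Running it on the constructed request reports a present header with user `aaa` and a valid Timestamp, while the constructed response reports only "Missing wsse:Security header", which is the same condition the client-side Rampart engine complains about in the trace.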

1 answer:

Answer 0 (score: 0)

First of all, WSO2 ESB 4.7.0 and WSO2 IS 4.1.0 are not compatible versions. You can either use ESB 4.6.0 with IS 4.1.0, or use WSO2 IS 4.5.0 (to be released soon) with the current ESB.

The error you are getting, 'Missing wsse:Security header in request', may be because of the BasicAuth scheme, which first sends the request without the username and password and lets the server issue a challenge. Only after receiving the challenge does the client send the basicAuth parameters.

Cheers,

Pushpalanka