Rampart PostDispatchVerificationHandler:InvalidSecurity - 找不到安全策略

时间:2013-10-25 18:44:40

标签: java web-services axis2 ws-security rampart

修改

我稍稍调整了Rampart配置,现在我又陷入了另一个角落。

在Rampart的PostDispatchVerificationHandler中抛出异常,因为尚未处理安全标头。

// If a security header is there and Rampart is engaged, it has to be processed.  
// If it is not processed, there must have been a problem in picking the policy 

SOAPHeaderBlock secHeader = getSecurityHeader(msgContext);
if (secHeader != null && (secHeader.isProcessed() == false)) {
     throw new AxisFault("InvalidSecurity - Security policy not found");
}

日志:

[DEBUG] [MessageContext: logID=a5012f2f13095af97123a192575c50a7f727850f3a9ecfc5] Invoking Handler 'HTTPLocationBasedDispatcher' in Phase 'Dispatch'
[DEBUG] [MessageContext: logID=a5012f2f13095af97123a192575c50a7f727850f3a9ecfc5] Invoking Handler 'Post dispatch security verification handler' in Phase 'Dispatch'
[ERROR] InvalidSecurity - Security policy not found
org.apache.axis2.AxisFault: InvalidSecurity - Security policy not found
    at org.apache.rampart.handler.PostDispatchVerificationHandler.invoke(PostDispatchVerificationHandler.java:189)
    at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
    at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
    at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:262)
    at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:168)
    at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:364)
    at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:421)
    at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:229)
    at org.apache.axis2.client.OperationClient.execute(OperationClient.java:165)
    at webservices.chargepoint.com.dictionary.ChargepointservicesStub.getCPNInstances(ChargepointservicesStub.java:5361)
    at webservices.chargepoint.com.dictionary.Chargepoint.<init>(Chargepoint.java:180)
    at webservices.chargepoint.com.dictionary.Chargepoint.main(Chargepoint.java:81)
[DEBUG] [MessageContext: logID=a5012f2f13095af97123a192575c50a7f727850f3a9ecfc5] Invoking flowComplete() in Phase "Dispatch"

...

org.apache.axis2.AxisFault: InvalidSecurity - Security policy not found
    at org.apache.rampart.handler.PostDispatchVerificationHandler.invoke(PostDispatchVerificationHandler.java:189)
    at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
    at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
    at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:262)
    at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:168)
    at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:364)
    at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:421)
    at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:229)
    at org.apache.axis2.client.OperationClient.execute(OperationClient.java:165)
    at webservices.chargepoint.com.dictionary.ChargepointservicesStub.getCPNInstances(ChargepointservicesStub.java:5361)
    at webservices.chargepoint.com.dictionary.Chargepoint.<init>(Chargepoint.java:180)
    at webservices.chargepoint.com.dictionary.Chargepoint.main(Chargepoint.java:81)

这是安全标题:

<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" soapenv:mustUnderstand="1">
<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsu:Created>2013-12-16T23:07:03.868Z</wsu:Created>
<wsu:Expires>2013-12-16T23:12:03.868Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>

这是Rampart的政策文件:

<wsp:Policy wsu:Id="UsernameToken" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
        </wsp:Policy>
      </sp:SupportingTokens>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>

用户凭据在Java代码中设置:

Options options = stubWeb._getServiceClient().getOptions();
try
{
    options.setProperty(RampartMessageData.KEY_RAMPART_POLICY,
                        loadPolicy("policy.xml"));
}
catch (XMLStreamException e1)
{
    // TODO Auto-generated catch block
    e1.printStackTrace();
}
options.setUserName("xxx");
options.setPassword("yyy");

stubWeb._getServiceClient().setOptions(options);
stubWeb._getServiceClient().engageModule("rampart");

原帖:

我一直在谷歌搜索这个错误好几天,但我没有想法。

Axis2为基于此WSDL的SOAP Web服务生成代码:https://webservices.chargepoint.com/cp_api_4.1.wsdl

使用soapUI一切正常,我也可以使用我本地Tomcat服务器的代码获得一些模拟响应。 尝试使用Java客户端连接到Web服务时,我总是收到此错误:

  

org.apache.axis2.AxisFault:必须了解标题检查失败   http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd   :安全

这是我的代码(用户名和密码被隐藏):

public static void main(String[] args)
{
    log4j.getRootLogger().setLevel(Level.DEBUG);
    GetCPNInstancesResponse resp = new GetCPNInstancesResponse();

    ChargepointservicesStub stubWeb = null;
    try
    {
        ConfigurationContext ctx = ConfigurationContextFactory.createConfigurationContextFromFileSystem("/Users/jonas/projects/workspace_openHAB/axis2-1.6.2_clean/repository", null);   
        stubWeb = new ChargepointservicesStub(ctx);    
        GetCPNInstances cpn = new GetCPNInstances();        
        SOAPFactory sfac = OMAbstractFactory.getSOAP11Factory(); 
        stubWeb._getServiceClient().engageModule("rampart");

        OMFactory omFactory = OMAbstractFactory.getOMFactory();
        OMNamespace wsseNamespace = omFactory.createOMNamespace("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", "wsse");
        OMElement omSecurityElement = omFactory.createOMElement("Security", wsseNamespace);
//          omSecurityElement.addAttribute("soapenv:mustUnderstand", "1", null);
//          OMNamespace soapenv = omFactory.createOMNamespace("http://schemas.xmlsoap.org/soap/envelope/", "soapenv");
//          omSecurityElement.addAttribute("mustUnderstand", "1", soapenv);

        OMElement omusertoken = omFactory.createOMElement("UsernameToken", wsseNamespace);
        OMElement omuserName = omFactory.createOMElement("Username", wsseNamespace);
        omuserName.setText("yyy");
        OMElement omPassword = omFactory.createOMElement("Password", wsseNamespace);
        omPassword.setText("xxx");
        omPassword.addAttribute("Type", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText", null);

        omusertoken.addChild(omuserName);
        omusertoken.addChild(omPassword);
        omSecurityElement.addChild(omusertoken);

        SOAPHeaderBlock block = ElementHelper.toSOAPHeaderBlock(omSecurityElement, sfac);
        block.setMustUnderstand(true);
        stubWeb._getServiceClient().addHeader(block);

        resp = stubWeb.getCPNInstances(cpn);
    } catch (Exception e)
    {
        // TODO Auto-generated catch block
        e.printStackTrace();
    }
}

生成此请求:

[DEBUG] >> "<?xml version='1.0' encoding='UTF-8'?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
        <wsse:UsernameToken>
        <wsse:Username>yyy</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">xxx</wsse:Password>
        </wsse:UsernameToken>
    </wsse:Security>
    </soapenv:Header>
    <soapenv:Body>
    <ns1:getCPNInstances xmlns:ns1="urn:dictionary:com.chargepoint.webservices" />
    </soapenv:Body>
</soapenv:Envelope>"

完全相同的请求适用于soapUI。

服务器也通过我的代码收到正确的响应:

<?xml version='1.0' encoding='utf-8'?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header>
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1"><wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsu:Created>2013-10-25T16:54:30.767Z</wsu:Created>
            <wsu:Expires>2013-10-25T16:59:30.767Z</wsu:Expires></wsu:Timestamp>
        </wsse:Security>
    </soapenv:Header>
    <soapenv:Body>
        <ns1:getCPNInstancesResponse xmlns:ns1="urn:dictionary:com.chargepoint.webservices">
            <CPN>
                <cpnID>1</cpnID>
                <cpnName>USA</cpnName>
                <cpnDescription>ChargePoint Operations</cpnDescription>
            </CPN>
            <CPN>
                <cpnID>2</cpnID>
                <cpnName>EU</cpnName>
                <cpnDescription>ChargePoint Europe</cpnDescription>
            </CPN>
            <CPN>
                <cpnID>3</cpnID>
                <cpnName>AU</cpnName>
                <cpnDescription>ChargePoint Australia</cpnDescription>
            </CPN>
        </ns1:getCPNInstancesResponse>
    </soapenv:Body>
</soapenv:Envelope>

然后安全模块搞砸了。

这是调试日志的一部分:

[DEBUG] XMLStreamWriter is org.apache.axiom.util.stax.dialect.WoodstoxStreamWriterWrapper 
[DEBUG] Calling MTOMXMLStreamWriter.flush 
[DEBUG] forceExpand: expanding element {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security 
[DEBUG] forceExpand stack java.lang.Exception: Debug Stack Trace    
at org.apache.axiom.om.impl.llom.OMSourcedElementImpl.forceExpand(OMSourcedElementImpl.java:264)    
at org.apache.axiom.om.impl.llom.OMSourcedElementImpl.getAttribute(OMSourcedElementImpl.java:416)   
at org.apache.axiom.soap.impl.llom.SOAPHeaderBlockImpl.setAttribute(SOAPHeaderBlockImpl.java:91)    
at org.apache.axiom.soap.impl.llom.soap11.SOAP11HeaderBlockImpl.setMustUnderstand(SOAP11HeaderBlockImpl.java:105)   
at chargepoint.com.dictionary.Chargepoint.main(Chargepoint.java:74)

当我使用

  

omSecurityElement.addAttribute(“soapenv:mustUnderstand”,“1”,null);

而不是

  

block.setMustUnderstand(真);

上面的例外消失了,我收到了这个错误:

[DEBUG] serialize OutputStream optimisation: false [DEBUG] getReader [DEBUG] 
XMLStreamReader is org.apache.axiom.util.stax.dialect.WoodstoxStreamReaderWrapper 
org.apache.axiom.om.OMException: com.ctc.wstx.exc.WstxParsingException: Undeclared namespace prefix "soapenv" (for attribute "mustUnderstand")  at [row,col {unknown-source}]: [1,137] 
at org.apache.axiom.om.impl.builder.StAXOMBuilder.next(StAXOMBuilder.java:296)  
at org.apache.axiom.om.impl.llom.OMDocumentImpl.buildNext(OMDocumentImpl.java:153)  
at org.apache.axiom.om.impl.llom.OMDocumentImpl.getFirstOMChild(OMDocumentImpl.java:242) 
at org.apache.axiom.om.impl.llom.OMDocumentImpl.getChildren(OMDocumentImpl.java:204)

使用此代码,错误消失但问题仍然存在。

OMNamespace soapenv = omFactory.createOMNamespace("http://schemas.xmlsoap.org/soap/envelope/", "soapenv");
omSecurityElement.addAttribute("mustUnderstand", "1", soapenv);

这是调试日志中最有趣的部分:

[DEBUG] [MessageContext: logID=ca3f0db9a4fb557a33edc579a48f31508ff1f2b457c617f6] Invoking phase "Security"
[DEBUG] [MessageContext: logID=ca3f0db9a4fb557a33edc579a48f31508ff1f2b457c617f6] Invoking Handler 'SecurityOutHandler' in Phase 'Security'
[DEBUG] WSDoAllReceiver: enter invoke() 
[DEBUG] Signature crypto property file is not set. Property file key - signaturePropFile
[DEBUG] Signature crypto property file is not set. Property file key - signaturePropFile
[DEBUG] WSDoAllReceiver: exit invoke()

...

[DEBUG] [MessageContext: logID=ba3f0db9a4fb557a33edc579a48f31508ff1f2b457c617f6] Checking post-conditions for phase "OperationInPhase"
[DEBUG] MustUnderstand header not processed or registered as understood{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security
[DEBUG] org.apache.axis2.i18n.resource::handleGetObject(mustunderstandfailed)
[ERROR] Must Understand check failed for header http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd : Security
org.apache.axis2.AxisFault: Must Understand check failed for header http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd : Security
    at org.apache.axis2.engine.AxisEngine.checkMustUnderstand(AxisEngine.java:105)

您可以在此处查看整个调试日志:https://drive.google.com/file/d/0B_iw7qzMyYhOSDNEMW5oOHgzY0k/edit?usp=sharing

如果您有任何建议如何解决这个问题,我将非常感激。

2 个答案:

答案 0 :(得分:1)

我承认我不熟悉这些技术,但我发现SOAPHeaderBlock.setProcessed的Javadoc很有趣:

我们需要知道节点是否已经处理了所有mustUnderstand头。这将由执行链末尾的特定验证处理程序完成。对于这个处理特定头块的所有处理程序必须明确说他通过调用setProcessed()

来处理[sic]标题

所以也许这样的事情必须发生?

SOAPHeaderBlock block = ElementHelper.toSOAPHeaderBlock(omSecurityElement, sfac);
block.setProcessed();

可以找到另一种可能性here,其中海报通过添加以下内容来更改Rampart配置文件META-INF/module.xml的内容:

<InFaultFlow>
    <handler name="PolicyBasedSecurityInHandler" class="org.apache.rampart.handler.RampartReceiver">
        <order phase="Security" phaseFirst="true"/>
    </handler>
    <handler name="SecurityInHandler" class="org.apache.rampart.handler.WSDoAllReceiver">
        <order phase="Security"/>
    </handler>
    <handler name="PostDispatchVerificationHandler" class="org.apache.rampart.handler.PostDispatchVerificationHandler">
        <order phase="Dispatch" phaseLast="true"/>
    </handler>
</InFaultFlow> 

我发现这不太可能成为问题,但你的问题似乎令人沮丧,我想我会把它扔出去。

祝你好运。

答案 1 :(得分:1)

这可能不是解决方案。我有同样的情况,我使用wsdl2java工具生成的存根。我发送请求时不包括安全标头。所以我使用ServiceClient类创建了请求,然后导入策略。它看起来像这样

ConfigurationContext ctx = ConfigurationContextFactory.createConfigurationContextFromFileSystem("clientrepo", null);

ServiceClient sc = new ServiceClient(ctx, null);
sc.engageModule("rampart");   

        // create option object
Options opts = new Options();
        // setting target EPR
opts.setTo(new EndpointReference(serviceUrl);

opts.setAction("urn:something");

try {
    opts.setProperty(RampartMessageData.KEY_RAMPART_POLICY,
                          loadPolicy("policy.xml"));
    } catch (Exception e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
    }
sc.setOptions(opts);
OMElement res = sc.sendReceive(payload);

加载政策

 public Policy loadPolicy(String xmlPath) throws Exception {

    StAXOMBuilder builder = new StAXOMBuilder(xmlPath);
    Policy policy = PolicyEngine.getPolicy(builder.getDocumentElement());

    RampartConfig rc = new RampartConfig();
    rc.setUser(username);
    rc.setPwCbClass(PWDCallBackHandler.class.getName());

    CryptoConfig sigCryptoConfig = new CryptoConfig();
    sigCryptoConfig.setProvider("org.apache.ws.security.components.crypto.Merlin");

    Properties prop1 = new Properties();
    prop1.put("org.apache.ws.security.crypto.merlin.keystore.type", "JKS");
    prop1.put("org.apache.ws.security.crypto.merlin.file", AppConstants.KEYSTORE);
    prop1.put("org.apache.ws.security.crypto.merlin.keystore.password",
              password);
    sigCryptoConfig.setProp(prop1);

    rc.setSigCryptoConfig(sigCryptoConfig);
    policy.addAssertion(rc);
    return policy;
}