在安全标头中使用nonce从java调用soap webservice

时间:2015-02-13 13:54:09

标签: java soap ws-security nonce

我正在尝试从java调用web服务。这基本上并不困难,除了webservice期望以用户名和密码以及nonce形式的某些安全性。 当我尝试从SoapUi调用web服务时,我看到原始消息看起来像这样:

<soapenv:Envelope xmlns:sch="http://somedomain.com/pe/ws/schema"
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header>
        <wsse:Security soapenv:mustUnderstand="1"
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsse:UsernameToken wsu:Id="UsernameToken-E70691ACBDEFEC750814238295617871">
                <wsse:Username>usr</wsse:Username>
                <wsse:Password
                    Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"
                    >pw</wsse:Password>
                <wsse:Nonce
                    EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                    >4smQZF5KMSktEXrQc0v5yw==</wsse:Nonce>
                <wsu:Created>2015-02-13T12:12:41.784Z</wsu:Created>
            </wsse:UsernameToken>
        </wsse:Security>
    </soapenv:Header>
    <soapenv:Body>
        <sch:EventSubmitRequest>
            <sch:Event>
                <sch:EventId>392</sch:EventId>
                <sch:Recoverable>false</sch:Recoverable>
            </sch:Event>
        </sch:EventSubmitRequest>
    </soapenv:Body>
</soapenv:Envelope>

消息中明显的元素是用户名,密码和创建,但令我困惑的是nonce。在该示例中,该字段具有值4smQZF5KMSktEXrQc0v5yw ==,但是每个请求处的该值差异(这是有意义的,因为根据维基百科,nonce是仅使用一次的任意数字)。在搜索时,我找不到任何有关如何在java中生成nonce的可用示例(尽管我在堆栈溢出时发现了一些php示例,但我无法轻松验证它们的工作天气)。虽然我不介意自己构建这个nonce,但我想知道这是否真的有必要,我希望这是java中的标准功能。

以下是我正在使用的代码:

import java.text.SimpleDateFormat;
import java.util.Calendar;
import javax.xml.namespace.QName;
import javax.xml.soap.*;
import javax.xml.transform.*;
import javax.xml.transform.stream.*;

public class soaptest {

    public static void main(String args[]) {
        try {
            // Create SOAP Connection
            SOAPConnectionFactory soapConnectionFactory = SOAPConnectionFactory.newInstance();
            SOAPConnection soapConnection = soapConnectionFactory.createConnection();

            // Send SOAP Message to SOAP Server
            String url = "http://142.10.10.52:8080/pe/ws/pe/";
            SOAPMessage soapResponse = soapConnection.call(createSOAPRequest(), url);

            // Process the SOAP Response
            printSOAPResponse(soapResponse);

            soapConnection.close();
        } catch (Exception e) {
            System.err.println("Error occurred while sending SOAP Request to Server");
            e.printStackTrace();
        }
    }

    private static SOAPMessage createSOAPRequest() throws Exception {
        MessageFactory messageFactory = MessageFactory.newInstance();
        SOAPMessage soapMessage = messageFactory.createMessage();
        SOAPPart soapPart = soapMessage.getSOAPPart();

        SOAPEnvelope envelope = soapPart.getEnvelope();
        SOAPHeader header = soapMessage.getSOAPHeader();

        SOAPElement security = header.addChildElement("Security", "wsse", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd");

        SOAPElement usernameToken = security.addChildElement("UsernameToken", "wsse");
        usernameToken.addAttribute(new QName("xmlns:wsu"), "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd");

        SOAPElement username = usernameToken.addChildElement("Username", "wsse");
        username.addTextNode("usr");

        SOAPElement password = usernameToken.addChildElement("Password", "wsse");
        password.setAttribute("Type", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText");
        password.addTextNode("pw");

        SOAPElement nonce = usernameToken.addChildElement("Nonce", "wsse");
        nonce.setAttribute("EncodingType", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary");
        nonce.addTextNode("???");

        SOAPElement created = usernameToken.addChildElement("Created", "wsse");
        SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'");
        Calendar c1 = Calendar.getInstance();
        created.addTextNode(sdf.format(c1.getTime()));

        String serverURI = "http://somedomain.com/pe/ws/schema";

        envelope.addNamespaceDeclaration("sch", serverURI);

        // SOAP Body
        SOAPBody soapBody = envelope.getBody();
        SOAPElement soapBodyElem = soapBody.addChildElement("EventSubmitRequest", "sch");
        SOAPElement soapBodyElem1 = soapBody.addChildElement("Event", "sch");
        soapBodyElem.addChildElement(soapBodyElem1);

        SOAPElement soapBodyElem2 = soapBodyElem1.addChildElement("EventId", "sch");
        soapBodyElem2.addTextNode("392");
        SOAPElement soapBodyElem3 = soapBodyElem1.addChildElement("Recoverable", "sch");
        soapBodyElem3.addTextNode("false");

        MimeHeaders headers = soapMessage.getMimeHeaders();
        headers.addHeader("SOAPAction", serverURI  + "EventSubmitRequest");

        soapMessage.saveChanges();

        /* Print the request message */
        System.out.print("Request SOAP Message = ");
        soapMessage.writeTo(System.out);
        System.out.println();

        return soapMessage;
    }

    /**
     * Method used to print the SOAP Response
     */
    private static void printSOAPResponse(SOAPMessage soapResponse) throws Exception {
        TransformerFactory transformerFactory = TransformerFactory.newInstance();
        Transformer transformer = transformerFactory.newTransformer();
        Source sourceContent = soapResponse.getSOAPPart().getContent();
        System.out.print("\nResponse SOAP Message = ");
        StreamResult result = new StreamResult(System.out);
        transformer.transform(sourceContent, result);
    }

}

1 个答案:

答案 0 :(得分:4)

UsernameToken的Oasis reference帮我填写了一些空白。在这种情况下,第7,8,9页是最合适的。特别是这些部分

  

/ wsse:UsernameToken / wsse:Nonce

     

此可选元素指定加密随机的随机数。每条消息   包括一个元素必须使用新的nonce值为web   服务生产者检测重放攻击。

  

/的wsse:UsernameToken的/的wsse:现时标志/ @编码类型

     

此可选属性URI指定随机数的编码类型(请参阅。的定义)   &LT;的wsse:的BinarySecurityToken&GT;对于有效值)。如果未指定此属性,则   使用默认的Base64编码。

关于生成密码随机的&#39; nonce,可以建议你使用this answer,然后从中创建一个编码的字符串。在您的情况下为Base64编码,因为这是您在上面的XML请求中使用的encodingType。