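I have a fresh installation of WSO2 ESB 4.9.0 and I am trying to secure a proxy service with HTTP Basic authentication, but I have failed.
I tried this tutorial from the official documentation, but that approach only works up to 4.8.1. In version 4.9.0 I cannot click on Security to open the security page for the service.
So I tried another approach:
I created the policy UTOverTransport in the registry (copied from 4.8.1).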
<wsp:Policy wsu:Id="UTOverTransport" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsp:ExactlyOne>
<wsp:All>
<sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken RequireClientCertificate="false"/>
</wsp:Policy>
</sp:TransportToken>
<sp:AlgorithmSuite xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:Basic256/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Lax/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
</wsp:Policy>
</sp:TransportBinding>
<sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:UsernameToken xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
</wsp:Policy>
</sp:SignedSupportingTokens>
</wsp:All>
</wsp:ExactlyOne>
<rampart:RampartConfig xmlns:rampart="http://ws.apache.org/rampart/policy">
<rampart:encryptionUser>useReqSigCert</rampart:encryptionUser>
<rampart:timestampPrecisionInMilliseconds>true</rampart:timestampPrecisionInMilliseconds>
<rampart:timestampTTL>300</rampart:timestampTTL>
<rampart:timestampMaxSkew>300</rampart:timestampMaxSkew>
<rampart:timestampStrict>false</rampart:timestampStrict>
<rampart:tokenStoreClass>org.wso2.carbon.security.util.SecurityTokenStore</rampart:tokenStoreClass>
<rampart:nonceLifeTime>300</rampart:nonceLifeTime>
</rampart:RampartConfig>
</wsp:Policy>
In the proxy service configuration I added:
<parameter name="allowRoles">admin</parameter>
<parameter name="ScenarioID">scenario1</parameter>
<enableSec/>
<policy key="conf:/repository/policies/UTOverTransport"/>
Now in the management console I can see that the proxy service is secured, but when I call this service I get the error:
java.lang.ClassCastException: org.apache.axiom.om.impl.dom.ElementImpl cannot be cast to org.apache.axiom.soap.SOAPHeaderBlock
org.wso2.carbon.security.pox.POXSecurityHandler.isSOAPWithoutSecHeader(POXSecurityHandler.java:362)
org.wso2.carbon.security.pox.POXSecurityHandler.invoke(POXSecurityHandler.java:102)
org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
Request:
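I also tried to secure the proxy through the API, using SecurityAdminService and its applySecurity operation (this worked in 4.8.1), but I get the error org.apache.axis2.AxisFault: service with the name test not found.
Can someone help me and explain how to do this?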
Answer 0: (score: 4)
The policy file for basic authentication (with a username token) should look like this:
<wsp:Policy wsu:Id="UTOverTransport"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsp:ExactlyOne>
<wsp:All>
<sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken RequireClientCertificate="false"/>
</wsp:Policy>
</sp:TransportToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Lax/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
</wsp:Policy>
</sp:TransportBinding>
<sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
</wsp:Policy>
</sp:SignedSupportingTokens>
</wsp:All>
</wsp:ExactlyOne>
<rampart:RampartConfig xmlns:rampart="http://ws.apache.org/rampart/policy">
<rampart:user>wso2carbon</rampart:user>
<rampart:encryptionUser>useReqSigCert</rampart:encryptionUser>
<rampart:timestampPrecisionInMilliseconds>true</rampart:timestampPrecisionInMilliseconds>
<rampart:timestampTTL>300</rampart:timestampTTL>
<rampart:timestampMaxSkew>300</rampart:timestampMaxSkew>
<rampart:timestampStrict>false</rampart:timestampStrict>
<rampart:tokenStoreClass>org.wso2.carbon.security.util.SecurityTokenStore</rampart:tokenStoreClass>
<rampart:nonceLifeTime>300</rampart:nonceLifeTime>
</rampart:RampartConfig>
<sec:CarbonSecConfig xmlns:sec="http://www.wso2.org/products/carbon/security">
<sec:Authorization>
<sec:property name="org.wso2.carbon.security.allowedroles">admin</sec:property>
</sec:Authorization>
</sec:CarbonSecConfig>
</wsp:Policy>
Add this to the proxy service configuration:
<policy key="conf:/repository/policies/UTOverTransport"/>
<enableSec/>
conf:/repository/policies/UTOverTransport is the path to the policy file.
Developer Studio is not required.
I hope this helps.
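The kind of request the UTOverTransport policy above asks for, as an added example that is not part of the original question or answers: a SOAP 1.1 envelope carrying a wsu:Timestamp and a plaintext wsse:UsernameToken, plus a pre-flight check that the call goes over HTTPS and the timestamp is still valid. The user name, password, host name and the helper names build_envelope and policy_violations are constructed for illustration; the 300-second lifetime mirrors timestampTTL.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
OASIS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
WSSE = OASIS + "wssecurity-secext-1.0.xsd"
WSU = OASIS + "wssecurity-utility-1.0.xsd"
PASSWORD_TEXT = OASIS + "username-token-profile-1.0#PasswordText"
FMT = "%Y-%m-%dT%H:%M:%S.%fZ"

def stamp(t):
    # Millisecond precision, as timestampPrecisionInMilliseconds=true asks for.
    return t.strftime(FMT)[:-4] + "Z"

def build_envelope(user, password, now, ttl=300):
    """SOAP 1.1 envelope with a wsu:Timestamp and a plaintext UsernameToken."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE}}}Security")
    ts = ET.SubElement(sec, f"{{{WSU}}}Timestamp")  # sp:IncludeTimestamp
    ET.SubElement(ts, f"{{{WSU}}}Created").text = stamp(now)
    ET.SubElement(ts, f"{{{WSU}}}Expires").text = stamp(now + timedelta(seconds=ttl))
    token = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")  # sp:UsernameToken
    ET.SubElement(token, f"{{{WSSE}}}Username").text = user
    ET.SubElement(token, f"{{{WSSE}}}Password", {"Type": PASSWORD_TEXT}).text = password
    ET.SubElement(env, f"{{{SOAP}}}Body")  # service payload would go here
    return ET.tostring(env, encoding="unicode")

def policy_violations(envelope_xml, url, now):
    """Pre-flight check of a request against what the policy asserts."""
    problems = []
    if not url.lower().startswith("https://"):
        # The password is sent in clear text, so only TLS protects it.
        problems.append("transport is not HTTPS (sp:HttpsToken)")
    sec = ET.fromstring(envelope_xml).find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    if sec is None or sec.find(f"{{{WSSE}}}UsernameToken") is None:
        problems.append("no wsse:UsernameToken (sp:UsernameToken)")
    expires = None if sec is None else sec.findtext(f"{{{WSU}}}Timestamp/{{{WSU}}}Expires")
    if expires is None:
        problems.append("no wsu:Timestamp (sp:IncludeTimestamp)")
    elif datetime.strptime(expires, FMT).replace(tzinfo=timezone.utc) < now:
        problems.append("wsu:Timestamp has expired")
    return problems

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    # Constructed credentials and host name, not values from the page.
    request = build_envelope("example-user", "example-password", now)
    print(request)
    print(policy_violations(request, "https://esb.example.test/services/test", now))
```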
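Answer 1: (score: 0)
Starting with ESB 4.9.0, all of these quality of service (QoS) features were removed from the WSO2 ESB management console. We therefore recommend that you use WSO2 Developer Studio 3.8, which is compatible with ESB 4.9.0, for QoS-related tasks such as security and reliability.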