I am calling a Java web service hosted on WebSphere Application Server (WAS) from WebSphere Enterprise Service Bus (WESB). The provider has security enabled using JAAS, so I created a WS-Security UsernameToken client policy set for my module. The trace of my outbound call from WESB looks like this:
```xml
<soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <s:Security xmlns:s="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
              xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
              soapenv:mustUnderstand="1">
    <s:UsernameToken>
      <s:Username>**username**</s:Username>
      <s:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">**password**</s:Password>
    </s:UsernameToken>
  </s:Security>
</soapenv:Header>
```
But the provider expects the security payload to look like the following, with some namespaces carried on the UsernameToken:

```xml
<soapenv:Header>
  <wsse:Security wsse:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <wsse:UsernameToken>
      <wsse:Username wsu:Id="UsernameToken-1" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">**username**</wsse:Username>
      <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">**password**</wsse:Password>
    </wsse:UsernameToken>
  </wsse:Security>
</soapenv:Header>
```
I get the following error when calling the Java service:

```
AxisEngine    E org.apache.axis2.engine.AxisEngine receive Must Understand check failed for header soapenv : {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security
org.apache.axis2.AxisFault: Must Understand check failed for header soapenv : {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security
    at org.apache.axis2.jaxws.handler.HandlerUtils.checkUnprocessed(HandlerUtils.java:196)
    at org.apache.axis2.jaxws.handler.HandlerUtils.checkMustUnderstand(HandlerUtils.java:163)
    at org.apache.axis2.jaxws.server.EndpointController.inboundHeaderAndHandlerProcessing(EndpointController.java:363)
```
Is creating a WS-Security client policy set the right way to handle JAAS, or do I have to handle it differently?

Answer 0 (score: 1)
The wsu namespace on the UsernameToken in your second example is there for wsu:Id. A wsu:Id is only needed when something references that element. Nothing references it, so it is not needed.

If you were getting an error because the security handler did not like the fact that wsu:Id was missing, you would get a SoapSecurityException, not a MustUnderstand check.

A MustUnderstand check means that you sent a header that no handler in the runtime marked as processed. Either no handler was registered to handle it, or the registered handler did not mark the header as processed. For a security header, this usually means that no WS-Security constraint was applied.

You can verify whether a WS-Security constraint is applied by sending a message without a security header.

What happens if you send a message that contains a security header like your second example?

Does your client have a security constraint on the response? If you don't have a response constraint but the server sends a security header in the response, you will get the same error.

This is what I would do:
1) Enable the WS-Security trace on the WAS server:

```
com.ibm.ws.webservices.wssecurity.*=all:com.ibm.wsspi.wssecurity.*=all:com.ibm.ws.wssecurity.*=all:com.ibm.websphere.wssecurity.*=all:com.ibm.xml.soapsec.*=all:com.ibm.ws.webservices.trace.*=all:com.ibm.ws.websvcs.trace.*=all:com.ibm.ws.wssecurity.platform.audit.*=off:com.ibm.ws.webservices.multiprotocol.AgnosticService=all:com.ibm.ws.websvcs.utils.SecurityContextMigrator=all
```

2) Restart the server.
3) Send the message from the client.
4) Search the trace for 'bound HTTP'.
4a) You should see the Inbound HTTP SOAP Request.
4b) Search again.
4c) You should see the Outbound HTTP SOAP Response.
4ci) Is the response the expected response or an error?
4cii) If the response is an error, you have a server problem.
4ciii) If it is the expected response, does the response contain a security header?
4civ) If so, the MustUnderstand check is coming from the client, and you most likely need to apply a security response constraint to your client.
5) If you determined in step 4 that you have a server problem, search backwards in the trace (on the current thread) for something that looks like this:

```
WSSecurityCon 3   isServerSide == true
WSSecurityCon 3   no PolicyType binding
```

5a) If you see this, you have not applied a security constraint to your provider application. Here are some instructions for applying a UsernameToken policy in WebSphere (assuming your application is JAX-WS):
For those who delete posts because they contain links:
Configuring policy sets and bindings for a standalone security token (UsernameToken or LTPA token)

You can secure web services by configuring a message-level WS-Security policy set and bindings for a standalone security token, which is either a Lightweight Third Party Authentication (LTPA) token or a UsernameToken.

Before you begin

This task assumes that the service provider and client you are configuring are in the JaxWSServicesSamples application. See the documentation about accessing the samples to learn how to obtain and install this application. Specify the following trace specification on your server so that you can debug any future configuration problems that might occur:

```
*=info:com.ibm.wsspi.wssecurity.*=all:com.ibm.ws.webservices.wssecurity.*=all:com.ibm.ws.wssecurity.*=all:com.ibm.xml.soapsec.*=all:com.ibm.ws.webservices.trace.*=all:com.ibm.ws.websvcs.trace.*=all:com.ibm.ws.wssecurity.platform.audit.*=off:
```

If you use an LTPA token, you must enable application security on the application servers used by the client and the service.

About this task

This topic describes how to configure a WS-Security policy set and provider bindings for a UsernameToken or an LTPA token. For simplicity, this procedure shows how to remove the timestamp, digital signature, and encryption attributes from the policy; however, you might want to include these attributes in your final configuration. For more information, see the documentation about configuring policy sets and bindings for asymmetric XML digital signature or XML encryption with client and provider application-specific bindings.

In this task, the default provider general bindings are used for the provider application to consume the token. If a caller configuration is required, an application-specific binding is added for the provider.

Procedure
1) Create the custom policy set.
   a) In the administrative console, click Services > Policy sets > Application policy sets.
   b) Click New.
   c) Specify Name = OneTokenPolicy.
   d) Click Apply.
   e) Under Policies, click Add > WS-Security.
2) Edit the custom policy set.
   a) Remove digital signature, encryption, and timestamp:
      - In the administrative console, click WS-Security > Main policy.
      - Deselect Message level protection.
      - Click Apply.
   b) Add the UsernameToken or LTPA token:
      - Under Policy details, click Request token policies.
      - Select Add token type.
      - If you want to use a UsernameToken, select UserName. If you want to use an LTPA token, select LTPA.
      - Token name = myToken.
      - Click OK.
3) Configure the client to use the OneTokenPolicy policy set.
   a) In the administrative console, click Applications > Application types > WebSphere enterprise applications > JaxWSServicesSamples > Service client policy sets and bindings.
   b) Select the web services client resource.
   c) Click Attach Policy Set.
   d) Select OneTokenPolicy.
4) Create a custom binding for the client.
   a) Select the web services resource again.
   b) Click Assign Binding.
   c) Click New Application Specific Binding to create an application-specific binding.
   d) Specify the bindings configuration name: oneTokenClientBinding.
   e) Click Add > WS-Security.
   f) If the Main Message Security Policy Bindings panel does not display, select WS-Security.
5) Edit the custom binding for the client.
   a) Edit the identity token generator to send the identity username:
      - Click request:myToken.
      - Click Apply.
      - Click Callback handler. User name = (yourUserid), Password = (yourPassword).
        Avoid trouble: This is a userid/password that is valid on the user registry on the provider's system. If you are using LTPA tokens, the userid/password must be valid on both the consumer and provider registries.
      - (Optional) If configuring a UsernameToken, add the following WS-Security custom properties:
        com.ibm.wsspi.wssecurity.token.username.addNonce=true
        com.ibm.wsspi.wssecurity.token.username.addTimestamp=true
        These custom properties are added because they are specified on the UsernameToken consumer default general bindings. If you do not specify those properties here, you will either need to remove those properties from the default provider general bindings or create application-specific bindings for the provider that do not include those properties.
      - Click OK.
      - Click Save.
6) Configure the provider to use the OneTokenPolicy policy set.
   a) In the administrative console, click Applications > Application types > WebSphere enterprise applications > JaxWSServicesSamples > Service provider policy sets and bindings.
   b) Select the web services provider resource (OneTokenPolicy).
   c) Click Attach Policy Set.
   d) Select OneTokenPolicy.
   Note: Since no bindings are attached to the provider application, it uses the default provider general bindings for the token consumers.
7) (Optional) If you want to create a Caller configuration for the provider, create custom bindings for the provider.
   a) Select the web services provider resource again.
   b) Click Assign Binding.
   c) Click New Application Specific Binding to create an application-specific binding.
   d) Specify the bindings configuration name: oneTokenProvBinding.
   e) Click Add > WS-Security.
   f) If the Main Message Security Policy Bindings panel does not display, select WS-Security.
8) (Optional) If a Caller configuration will be created, edit the custom bindings for the provider.
   a) Click Caller > New. Name: myCaller.
   b) If using a UsernameToken, enter the following:
      Caller identity local name: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken
   c) If using an LTPA token, enter the following:
      Caller identity local name: LTPAv2
      Caller identity local URI: http://www.ibm.com/websphere/appserver/tokentype
   d) Click OK.
   e) Click Save to save your configuration changes.
9) Restart the client and the provider.
   a) Stop the client and the provider.
   b) Restart the client and the provider.
10) Test the service.
   a) Point your web browser at the JaxWSServicesSamples: http://localhost:9080/wssamplesei/demo
      Avoid trouble: Make sure you provide the correct hostname and port if your profile is not on the same machine or the port is not 9080.
   b) Select Message Type: Synchronous Echo.
   c) Make sure Use SOAP 1.2 is not selected.
   d) Enter a message and click Send Message. The sample application should reply with JAXWS==>Message.
Results

The JaxWSServicesSamples web services application is configured to generate and consume a UsernameToken or an LTPA token in the request message.
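The following is an added example, not code from the question, the answer, or WebSphere: a minimal client/provider pair in Python that builds the UsernameToken header shown in the question and reproduces the two failure modes the answer distinguishes. The receiver matches the Security header by namespace URI, so the `s:` versus `wsse:` prefix difference in the question is irrelevant, and no wsu:Id is needed because nothing references the token. When no WS-Security handler is registered, the unconsumed mustUnderstand="1" header raises the MustUnderstand fault; when one is registered but the credentials are wrong, a SoapSecurityException is raised instead. The PasswordDigest branch (Base64(SHA-1(nonce + created + password)) from the UsernameToken Profile 1.0) is included as the general case that goes with the Nonce and Created elements the addNonce/addTimestamp bindings add; the user registry, endpoint and fault class names are constructed stand-ins.

```python
"""Added example: WS-Security UsernameToken client + provider-side checks.
Not WebSphere code. Registry, endpoint and fault names are stand-ins."""
import base64
import datetime
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UT_PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PW_TEXT = UT_PROFILE + "#PasswordText"
PW_DIGEST = UT_PROFILE + "#PasswordDigest"
for _prefix, _uri in (("soapenv", SOAPENV), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(_prefix, _uri)


def q(ns, local):
    """Clark-notation name: elements are matched by namespace URI, never by prefix."""
    return "{%s}%s" % (ns, local)


def password_digest(nonce_b64, created, password):
    """UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password))."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def build_request(username, password, digest=False, nonce=None, created=None):
    """Client side: SOAP 1.1 envelope carrying a mustUnderstand=1 Security header."""
    env = ET.Element(q(SOAPENV, "Envelope"))
    header = ET.SubElement(env, q(SOAPENV, "Header"))
    sec = ET.SubElement(header, q(WSSE, "Security"), {q(SOAPENV, "mustUnderstand"): "1"})
    tok = ET.SubElement(sec, q(WSSE, "UsernameToken"))  # no wsu:Id: nothing references it
    ET.SubElement(tok, q(WSSE, "Username")).text = username
    if digest:
        nonce = nonce or base64.b64encode(os.urandom(16)).decode()
        created = created or datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        ET.SubElement(tok, q(WSSE, "Password"), {"Type": PW_DIGEST}).text = password_digest(nonce, created, password)
        ET.SubElement(tok, q(WSSE, "Nonce")).text = nonce
        ET.SubElement(tok, q(WSU, "Created")).text = created
    else:
        ET.SubElement(tok, q(WSSE, "Password"), {"Type": PW_TEXT}).text = password
    ET.SubElement(ET.SubElement(env, q(SOAPENV, "Body")), "{urn:example}echo").text = "hello"
    return ET.tostring(env, encoding="unicode")


class MustUnderstandFault(Exception):
    """Stand-in for the AxisFault in the question."""


class SoapSecurityException(Exception):
    """Stand-in for the security-handler error the answer contrasts it with."""


def ws_security_handler(security_el, registry):
    """Provider-side token consumer; returns the authenticated user name."""
    tok = security_el.find(q(WSSE, "UsernameToken"))
    pw = tok.find(q(WSSE, "Password")) if tok is not None else None
    user = tok.findtext(q(WSSE, "Username")) if tok is not None else None
    if pw is None or user not in registry:
        raise SoapSecurityException("missing token or unknown user")
    if pw.get("Type") == PW_TEXT:
        expected = registry[user]
    elif pw.get("Type") == PW_DIGEST:
        nonce, created = tok.findtext(q(WSSE, "Nonce")), tok.findtext(q(WSU, "Created"))
        if not nonce or not created:
            raise SoapSecurityException("PasswordDigest requires Nonce and Created")
        expected = password_digest(nonce, created, registry[user])
    else:
        raise SoapSecurityException("unsupported password Type")
    if not hmac.compare_digest((pw.text or "").encode(), expected.encode()):
        raise SoapSecurityException("authentication failed")
    return user


def dispatch(xml_text, registry, wssecurity_enabled=True):
    """Header processing as the answer describes it: registered handlers consume
    their headers, then any unconsumed mustUnderstand header is a fault."""
    header = ET.fromstring(xml_text).find(q(SOAPENV, "Header"))
    principal, unprocessed = None, []
    for el in (header if header is not None else []):
        if el.tag == q(WSSE, "Security") and wssecurity_enabled:
            principal = ws_security_handler(el, registry)  # header marked processed
        elif el.get(q(SOAPENV, "mustUnderstand")) in ("1", "true"):
            unprocessed.append(el.tag)
    if unprocessed:
        raise MustUnderstandFault("Must Understand check failed for header " + ", ".join(unprocessed))
    return principal


def call_endpoint(xml_text, registry, wssecurity_enabled=True):
    """Return ('ok', user) or ('fault', fault class name), like a SOAP fault would."""
    try:
        return ("ok", dispatch(xml_text, registry, wssecurity_enabled))
    except (MustUnderstandFault, SoapSecurityException) as exc:
        return ("fault", type(exc).__name__)


if __name__ == "__main__":
    registry = {"alice": "s3cret"}  # constructed sample user registry
    req = build_request("alice", "s3cret")
    print(req)
    print(call_endpoint(req, registry))                            # ('ok', 'alice')
    print(call_endpoint(req, registry, wssecurity_enabled=False))  # ('fault', 'MustUnderstandFault')
```

Running the script with `wssecurity_enabled=False` is the software equivalent of the "no PolicyType binding" trace lines in the answer: the header arrives, nobody claims it, and the mustUnderstand check fires before any credential is looked at. That is why the prefix and the wsu:Id in the question's second example are red herrings, and why a wrong password would surface as a different exception.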