I need to create a proxy in WSO2 ESB (4.9.0) to expose a secured backend web service as a secured web service, like in this image:
Exposing WS-Security secured backend WS as a plain WS
I want to use the "Sign & Encrypt with X.509 Authentication" WS-Security policy.
Here is the "source view" of my proxy:
<proxy xmlns="http://ws.apache.org/ns/synapse"
       name="OutgoingSecurityProxy"
       transports="http,https"
       statistics="enable"
       trace="enable"
       startOnLoad="true">
    <target>
        <inSequence>
            <send>
                <endpoint>
                    <address uri="http://mylocalIP:80/mock_serverTest">
                        <enableAddressing/>
                        <enableSec policy="SecurityPolicyOut"/>
                    </address>
                </endpoint>
            </send>
        </inSequence>
        <outSequence>
            <header xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                    name="wsse:Security"
                    action="remove"/>
            <send/>
        </outSequence>
    </target>
    <publishWSDL uri="http://mylocalIP:80/mock_serverTest?WSDL"/>
    <description/>
</proxy>
Here is the security policy used, stored as a "Local Entry" (it is the default "Sign and Encrypt - X.509 Authentication" policy, with only the keystore-related information changed):
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SigEncr">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:InitiatorToken>
                        <wsp:Policy>
                            <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                                <wsp:Policy>
                                    <sp:RequireThumbprintReference/>
                                    <sp:WssX509V3Token10/>
                                </wsp:Policy>
                            </sp:X509Token>
                        </wsp:Policy>
                    </sp:InitiatorToken>
                    <sp:RecipientToken>
                        <wsp:Policy>
                            <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                                <wsp:Policy>
                                    <sp:RequireThumbprintReference/>
                                    <sp:WssX509V3Token10/>
                                </wsp:Policy>
                            </sp:X509Token>
                        </wsp:Policy>
                    </sp:RecipientToken>
                    <sp:AlgorithmSuite>
                        <wsp:Policy>
                            <sp:Basic256/>
                        </wsp:Policy>
                    </sp:AlgorithmSuite>
                    <sp:Layout>
                        <wsp:Policy>
                            <sp:Strict/>
                        </wsp:Policy>
                    </sp:Layout>
                    <sp:IncludeTimestamp/>
                    <sp:OnlySignEntireHeadersAndBody/>
                </wsp:Policy>
            </sp:AsymmetricBinding>
            <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:MustSupportRefKeyIdentifier/>
                    <sp:MustSupportRefIssuerSerial/>
                    <sp:MustSupportRefThumbprint/>
                    <sp:MustSupportRefEncryptedKey/>
                    <sp:RequireSignatureConfirmation/>
                </wsp:Policy>
            </sp:Wss11>
            <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:MustSupportRefKeyIdentifier/>
                    <sp:MustSupportRefIssuerSerial/>
                </wsp:Policy>
            </sp:Wss10>
            <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <sp:Body/>
            </sp:SignedParts>
            <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <sp:Body/>
            </sp:EncryptedParts>
        </wsp:All>
    </wsp:ExactlyOne>
    <rampart:RampartConfig xmlns:rampart="http://ws.apache.org/rampart/policy">
        <rampart:user>service</rampart:user>
        <rampart:encryptionUser>useReqSigCert</rampart:encryptionUser>
        <rampart:timestampPrecisionInMilliseconds>true</rampart:timestampPrecisionInMilliseconds>
        <rampart:timestampTTL>300</rampart:timestampTTL>
        <rampart:timestampMaxSkew>300</rampart:timestampMaxSkew>
        <rampart:timestampStrict>false</rampart:timestampStrict>
        <rampart:tokenStoreClass>org.wso2.carbon.security.util.SecurityTokenStore</rampart:tokenStoreClass>
        <rampart:nonceLifeTime>300</rampart:nonceLifeTime>
        <rampart:encryptionCrypto>
            <rampart:crypto cryptoKey="org.wso2.carbon.security.crypto.privatestore" provider="org.wso2.carbon.security.util.ServerCrypto">
                <rampart:property name="org.wso2.carbon.security.crypto.alias">client</rampart:property>
                <rampart:property name="org.wso2.carbon.security.crypto.privatestore">mykeystore.jks</rampart:property>
                <rampart:property name="org.wso2.stratos.tenant.id">-1234</rampart:property>
                <rampart:property name="org.wso2.carbon.security.crypto.truststores">mykeystore.jks</rampart:property>
                <rampart:property name="rampart.config.user">service</rampart:property>
            </rampart:crypto>
        </rampart:encryptionCrypto>
        <rampart:signatureCrypto>
            <rampart:crypto cryptoKey="org.wso2.carbon.security.crypto.privatestore" provider="org.wso2.carbon.security.util.ServerCrypto">
                <rampart:property name="org.wso2.carbon.security.crypto.alias">service</rampart:property>
                <rampart:property name="org.wso2.carbon.security.crypto.privatestore">mykeystore.jks</rampart:property>
                <rampart:property name="org.wso2.stratos.tenant.id">-1234</rampart:property>
                <rampart:property name="org.wso2.carbon.security.crypto.truststores">mykeystore.jks</rampart:property>
                <rampart:property name="rampart.config.user">service</rampart:property>
            </rampart:crypto>
        </rampart:signatureCrypto>
    </rampart:RampartConfig>
</wsp:Policy>
The backend "secured" WS (http://mylocalIP:80/mock_serverTest) is a WS-Security-enabled "mock" service of a plain WS, created with SoapUI running on a desktop computer.
When I try to call the ESB service with SoapUI, I get the error "org.apache.axis2.AxisFault: Password CallbackHandler not specified in rampart configuration policy or the CallbackHandler instance not available in the MessageContext":
16:17:45,465 [-] [PassThroughMessageProcessor-1] WARN TRACE_LOGGER Executing fault handler due to exception encountered
16:17:45,466 [-] [PassThroughMessageProcessor-1] WARN TRACE_LOGGER ERROR_CODE : 0
16:17:45,466 [-] [PassThroughMessageProcessor-1] WARN TRACE_LOGGER ERROR_MESSAGE : Unexpected error during sending message out
16:17:45,471 [-] [PassThroughMessageProcessor-1] WARN TRACE_LOGGER ERROR_DETAIL : org.apache.synapse.SynapseException: Unexpected error during sending message out
at org.apache.synapse.core.axis2.Axis2Sender.handleException(Axis2Sender.java:247)
at org.apache.synapse.core.axis2.Axis2Sender.sendOn(Axis2Sender.java:91)
at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.send(Axis2SynapseEnvironment.java:461)
at org.apache.synapse.endpoints.AbstractEndpoint.send(AbstractEndpoint.java:372)
at org.apache.synapse.endpoints.AddressEndpoint.send(AddressEndpoint.java:65)
at org.apache.synapse.mediators.builtin.SendMediator.mediate(SendMediator.java:105)
at org.apache.synapse.mediators.AbstractListMediator.mediate(AbstractListMediator.java:81)
at org.apache.synapse.mediators.AbstractListMediator.mediate(AbstractListMediator.java:48)
at org.apache.synapse.mediators.base.SequenceMediator.mediate(SequenceMediator.java:149)
at org.apache.synapse.core.axis2.ProxyServiceMessageReceiver.receive(ProxyServiceMessageReceiver.java:185)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
at org.apache.synapse.transport.passthru.ServerWorker.processEntityEnclosingRequest(ServerWorker.java:395)
at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:142)
at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.axis2.AxisFault: Password CallbackHandler not specified in rampart configuration policy or the CallbackHandler instance not available in the MessageContext
at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:76)
at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261)
at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:426)
at org.apache.synapse.core.axis2.DynamicAxisOperation$DynamicOperationClient.send(DynamicAxisOperation.java:185)
at org.apache.synapse.core.axis2.DynamicAxisOperation$DynamicOperationClient.executeImpl(DynamicAxisOperation.java:167)
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
at org.apache.synapse.core.axis2.Axis2FlexibleMEPClient.send(Axis2FlexibleMEPClient.java:542)
at org.apache.synapse.core.axis2.Axis2Sender.sendOn(Axis2Sender.java:79)
... 15 more
Caused by: org.apache.rampart.RampartException: Password CallbackHandler not specified in rampart configuration policy or the CallbackHandler instance not available in the MessageContext
at org.apache.rampart.builder.BindingBuilder.getSignatureBuilder(BindingBuilder.java:312)
at org.apache.rampart.builder.BindingBuilder.getSignatureBuilder(BindingBuilder.java:265)
at org.apache.rampart.builder.AsymmetricBindingBuilder.doSignature(AsymmetricBindingBuilder.java:761)
at org.apache.rampart.builder.AsymmetricBindingBuilder.doSignBeforeEncrypt(AsymmetricBindingBuilder.java:457)
at org.apache.rampart.builder.AsymmetricBindingBuilder.build(AsymmetricBindingBuilder.java:97)
at org.apache.rampart.MessageBuilder.build(MessageBuilder.java:147)
at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:65)
... 24 more
Any clues?
Thanks in advance!
Answer 0 (score: 1)
The link above (sample 100 for WSO2 ESB) does not implement the password callback handler. You need to create the required password callback handler for your Sign and Encrypt policy. Here is information on how to create a PWCB: http://pathberiya.blogspot.co.uk/2010/02/how-to-create-password-callback-class.html
Regards.
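As an added illustration of the password callback handler the answer refers to (example code written for this page, not taken from the question, the answer, or WSO2/Rampart), the class below is what Rampart calls to obtain the private-key password when it builds the signature and when it decrypts the response under the Sign & Encrypt policy. It assumes the WSS4J 1.x `org.apache.ws.security.WSPasswordCallback` class that the Rampart bundled with ESB 4.9.0 uses, the package name `com.example.security` is an assumption, and the key password is read from an environment variable named after the keystore alias (here `service`, matching `rampart:user`) so that no secret is compiled into the handler.

```java
// Added example: a Rampart password callback handler (hypothetical class, not from the page).
// Assumes WSS4J 1.x: org.apache.ws.security.WSPasswordCallback.
package com.example.security; // assumed package name

import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

public class KeystorePasswordCallbackHandler implements CallbackHandler {

    // Aliases this handler will unlock. "service" is the rampart:user in the policy,
    // whose private key signs the request and decrypts the response.
    private static final Set<String> KNOWN_ALIASES = new HashSet<>(Arrays.asList("service"));

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "Only WSPasswordCallback is supported");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) cb;
            String alias = pwcb.getIdentifier();
            switch (pwcb.getUsage()) {
                case WSPasswordCallback.SIGNATURE: // private-key password for signing the outgoing request
                case WSPasswordCallback.DECRYPT:   // private-key password for decrypting the incoming response
                    pwcb.setPassword(lookupKeyPassword(alias));
                    break;
                default:
                    // UsernameToken and other usages are not part of a Sign & Encrypt policy;
                    // refusing them keeps the handler from leaking a key password for an unexpected purpose.
                    throw new UnsupportedCallbackException(cb,
                            "Unsupported password usage " + pwcb.getUsage() + " for alias " + alias);
            }
        }
    }

    // Resolve the private-key password for an alias from an environment variable such as
    // RAMPART_KEY_PASSWORD_SERVICE. Unknown aliases and missing variables fail closed.
    static String lookupKeyPassword(String alias) throws IOException {
        if (alias == null || !KNOWN_ALIASES.contains(alias)) {
            throw new IOException("No password configured for keystore alias: " + alias);
        }
        String password = System.getenv("RAMPART_KEY_PASSWORD_" + alias.toUpperCase());
        if (password == null || password.isEmpty()) {
            throw new IOException("Environment variable for keystore alias '" + alias + "' is not set");
        }
        return password;
    }
}
```

The handler is registered in the policy's `RampartConfig` with `<rampart:passwordCallbackClass>com.example.security.KeystorePasswordCallbackHandler</rampart:passwordCallbackClass>` (the class name is the assumed one above) and the compiled jar is placed on the ESB's classpath, typically under `repository/components/lib`. Once Rampart can obtain the key password this way, the "Password CallbackHandler not specified" fault in the trace above no longer occurs at `BindingBuilder.getSignatureBuilder`.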