WSO2 ESB - ws-security throws exception, AxisFault, InvalidSecurity

Time: 2016-04-19 09:29:41

Tags: java soap wso2esb ws-security

I need to call a web service that implements ws-security (Rampart) with username token and timestamp validation over SSL. When I try to call the service with the SOAP message below, I end up with the following response and the ongoing exception in the ESB log.

Response SOAP message

    <?xml version="1.0" encoding="UTF-8"?>
    <soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
        <soapenv:Header>
            <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="true">
                <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-18784">
                    <wsu:Created>2016-04-19T04:30:20.850Z</wsu:Created>
                    <wsu:Expires>2016-04-19T04:35:20.850Z</wsu:Expires>
                </wsu:Timestamp>
            </wsse:Security>
        </soapenv:Header>
        <soapenv:Body>
            <soapenv:Fault xmlns:axis2ns72="http://www.w3.org/2003/05/soap-envelope">
                <soapenv:Code>
                    <soapenv:Value>axis2ns72:Sender</soapenv:Value>
                    <soapenv:Subcode>
                        <soapenv:Value xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">wsse:InvalidSecurity</soapenv:Value>
                    </soapenv:Subcode>
                </soapenv:Code>
                <soapenv:Reason>
                    <soapenv:Text xml:lang="en-US">General security error (WSSecurityEngine: No cryptoproperty file supplied for decryption)</soapenv:Text>
                </soapenv:Reason>
                <soapenv:Detail></soapenv:Detail>
            </soapenv:Fault>
        </soapenv:Body>
    </soapenv:Envelope>

Exception

    [2016-04-19 09:59:52,730] ERROR - AxisEngine InvalidSecurity
    org.apache.axis2.AxisFault: InvalidSecurity
            at org.apache.rampart.handler.PostDispatchVerificationHandler.invoke(PostDispatchVerificationHandler.java:164)
            at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
            at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
            at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261)
            at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:167)
            at org.apache.synapse.transport.passthru.ClientWorker.run(ClientWorker.java:247)
            at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
            at java.lang.Thread.run(Thread.java:745)
    [2016-04-19 09:59:52,733] ERROR - ClientWorker Fault processing response message through Axis2
    org.apache.axis2.AxisFault: InvalidSecurity
            at org.apache.rampart.handler.PostDispatchVerificationHandler.invoke(PostDispatchVerificationHandler.java:164)
            at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
            at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
            at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261)
            at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:167)
            at org.apache.synapse.transport.passthru.ClientWorker.run(ClientWorker.java:247)
            at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
            at java.lang.Thread.run(Thread.java:745)

Proxy service

    <?xml version="1.0" encoding="UTF-8"?>
    <proxy name="EDI_Proxy" startOnLoad="true" trace="disable"
      transports="http https" xmlns="http://ws.apache.org/ns/synapse">
      <target>
        <inSequence>
          <log description="log" level="custom">
            <property name="msg" value="Initiating mcash"/>
          </log>
          <payloadFactory description="pf_mcash" media-type="xml">
            <format>
              <flw:purchaceFromMMR xmlns:flw="http://flw.mwt.mobitel.com/">
                <!--Optional: -->
                <bankPurchaseRequest xmlns="">
                  <amount>1</amount>
                  <!--Optional: -->
                  <bankCode>00</bankCode>
                  <!--Optional: -->
                  <date>07042016</date>
                  <!--Optional: -->
                  <mobile>0711231234</mobile>
                  <!--Optional: -->
                  <time>120000</time>
                  <!--Optional: -->
                  <transactionId>SDC12345</transactionId>
                </bankPurchaseRequest>
              </flw:purchaceFromMMR>
            </format>
            <args/>
          </payloadFactory>
          <log description="log" level="custom">
            <property name="msg" value="Payload created.."/>
          </log>
          <property
            expression="fn:concat('Basic ', base64Encode('aaa:bbb'))"
            name="Authorization" scope="operation" type="STRING" xmlns:ns="http://org.apache.synapse/xsd"/>
          <call>
            <endpoint>
              <address trace="disable" uri="https://mywssecendpoint.com/Testservices/TestPurchaseService?wsdl">
                <enableSec policy="gov:ws-policy/sample_policy.xml"/>
              </address>
            </endpoint>
          </call>
          <log description="log" level="custom">
            <property name="msg" value="After calling address endpoint"/>
          </log>
        </inSequence>
        <outSequence>
          <log description="log" level="full"/>
        </outSequence>
        <faultSequence/>
      </target>
      <parameter name="engagedModules">rampart,rahas</parameter>
    </proxy>

Policy file

<wsp:Policy wsu:Id="SgnEncrUsername"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
    xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:SymmetricBinding>
                <wsp:Policy>
                    <sp:ProtectionToken>
                        <wsp:Policy>
                            <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                                <wsp:Policy>
                                    <sp:RequireThumbprintReference/>
                                    <sp:WssX509V3Token10/>
                                </wsp:Policy>
                            </sp:X509Token>
                        </wsp:Policy>
                    </sp:ProtectionToken>
                    <sp:AlgorithmSuite>
                        <wsp:Policy>
                            <sp:Basic256/>
                        </wsp:Policy>
                    </sp:AlgorithmSuite>
                    <sp:Layout>
                        <wsp:Policy>
                            <sp:Lax/>
                        </wsp:Policy>
                    </sp:Layout>
                    <sp:IncludeTimestamp/>
                    <sp:OnlySignEntireHeadersAndBody/>
                </wsp:Policy>
            </sp:SymmetricBinding>
            <sp:SignedParts>
                <sp:Body/>
            </sp:SignedParts>
            <sp:EncryptedParts>
                <sp:Body/>
            </sp:EncryptedParts>
            <sp:SignedSupportingTokens>
                <wsp:Policy>
                    <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                        <wsp:Policy>
                            <sp:WssUsernameToken10/>
                        </wsp:Policy>
                    </sp:UsernameToken>
                </wsp:Policy>
            </sp:SignedSupportingTokens>
            <sp:Wss11>
                <wsp:Policy>
                    <sp:MustSupportRefKeyIdentifier/>
                    <sp:MustSupportRefIssuerSerial/>
                    <sp:MustSupportRefThumbprint/>
                    <sp:MustSupportRefEncryptedKey/>
                    <sp:RequireSignatureConfirmation/>
                </wsp:Policy>
            </sp:Wss11>
            <sp:Trust10>
                <wsp:Policy>
                    <sp:MustSupportIssuedTokens/>
                    <sp:RequireClientEntropy/>
                    <sp:RequireServerEntropy/>
                </wsp:Policy>
            </sp:Trust10>
        </wsp:All>
    </wsp:ExactlyOne>
    <rampart:RampartConfig xmlns:rampart="http://ws.apache.org/rampart/policy">
        <rampart:passwordCallbackClass>com.wssec.PWCallbackHandler</rampart:passwordCallbackClass>
        <rampart:user>Testuser</rampart:user>
        <rampart:encryptionUser>wso2carbon</rampart:encryptionUser>
        <rampart:timestampPrecisionInMilliseconds>true</rampart:timestampPrecisionInMilliseconds>
        <rampart:timestampTTL>300</rampart:timestampTTL>
        <rampart:timestampMaxSkew>300</rampart:timestampMaxSkew>
        <rampart:timestampStrict>true</rampart:timestampStrict>
        <!-- class name kept on one line: the stray carriage return would otherwise become part of the configured value -->
        <rampart:tokenStoreClass>org.wso2.carbon.security.util.SecurityTokenStore</rampart:tokenStoreClass>
        <rampart:nonceLifeTime>300</rampart:nonceLifeTime>
        <rampart:encryptionCrypto>
            <rampart:crypto
                cryptoKey="org.wso2.carbon.security.crypto.privatestore" provider="org.wso2.carbon.security.util.ServerCrypto">
                <rampart:property name="org.wso2.carbon.security.crypto.alias">mcash.cer</rampart:property>
                <rampart:property name="org.wso2.carbon.security.crypto.privatestore">wso2carbon.jks</rampart:property>
                <rampart:property name="org.wso2.stratos.tenant.id">-1234</rampart:property>
                <rampart:property name="org.wso2.carbon.security.crypto.truststores">wso2carbon.jks</rampart:property>
                <rampart:property name="rampart.config.user">wso2carbon</rampart:property>
            </rampart:crypto>
        </rampart:encryptionCrypto>
        <rampart:signatureCrypto>
            <rampart:crypto
                cryptoKey="org.wso2.carbon.security.crypto.privatestore" provider="org.wso2.carbon.security.util.ServerCrypto">
                <rampart:property name="org.wso2.carbon.security.crypto.alias">mcash.cer</rampart:property>
                <rampart:property name="org.wso2.carbon.security.crypto.privatestore">wso2carbon.jks</rampart:property>
                <rampart:property name="org.wso2.stratos.tenant.id">-1234</rampart:property>
                <rampart:property name="org.wso2.carbon.security.crypto.truststores">wso2carbon.jks</rampart:property>
                <rampart:property name="rampart.config.user">wso2carbon</rampart:property>
            </rampart:crypto>
        </rampart:signatureCrypto>
    </rampart:RampartConfig>
    <sec:CarbonSecConfig xmlns:sec="http://www.wso2.org/products/carbon/security">
        <sec:Authorization>
            <sec:property name="org.wso2.carbon.security.allowedroles">admin</sec:property>
        </sec:Authorization>
    </sec:CarbonSecConfig>
</wsp:Policy>

I used the Rampart module as described in the question. I wrote a password callback handler class and added it to <ESB_HOME>/repository/components/lib, and it is invoked successfully. I wrote a policy file in the registry resources and did the necessary configuration (password callback handler, keystore).

It would be great if anyone could help or point out whether I have missed anything, looking at the response and the exception.

Thanks in advance.

- EDIT - Request on the wire

"POST /Testservices/BankPurchaseService?wsdl HTTP/1.1[\r][\n]" {org.apache.synapse.transport.http.wire}
"Cookie: region3_registry_menu=visible; menuPanel=visible; menuPanelType=main; JSESSIONID=95CAE85DE74F34BBAB10163E36087B12; requestedURI="../../carbon/service-mgt/index.jsp?region=region1&item=services_list_menu"; region1_configure_menu=none; region4_monitor_menu=none; region5_tools_menu=none; current-breadcrumb=manage_menu%2Cservices_menu%2Cservices_list_menu%23[\r][\n]" {org.apache.synapse.transport.http.wire}
"Content-Type: application/soap+xml; charset=UTF-8; action="urn:mediate"[\r][\n]" {org.apache.synapse.transport.http.wire}
"Transfer-Encoding: chunked[\r][\n]" {org.apache.synapse.transport.http.wire}
"Host: mobextintvpn.mobitel.lk:443[\r][\n]" {org.apache.synapse.transport.http.wire}
"Connection: Keep-Alive[\r][\n]" {org.apache.synapse.transport.http.wire}
"User-Agent: Synapse-PT-HttpComponents-NIO[\r][\n]" {org.apache.synapse.transport.http.wire}
"[\r][\n]" {org.apache.synapse.transport.http.wire}
"1287[\r][\n]" {org.apache.synapse.transport.http.wire}
"<?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><soapenv:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="true"><wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-1"><wsu:Created>2016-04-19T10:18:22.520Z</wsu:Created><wsu:Expires>2016-04-19T10:23:22.520Z</wsu:Expires></wsu:Timestamp><xenc:EncryptedKey Id="EncKeyId-95F8BA9FA0125DE2C814610611030642"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">[\n]" {org.apache.synapse.transport.http.wire}
"<wsse:SecurityTokenReference><wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">a/jhNus21KVuoFx65LmkW2O/l10=</wsse:KeyIdentifier></wsse:SecurityTokenReference>[\n]" {org.apache.synapse.transport.http.wire}
"</ds:KeyInfo><xenc:CipherData><xenc:CipherValue>OAbkdbMWv8icJf+Y9u34aiQI79G1qWYA8Femy/VDAd0osCW8kVglQ7SpfKUEvVfz7qNZUHabOEQh3opPEA/o7/0wEWYLZbdXj1cUtl1ViwobdJr1UaWH2IuWQVPoJFSh88/5LJWDDdhrpgIrpMVyuu7/DL6d/DJJFdcOfznjTpM=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey><xenc:ReferenceList><xenc:DataReference URI="#EncDataId-4"/></xenc:ReferenceList><wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-2"><wsse:Username>Hnbmwtuser</wsse:Username><wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">Hnbmwtuser</wsse:Password></wsse:UsernameToken><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-3">[\n]" {org.apache.synapse.transport.http.wire}
"<ds:SignedInfo>[\n]" {org.apache.synapse.transport.http.wire}
"<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>[\n]" {org.apache.synapse.transport.http.wire}
"<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>[\n]" {org.apache.synapse.transport.http.wire}
"<ds:Reference URI="#Id-1995499025">[\n]" {org.apache.synapse.transport.http.wire}
"<ds:Transforms>[\n]" {org.apache.synapse.transport.http.wire}
"<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>[\n]" {org.apache.synapse.transport.http.wire}
"</ds:Transforms>[\n]" {org.apache.synapse.transport.http.wire}
"<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>[\n]" {org.apache.synapse.transport.http.wire}
"<ds:DigestValue>zOGehBXKICE+35najzJhEV+lxfo=</ds:DigestValue>[\n]" {org.apache.synapse.transport.http.wire}
"</ds:Reference>[\n]" {org.apache.synapse.transport.http.wire}
"<ds:Reference URI="#Timestamp-1">[\n]" {org.apache.synapse.transport.http.wire}
"<ds:Transforms>[\n]" {org.apache.synapse.transport.http.wire}
"<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>[\n]" {org.apache.synapse.transport.http.wire}
"</ds:Transforms>[\n]" {org.apache.synapse.transport.http.wire}
"<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>[\n]" {org.apache.synapse.transport.http.wire}
"<ds:DigestValue>MVyAyqaqT/h9KmttU1wP4QSTo1A=</ds:DigestValue>[\n]" {org.apache.synapse.transport.http.wire}
"</ds:Reference>[\n]" {org.apache.synapse.transport.http.wire}
"<ds:Reference URI="#UsernameToken-2">[\n]" {org.apache.synapse.transport.http.wire}
"<ds:Transforms>[\n]" {org.apache.synapse.transport.http.wire}
"<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>[\n]" {org.apache.synapse.transport.http.wire}
"</ds:Transforms>[\n]" {org.apache.synapse.transport.http.wire}
"<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>[\n]" {org.apache.synapse.transport.http.wire}
"<ds:DigestValue>ftAIvRUNNgVoN1mPq4L08UBdwHs=</ds:DigestValue>[\n]" {org.apache.synapse.transport.http.wire}
"</ds:Reference>[\n]" {org.apache.synapse.transport.http.wire}
"</ds:SignedInfo>[\n]" {org.apache.synapse.transport.http.wire}
"<ds:SignatureValue>B4HfIv89mQBvAH0E5pqm70k0hOc=</ds:SignatureValue>[\n]" {org.apache.synapse.transport.http.wire}
"<ds:KeyInfo Id="KeyId-95F8BA9FA0125DE2C814610611031013">[\n]" {org.apache.synapse.transport.http.wire}
"<wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-95F8BA9FA0125DE2C814610611031014"><wsse:Reference URI="#EncKeyId-95F8BA9FA0125DE2C814610611030642" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"/></wsse:SecurityTokenReference>[\n]" {org.apache.synapse.transport.http.wire}
"</ds:KeyInfo>[\n]" {org.apache.synapse.transport.http.wire}
"</ds:Signature></wsse:Security></soapenv:Header><soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-1995499025"><xenc:EncryptedData Id="EncDataId-4" Type="http://www.w3.org/2001/04/xmlenc#Content"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">[\n]" {org.apache.synapse.transport.http.wire}
"<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:Reference URI="#EncKeyId-95F8BA9FA0125DE2C814610611030642"/></wsse:SecurityTokenReference>[\n]" {org.apache.synapse.transport.http.wire}
"</ds:KeyInfo><xenc:CipherData><xenc:CipherValue>wIL1a9udg+JfIITcM++vJ0iA+oYahKZzUtq3xLpK/2eTHg8boNsrT+omZbq+aqscUmxqV9ofgei/[\n]" {org.apache.synapse.transport.http.wire}
"vlj1evRic21e82d5R9oIXE35s5NYR7M1ij23bfsPo5WCtg2QTXWg3Ijdae9ASSXBgShhsxYeCBkv[\n]" {org.apache.synapse.transport.http.wire}
"07cgLYZjOOqrpww5B/PG4cBccTJevTWTgkU8yW6WlqPtjlQgg9olRw598JIBvgX6/od/dLMtReA4[\n]" {org.apache.synapse.transport.http.wire}
"cTsjzRIMeQiG3u8oBwzDav9zdYiNV2Pyhr+M8juiEX4jlKCNF3XBS/k4RdAJBObAIu3RBNKbWkjT[\n]" {org.apache.synapse.transport.http.wire}
"8bSs7GxlW8yVgeMb6UzoZHlfES+siSm7iINnskl0AdZMLhn8na9iAJS94Cw6925/eulAKLAOS0dj[\n]" {org.apache.synapse.transport.http.wire}
"Hf7lISscNRZxHEcD84Q9PBK6/XGn/qyE5Q0gyNTFu2ASLq3w9+yMOZAI7X+z6qprOTssOE6VltAW[\n]" {org.apache.synapse.transport.http.wire}
"VpBCZN/XmbZSdT40y7dfQ/ykQjsCFAnF5lSJ7TP9vf5Qc+76qCNnZyrwOTdeuqNr0Sle9AQ717YH[\n]" {org.apache.synapse.transport.http.wire}
"Yw==</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soapenv:Body></soapenv:Envelope>[\r][\n]"

1 answer:

Answer 0 (score: 0)

The error message is quite clear: "WSSecurityEngine: No cryptoproperty file supplied for decryption". It looks like you are using wss4j on the server side. You should configure Wss4jSecurityInterceptor to use the correct crypto properties. Otherwise it cannot validate the signed content in your request. If you are using xml-config, you should add something like this:

    <bean class="org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor">
        <property name="validationActions" value="Signature"/>
        <property name="validationSignatureCrypto">
            <bean class="org.springframework.ws.soap.security.wss4j.support.CryptoFactoryBean">
                <!-- placeholders: keystore password and location of the service's keystore -->
                <property name="keyStorePassword" value="${your_keystore_pwd}"/>
                <property name="keyStoreLocation" value="${your_keystore}"/>
            </bean>
        </property>
    </bean>

If you use plain Java, the methods are very similar.
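The answer shows only the XML form and only the signature crypto. As an added example (not code from the question or the answer), here is the equivalent Spring WS Java configuration, assuming Spring WS with the WSS4J 2.x `wss4j2` package; it also supplies the decryption crypto the fault message names and lists every action the captured request carries. The keystore path, passwords and user names are placeholders.

```java
import java.util.Properties;
import javax.security.auth.callback.CallbackHandler;
import org.apache.wss4j.common.crypto.Crypto;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.FileSystemResource;
import org.springframework.ws.soap.security.wss4j2.Wss4jSecurityInterceptor;
import org.springframework.ws.soap.security.wss4j2.callback.KeyStoreCallbackHandler;
import org.springframework.ws.soap.security.wss4j2.callback.SimplePasswordValidationCallbackHandler;
import org.springframework.ws.soap.security.wss4j2.support.CryptoFactoryBean;

// Added example (not from the question or the answer): Spring WS Java configuration
// equivalent to the answer's XML bean, extended to the WSS4J actions the captured
// request carries. Paths, passwords and user names below are placeholders.
@Configuration
public class WsSecurityValidationConfig {

    private static final String KEYSTORE_PATH = "/path/to/service-keystore.jks"; // placeholder
    private static final String KEYSTORE_PASSWORD = "keystore-password-placeholder";
    private static final String PRIVATE_KEY_PASSWORD = "private-key-password-placeholder";
    private static final String EXPECTED_USER = "username-placeholder";
    private static final String EXPECTED_PASSWORD = "user-password-placeholder";

    // The crypto the fault says is missing: the keystore holding the private key that
    // matches the certificate thumbprint referenced by the client's EncryptedKey.
    @Bean
    public Crypto serviceCrypto() throws Exception {
        CryptoFactoryBean factory = new CryptoFactoryBean();
        factory.setKeyStoreLocation(new FileSystemResource(KEYSTORE_PATH));
        factory.setKeyStorePassword(KEYSTORE_PASSWORD);
        factory.afterPropertiesSet();
        return factory.getObject();
    }

    @Bean
    public Wss4jSecurityInterceptor wsSecurityInterceptor(Crypto serviceCrypto) {
        Wss4jSecurityInterceptor interceptor = new Wss4jSecurityInterceptor();
        // WSS4J rejects a message whose Security header carries an action not listed
        // here; the captured request has Timestamp, Signature, EncryptedKey/EncryptedData
        // and UsernameToken, so "Signature" alone would not be enough.
        interceptor.setValidationActions("Timestamp Signature Encrypt UsernameToken");
        // Private key for unwrapping the RSA-OAEP EncryptedKey (the "decryption" crypto).
        interceptor.setValidationDecryptionCrypto(serviceCrypto);
        // Under the symmetric binding the HMAC-SHA1 signature is keyed by that same
        // EncryptedKey, so the signature crypto is the same keystore.
        interceptor.setValidationSignatureCrypto(serviceCrypto);
        interceptor.setTimestampStrict(true); // reject messages past their Expires time

        // Supplies the private-key password when WSS4J decrypts the EncryptedKey.
        KeyStoreCallbackHandler keyHandler = new KeyStoreCallbackHandler();
        keyHandler.setPrivateKeyPassword(PRIVATE_KEY_PASSWORD);
        // Validates the UsernameToken (the captured one uses PasswordText).
        SimplePasswordValidationCallbackHandler userHandler = new SimplePasswordValidationCallbackHandler();
        Properties users = new Properties();
        users.setProperty(EXPECTED_USER, EXPECTED_PASSWORD);
        userHandler.setUsers(users);
        interceptor.setValidationCallbackHandlers(new CallbackHandler[] {keyHandler, userHandler});
        return interceptor;
    }
}
```

Register the interceptor with the endpoint's interceptor list; if the service stays on WSS4J 1.x, the same setters exist under the answer's `wss4j` package.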