WSO2 ESB Rampart - invalid security header with custom SOAP header

Time: 2016-05-20 14:56:40

Tags: wso2esb ws-security rampart

With WSO2 ESB 4.8.1 we are trying to sign outgoing messages to a backend system. The signing itself works fine, except when a custom SOAP header is present in the request (a custom header that the backend system requires).

Example:

Example client request:

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:head="http://fsb.belgium.be/header" xmlns:ser="http://cjcs-cg.just.fgov.be/service-v1.0">
    <soapenv:Header>
        <head:myHeader xmlns:head="http://mytest.headers/header">
            <head:messageId>594fcbc4-d3d4-11e5-ab30-625662870762</head:messageId>
        </head:myHeader>
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
            <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-37">
                <wsu:Created>2016-05-20T14:30:54.827Z</wsu:Created>
                <wsu:Expires>2016-05-20T14:35:54.827Z</wsu:Expires>
            </wsu:Timestamp>
            <head:messageId xmlns:head="http://mytest.headers/header">594fcbc4-d3d4-11e5-ab30-625662870762</head:messageId>
            <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-2541F55E8971D834D1146375465482873">MIIH..long certificate here... ==</wsse:BinarySecurityToken>
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-38">
                <ds:SignedInfo>
                    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                    <ds:Reference URI="#Id-1094174436">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                        <ds:DigestValue>P571zv6yej1+7gAVD6gSum61Vz0=</ds:DigestValue>
                    </ds:Reference>
                    <ds:Reference URI="#Timestamp-37">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                        <ds:DigestValue>+APmWSyt57oePoeY1KdKjaCNI6E=</ds:DigestValue>
                    </ds:Reference>
                </ds:SignedInfo>
                <ds:SignatureValue>
DDZ6PefoInpfaaL7Ge/SCt02KJRP9xGA2Jd8YJXuzfMF+hIQybEm14JcjLB0YsQVbpVbonO8D
DDZ6 deleted =
                </ds:SignatureValue>
                <ds:KeyInfo Id="KeyId-2541F55E8971D834D1146375465482974">
                    <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-2541F55E8971D834D1146375465482975">
                        <wsse:Reference URI="#CertId-2541F55E8971D834D1146375465482873" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
            </ds:Signature>
        </wsse:Security>
    </soapenv:Header>
    <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-1094174436">
        <ser:listTypesRequest>
        </ser:listTypesRequest>
    </soapenv:Body>
</soapenv:Envelope>

When the backend receives the message above, note the head:messageId element inside the Security header; it makes the security header invalid (at least the backend system claims it cannot process a head:messageId element coming from the security token). If I intercept the message and cut the head:messageId element out of the Security header, the backend considers the message valid.

I have already tried clearing and redefining the custom SOAP header in the proxy flow, but then Rampart throws an exception that it cannot cast the OMElement to a SOAP header:

Caused by: java.lang.ClassCastException: org.apache.axiom.om.impl.llom.OMElementImpl cannot be cast to org.apache.axiom.soap.SOAPHeaderBlock
        at org.apache.rampart.util.Axis2Util.getDocumentFromSOAPEnvelope(Axis2Util.java:99)

So, the questions:

  • Is it possible to sign the WS request without the custom header ending up as part of the security header? I think it may be a Rampart bug, but is there a way to work around it?
  • Can I insert the custom SOAP header into the signed message before signing? (In theory yes, but how do I keep Rampart happy?)

Thanks in advance for any help/hints.

0 answers
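The failure mode in the question, as an added example (not code from the original post, from WSO2 or from Rampart): a small validator that inspects the wsse:Security header of a signed envelope, reports foreign elements such as the copied head:messageId, checks that every ds:Reference in SignedInfo resolves to a wsu:Id in the message, lists SOAP header blocks that the signature does not cover, and applies the workaround the poster did by hand (cutting the foreign element out of the Security header), refusing when that element is itself signed. The sample envelope is constructed from the one in the question, trimmed, with the certificate and signature value replaced by placeholders; the set of expected Security children is an assumption for a plain X.509 signing setup.

```python
"""Check the wsse:Security header of a signed SOAP envelope for foreign elements.

Added example, not code from the original post or from WSO2/Rampart.
"""
from typing import Dict, List, Optional, Tuple
import xml.etree.ElementTree as ET  # for untrusted input, prefer defusedxml

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def _q(ns: str, local: str) -> str:
    """Clark-notation tag name, the form ElementTree uses."""
    return "{%s}%s" % (ns, local)


# Assumption for this example: what an X.509 signing configuration puts into
# wsse:Security. Anything else in there is flagged as foreign.
ALLOWED_SECURITY_CHILDREN = {
    _q(WSU_NS, "Timestamp"),
    _q(WSSE_NS, "BinarySecurityToken"),
    _q(DS_NS, "Signature"),
}

# Constructed sample: the envelope from the question, trimmed, with the
# certificate and signature value replaced by placeholders.
SAMPLE_ENVELOPE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:ser="http://cjcs-cg.just.fgov.be/service-v1.0">
  <soapenv:Header>
    <head:myHeader xmlns:head="http://mytest.headers/header">
      <head:messageId>594fcbc4-d3d4-11e5-ab30-625662870762</head:messageId>
    </head:myHeader>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        soapenv:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="Timestamp-37">
        <wsu:Created>2016-05-20T14:30:54.827Z</wsu:Created>
        <wsu:Expires>2016-05-20T14:35:54.827Z</wsu:Expires>
      </wsu:Timestamp>
      <head:messageId xmlns:head="http://mytest.headers/header">594fcbc4-d3d4-11e5-ab30-625662870762</head:messageId>
      <wsse:BinarySecurityToken wsu:Id="CertId-1">PLACEHOLDER-CERT</wsse:BinarySecurityToken>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-38">
        <ds:SignedInfo>
          <ds:Reference URI="#Id-1094174436"/>
          <ds:Reference URI="#Timestamp-37"/>
        </ds:SignedInfo>
        <ds:SignatureValue>PLACEHOLDER-SIGNATURE</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      wsu:Id="Id-1094174436">
    <ser:listTypesRequest/>
  </soapenv:Body>
</soapenv:Envelope>
"""


def soap_header(envelope: ET.Element) -> Optional[ET.Element]:
    return envelope.find(_q(SOAP_NS, "Header"))


def security_header(envelope: ET.Element) -> Optional[ET.Element]:
    header = soap_header(envelope)
    return None if header is None else header.find(_q(WSSE_NS, "Security"))


def wsu_ids(envelope: ET.Element) -> Dict[str, ET.Element]:
    """Map every wsu:Id in the message to the element that carries it."""
    return {el.get(_q(WSU_NS, "Id")): el for el in envelope.iter() if el.get(_q(WSU_NS, "Id"))}


def reference_uris(sec: ET.Element) -> List[str]:
    """URI attributes of all ds:Reference elements under wsse:Security."""
    return [ref.get("URI", "") for ref in sec.iter(_q(DS_NS, "Reference"))]


def check_envelope(xml_text: str) -> Dict[str, List[str]]:
    """Report foreign Security children, dangling references and unsigned header blocks."""
    env = ET.fromstring(xml_text)
    header, sec = soap_header(env), security_header(env)
    if header is None or sec is None:
        return {"foreign": [], "unresolved_refs": [], "signed": [], "unsigned_headers": []}
    ids = wsu_ids(env)
    uris = reference_uris(sec)
    signed = [u[1:] for u in uris if u.startswith("#")]
    return {
        "foreign": [c.tag for c in sec if c.tag not in ALLOWED_SECURITY_CHILDREN],
        "unresolved_refs": [u for u in uris if not (u.startswith("#") and u[1:] in ids)],
        "signed": signed,
        # Header blocks (other than Security) whose wsu:Id is not referenced by the signature
        "unsigned_headers": [c.tag for c in header if c is not sec and c.get(_q(WSU_NS, "Id")) not in signed],
    }


def sanitize_envelope(xml_text: str) -> Tuple[str, int]:
    """Cut foreign elements out of wsse:Security (the poster's manual workaround).

    Only safe when the foreign element is not covered by a ds:Reference;
    removing a signed element would break the digest, so refuse in that case.
    """
    env = ET.fromstring(xml_text)
    sec = security_header(env)
    if sec is None:
        return xml_text, 0
    signed = {u[1:] for u in reference_uris(sec) if u.startswith("#")}
    removed = 0
    for child in list(sec):
        if child.tag in ALLOWED_SECURITY_CHILDREN:
            continue
        if child.get(_q(WSU_NS, "Id")) in signed:
            raise ValueError("foreign element %s is signed; removing it would break the signature" % child.tag)
        sec.remove(child)
        removed += 1
    return ET.tostring(env, encoding="unicode"), removed


if __name__ == "__main__":
    print(check_envelope(SAMPLE_ENVELOPE))
    cleaned, n = sanitize_envelope(SAMPLE_ENVELOPE)
    print("removed %d foreign element(s); foreign after cleanup: %s" % (n, check_envelope(cleaned)["foreign"]))
```

Two things the report makes visible beyond the immediate error: the stray head:messageId can be stripped after signing only because neither ds:Reference in the posted envelope points at it (the signature covers the Body and the Timestamp, nothing else), and for the same reason the backend-required head:myHeader block itself is not integrity-protected by the signature at all. Stripping is a stopgap for the Rampart behaviour the question describes, not a fix for it.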