验证加密的SOAP请求会引发错误错误

时间:2016-08-14 00:48:28

标签: soap soapui ws-security

这张图片显示了我对soapui的简单ws-security配置:

enter image description here

我将此配置应用于soap请求:

enter image description here

然后{soap}请求的<arg0>内容被加密。这是加密的肥皂消息。

<soapenv:Envelope xmlns:soap="http://soap.aaa.com/" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="9C55238F5BB25B8A7214711332555022">MIICxzCCAa+gAwIBAgIECZhGTzANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDEwlsb2NhbGhvc3QwHhcNMTYwODEyMDgzMDI5WhcNMTYxMTEwMDgzMDI5WjAUMRIwEAYDVQQDEwlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCbufayp7O8wye5q8tPKPWRJPzAIHbtFBkepltFAji7U2fWU5ihSP2TRygym6B/UHvvPZ5QsaTog0oMw+vRLxWAemVganoSvTJWRidTYmvm3kqhBLC7+GEM895k/yU7nduKqSFJr3qa4R5eSO/JLGwIvcb3OkhNHTu1/8EEJDcxbGMPwn08W4gn2qnGDkSEsanfXhCaNtS4mZHWvs5vr+C4gYR4is6Z3wSIFQZGkKtPj7Z3wg3E9l9GAAdg+6JegDKRzzSQtSjgUySipYqbHYOBol78Wf7+dqNiHvohiQTRHB3b2AebEdUcQTu65ELUhWGC28eWWaCv5ksL5eL2bJc/AgMBAAGjITAfMB0GA1UdDgQWBBTcHE/ieHAarvD2RC7DiMdPZ6O66TANBgkqhkiG9w0BAQsFAAOCAQEAja62f/8GeKm0XMMMoUo3ayk/WluF89PC71jB28r3M3+1bqkfK7KJaO7yF7DG9zpm6BztKi9Ykz6izg2IktuUnTG4dbg0CY8ZuL8NEmvirCgfJXXur3goEOIfItb8dR9Mi6i4ZV46oJTgX8XliwEoZQVloi3JcTbPeZ3DrSmOyaUppGk//kryx4bhwdazxPQ3H7PcRQjMq+l3e7q9sTJRyYm7PcsvyZt34CgZkhal28p35jQk7U1MKibL8a5FlQejDP4p/6/8qv/3TzHK467zlXr/oFGQGCXFc96j12Cj5Eiv+22C+8ZRMCtMig42uXNamE5YGuQMHDLrsQd9VThkUQ==</wsse:BinarySecurityToken><xenc:EncryptedKey Id="EK-9C55238F5BB25B8A7214711332555001" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference><wsse:Reference URI="#9C55238F5BB25B8A7214711332555022" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>GudjGW52R0Iu+KnTZARE7nHFwPGvmXRZCuIQqnhz8it9WJs+2Jai7W0dAmhtkNxi2k0/g8IhL1v1EpA6JuJUEzkOnyuCoUttyR5ROLxpbHzD1DtEZT8AEgiOwFmmov7t6UsKDSn2jxL8ftraf44ISxrMCbJ10cuN6gJT9ghT9USdvvT/1vKhuBqm251bn9kgPkqNTDcYntQpwSkRCTZz+yf+pv77DVE5MPMk8FLHE4TeROsqLyNC8YzH8ncITGqOrDM4PY+1/H2XUkWaAeMz9ZcqqseD97Mr86ZpOgwP/V0Z6v9iRSrBYTpnDqPd8TIJ1wJs88sJ6+QIOMA6kySMtQ==</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference URI="#ED-9C55238F5BB25B8A7214711332555093"/></xenc:ReferenceList></xenc:EncryptedKey></wsse:Security></soapenv:Header>
   <soapenv:Body>
      <soap:sayHello>
         <!--Optional:-->
         <arg0><xenc:EncryptedData Id="ED-9C55238F5BB25B8A7214711332555093" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"><wsse:Reference URI="#EK-9C55238F5BB25B8A7214711332555001"/></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>CKtrCSg+Q1HqzLQulEi0YmGxGNlrjlANGsgbSirlbXE=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></arg0>
      </soap:sayHello>
   </soapenv:Body>
</soapenv:Envelope>

但是,此加密soap消息的验证会引发错误错误:

enter image description here

错误信息是

line 6:Element not allowed: EncryptedData@http://www.w3.org/2001/04/xmlenc# in element arg0

我根本找不到任何参考资料。

更新1

SoapUI仍会抛出相同的异常。为简单起见,我使用keytool命令-genkeypair选项创建了单个jks文件。

keytool –genkeypair -keyalg RSA -alias servicekey –keypass password123  -storepass password123 –validity 365 –keystore serviceKeystore.jks -dname "cn=localhost"

我修改了ws客户端和服务,如下所示,

== index.jsp

<body>
<% 
String SERVICE_URL = "http://localhost:8080/SOAPEncryptWeb/HelloWorld";

try {
    QName serviceName = new QName("http://soap.aaa.com/", "HelloWorldService");

    URL wsdlURL;
    wsdlURL = new URL(SERVICE_URL + "?wsdl");
    Service service = Service.create(wsdlURL, serviceName);

    IHelloWorld port = (IHelloWorld) service.getPort(IHelloWorld.class); 

    ((BindingProvider) port).getRequestContext().put(SecurityConstants.CALLBACK_HANDLER, new KeystorePasswordCallback());
    ((BindingProvider) port).getRequestContext().put(SecurityConstants.ENCRYPT_PROPERTIES, 
            Thread.currentThread().getContextClassLoader().getResource("META-INF/client.properties"));
    ((BindingProvider) port).getRequestContext().put(SecurityConstants.ENCRYPT_USERNAME, "servicekey");

    ((BindingProvider) port).getRequestContext().put(SecurityConstants.RETURN_SECURITY_ERROR, "true");

    out.println(port.sayHello("jina"));
} catch (Exception e) {
    // TODO Auto-generated catch block
    e.printStackTrace();
}
%>
</body>

==服务器端配置

<jaxws-config xmlns="urn:jboss:jbossws-jaxws-config:4.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  
            xmlns:javaee="http://java.sun.com/xml/ns/javaee" 
            xsi:schemaLocation="urn:jboss:jbossws-jaxws-config:4.0 schema/jbossws-jaxws-config_4_0.xsd">   

   <endpoint-config>     
      <config-name>Custom WS-Security Endpoint</config-name>     
      <property>       
         <property-name>ws-security.encryption.properties</property-name>      
         <property-value>META-INF/server.properties</property-value>     
      </property>     
      <property>       
         <property-name>ws-security.encryption.username</property-name>
         <property-value>servicekey</property-value>     
      </property>
      <property>       
         <property-name>ws-security.return.security.error</property-name>
         <property-value>true</property-value>     
      </property>     
      <property>       
         <property-name>ws-security.callback-handler</property-name>       
         <property-value>
         com.aaa.soap.KeystorePasswordCallback
         </property-value>         
      </property>   
   </endpoint-config> 
</jaxws-config>

但是这个配置会抛出异常,但在wildfly 10.0中没有异常

17:25:22,588 WARNING [org.apache.cxf.phase.PhaseInterceptorChain] (default task-12) Interceptor for {http://soap.aaa.com/}HelloWorldService has thrown exception, unwinding now: org.apache.cxf.binding.soap.SoapFault: An error was discovered processing the <wsse:Security> header
    at org.apache.cxf.ws.security.wss4j.WSS4JUtils.createSoapFault(WSS4JUtils.java:216)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:329)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:184)
    at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:79)
    at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:66)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
    at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
    at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:251)
    at org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:108)
    at org.jboss.wsf.stack.cxf.transport.ServletHelper.callRequestHandler(ServletHelper.java:134)
    at org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:88)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:293)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:212)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
    at org.jboss.wsf.stack.cxf.CXFServletExt.service(CXFServletExt.java:136)
    at org.jboss.wsf.spi.deployment.WSFServlet.service(WSFServlet.java:140)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.wss4j.common.ext.WSSecurityException: An error was discovered processing the <wsse:Security> header
    at org.apache.wss4j.common.crypto.AlgorithmSuiteValidator.checkSymmetricEncryptionAlgorithm(AlgorithmSuiteValidator.java:149)
    at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.decryptDataRef(EncryptedKeyProcessor.java:550)
    at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.decryptDataRefs(EncryptedKeyProcessor.java:481)
    at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:199)
    at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:76)
    at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:344)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:280)
    ... 42 more

2 个答案:

答案 0 :(得分:1)

不要犹豫 testStep请求中的Validate选项。

此选项根据您在 SOAPUI 中用于加载项目的xsd中的请求的wsdl架构验证请求

可能您的wsdl缺少[ ws安全策略]的定义,它告诉您WS中实现的安全性要求。

对于您的情况,您的wsdl必须包含以下内容:

<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
                  xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
                  xmlns:wsp="http://www.w3.org/ns/ws-policy"
                  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                  xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802">
    ...
    <wsp:Policy>
        ...
        <sp:EncryptedParts>...</sp:EncryptedParts>
        ...
    </wsp:Policy>
</wsdl:definitions>

因此,由于缺少此请求,因此不会对您的wsdl进行验证。

无论如何,你在 SOAPUI 上加载的wsdl可能与WS实现不同(因为它不是最新的或类似的东西)。因此,只需尝试发送请求(尽管它不符合wsdl验证)并查看您的WS响应。

希望这有帮助,

答案 1 :(得分:1)

您在SoapUI的xml-tab中有已加密的消息,并尝试根据xsd对其进行验证。这将无法工作,因为xsd对“xenc:EncryptedData”一无所知!

发送请求后,加密邮件将显示在“Raw”选项卡中,因为SoapUI会在发送时执行加密。你不应该自己“申请离任”!