尝试在WS-Policy
内实施WSDL
。
有我的配置:
WS-Policy
内的 WSDL
:
<wsp:Policy wsu:Id="Signature">
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding>
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken=
"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken=
"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
<wsp:Policy>
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:TripleDesRsa15/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:LaxTsFirst />
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp />
<sp:OnlySignEntireHeadersAndBody />
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:SignedParts>
<sp:Body />
</sp:SignedParts>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
CXF
配置:
EndpointImpl endpoint = new EndpointImpl(bus, service);
endpoint.setWsdlLocation("classpath:/wsdl/ws.wsdl");
endpoint.setProperties(new HashMap<String, Object>() {
{
put("ws-security.signature.validator", customSignatureValidator);
put("ws-security.signature.properties", new Properties() {{
put("org.apache.ws.security.crypto.provider", "org.apache.ws.security.components.crypto.Merlin");
put("org.apache.ws.security.crypto.merlin.keystore.type", "jks");
put("org.apache.ws.security.crypto.merlin.keystore.password", keystorePassword);
put("org.apache.ws.security.crypto.merlin.file", keystorePath);
}});
put("ws-security.signature.username", privateKeyName);
put("ws-security.callback-handler", (CallbackHandler) callbacks -> {
WSPasswordCallback passwordCallback = (WSPasswordCallback) callbacks[0];
passwordCallback.setPassword(privateKeyPassword);
});
}
});
endpoint.publish("/ws");
问题:
发送带有时间戳的SOAP
请求,签名密钥信息等。我收到SOAP
错误消息:
These policy alternatives can not be satisfied: {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding: Received Timestamp does not match the requirements {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}InitiatorToken {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}RecipientToken {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IncludeTimestamp {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}OnlySignEntireHeadersAndBody
即使我没有发送时间戳,也会出现错误。根据日志(CXF
),我看到签名是正确的。
答案 0 :(得分:0)
经过一些调试和实验后发现了问题:根据WS-Policy
提供的SOAP请求不正确:Timestamp
和Body
必须使用相同的签名进行签名。如果仅签名Body
- 将面临列出的错误(这有点不准确)。