WS-Policy with Apache CXF 3.0

Time: 2016-12-08 21:03:34

Tags: soap wsdl cxf

Trying to implement WS-Policy in the WSDL.

Here is my configuration:

WS-Policy in the WSDL:

    <wsp:Policy wsu:Id="Signature">
        <wsp:ExactlyOne>
            <wsp:All>
                <sp:AsymmetricBinding>
                    <wsp:Policy>
                        <sp:InitiatorToken>
                            <wsp:Policy>
                                <sp:X509Token sp:IncludeToken=
                                                      "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                                    <wsp:Policy>
                                        <sp:WssX509V3Token10 />
                                    </wsp:Policy>
                                </sp:X509Token>
                            </wsp:Policy>
                        </sp:InitiatorToken>
                        <sp:RecipientToken>
                            <wsp:Policy>
                                <sp:X509Token sp:IncludeToken=
                                                      "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                                    <wsp:Policy>
                                        <sp:WssX509V3Token10 />
                                    </wsp:Policy>
                                </sp:X509Token>
                            </wsp:Policy>
                        </sp:RecipientToken>
                        <sp:AlgorithmSuite>
                            <wsp:Policy>
                                <sp:TripleDesRsa15/>
                            </wsp:Policy>
                        </sp:AlgorithmSuite>
                        <sp:Layout>
                            <wsp:Policy>
                                <sp:LaxTsFirst />
                            </wsp:Policy>
                        </sp:Layout>
                        <sp:IncludeTimestamp />
                        <sp:OnlySignEntireHeadersAndBody />
                    </wsp:Policy>
                </sp:AsymmetricBinding>
                <sp:SignedParts>
                    <sp:Body />
                </sp:SignedParts>
            </wsp:All>
        </wsp:ExactlyOne>
    </wsp:Policy>

CXF configuration:

    import java.util.HashMap;
    import java.util.Properties;
    import javax.security.auth.callback.CallbackHandler;
    import org.apache.cxf.jaxws.EndpointImpl;
    // WSS4J 2.x package, as shipped with CXF 3.0
    import org.apache.wss4j.common.ext.WSPasswordCallback;

    // bus, service, customSignatureValidator, keystorePassword, keystorePath,
    // privateKeyName and privateKeyPassword are defined elsewhere in the application.
    EndpointImpl endpoint = new EndpointImpl(bus, service);
    endpoint.setWsdlLocation("classpath:/wsdl/ws.wsdl");
    endpoint.setProperties(new HashMap<String, Object>() {
        {
            // custom validator for the incoming signature
            put("ws-security.signature.validator", customSignatureValidator);
            // Merlin crypto provider backed by a JKS keystore
            put("ws-security.signature.properties", new Properties() {{
                put("org.apache.ws.security.crypto.provider", "org.apache.ws.security.components.crypto.Merlin");
                put("org.apache.ws.security.crypto.merlin.keystore.type", "jks");
                put("org.apache.ws.security.crypto.merlin.keystore.password", keystorePassword);
                put("org.apache.ws.security.crypto.merlin.file", keystorePath);
            }});
            // alias of the private key used for signing
            put("ws-security.signature.username", privateKeyName);
            // supplies the private key password when WSS4J asks for it
            put("ws-security.callback-handler", (CallbackHandler) callbacks -> {
                WSPasswordCallback passwordCallback = (WSPasswordCallback) callbacks[0];
                passwordCallback.setPassword(privateKeyPassword);
            });
        }
    });
    endpoint.publish("/ws");

Problem:

When I send a SOAP request with a Timestamp, signature, KeyInfo, etc., I get this SOAP fault:

    These policy alternatives can not be satisfied: 
    {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding: Received Timestamp does not match the requirements
    {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}InitiatorToken
    {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}RecipientToken
    {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IncludeTimestamp
    {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}OnlySignEntireHeadersAndBody

The error appears even when I do not send a Timestamp. According to the (CXF) logs, the signature is correct.

1 answer:

Answer 0 (score: 0)

After some debugging and experimenting I found the problem: the SOAP request did not conform to the WS-Policy: the Timestamp and the Body must be signed with the same signature. If only the Body is signed, you get the listed error (which is somewhat inaccurate).
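As an added illustration of the condition described in this answer (not code from the question, the answer, or CXF itself): a small structural check that inspects a SOAP envelope and reports whether one ds:Signature in the wsse:Security header references both the wsu:Timestamp and the soap:Body by wsu:Id. The sample envelopes are constructed here with placeholder digest and signature values; the check looks only at signature coverage and does not verify digests or the signature value (WSS4J does that).

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]


def signed_ids(signature):
    """wsu:Ids referenced by one ds:Signature (URI="#id" -> "id")."""
    refs = signature.findall("ds:SignedInfo/ds:Reference", NS)
    return {r.get("URI", "").lstrip("#") for r in refs}


def check_timestamp_and_body_signed(envelope_xml):
    """Return (ok, reason). ok is True only when a single ds:Signature covers
    both wsu:Timestamp and soap:Body, which is what an AsymmetricBinding with
    IncludeTimestamp plus SignedParts/Body requires of an incoming message."""
    root = ET.fromstring(envelope_xml)
    body = root.find("soap:Body", NS)
    ts = root.find("soap:Header/wsse:Security/wsu:Timestamp", NS)
    if body is None or ts is None:
        return False, "envelope lacks a soap:Body or a wsu:Timestamp"
    body_id, ts_id = body.get(WSU_ID), ts.get(WSU_ID)
    for sig in root.findall("soap:Header/wsse:Security/ds:Signature", NS):
        ids = signed_ids(sig)
        if body_id in ids and ts_id in ids:
            return True, "Timestamp and Body are covered by the same signature"
    return False, "no single signature covers both Timestamp and Body"


def sample_envelope(reference_ids):
    """Constructed minimal envelope; reference_ids lists the wsu:Ids the
    placeholder signature claims to cover (no real digests or signature)."""
    refs = "".join('<ds:Reference URI="#%s"><ds:DigestValue>x</ds:DigestValue>'
                   '</ds:Reference>' % i for i in reference_ids)
    return ('<soap:Envelope xmlns:soap="%s" xmlns:wsse="%s" xmlns:wsu="%s" xmlns:ds="%s">'
            '<soap:Header><wsse:Security>'
            '<wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2016-12-08T21:03:34Z</wsu:Created>'
            '</wsu:Timestamp><ds:Signature><ds:SignedInfo>%s</ds:SignedInfo>'
            '<ds:SignatureValue>x</ds:SignatureValue></ds:Signature>'
            '</wsse:Security></soap:Header>'
            '<soap:Body wsu:Id="Body-1"><ping/></soap:Body></soap:Envelope>'
            % (NS["soap"], NS["wsse"], NS["wsu"], NS["ds"], refs))
```

Running the check on an envelope whose signature references only Body-1 reproduces the situation from the question; referencing both TS-1 and Body-1 is the shape the policy accepts.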