我正在使用与WebSphere 8.5.5.8集成的Apache CXF 3.0.11,并且我已经实现了一个WebSphere安装的应用程序,该应用程序提供了自上而下/ WSDL优先开发的Web服务。此Web Service使用通过WSDL中的策略配置的WS-Security。
Web Service,WebServiceA,在名为AppAlpha的应用程序上运行。客户端是一个独立的Java应用程序,称为AppBravo。
政策是:
在检查日志时,我可以看到......
有谁知道为什么Web服务提供商会成功验证请求邮件正文,而不知道邮件安全标头中的时间戳?
WebServiceA的WSDL:
<?xml version='1.0' encoding='UTF-8'?>
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tns="http://www.example.com/contract/WebServiceA" xmlns:common="http://common.webservicea.webservice.com" xmlns:x1="http://webservicea.webservice.com" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702" name="WebServiceA" targetNamespace="http://www.example.com/contract/WebServiceA">
<types>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="http://common.webservicea.webservice.com" elementFormDefault="qualified" version="1.0">
<xs:include schemaLocation="WebServiceACommonTypes.xsd"/>
</xs:schema>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="http://webservicea.webservice.com" elementFormDefault="qualified" version="1.0">
<xs:element name="sendDataA">
<xs:complexType>
<xs:sequence>
<xs:element name="theDataA" type="xs:string" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="sendDataAResponse">
<xs:complexType>
<xs:sequence>
<xs:element name="theResponseA" type="xs:string" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
</types>
<message name="msgSendDataARequest">
<part name="inA" element="x1:sendDataA"/>
</message>
<message name="msgSendDataAResponse">
<part name="outA" element="x1:sendDataAResponse"/>
</message>
<message name="WebServiceAEndpointException">
<part name="fault" element="common:WebServiceAEndpointFault"/>
</message>
<portType name="WebServiceAEndpoint">
<operation name="sendDataA">
<input name="msgSendDataARequest" message="tns:msgSendDataARequest"/>
<output name="msgSendDataAResponse" message="tns:msgSendDataAResponse"/>
<fault name="WebServiceAEndpointException" message="tns:WebServiceAEndpointException"/>
</operation>
</portType>
<binding name="WebServiceAPortBinding" type="tns:WebServiceAEndpoint">
<wsp:PolicyReference URI="#WebServiceABCommonPortBindingPolicy"/>
<soap:binding transport="http://schemas.xmlsoap.org/soap/http" style="document"/>
<operation name="sendDataA">
<soap:operation soapAction="" style="document"/>
<input name="msgSendDataARequest">
<soap:body use="literal"/>
<wsp:PolicyReference URI="#WebServiceABCommonPartsPolicy"/>
</input>
<output name="msgSendDataAResponse">
<soap:body use="literal"/>
<wsp:PolicyReference URI="#WebServiceABCommonPartsPolicy"/>
</output>
<fault name="WebServiceAEndpointException">
<soap:fault name="WebServiceAEndpointException" use="literal"/>
<wsp:PolicyReference URI="#WebServiceABCommonPartsPolicy"/>
</fault>
</operation>
</binding>
<service name="WebServiceA">
<port name="WebServiceAPort" binding="tns:WebServiceAPortBinding">
<soap:address location="http://my.testenvironment.com:9083/AppAlpha/services/WebServiceA"/>
</port>
</service>
<wsp:Policy wsu:Id="WebServiceABCommonPortBindingPolicy">
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding>
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssX509V3Token11/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
<wsp:Policy>
<sp:WssX509V3Token11/>
<sp:RequireIssuerSerialReference/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
<sp:OnlySignEntireHeadersAndBody/>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic128/>
</wsp:Policy>
</sp:AlgorithmSuite>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss11>
<wsp:Policy>
<sp:MustSupportRefIssuerSerial/>
</wsp:Policy>
</sp:Wss11>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy wsu:Id="WebServiceABCommonPartsPolicy">
<wsp:ExactlyOne>
<wsp:All>
<sp:SignedParts>
<sp:Body/>
</sp:SignedParts>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
</definitions>
WebServiceA客户端AppBravo的控制台输出:
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/C:/Program%20Files%20(x86)/IBM/WebSphere/AppServer_1/plugins/com.ibm.ws.prereq.jaxrs.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/C:/Users/me/IBM/rationalsdp/workspace_WSDL_20161108/AppBravo/WebContent/WEB-INF/lib/slf4j-jdk14-1.7.14.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
Dec 16, 2016 4:12:59 PM org.springframework.context.support.AbstractApplicationContext prepareRefresh
INFO: Refreshing org.apache.cxf.bus.spring.BusApplicationContext@db64d237: startup date [Fri Dec 16 16:12:59 EST 2016]; root of context hierarchy
Dec 16, 2016 4:12:59 PM org.apache.cxf.bus.spring.BusApplicationContext getConfigResources
INFO: Loaded configuration file cxf.xml.
Dec 16, 2016 4:12:59 PM org.springframework.beans.factory.xml.XmlBeanDefinitionReader loadBeanDefinitions
INFO: Loading XML bean definitions from class path resource [cxf.xml]
Dec 16, 2016 4:12:59 PM org.springframework.beans.factory.support.DefaultListableBeanFactory preInstantiateSingletons
INFO: Pre-instantiating singletons in org.springframework.beans.factory.support.DefaultListableBeanFactory@be48d7d7: defining beans [cxf,org.apache.cxf.bus.spring.BusWiringBeanFactoryPostProcessor,org.apache.cxf.bus.spring.Jsr250BeanPostProcessor,org.apache.cxf.bus.spring.BusExtensionPostProcessor,{http://www.example.com/contract/WebServiceA}WebServiceAPort.jaxws-client.proxyFactory,{http://www.example.com/contract/WebServiceA}WebServiceAPort.jaxws-client]; root of factory hierarchy
Dec 16, 2016 4:13:00 PM org.apache.cxf.wsdl.service.factory.ReflectionServiceFactoryBean buildServiceFromWSDL
INFO: Creating Service {http://www.example.com/contract/WebServiceA}WebServiceA from WSDL: file:/C:/Users/me/IBM/rationalsdp/workspace_WSDL_20161108/TempCXFCodeGenProject/wsdl/WebServiceA.wsdl
Dec 16, 2016 4:13:00 PM org.apache.cxf.services.WebServiceA.WebServiceAPort.WebServiceAEndpoint null
INFO: Outbound Message
---------------------------
ID: 1
Address: http://my.testenvironment.com:9083/AppAlpha/services/WebServiceA
Encoding: UTF-8
Http-Method: POST
Content-Type: text/xml
Headers: {Accept=[*/*], SOAPAction=[""]}
Payload: <soapenv:Envelope xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soapenv:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soapenv:mustUnderstand="1"><wsu:Timestamp wsu:Id="TS-4b24dbaf-201c-41c1-8dc7-53f234b3a849"><wsu:Created>2016-12-16T21:13:00.846Z</wsu:Created><wsu:Expires>2016-12-16T21:18:00.846Z</wsu:Expires></wsu:Timestamp><wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-fd064e65-9b93-48cd-a56f-041e4d27bb8b">MIICojCCAYqgAwIBAgIEWErPtDANBgkqhkiG9w0BAQUFADATMREwDwYDVQQDEwhBcHBCcmF2bzAeFw0xNjEyMDkxNTM3MjRaFw0xODEyMDkxNTM3MjRaMBMxETAPBgNVBAMTCEFwcEJyYXZvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAk/iiNtGkSXcP9X2JKD+aCA1WKmzlrr+oOHJb7de+hABnWRGPfy0pBw6nks3ugQIwpC8qkobKo7+he2XePqDxBAvAH8s4w31For9MaKdJo5ZwbCPuZ+8YqYtnJgQEmncazofnqXLWRyWPCZ7vpH3eONvz+TlNPiJri1DLMedDBgupdzg8gyckxerHheqf5xs/wvWOncCWqm/A8bUUN4bias3i7S3UxOfb+QrB1T+cycQTzSXVlauqrVERaC0Fqd0i4pxS6t3z1VIcw697uphbooWEhH1yjyHTUosG1nrWup1sv3sseFxdefaFJlGbjVfuD3QHnrQ6cBgAQS5EUR/ZYQIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQBzLAFlrcw+qhc5cZe/QkebdfXfPxaAMM/Ve9PWo3H4RS0sHYIqqom9VCQ1JKayHoTgO3XesC2qapPRo1jPsWmfmm2n4RiRPIXW8kjm4tMTGheIxOUVMg2B7H8SennKBRM1LlU4Ewe160Nhfdzs0Y/E3zTlDAINd3g8TdNJT2eUNszYaOTpkGqlKbN5mZE3O2fvlG+H0XqJ6zjHp5+MM8QVg6ESEK6zGEZUdrzxRSXRDmuWZQ+Jx3+7qL5Uh1Ylipn7qMPlC8/ePV+fRuiz4NEcE5PaKZCkFYOQiddHA+LYfIVmGxjAAY2BN2wQdgErTFoFR1kOmUH4AI/pgZa/yGx4</wsse:BinarySecurityToken><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-3914e870-57e7-4fe1-8b75-52bed65c05f6"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soapenc soapenv xsd xsi"></ec:InclusiveNamespaces></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#TS-4b24dbaf-201c-41c1-8dc7-53f234b3a849"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>uLm/Y2FEfFcXfp8W6kfQO86bJ9Y=</ds:DigestValue></ds:Reference><ds:Reference URI="#_03eba575-563f-438d-9701-b5a50b8dabe0"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soapenc xsd xsi"></ec:InclusiveNamespaces></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>kQjZ5433MyDvXEcmze8the0EMd8=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>akjjBgGVeeNKAzwmofjOXQo59p3wiHxBfFQPXUdZ2Zo/WbZdnKGzpW1Vg9L+JCpofUAPn0g97OPnE0EII8aMSgOuFEU9VdtjU0Dwn1GPLUSVCWub74qe1r7ojr841VXP5YtSb2+WKBiFLgG74yqnnpneKBA8j+KAnYxo+NvYdhtgrCwoNTZBFie1GqEBsyUpCqsJIVZfydTNRGyApSNbTOv0PnwV5ZGFIoVy+7ZPHBsi6kvqkErCZvZ3uztd4jpPPyE0GousCgvEilkMQSm/BaVzXZDyyTtWHesGMR9l6172B4nJ4KTUwhfLy8rU6hjFLletum+Ys9egdD3LWbWguw==</ds:SignatureValue><ds:KeyInfo Id="KI-8d80ebc9-a6de-4498-b8e3-326eb506fee3"><wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STR-2219d15b-208c-42b0-9721-ab3efbd641b7"><wsse:Reference URI="#X509-fd064e65-9b93-48cd-a56f-041e4d27bb8b" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"></wsse:Reference></wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature></wsse:Security></soapenv:Header><soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="_03eba575-563f-438d-9701-b5a50b8dabe0"><sendDataA xmlns="http://webservicea.webservice.com" xmlns:ns2="http://common.webservicea.webservice.com"><theDataA>Test invocation of Web Service A</theDataA></sendDataA></soapenv:Body></soapenv:Envelope>
--------------------------------------
Dec 16, 2016 4:13:02 PM org.apache.cxf.services.WebServiceA.WebServiceAPort.WebServiceAEndpoint null
INFO: Inbound Message
----------------------------
ID: 1
Response-Code: 500
Encoding: UTF-8
Content-Type: text/xml; charset=UTF-8
Headers: {connection=[Close], Content-Language=[en-US], content-type=[text/xml; charset=UTF-8], Date=[Fri, 16 Dec 2016 21:13:02 GMT], transfer-encoding=[chunked], X-Powered-By=[Servlet/3.0]}
Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode xmlns:ns1="http://ws.apache.org/wss4j">ns1:SecurityError</faultcode><faultstring>A security error was encountered when verifying the message</faultstring></soap:Fault></soap:Body></soap:Envelope>
--------------------------------------
Dec 16, 2016 4:13:02 PM org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor handleMessageInternal
WARNING: The request is a SOAP Fault, but it is not secured
Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: A security error was encountered when verifying the message
at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:160)
at com.sun.proxy.$Proxy36.sendDataA(Unknown Source)
at com.ws.impl.WebServiceAClientStandalone.sendDataA(WebServiceAClientStandalone.java:35)
at com.ws.impl.WebServiceAClientStandalone.main(WebServiceAClientStandalone.java:29)
Caused by: org.apache.cxf.binding.soap.SoapFault: A security error was encountered when verifying the message
at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.unmarshalFault(Soap11FaultInInterceptor.java:86)
at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:52)
at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:41)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:113)
以下是AppAlpha日志文件的摘录:
org.apache.jcp.xml.dsig.internal.dom.DOMSignatureMethod verify JCA Algorithm: SHA1withRSA
org.apache.jcp.xml.dsig.internal.dom.DOMSignatureMethod verify Signature Bytes length: 256
...
org.apache.jcp.xml.dsig.internal.DigesterOutputStream write <wsu:Timestamp...
org.apache.jcp.xml.dsig.internal.dom.DOMReference validate Expected digest: uLm/Y2FEfFcXfp8W6kfQO86bJ9Y=
org.apache.jcp.xml.dsig.internal.dom.DOMReference validate Actual digest: ONplUDjf+u6NMCXv7QuuR38YBrQ=
org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature validate Reference[#TS-4b24dbaf-201c-41c1-8dc7-53f234b3a849] is valid: false
...
DigesterOutpu 1 org.apache.jcp.xml.dsig.internal.DigesterOutputStream write Pre-digested input:
DigesterOutpu 1 org.apache.jcp.xml.dsig.internal.DigesterOutputStream write <soapenv:Body...
DOMReference 1 org.apache.jcp.xml.dsig.internal.dom.DOMReference validate Expected digest: kQjZ5433MyDvXEcmze8the0EMd8=
DOMReference 1 org.apache.jcp.xml.dsig.internal.dom.DOMReference validate Actual digest: kQjZ5433MyDvXEcmze8the0EMd8=
SignatureProc 1 org.apache.wss4j.dom.processor.SignatureProcessor verifyXMLSignature Reference #_03eba575-563f-438d-9701-b5a50b8dabe0 check: true