我们有这样的流程：客户端 → 安全代理 (ESB) 入站 → 处理 / 将消息插入数据库 …… → 安全代理 (ESB) 出站 →（确认标志响应）→ 客户端。
确认必须使用安全政策签署。此安全策略与入站消息相同。
这是我们的代理服务定义。
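<?xml version="1.0" encoding="UTF-8"?>
<!--
  secure_proxy: receives a WS-Security signed request, records it in the
  database, replaces the body with an acknowledgement and loops the message
  back so the outSequence can send it to the client. The policy referenced
  at the bottom (gov:ws-config/policy.xml) is applied through enableSec.
-->
<proxy name="secure_proxy" startOnLoad="true" transports="https http" xmlns="http://ws.apache.org/ns/synapse">
  <target>
    <inSequence>
      <!-- Drop the inbound wsse:Security header so it is not carried into the
           response. Assumes Rampart (enableSec) has already validated the
           signature by the time this mediator runs; confirm the ordering. -->
      <header action="remove" name="wsse:Security" scope="default" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"/>
      <!-- Persist the request. The SQL uses positional ? placeholders, so the
           values below are bound as JDBC parameters rather than concatenated
           into the statement text. -->
      <dbreport description="queryDataBase">
        <connection>
          <pool>
            <dsName>JNDI/NAME</dsName>
          </pool>
        </connection>
        <statement>
          <sql><![CDATA[update TABLE SET PARAM1 =?, PARAM2=? WHERE CONDITION =? AND NUM=?]]></sql>
          <!-- Parameters are bound in the order of the ? placeholders above. -->
          <parameter expression="get-property('PARAM1')" type="VARCHAR"/>
          <!-- FIX: the PARAM2 and CONDITION expressions were missing the
               closing parenthesis of get-property(...), so the XPath did not
               compile.
               NOTE(review): get-property() expects a property name; wrapping
               a node-set in it looks unintended. If these values come from the
               payload, the bare XPath (//*[local-name()='PARAM2']) is probably
               what is meant, in contrast to the property lookup for PARAM1.
               Confirm against the actual message. -->
          <parameter expression="get-property(//*[local-name()='PARAM2'])" type="VARCHAR"/>
          <parameter expression="get-property(//*[local-name()='CONDITION'])" type="NUMERIC"/>
          <parameter expression="get-property(//*[local-name()='NUM'])" type="NUMERIC"/>
        </statement>
      </dbreport>
      <!-- Replace the body with the acknowledgement.
           FIX: the return value was "200>" (stray '>'), which the client would
           receive literally. -->
      <payloadFactory media-type="xml">
        <format>
          <ns:recepcionResponse xmlns:ns="http://es.ws">
            <ns:return>200</ns:return>
          </ns:recepcionResponse>
        </format>
        <args/>
      </payloadFactory>
      <!-- NOTE(review): this adds an EMPTY wsse:Security header to the outgoing
           message. Signing of the response is the job of the security policy,
           not of this mediator, and a pre-existing empty header may collide
           with the one Rampart generates. Verify it is really needed. -->
      <header name="wsse:Security" scope="default" value="" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"/>
      <!-- No backend call: hand the current message straight to the outSequence. -->
      <loopback/>
    </inSequence>
    <outSequence>
      <!-- NOTE: level="full" writes the entire envelope (headers and body) to
           the log; prefer level="custom" in production if the acknowledgement
           or its headers may carry sensitive data. -->
      <log level="full">
        <property name="***********************OUT" value="**********ACK_S002"/>
      </log>
      <send/>
    </outSequence>
    <faultSequence>
      <!-- Errors are only logged here; no fault response is constructed. -->
      <log description="Error" level="custom">
        <property name="text" value="ERROR"/>
        <property expression="get-property('ERROR_MESSAGE')" name="ErrorMessage: "/>
        <property expression="get-property('ERROR_DETAIL')" name="ErrorDetail: "/>
        <property expression="get-property('ERROR_EXCEPTION')" name="Exception:"/>
      </log>
    </faultSequence>
  </target>
  <!-- Placeholder WSDL location; replace before deployment. -->
  <publishWSDL uri="https://URI?wsdl"/>
  <!-- Registry-hosted WS-Security policy enforced on this proxy. -->
  <policy key="gov:ws-config/policy.xml"/>
  <enableSec/>
</proxy>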
我们收到的消息使用以下 OSB 安全策略签署：
<WL5G3N0:definitions xmlns:WL5G3N0="http://schemas.xmlsoap.org/wsdl/" xmlns:WL5G3N1="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:WL5G3N2="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:WL5G3N3="http://es.xyz" xmlns:WL5G3N4="http://www.w3.org/2006/05/addressing/wsdl" xmlns:WL5G3N5="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" targetNamespace="http://es.xyz">
<WL5G3N0:documentation>Policy</WL5G3N0:documentation>
<!-- Inbound signing policy in the WebLogic/OSB WSSP dialect
     (http://www.bea.com/wls90/security/policy): describes what the client
     signs and which token it presents. Only the Policy element is shown; the
     enclosing WSDL definitions element is not closed in this fragment. -->
<WL5G3N1:Policy WL5G3N2:Id="Sign.xml">
  <wssp:Integrity xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part" xmlns:wssp="http://www.bea.com/wls90/security/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <!-- NOTE(review): RSA with SHA-1 and SHA-1 digests are deprecated. The
         receiving side has to accept them for as long as this client sends
         them, but the client should move to RSA-SHA256 / SHA-256. -->
    <wssp:SignatureAlgorithm URI="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <wssp:CanonicalizationAlgorithm URI="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <!-- Signed parts: the system headers, the wsu:Timestamp inside the
         Security header, and the SOAP Body. -->
    <wssp:Target>
      <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <wssp:MessageParts Dialect="http://www.bea.com/wls90/security/policy/wsee#part">wls:SystemHeaders()</wssp:MessageParts>
    </wssp:Target>
    <wssp:Target>
      <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <wssp:MessageParts Dialect="http://www.bea.com/wls90/security/policy/wsee#part">wls:SecurityHeader(wsu:Timestamp)</wssp:MessageParts>
    </wssp:Target>
    <wssp:Target>
      <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
    </wssp:Target>
    <wssp:SupportedTokens>
      <!-- Signing credential: an X.509 v3 certificate carried in the message
           itself (IncludeInMessage="true"), so the verifier receives the
           certificate along with the signature. -->
      <wssp:SecurityToken IncludeInMessage="true" TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
        <!-- Issuer DN, redacted in this post. -->
        <wssp:TokenIssuer>
        xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        </wssp:TokenIssuer>
      </wssp:SecurityToken>
    </wssp:SupportedTokens>
  </wssp:Integrity>
  <!-- Freshness window for received messages; Age="60" is presumably in
       seconds (WebLogic semantics), confirm. -->
  <wssp:MessageAge xmlns:wssp="http://www.bea.com/wls90/security/policy" Age="60"/>
</WL5G3N1:Policy>
这是我们的第二条策略。出站的响应消息必须使用此安全策略发送。
<!-- Response signing policy, WS-SecurityPolicy 1.1 (2005/07). Assumes the
     enclosing <wsp:Policy> root that declares xmlns:wsp sits just above this
     fragment; it is not shown. -->
<wsp:ExactlyOne>
  <wsp:All>
    <!-- Asymmetric binding: each side is identified by its own X.509 key pair. -->
    <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
      <wsp:Policy>
        <!-- Initiator certificate is sent in every message to the recipient. -->
        <sp:InitiatorToken>
          <wsp:Policy>
            <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
              <wsp:Policy>
                <sp:WssX509V3Token10/>
                <!-- sp:WssX509V3Token10/ -->
              </wsp:Policy>
            </sp:X509Token>
          </wsp:Policy>
        </sp:InitiatorToken>
        <!-- Recipient certificate is never carried in the message; it has to be
             resolvable locally (presumably from the keystore referenced in
             RampartConfig). -->
        <sp:RecipientToken>
          <wsp:Policy>
            <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
              <wsp:Policy>
                <sp:WssX509V3Token10/>
                <!-- sp:WssX509V3Token10/ -->
              </wsp:Policy>
            </sp:X509Token>
          </wsp:Policy>
        </sp:RecipientToken>
        <!-- NOTE(review): TripleDesRsa15 selects 3DES and RSA PKCS#1 v1.5 key
             transport, both deprecated (64-bit block cipher; v1.5 padding is
             oracle-prone). It matters little while the exchange is
             signature-only, but if encryption is ever enabled an AES /
             RSA-OAEP suite such as Basic256 is the safer choice. -->
        <sp:AlgorithmSuite>
          <wsp:Policy>
            <sp:TripleDesRsa15/>
          </wsp:Policy>
        </sp:AlgorithmSuite>
        <!-- Strict ordering of the Security header contents. -->
        <sp:Layout>
          <wsp:Policy>
            <sp:Strict/>
          </wsp:Policy>
        </sp:Layout>
        <!-- A wsu:Timestamp is added; ProtectTokens puts the signing token itself
             under the signature; only whole headers and the whole Body are signed. -->
        <sp:IncludeTimestamp/>
        <sp:ProtectTokens/>
        <sp:OnlySignEntireHeadersAndBody/>
      </wsp:Policy>
    </sp:AsymmetricBinding>
    <!-- WSS 1.0 key-reference forms that must be supported. -->
    <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
      <wsp:Policy>
        <sp:MustSupportRefKeyIdentifier/>
        <sp:MustSupportRefIssuerSerial/>
      </wsp:Policy>
    </sp:Wss10>
    <!-- Only the SOAP Body is required to be signed. -->
    <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
      <sp:Body/>
    </sp:SignedParts>
  </wsp:All>
</wsp:ExactlyOne>
<!-- Rampart runtime settings that realise the policy above: which keystore
     aliases, callback class and timestamp limits are used. Both crypto
     sections point at the same keystore (test.jks). -->
<rampart:RampartConfig xmlns:rampart="http://ws.apache.org/rampart/policy">
  <!-- Alias of our private key, used for signing. -->
  <rampart:user>my_private_key</rampart:user>
  <!-- Alias of the peer certificate for encryption; presumably unused while
       the policy is signature-only. -->
  <rampart:encryptionUser>your_public_key</rampart:encryptionUser>
  <rampart:timestampPrecisionInMilliseconds>true</rampart:timestampPrecisionInMilliseconds>
  <!-- Lifetime of the timestamp we emit and the clock skew we tolerate, in seconds. -->
  <rampart:timestampTTL>300</rampart:timestampTTL>
  <rampart:timestampMaxSkew>300</rampart:timestampMaxSkew>
  <!-- NOTE(review): false relaxes expiry enforcement on inbound Timestamp
       elements; confirm this is intended before production use. -->
  <rampart:timestampStrict>false</rampart:timestampStrict>
  <!-- Supplies the private-key password to Rampart at runtime. -->
  <rampart:passwordCallbackClass>es.example.wso2.PWCBHandler</rampart:passwordCallbackClass>
  <rampart:tokenStoreClass>org.wso2.carbon.security.util.SecurityTokenStore</rampart:tokenStoreClass>
  <rampart:nonceLifeTime>300</rampart:nonceLifeTime>
  <!-- Crypto provider for encryption: WSO2 ServerCrypto reading test.jks;
       tenant id -1234 is Carbon's super tenant. -->
  <rampart:encryptionCrypto>
    <rampart:crypto cryptoKey="org.wso2.carbon.security.crypto.privatestore" provider="org.wso2.carbon.security.util.ServerCrypto">
      <rampart:property name="org.wso2.carbon.security.crypto.alias">your_public_key</rampart:property>
      <rampart:property name="org.wso2.carbon.security.crypto.privatestore">test.jks</rampart:property>
      <rampart:property name="org.wso2.stratos.tenant.id">-1234</rampart:property>
      <rampart:property name="org.wso2.carbon.security.crypto.truststores">test.jks</rampart:property>
      <rampart:property name="rampart.config.user">your_public_key</rampart:property>
    </rampart:crypto>
  </rampart:encryptionCrypto>
  <!-- Crypto provider for signing: same keystore, alias my_private_key
       (must match rampart:user above). -->
  <rampart:signatureCrypto>
    <rampart:crypto cryptoKey="org.wso2.carbon.security.crypto.privatestore" provider="org.wso2.carbon.security.util.ServerCrypto">
      <rampart:property name="org.wso2.carbon.security.crypto.alias">my_private_key</rampart:property>
      <rampart:property name="org.wso2.carbon.security.crypto.privatestore">test.jks</rampart:property>
      <rampart:property name="org.wso2.stratos.tenant.id">-1234</rampart:property>
      <rampart:property name="org.wso2.carbon.security.crypto.truststores">test.jks</rampart:property>
      <rampart:property name="rampart.config.user">my_private_key</rampart:property>
    </rampart:crypto>
  </rampart:signatureCrypto>
</rampart:RampartConfig>
</wsp:Policy>
我们该如何实现这一点？欢迎任何帮助。
提前致谢。
答案 0 :(得分:0)
示例 [1] 是否有助于实现你的流程？在 [2] 中，您可以找到对传出消息进行签名和加密的策略；如果不需要加密，可以调整该策略、删除加密部分，并从代理服务定义中引用它。
[1] - https://docs.wso2.com/display/EI600/Sample+100%3A+Using+WS-Security+for+Outgoing+Messages
答案 1 :(得分:0)
这是我过去使用过的可行策略：https://pastebin.com/0s2DzPn5
<wsp:Policy wsu:Id="SigOnly"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<!-- Signature-only asymmetric policy (WS-SecurityPolicy 1.1). The root
     <wsp:Policy wsu:Id="SigOnly"> with the namespace declarations is the
     line above this fragment. -->
<wsp:ExactlyOne>
  <wsp:All>
    <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
      <wsp:Policy>
        <!-- Initiator X.509 v3 certificate is always sent to the recipient. -->
        <sp:InitiatorToken>
          <wsp:Policy>
            <sp:X509Token
              sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
              <wsp:Policy>
                <sp:WssX509V3Token10/>
              </wsp:Policy>
            </sp:X509Token>
          </wsp:Policy>
        </sp:InitiatorToken>
        <!-- Recipient certificate is never included in the message. -->
        <sp:RecipientToken>
          <wsp:Policy>
            <sp:X509Token
              sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
              <wsp:Policy>
                <sp:WssX509V3Token10/>
              </wsp:Policy>
            </sp:X509Token>
          </wsp:Policy>
        </sp:RecipientToken>
        <!-- Basic256: AES-256 with RSA-OAEP key transport (unlike the
             TripleDesRsa15 suite in the question). -->
        <sp:AlgorithmSuite>
          <wsp:Policy>
            <sp:Basic256/>
          </wsp:Policy>
        </sp:AlgorithmSuite>
        <sp:Layout>
          <wsp:Policy>
            <sp:Strict/>
          </wsp:Policy>
        </sp:Layout>
        <!-- Timestamp is included and signed; no ProtectTokens here, so the
             signing token itself is not under the signature. -->
        <sp:IncludeTimestamp/>
        <sp:OnlySignEntireHeadersAndBody/>
      </wsp:Policy>
    </sp:AsymmetricBinding>
    <!-- WSS 1.0 key-reference forms that must be supported. -->
    <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
      <wsp:Policy>
        <sp:MustSupportRefKeyIdentifier/>
        <sp:MustSupportRefIssuerSerial/>
      </wsp:Policy>
    </sp:Wss10>
    <!-- Only the SOAP Body is required to be signed. -->
    <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
      <sp:Body/>
    </sp:SignedParts>
  </wsp:All>
</wsp:ExactlyOne>
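<!-- Rampart settings for the SigOnly policy: Merlin (plain WSS4J) crypto
     backed by the default wso2carbon.jks keystore.
     FIX: the encryption section was spelled encryptionCypto; Rampart reads
     encryptionCrypto, so the misspelled element was silently ignored (which
     did not matter for a signature-only policy, but breaks once encryption
     is added). -->
<rampart:RampartConfig xmlns:rampart="http://ws.apache.org/rampart/policy">
  <!-- Alias of the signing key. -->
  <rampart:user>wso2carbon</rampart:user>
  <!-- Supplies the private-key password to Rampart at runtime. -->
  <rampart:passwordCallbackClass>com.apogado.wso2egov.passwordcallback.SimplePasswordCallback</rampart:passwordCallbackClass>
  <!-- NOTE(review): the keystore password is stored in clear text inside the
       policy (which lives in the registry); the values here are the product
       defaults. Use a secure-vault alias and a non-default keystore in any
       real deployment. -->
  <rampart:signatureCrypto>
    <rampart:crypto provider="org.apache.ws.security.components.crypto.Merlin" cryptoKey="org.apache.ws.security.crypto.merlin.file" cacheRefreshInterval="300000">
      <rampart:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</rampart:property>
      <rampart:property name="org.apache.ws.security.crypto.merlin.file">repository/resources/security/wso2carbon.jks</rampart:property>
      <rampart:property name="org.apache.ws.security.crypto.merlin.keystore.password">wso2carbon</rampart:property>
    </rampart:crypto>
  </rampart:signatureCrypto>
  <!-- NOTE(review): same keystore file as above but a different password; one
       of the two cannot be right. Unused while the policy only signs. -->
  <rampart:encryptionCrypto>
    <rampart:crypto provider="org.apache.ws.security.components.crypto.Merlin" cryptoKey="org.apache.ws.security.crypto.merlin.file" cacheRefreshInterval="300000">
      <rampart:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</rampart:property>
      <rampart:property name="org.apache.ws.security.crypto.merlin.file">repository/resources/security/wso2carbon.jks</rampart:property>
      <rampart:property name="org.apache.ws.security.crypto.merlin.keystore.password">dkkdkvdt123</rampart:property>
    </rampart:crypto>
  </rampart:encryptionCrypto>
</rampart:RampartConfig>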
</wsp:Policy>
请注意，这会在响应中以主题标识符作为令牌，而不是包含整个证书（二进制安全令牌）；一旦它能正常工作，您就可以再调整相关选项。
这是我使用的另一项政策:https://pastebin.com/9iYL5TCj