CXF: Inbound policy verification failed: These policy alternatives can not be satisfied:

Time: 2017-05-18 19:44:31

Tags: soap wsdl cxf wildfly

Wildfly10 CXF 3.1.6 SOAP Webservices

The WSDL configuration for the security policy is:

<wsp:Policy wsu:Id="UsernameTransportPolicy">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:SupportingTokens
                xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
                <wsp:Policy>
                    <sp:UsernameToken
                        sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                        <wsp:Policy>
                            <sp:TextPassword />
                        </wsp:Policy>
                    </sp:UsernameToken>
                </wsp:Policy>
            </sp:SupportingTokens>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>

The handler configuration is:

<jaxws-config xmlns="urn:jboss:jbossws-jaxws-config:4.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:javaee="http://java.sun.com/xml/ns/javaee"
    xsi:schemaLocation="urn:jboss:jbossws-jaxws-config:4.0 schema/jbossws-jaxws-config_4_0.xsd">
    <endpoint-config>
        <config-name>Custom-JAXWS-WS-SecurityEndpoint</config-name>
        <property>
            <property-name>ws-security.validate.token</property-name>
            <property-value>true</property-value>
        </property>
        <property>
            <property-name>ws-security.callback-handler</property-name>
            <property-value>com.xxx.xxxx.security.ServerPasswordHandler
            </property-value>
        </property>
   </endpoint-config>
</jaxws-config>

The handler code:

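import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.wss4j.common.ext.WSPasswordCallback;

public class ServerPasswordHandler implements CallbackHandler 
{
    private static final Logger logger = Logger.getInstance(ServerPasswordHandler.class);

    public void handle(Callback[] callbacks) throws IOException, 
            UnsupportedCallbackException 
    {
        logger.debug("begin handle");
        WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];

        // Expected credentials, hard-coded here; a deployment would load them from a credential store.
        String userId = "wsuser";
        String password = "wspassword";

        logger.debug("userId is["+userId+"]");

        // Hand WSS4J the stored password; WSS4J compares it with the one in the request.
        if (userId.equals(pc.getIdentifier())) 
        {
            pc.setPassword(password);
            logger.info("User ["+userId+"] is familiar.");
        }
        else
            // Log the identifier that was presented, not the expected one.
            logger.error("Unknown user ["+pc.getIdentifier()+"]");

        logger.debug("end handle");
   }
}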

Sending the XML request as:

<soapenv:Envelope 
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" 
xmlns:ser="http://service.dms.ctl.com/" 
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
    <wsse:Security soap:mustUnderstand='true' 
                xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' 
            xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'>
    <wsse:UsernameToken wsu:Id='UsernameToken-3DAJDJSKJDHFJASDKJFKJ234JL2K3H2K3J42'>
            <wsse:Username>wsuser</wsse:Username>
            <wsse:Password Type='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText'>wspassword</wsse:Password>
    </wsse:UsernameToken>
    </wsse:Security>
</soapenv:Header>
   <soapenv:Body>
   .....
   </soapenv:Body>
</soapenv:Envelope>

I am getting the following error:

    15:22:54,541 DEBUG [c.c.i.s.MessageInterceptor] handleMessage
    15:22:56,684 DEBUG [c.c.i.s.ServerPasswordHandler] begin handle
    15:22:56,685 DEBUG [c.c.i.s.ServerPasswordHandler] userId is[wsuser]
    15:22:56,685 INFO  [c.c.i.s.ServerPasswordHandler] User [wsuser] is familiar.
    15:22:56,685 DEBUG [c.c.i.s.ServerPasswordHandler] end handle
    15:23:18,609 SEVERE [o.a.c.w.p.PolicyVerificationInInterceptor] Inbound policy verification failed: These policy alternatives can not be satisfied: 
    {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}TextPassword
    15:23:18,609 WARNING [o.a.c.p.PhaseInterceptorChain] Interceptor for {http://service.xxx.xxx.com/}Adapter#{http://service.dms.ctl.com/}findAvailableCustomers has thrown exception, unwinding now: org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not be satisfied: 
    {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}TextPassword
        at org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:179)
        at org.apache.cxf.ws.policy.PolicyVerificationInInterceptor.handle(PolicyVerificationInInterceptor.java:102)
        at org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:44)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
        at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:254)
        at org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:108)
        at org.jboss.wsf.stack.cxf.transport.ServletHelper.callRequestHandler(ServletHelper.java:134)
        at org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:88)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:299)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:218)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
        at org.jboss.wsf.stack.cxf.CXFServletExt.service(CXFServletExt.java:136)
        at org.jboss.wsf.spi.deployment.WSFServlet.service(WSFServlet.java:140)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
        at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
        at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
        at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
        at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
        at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)

Looking at the source code, I see that the following throws the exception:

    try {
        //Exception here
        List<List<Assertion>> usedAlternatives = aim.checkEffectivePolicy(effectivePolicy.getPolicy());
        if (usedAlternatives != null && !usedAlternatives.isEmpty() && message.getExchange() != null) {
            message.getExchange().put("ws-policy.validated.alternatives", usedAlternatives);
        }
    } catch (PolicyException ex) {
        LOG.log(Level.SEVERE, "Inbound policy verification failed: " + ex.getMessage());
        //To check if there is ws addressing policy violation and throw WSA specific 
        //exception to pass jaxws2.2 tests
        if (ex.getMessage().indexOf("Addressing") > -1) {
            throw new Fault("A required header representing a Message Addressing Property " 
                                + "is not present", LOG)
                .setFaultCode(new QName("http://www.w3.org/2005/08/addressing", 
                                          "MessageAddressingHeaderRequired"));
        }
        throw ex;

Edit: fixed minor debugging information

2 answers:

Answer 0 (score: 2)

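I was able to solve this using information from various sites. First, as stated in oasis-open, I removed the following element, because the password is required.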

 <wsp:Policy>
    <sp:TextPassword />
 </wsp:Policy>

But because of the bug in the mentioned cxf issue, UsernameToken requires a policy element, so the workaround is to keep an empty policy under the UsernameToken

                <wsp:Policy>
                    <sp:UsernameToken
                        sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                        <wsp:Policy>
                        </wsp:Policy>
                    </sp:UsernameToken>
                </wsp:Policy>

That fixed it.

Answer 1 (score: 1)

"sp:TextPassword" is not a valid policy.
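
A check that catches the problem both answers describe before deployment, as an added example that is not part of either answer or of CXF: it parses a policy document and flags any assertion nested under `sp:UsernameToken` that is not among those WS-SecurityPolicy 1.2/1.3 define for that position, and also flags a token with no nested policy element (the CXF behaviour answer 0 works around). The function names, the rule labels and the `wsp` namespace URI in the constructed samples are assumptions.

```python
import xml.etree.ElementTree as ET

SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"    # namespace used on the page
SP13 = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802"  # WS-SecurityPolicy 1.3 additions

# Assertions the specification defines for the policy nested in sp:UsernameToken.
ALLOWED = {f"{{{SP}}}{name}" for name in (
    "NoPassword", "HashPassword", "RequireDerivedKeys",
    "RequireExplicitDerivedKeys", "RequireImplicitDerivedKeys",
    "WssUsernameToken10", "WssUsernameToken11")}
ALLOWED |= {f"{{{SP13}}}Created", f"{{{SP13}}}Nonce"}

def is_operator(el):
    """True for wsp:Policy / wsp:ExactlyOne / wsp:All, whichever WS-Policy namespace is used."""
    ns, _, name = el.tag[1:].partition("}")
    return name in ("Policy", "ExactlyOne", "All") and ns not in (SP, SP13)

def assertions(policy):
    """Yield the assertions under a policy element, descending through operators."""
    for child in policy:
        if is_operator(child):
            yield from assertions(child)
        else:
            yield child

def lint_username_tokens(xml_text):
    """Return (rule, tag) findings for every sp:UsernameToken in the document."""
    findings = []
    for token in ET.fromstring(xml_text).iter(f"{{{SP}}}UsernameToken"):
        nested = [c for c in token if is_operator(c)]
        if not nested:
            findings.append(("missing-nested-policy", None))
        for policy in nested:
            findings += [("unknown-assertion", a.tag)
                         for a in assertions(policy) if a.tag not in ALLOWED]
    return findings

# Constructed samples; the wsp namespace URI is an assumption (the page does not show it).
TEMPLATE = ('<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:sp="' + SP + '">'
            '<sp:SupportingTokens><wsp:Policy>'
            '<sp:UsernameToken>{inner}</sp:UsernameToken>'
            '</wsp:Policy></sp:SupportingTokens></wsp:Policy>')
AS_POSTED = TEMPLATE.format(inner="<wsp:Policy><sp:TextPassword/></wsp:Policy>")
WORKAROUND = TEMPLATE.format(inner="<wsp:Policy></wsp:Policy>")
NO_POLICY = TEMPLATE.format(inner="")

if __name__ == "__main__":
    for label, doc in (("as posted", AS_POSTED), ("workaround", WORKAROUND), ("no policy", NO_POLICY)):
        print(label, lint_username_tokens(doc))
```
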