迁移到CXF 3.2.7->如何解决SOAP RQ处理期间与密码相关的安全错误？

Question

上下文：我正在尝试将Web服务从CXF 2.2.2迁移到CXF 3.2.7

问题： 每当我尝试通过诸如SOAP UI之类的软件针对我的Web服务触发以下基于HTTP-POST SOAP的请求时，都进行迁移后迁移：

<SOAP-ENV:Header>
      <wsse:Security SOAP-ENV:mustUnderstand="1">
        <wsse:UsernameToken wsu:Id="">
        <wsse:Username>sampleUser</wsse:Username>
        <wsse:Password>12345</wsse:Password>
        <wsse:PartnerID>samplePartner</wsse:PartnerID>
</wsse:UsernameToken>
</wsse:Security>
    <wsa:To>http://localhost:8080/sampleWs</wsa:To>
    <wsa:Action>http://localhost:8080/sampleWs/sampleAction</wsa:Action>
      <wsa:From>
      <wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
</wsa:From>
</SOAP-ENV:Header>

我从CXF安全模块收到以下安全异常：

18:11:29,250 WARNING [org.apache.cxf.phase.PhaseInterceptorChain] (http-127.0.0.1:8080-1) Interceptor for {http://ws.sampleWs.varun/}SampleWebService has thrown exception, unwinding now: org.apache.cxf.binding.soap.SoapFault: A security error was encountered when verifying the message
        at org.apache.cxf.ws.security.wss4j.WSS4JUtils.createSoapFault(WSS4JUtils.java:234) [cxf-rt-ws-security-3.2.7.jar:3.2.7]
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:341) [cxf-rt-ws-security-3.2.7.jar:3.2.7]
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:176) [cxf-rt-ws-security-3.2.7.jar:3.2.7]
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:87) [cxf-rt-ws-security-3.2.7.jar:3.2.7]
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) [cxf-core-3.2.7.jar:3.2.7]
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) [cxf-core-3.2.7.jar:3.2.7]
        .
        .
        .
Caused by: org.apache.wss4j.common.ext.WSSecurityException: BSP:R4201: Any PASSWORD MUST specify a Type attribute
        at org.apache.wss4j.common.bsp.BSPEnforcer.handleBSPRule(BSPEnforcer.java:57) [wss4j-ws-security-common-2.2.2.jar:2.2.2]
        at org.apache.wss4j.dom.message.token.UsernameToken.checkBSPCompliance(UsernameToken.java:834) [wss4j-ws-security-dom-2.2.2.jar:2.2.2]
        at org.apache.wss4j.dom.message.token.UsernameToken.<init>(UsernameToken.java:143) [wss4j-ws-security-dom-2.2.2.jar:2.2.2]
        at org.apache.wss4j.dom.processor.UsernameTokenProcessor.handleUsernameToken(UsernameTokenProcessor.java:137) [wss4j-ws-security-dom-2.2.2.jar:2.2.2]
        at org.apache.wss4j.dom.processor.UsernameTokenProcessor.handleToken(UsernameTokenProcessor.java:62) [wss4j-ws-security-dom-2.2.2.jar:2.2.2]
        at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:340) [wss4j-ws-security-dom-2.2.2.jar:2.2.2]
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:285) [cxf-rt-ws-security-3.2.7.jar:3.2.7]
        ... 28 more

根本原因似乎是wsse:password标记中缺少属性。

我检查了安全性WS规范： http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd

在最新的CXF中，我找不到wsse:password的强制类型属性。

注意 ：CXF 2.2.2版可以很好地处理相同的请求

问题： 有没有一种方法可以防止CXF放弃上述请求并允许它通过。 我四处张望，但找不到任何答案？有什么建议么 ？ 或修改SOAP请求是唯一的解决方案？

Answer 1

由于@GPI先前已声明，CXF试图强制执行基本安全规范（http://www.ws-i.org/profiles/basicsecurityprofile-1.1.html）的R4201，因此放弃了上述请求。

为防止CXF强制执行此操作，我们可以使用ws-security和wss4j提供的配置常量，这些常量将指示CXF停止执行。

解决方案1（使用WSS4J拦截器）

在您的spring配置文件中，您可以将isBspCompliant设置为false：

    <jaxws:inInterceptors>
        <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
            <constructor-arg>
                <map>
                    <entry key="action" value="UsernameToken" />
                    <entry key="passwordType" value="PasswordText" />
                    <entry key="passwordCallbackRef">
                        <ref bean="passwordCallback" />
                    </entry>
                    <entry key="isBSPCompliant" value="false"/>
                </map>
            </constructor-arg>
        </bean>
    </jaxws:inInterceptors>

解决方案2（使用JAX-WS）

在您的spring配置文件中，您可以将ws-security.is-bsp-compliant设置为false：

    <jaxws:endpoint id="sample" implementor="sample.ws.SampleWebService" address="/SampleWebService">
    <jaxws:properties> 
    <entry key="ws-security.is-bsp-compliant" value="false"/> 
    </jaxws:properties> 
</jaxws:endpoint>

有关其他配置选项，您可以参考以下页面：

http://ws.apache.org/wss4j/config.html

http://cxf.apache.org/docs/ws-securitypolicy.html

Answer 2

我遇到了同样的问题，发现肥皂请求中存在问题。

我能够通过添加来解决它：

• soap中的以下属性：信封xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
• wsse中的以下属性：密码Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"

我的请求的标题看起来像这样

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tic="http://ticket.degroupage.atos.ma/"  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
   <soapenv:Header>
      <wsse:Security soapenv:mustUnderstand="1">
         <wsse:UsernameToken><wsse:Username>XXXX</wsse:Username>
         <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">XXXX</wsse:Password>
         </wsse:UsernameToken>
     </wsse:Security></soapenv:Header>
   <soapenv:Body>
...