有一个用Metro框架编写的Webservice,我们能够使用Metro编写客户端。但是,我们无法使用Spring-WS安全性编写客户端。可以正常工作的Metro客户端策略如下。
<!-- Client-side Metro (WSIT) policy used by the Metro client that works.
     wspp:visibility="private" marks these assertions as local client
     configuration (presumably kept out of the published WSDL). -->
<wsp:Policy wsu:Id="ServiceComPortBindingPolicy">
<wsp:ExactlyOne>
<wsp:All>
<!-- JKS trust store holding the service certificate; peeralias names the
     service entry, presumably the certificate used to wrap the symmetric key
     (the xenc:EncryptedKey in the request shown further down).
     NOTE(review): storepass is a cleartext credential kept in this policy file. -->
<sc:TrustStore wspp:visibility="private" storepass="changeit" type="JKS" location="path to to .jks" peeralias="myservicekey"/>
<!-- Callback handlers that supply the UsernameToken credentials; "default" is
     the value handed to each handler (cleartext here, like storepass above). -->
<sc:CallbackHandlerConfiguration wspp:visibility="private">
<sc:CallbackHandler default="TESTSTBU18" name="usernameHandler"/>
<sc:CallbackHandler default="AAAAAAAA" name="passwordHandler"/>
</sc:CallbackHandlerConfiguration>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
这里的特殊之处在于,该服务对加密和签名使用同一个公钥。
以下是服务端策略。
<!-- Service-side policy. As pasted, the closing </wsp:Policy> of this root
     element is missing. -->
<wsp:Policy xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702" xmlns:ssp="http://schemas.sun.com/2006/03/wss/server" xmlns:sunwsp="http://java.sun.com/xml/ns/wsit/policy" wsu:Id="ServiceComPortBindingPolicy">
<!-- The UsernameToken is a supporting token that must be both signed and
     encrypted. In the request below it is covered by the signature reference
     #UsernameToken-2 and, presumably, carried as EncryptedData EncDataId-8. -->
<sp:SignedEncryptedSupportingTokens>
<wsp:Policy>
<sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssUsernameToken10/>
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:SignedEncryptedSupportingTokens>
<!-- Symmetric binding: the client generates one symmetric key, wraps it for the
     service certificate (xenc:EncryptedKey in the request) and uses that same key
     for both the HMAC signature and the AES encryption. -->
<sp:SymmetricBinding>
<wsp:Policy>
<!-- Basic128 corresponds to the algorithms visible in the request: aes128-cbc,
     rsa-oaep-mgf1p, hmac-sha1 and sha1 digests. NOTE(review): this suite pins
     SHA-1; if the service side can be changed, a SHA-256 suite such as
     Basic128Sha256 is the stronger choice. -->
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic128/>
</wsp:Policy>
</sp:AlgorithmSuite>
<!-- A wsu:Timestamp is required in the Security header (Timestamp-1 below). -->
<sp:IncludeTimestamp/>
<!-- Strict layout: security header items are declared before they are used. -->
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<!-- Signature references must cover entire headers and the Body, never sub-elements. -->
<sp:OnlySignEntireHeadersAndBody/>
<!-- Protection token: the service X.509 certificate. IncludeToken/Never means the
     certificate is not sent in the message; RequireIssuerSerialReference means it
     is referenced by issuer name and serial number (ds:X509IssuerSerial inside the
     request's EncryptedKey). -->
<sp:ProtectionToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
<wsp:Policy>
<sp:RequireIssuerSerialReference/>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:ProtectionToken>
</wsp:Policy>
</sp:SymmetricBinding>
<!-- WSS 1.1 reference types the service accepts. MustSupportRefEncryptedKey is
     what lets the Signature's KeyInfo point at the EncryptedKey by ValueType. -->
<sp:Wss11>
<wsp:Policy>
<sp:MustSupportRefEncryptedKey/>
<sp:MustSupportRefIssuerSerial/>
<sp:MustSupportRefThumbprint/>
</wsp:Policy>
</sp:Wss11>
以下是预期的SOAP请求。
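<?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<!-- Expected request: a WS-Security header carrying a Timestamp, an RSA-OAEP
     wrapped symmetric key (EncryptedKey), one encrypted header element
     (EncDataId-8, presumably the UsernameToken), an HMAC-SHA1 signature keyed
     by that same EncryptedKey, and an AES-128-CBC encrypted Body (EncDataId-7).
     As pasted, the envelope has no closing </soapenv:Envelope> tag. -->
<soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
<!-- Timestamp-1: five-minute validity window; signed below via #Timestamp-1. -->
<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-1">
<wsu:Created>2018-10-09T09:12:56.367Z</wsu:Created>
<wsu:Expires>2018-10-09T09:17:56.367Z</wsu:Expires>
</wsu:Timestamp>
<!-- Symmetric key generated by the client and wrapped with the service public
     key (RSA-OAEP). The service certificate is identified by issuer/serial only
     (the certificate itself is not sent), matching sp:RequireIssuerSerialReference
     and IncludeToken/Never in the service policy. -->
<xenc:EncryptedKey Id="EncKeyId-DF1EC4D376CF01FCF115390763787712">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" />
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference>
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>CN=xxx,OU=xx,O=xxxx,L=xxxx,ST=xx,C=xx</ds:X509IssuerName>
<ds:X509SerialNumber>2060954807</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>vvxL0Z623o9wdojzBbfS3k14M8QhCa56s87O1xWm29Gcpuo/tK9hOR0DBhaq23w5mxJXlO5JMKTdZReXm4ZWvNklwv4xKu09zCgcow00B/SadjFw2klqPwMhV1HzvQauP7GoANKG02blxK5tv3XbXIBLXgq1YJCtzb1YbZL2ZddpE+1ZEml3Hudoq7VLlsvuCTbfXOG/wzlNHmC8v/Nc5qWDKOuLpyPkclxgciYsGqrA/MSo6gEhyBffpk7QJ4TUrnWUbCfmAe0AcKz2DYVjMojBO0VxXxwSOykyUX23QzQcsW5EEcFUFvJYRbt1J2hRvUqLj7L2tf0GdJM48lZ9Eg==</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedKey>
<!-- Elements encrypted under EncKeyId-DF1EC4D376CF01FCF115390763787712:
     the Body content (EncDataId-7) and one header element (EncDataId-8). -->
<xenc:ReferenceList>
<xenc:DataReference URI="#EncDataId-7" />
<xenc:DataReference URI="#EncDataId-8" />
</xenc:ReferenceList>
<!-- Type=#Element: a whole header element is replaced by this ciphertext.
     Presumably the UsernameToken, since the signature below still references
     #UsernameToken-2 and the policy requires it signed and encrypted. -->
<xenc:EncryptedData Id="EncDataId-8" Type="http://www.w3.org/2001/04/xmlenc#Element">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference>
<wsse:Reference URI="#EncKeyId-DF1EC4D376CF01FCF115390763787712" />
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>NMUIYflbn22h0IHyFW4fK+rxdEufg4ntZ47zNqRtA/DNZ9kty765Ix+UbzJs7lSoIgPQpz8Nqzpl
/P1w1cAIiEI5x1Nfws5t9jWllh/yrljWtZecxzuV8Wdn5xGG8C5a3z85x2y309tAO3rHWq6PH2Qi
uOVUzzZEk/1kdXjGWYOshstl5IWkmW17YAzBXDbxPLn53evFst/jELlmFv3KIYE+GvXeDj3N1/az
YfUJKZznTWJ7LDrKbB3oR8psMBVIQyq3S2Jg3D+KvvMovu2RQlJQn1yUKaCkgBdAUw9o7Q/1Aftj
odon9xOvcIBTOZNWwDDawGCv2RqbBsW2kvy1lmm3E5VzgYH5b8kvhO9jzV31HveE31AZPr2/xNki
1O4kso3MtsB97FiTzaBURo8KtkjqjaPH9IIIcwuHSt0TyoHdwu2kIK4ZD0OYmLvczzMiIyzjj6m1
HfSMjjW0oQU6zUZL8FjfByOqWOZ1idgXb0WXRTSPqKlnKhNU4/hCU/t9SQ9uMcmuGVnNQoMDsFi/
tCHar+hnjwDIsEmHGVx73Xw3+0jmrjtycFw+SnjrI6HKqbtVW7KqhIGsdSQDy5dHkwUqHD7Euco3
gYuZWSllZ44=</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
<!-- HMAC-SHA1 signature. Its KeyInfo points back at the same EncryptedKey
     (ValueType ...#EncryptedKey, cf. sp:MustSupportRefEncryptedKey), so one
     wrapped key protects both signing and encryption. References cover the
     Body, wsa:To/MessageID/Action, the Timestamp and the UsernameToken. -->
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-3">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1" />
<ds:Reference URI="#Id-509806761">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>P9bDhqwmlBlhD62qHU/XVZj+uXw=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#id-4">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>xPiS2OAJeG/keg2LFJOtSsNojV8=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#id-5">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>YjYDB+WMp+qhHIdT677Ppm0MsIw=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#id-6">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<!-- closing tag was missing in the original paste; restored to match the other references -->
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>U6ggHh6DL3tqSof3yx1TcFzV4WY=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#Timestamp-1">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>n+6RQ+rsmOu95ELs/Xvq6faxfjM=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#UsernameToken-2">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>+CdYorpdB9qe8ZcfydyzgDs/TgE=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>TC4aJTcKrnVN8kPs+duZlJ8+M8Y=</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-DF1EC4D376CF01FCF115390763788043">
<wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-DF1EC4D376CF01FCF115390763788044">
<wsse:Reference URI="#EncKeyId-DF1EC4D376CF01FCF115390763787712" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" />
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
<!-- WS-Addressing headers; each carries a wsu:Id (id-4, id-5, id-6) so the
     signature can reference the whole header element. -->
<wsa:To xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-4">http://192.168.55.37:7001/ServiceCom/ServiceCom</wsa:To>
<wsa:MessageID xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-5">urn:uuid:96f82b9b-e511-4c59-9011-1bd258173450</wsa:MessageID>
<wsa:Action xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-6">http://Service/ComService/GetBanksSLRequest</wsa:Action>
</soapenv:Header>
<!-- Body content is encrypted (Type=#Content); the Body element itself keeps
     wsu:Id Id-509806761 so the signature can cover it. -->
<soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-509806761">
<xenc:EncryptedData Id="EncDataId-7" Type="http://www.w3.org/2001/04/xmlenc#Content">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:Reference URI="#EncKeyId-DF1EC4D376CF01FCF115390763787712" />
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>3Dy03f8i6eRHYmkIyoR8w35p6qFYoGalZPaQyghG6NMPWndDdkAYijS6j0+b3TDdVD8tcoEJ096R
vasVTUR34bu5xk5Q74Ywf1wNFoeEZXol7MNlDh5u3eFvSqzBsZ79rI9CQ5eEtLdWMt1JsNq8C79B
9+OjmMG12CVBIUFJwo8pmURT3OZ87GFAooOWgk1wuc50zgQBzK95MjH96LLm6YzjBv0zw+uVkW3J
JdjrGERKmkATa7JGE+pRFCriNbASYXyuo38yjJbVV0GqSFywT8Dbb49edExFTRrm+FU4LHv6fpuM
24HbmyCgB5p6njpuUyN4oWg9ztweBsvIfLNfIE4MidFzJR8htvmkuLCRS+Gwz9dqbT9Nj/EwQLCk
nQ8G</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</soapenv:Body>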
可以看到,EncKeyId-DF1EC4D376CF01FCF115390763787712位于SOAP头中,并且同时用于签名和加密。
请分享处理此类问题的任何经验。我们分别尝试了Wss4jSecurityInterceptor和xwss,但两者都无法正常工作。