适用于Metro Webservice的Spring WS客户端,具有用户名令牌和对称密钥(ws-security)

时间:2018-12-02 10:09:12

标签: spring-ws ws-security wss4j usernametoken

有一个用Metro框架编写的Websercice,我们能够使用Metro编写客户端。但是,我们无法使用Sprint-ws安全性编写客户端。在工作中的地铁政策中给出如下。

 <wsp:Policy wsu:Id="ServiceComPortBindingPolicy">
    <wsp:ExactlyOne>
        <wsp:All>
            <sc:TrustStore wspp:visibility="private" storepass="changeit" type="JKS" location="path to to .jks" peeralias="myservicekey"/>
            <sc:CallbackHandlerConfiguration wspp:visibility="private">
                <sc:CallbackHandler default="TESTSTBU18" name="usernameHandler"/>
                <sc:CallbackHandler default="AAAAAAAA" name="passwordHandler"/>
            </sc:CallbackHandlerConfiguration>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>

这里的特殊情况是该服务也使用相同的公钥进行加密和签名。

以下是服务政策

 <wsp:Policy xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702" xmlns:ssp="http://schemas.sun.com/2006/03/wss/server" xmlns:sunwsp="http://java.sun.com/xml/ns/wsit/policy" wsu:Id="ServiceComPortBindingPolicy">
    <sp:SignedEncryptedSupportingTokens>
        <wsp:Policy>
            <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                    <sp:WssUsernameToken10/>
                </wsp:Policy>
            </sp:UsernameToken>
        </wsp:Policy>
    </sp:SignedEncryptedSupportingTokens>
    <sp:SymmetricBinding>
        <wsp:Policy>
            <sp:AlgorithmSuite>
                <wsp:Policy>
                    <sp:Basic128/>
                </wsp:Policy>
            </sp:AlgorithmSuite>
            <sp:IncludeTimestamp/>
            <sp:Layout>
                <wsp:Policy>
                    <sp:Strict/>
                </wsp:Policy>
            </sp:Layout>
            <sp:OnlySignEntireHeadersAndBody/>
            <sp:ProtectionToken>
                <wsp:Policy>
                    <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                        <wsp:Policy>
                            <sp:RequireIssuerSerialReference/>
                            <sp:WssX509V3Token10/>
                        </wsp:Policy>
                    </sp:X509Token>
                </wsp:Policy>
            </sp:ProtectionToken>
        </wsp:Policy>
    </sp:SymmetricBinding>
    <sp:Wss11>
        <wsp:Policy>
            <sp:MustSupportRefEncryptedKey/>
            <sp:MustSupportRefIssuerSerial/>
            <sp:MustSupportRefThumbprint/>
        </wsp:Policy>
    </sp:Wss11>

以下是预期的肥皂请求。

<?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
        <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-1">
            <wsu:Created>2018-10-09T09:12:56.367Z</wsu:Created>
            <wsu:Expires>2018-10-09T09:17:56.367Z</wsu:Expires>
        </wsu:Timestamp>
        <xenc:EncryptedKey Id="EncKeyId-DF1EC4D376CF01FCF115390763787712">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" />
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <wsse:SecurityTokenReference>
                    <ds:X509Data>
                        <ds:X509IssuerSerial>
                            <ds:X509IssuerName>CN=xxx,OU=xx,O=xxxx,L=xxxx,ST=xx,C=xx</ds:X509IssuerName>
                            <ds:X509SerialNumber>2060954807</ds:X509SerialNumber>
                        </ds:X509IssuerSerial>
                    </ds:X509Data>
                </wsse:SecurityTokenReference>
            </ds:KeyInfo>
            <xenc:CipherData>
                <xenc:CipherValue>vvxL0Z623o9wdojzBbfS3k14M8QhCa56s87O1xWm29Gcpuo/tK9hOR0DBhaq23w5mxJXlO5JMKTdZReXm4ZWvNklwv4xKu09zCgcow00B/SadjFw2klqPwMhV1HzvQauP7GoANKG02blxK5tv3XbXIBLXgq1YJCtzb1YbZL2ZddpE+1ZEml3Hudoq7VLlsvuCTbfXOG/wzlNHmC8v/Nc5qWDKOuLpyPkclxgciYsGqrA/MSo6gEhyBffpk7QJ4TUrnWUbCfmAe0AcKz2DYVjMojBO0VxXxwSOykyUX23QzQcsW5EEcFUFvJYRbt1J2hRvUqLj7L2tf0GdJM48lZ9Eg==</xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedKey>
        <xenc:ReferenceList>
            <xenc:DataReference URI="#EncDataId-7" />
            <xenc:DataReference URI="#EncDataId-8" />
        </xenc:ReferenceList>
        <xenc:EncryptedData Id="EncDataId-8" Type="http://www.w3.org/2001/04/xmlenc#Element">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <wsse:SecurityTokenReference>
                    <wsse:Reference URI="#EncKeyId-DF1EC4D376CF01FCF115390763787712" />
                </wsse:SecurityTokenReference>
            </ds:KeyInfo>
            <xenc:CipherData>
                <xenc:CipherValue>NMUIYflbn22h0IHyFW4fK+rxdEufg4ntZ47zNqRtA/DNZ9kty765Ix+UbzJs7lSoIgPQpz8Nqzpl
                    /P1w1cAIiEI5x1Nfws5t9jWllh/yrljWtZecxzuV8Wdn5xGG8C5a3z85x2y309tAO3rHWq6PH2Qi
                    uOVUzzZEk/1kdXjGWYOshstl5IWkmW17YAzBXDbxPLn53evFst/jELlmFv3KIYE+GvXeDj3N1/az
                    YfUJKZznTWJ7LDrKbB3oR8psMBVIQyq3S2Jg3D+KvvMovu2RQlJQn1yUKaCkgBdAUw9o7Q/1Aftj
                    odon9xOvcIBTOZNWwDDawGCv2RqbBsW2kvy1lmm3E5VzgYH5b8kvhO9jzV31HveE31AZPr2/xNki
                    1O4kso3MtsB97FiTzaBURo8KtkjqjaPH9IIIcwuHSt0TyoHdwu2kIK4ZD0OYmLvczzMiIyzjj6m1
                    HfSMjjW0oQU6zUZL8FjfByOqWOZ1idgXb0WXRTSPqKlnKhNU4/hCU/t9SQ9uMcmuGVnNQoMDsFi/
                    tCHar+hnjwDIsEmHGVx73Xw3+0jmrjtycFw+SnjrI6HKqbtVW7KqhIGsdSQDy5dHkwUqHD7Euco3
                    gYuZWSllZ44=</xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-3">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1" />
                <ds:Reference URI="#Id-509806761">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <ds:DigestValue>P9bDhqwmlBlhD62qHU/XVZj+uXw=</ds:DigestValue>
                </ds:Reference>
                <ds:Reference URI="#id-4">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <ds:DigestValue>xPiS2OAJeG/keg2LFJOtSsNojV8=</ds:DigestValue>
                </ds:Reference>
                <ds:Reference URI="#id-5">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <ds:DigestValue>YjYDB+WMp+qhHIdT677Ppm0MsIw=</ds:DigestValue>
                </ds:Reference>
                <ds:Reference URI="#id-6">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />

                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                        <ds:DigestValue>U6ggHh6DL3tqSof3yx1TcFzV4WY=</ds:DigestValue>
                </ds:Reference>
                <ds:Reference URI="#Timestamp-1">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <ds:DigestValue>n+6RQ+rsmOu95ELs/Xvq6faxfjM=</ds:DigestValue>
                </ds:Reference>
                <ds:Reference URI="#UsernameToken-2">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <ds:DigestValue>+CdYorpdB9qe8ZcfydyzgDs/TgE=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>TC4aJTcKrnVN8kPs+duZlJ8+M8Y=</ds:SignatureValue>
            <ds:KeyInfo Id="KeyId-DF1EC4D376CF01FCF115390763788043">
                <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-DF1EC4D376CF01FCF115390763788044">
                    <wsse:Reference URI="#EncKeyId-DF1EC4D376CF01FCF115390763787712" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" />
                </wsse:SecurityTokenReference>
            </ds:KeyInfo>
        </ds:Signature>
    </wsse:Security>
    <wsa:To xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-4">http://192.168.55.37:7001/ServiceCom/ServiceCom</wsa:To>
    <wsa:MessageID xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-5">urn:uuid:96f82b9b-e511-4c59-9011-1bd258173450</wsa:MessageID>
    <wsa:Action xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-6">http://Service/ComService/GetBanksSLRequest</wsa:Action>
</soapenv:Header>
<soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-509806761">
    <xenc:EncryptedData Id="EncDataId-7" Type="http://www.w3.org/2001/04/xmlenc#Content">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                <wsse:Reference URI="#EncKeyId-DF1EC4D376CF01FCF115390763787712" />
            </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData>
            <xenc:CipherValue>3Dy03f8i6eRHYmkIyoR8w35p6qFYoGalZPaQyghG6NMPWndDdkAYijS6j0+b3TDdVD8tcoEJ096R
                vasVTUR34bu5xk5Q74Ywf1wNFoeEZXol7MNlDh5u3eFvSqzBsZ79rI9CQ5eEtLdWMt1JsNq8C79B
                9+OjmMG12CVBIUFJwo8pmURT3OZ87GFAooOWgk1wuc50zgQBzK95MjH96LLm6YzjBv0zw+uVkW3J
                JdjrGERKmkATa7JGE+pRFCriNbASYXyuo38yjJbVV0GqSFywT8Dbb49edExFTRrm+FU4LHv6fpuM
                24HbmyCgB5p6njpuUyN4oWg9ztweBsvIfLNfIE4MidFzJR8htvmkuLCRS+Gwz9dqbT9Nj/EwQLCk
                nQ8G</xenc:CipherValue>
        </xenc:CipherData>
    </xenc:EncryptedData>
</soapenv:Body>

我们可以看到EncKeyId-DF1EC4D376CF01FCF115390763787712位于soap标头中,并且也用于签名和加密。

请分享有关此类问题的任何经验。我们尝试同时使用Wss4jSecurityInterceptor和xwss,但是它们都无法正常工作。

0 个答案:

没有答案