Validating an encrypted SOAP request raises an error

Question (votes: 0, answers: 2)

This screenshot shows my simple WS-Security configuration in SoapUI:

[screenshot]

I apply this configuration to the SOAP request:

[screenshot]

Then the `<arg0>` content of the SOAP request is encrypted. This is the encrypted SOAP message:

<soapenv:Envelope xmlns:soap="http://soap.aaa.com/" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="9C55238F5BB25B8A7214711332555022">MIICxzCCAa+gAwIBAgIECZhGTzANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDEwlsb2NhbGhvc3QwHhcNMTYwODEyMDgzMDI5WhcNMTYxMTEwMDgzMDI5WjAUMRIwEAYDVQQDEwlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCbufayp7O8wye5q8tPKPWRJPzAIHbtFBkepltFAji7U2fWU5ihSP2TRygym6B/UHvvPZ5QsaTog0oMw+vRLxWAemVganoSvTJWRidTYmvm3kqhBLC7+GEM895k/yU7nduKqSFJr3qa4R5eSO/JLGwIvcb3OkhNHTu1/8EEJDcxbGMPwn08W4gn2qnGDkSEsanfXhCaNtS4mZHWvs5vr+C4gYR4is6Z3wSIFQZGkKtPj7Z3wg3E9l9GAAdg+6JegDKRzzSQtSjgUySipYqbHYOBol78Wf7+dqNiHvohiQTRHB3b2AebEdUcQTu65ELUhWGC28eWWaCv5ksL5eL2bJc/AgMBAAGjITAfMB0GA1UdDgQWBBTcHE/ieHAarvD2RC7DiMdPZ6O66TANBgkqhkiG9w0BAQsFAAOCAQEAja62f/8GeKm0XMMMoUo3ayk/WluF89PC71jB28r3M3+1bqkfK7KJaO7yF7DG9zpm6BztKi9Ykz6izg2IktuUnTG4dbg0CY8ZuL8NEmvirCgfJXXur3goEOIfItb8dR9Mi6i4ZV46oJTgX8XliwEoZQVloi3JcTbPeZ3DrSmOyaUppGk//kryx4bhwdazxPQ3H7PcRQjMq+l3e7q9sTJRyYm7PcsvyZt34CgZkhal28p35jQk7U1MKibL8a5FlQejDP4p/6/8qv/3TzHK467zlXr/oFGQGCXFc96j12Cj5Eiv+22C+8ZRMCtMig42uXNamE5YGuQMHDLrsQd9VThkUQ==</wsse:BinarySecurityToken><xenc:EncryptedKey Id="EK-9C55238F5BB25B8A7214711332555001" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference><wsse:Reference URI="#9C55238F5BB25B8A7214711332555022" 
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>GudjGW52R0Iu+KnTZARE7nHFwPGvmXRZCuIQqnhz8it9WJs+2Jai7W0dAmhtkNxi2k0/g8IhL1v1EpA6JuJUEzkOnyuCoUttyR5ROLxpbHzD1DtEZT8AEgiOwFmmov7t6UsKDSn2jxL8ftraf44ISxrMCbJ10cuN6gJT9ghT9USdvvT/1vKhuBqm251bn9kgPkqNTDcYntQpwSkRCTZz+yf+pv77DVE5MPMk8FLHE4TeROsqLyNC8YzH8ncITGqOrDM4PY+1/H2XUkWaAeMz9ZcqqseD97Mr86ZpOgwP/V0Z6v9iRSrBYTpnDqPd8TIJ1wJs88sJ6+QIOMA6kySMtQ==</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference URI="#ED-9C55238F5BB25B8A7214711332555093"/></xenc:ReferenceList></xenc:EncryptedKey></wsse:Security></soapenv:Header> <soapenv:Body> <soap:sayHello> <!--Optional:--> <arg0><xenc:EncryptedData Id="ED-9C55238F5BB25B8A7214711332555093" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"><wsse:Reference URI="#EK-9C55238F5BB25B8A7214711332555001"/></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>CKtrCSg+Q1HqzLQulEi0YmGxGNlrjlANGsgbSirlbXE=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></arg0> </soap:sayHello> </soapenv:Body> </soapenv:Envelope>

However, validating this encrypted SOAP message raises an error:

[screenshot]

The fault message is

line 6:Element not allowed: EncryptedData@http://www.w3.org/2001/04/xmlenc# in element arg0

I cannot find any reference at all.

Update 1

SoapUI still throws the same exception. For simplicity, I created a single jks file with the keytool command's -genkeypair option.

keytool -genkeypair -keyalg RSA -alias servicekey -keypass password123 -storepass password123 -validity 365 -keystore serviceKeystore.jks -dname "cn=localhost"

I modified the WS client and service as follows,

== index.jsp

<%-- imports added so the page compiles; IHelloWorld is assumed to live in com.aaa.soap like KeystorePasswordCallback --%>
<%@ page import="java.net.URL, javax.xml.namespace.QName, javax.xml.ws.Service, javax.xml.ws.BindingProvider, org.apache.cxf.ws.security.SecurityConstants, com.aaa.soap.*" %>
<body>
<% 
String SERVICE_URL = "http://localhost:8080/SOAPEncryptWeb/HelloWorld";

try {
    QName serviceName = new QName("http://soap.aaa.com/", "HelloWorldService");

    URL wsdlURL;
    wsdlURL = new URL(SERVICE_URL + "?wsdl");
    Service service = Service.create(wsdlURL, serviceName);

    IHelloWorld port = (IHelloWorld) service.getPort(IHelloWorld.class); 

    // CXF WS-Security client settings: keystore password callback, crypto properties,
    // alias of the service certificate used to encrypt, and verbose security faults
    ((BindingProvider) port).getRequestContext().put(SecurityConstants.CALLBACK_HANDLER, new KeystorePasswordCallback());
    ((BindingProvider) port).getRequestContext().put(SecurityConstants.ENCRYPT_PROPERTIES, 
            Thread.currentThread().getContextClassLoader().getResource("META-INF/client.properties"));
    ((BindingProvider) port).getRequestContext().put(SecurityConstants.ENCRYPT_USERNAME, "servicekey");

    ((BindingProvider) port).getRequestContext().put(SecurityConstants.RETURN_SECURITY_ERROR, "true");

    out.println(port.sayHello("jina"));
} catch (Exception e) {
    // TODO Auto-generated catch block
    e.printStackTrace();
}
%>
</body>

== server-side configuration

<jaxws-config xmlns="urn:jboss:jbossws-jaxws-config:4.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  
            xmlns:javaee="http://java.sun.com/xml/ns/javaee" 
            xsi:schemaLocation="urn:jboss:jbossws-jaxws-config:4.0 schema/jbossws-jaxws-config_4_0.xsd">   

   <endpoint-config>     
      <config-name>Custom WS-Security Endpoint</config-name>     
      <property>       
         <property-name>ws-security.encryption.properties</property-name>      
         <property-value>META-INF/server.properties</property-value>     
      </property>     
      <property>       
         <property-name>ws-security.encryption.username</property-name>
         <property-value>servicekey</property-value>     
      </property>
      <property>       
         <property-name>ws-security.return.security.error</property-name>
         <property-value>true</property-value>     
      </property>     
      <property>       
         <property-name>ws-security.callback-handler</property-name>       
         <!-- keep the class name on one line so no surrounding whitespace ends up in the value -->
         <property-value>com.aaa.soap.KeystorePasswordCallback</property-value>         
      </property>   
   </endpoint-config> 
</jaxws-config>

However, this configuration throws an exception, but there is no exception in WildFly 10.0:

17:25:22,588 WARNING [org.apache.cxf.phase.PhaseInterceptorChain] (default task-12) Interceptor for {http://soap.aaa.com/}HelloWorldService has thrown exception, unwinding now: org.apache.cxf.binding.soap.SoapFault: An error was discovered processing the <wsse:Security> header
    at org.apache.cxf.ws.security.wss4j.WSS4JUtils.createSoapFault(WSS4JUtils.java:216)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:329)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:184)
    at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:79)
    at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:66)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
    at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
    at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:251)
    at org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:108)
    at org.jboss.wsf.stack.cxf.transport.ServletHelper.callRequestHandler(ServletHelper.java:134)
    at org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:88)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:293)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:212)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
    at org.jboss.wsf.stack.cxf.CXFServletExt.service(CXFServletExt.java:136)
    at org.jboss.wsf.spi.deployment.WSFServlet.service(WSFServlet.java:140)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.wss4j.common.ext.WSSecurityException: An error was discovered processing the <wsse:Security> header
    at org.apache.wss4j.common.crypto.AlgorithmSuiteValidator.checkSymmetricEncryptionAlgorithm(AlgorithmSuiteValidator.java:149)
    at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.decryptDataRef(EncryptedKeyProcessor.java:550)
    at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.decryptDataRefs(EncryptedKeyProcessor.java:481)
    at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:199)
    at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:76)
    at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:344)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:280)
    ... 42 more

Tags: soap, soapui, ws-security

2 answers

1 vote

Don't hesitate to disable the `Validate` option in the request TestStep.

This option validates the request against the XSD schema of the `wsdl` you used to load the project in SoapUI.

Probably your WSDL lacks the [WS-SecurityPolicy] definition, which tells you the security requirements implemented in your WS.

For your case, your WSDL must have something like the following:

<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802">
  ...
  <wsp:Policy>
    ...
    <sp:EncryptedParts>...</sp:EncryptedParts>
    ...
  </wsp:Policy>
</wsdl:definitions>

So, because that is missing, your request is not validated.

Anyway, the WSDL you loaded in SoapUI may differ from the WS implementation (because it is not up to date or something like that). So just try to send the request (although it does not pass WSDL validation) and look at your WS response.

Hope this helps,


1 vote

You have the already-encrypted message in SoapUI's XML tab and are trying to validate it against the XSD. That cannot work, because the XSD knows nothing about "xenc:EncryptedData"!

After you send the request, the encrypted message appears in the "Raw" tab, because SoapUI performs the encryption at send time. You should not "apply outgoing" WSS yourself!
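Added example, not code from the question, either answer, SoapUI, CXF or WSS4J: the Python script below parses a constructed envelope modelled on the encrypted message in the question and runs two offline checks. The first ties the header's xenc:EncryptedKey to the body's xenc:EncryptedData through the DataReference and compares the algorithm URIs against allow-lists, the kind of check the question's stack trace fails in AlgorithmSuiteValidator.checkSymmetricEncryptionAlgorithm; the allow-lists passed in are illustrative, not WSS4J's configured suite. The second reproduces this answer's point: a parameter the XSD declares as plain text now contains an element from the xmlenc namespace, so schema validation of the ciphertext yields exactly the "Element not allowed" message the question quotes. The Ids are the ones from the question; certificate and cipher values are truncated placeholders.

```python
"""Added example: inspect a WS-Security encrypted SOAP envelope offline.

Check 1: are the header's EncryptedKey and the body's EncryptedData tied together,
and are the algorithms on the receiver's allow-list (the question's stack trace fails
inside AlgorithmSuiteValidator.checkSymmetricEncryptionAlgorithm)?
Check 2: why validating the *encrypted* envelope against the service XSD fails:
arg0 no longer holds text but an xenc:EncryptedData element the schema never declared.
"""
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_OAEP = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
AES128_CBC = "http://www.w3.org/2001/04/xmlenc#aes128-cbc"
AES128_GCM = "http://www.w3.org/2009/xmlenc11#aes128-gcm"

# Constructed sample modelled on the envelope in the question. The Ids are the ones
# from the question; certificate and cipher values are truncated placeholders.
SAMPLE = f"""<soapenv:Envelope xmlns:soap="http://soap.aaa.com/" xmlns:soapenv="{NS['soapenv']}">
 <soapenv:Header>
  <wsse:Security xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}">
   <wsse:BinarySecurityToken wsu:Id="9C55238F5BB25B8A7214711332555022">MIICxzCC...TRUNCATED</wsse:BinarySecurityToken>
   <xenc:EncryptedKey Id="EK-9C55238F5BB25B8A7214711332555001" xmlns:xenc="{NS['xenc']}">
    <xenc:EncryptionMethod Algorithm="{RSA_OAEP}"/>
    <ds:KeyInfo xmlns:ds="{NS['ds']}"><wsse:SecurityTokenReference>
     <wsse:Reference URI="#9C55238F5BB25B8A7214711332555022"/></wsse:SecurityTokenReference></ds:KeyInfo>
    <xenc:CipherData><xenc:CipherValue>GudjGW52...TRUNCATED</xenc:CipherValue></xenc:CipherData>
    <xenc:ReferenceList><xenc:DataReference URI="#ED-9C55238F5BB25B8A7214711332555093"/></xenc:ReferenceList>
   </xenc:EncryptedKey>
  </wsse:Security>
 </soapenv:Header>
 <soapenv:Body>
  <soap:sayHello>
   <arg0><xenc:EncryptedData Id="ED-9C55238F5BB25B8A7214711332555093" Type="{NS['xenc']}Content" xmlns:xenc="{NS['xenc']}">
    <xenc:EncryptionMethod Algorithm="{AES128_CBC}"/>
    <xenc:CipherData><xenc:CipherValue>CKtrCSg+...TRUNCATED</xenc:CipherValue></xenc:CipherData>
   </xenc:EncryptedData></arg0>
  </soap:sayHello>
 </soapenv:Body>
</soapenv:Envelope>"""


def _split_qname(tag):
    """ElementTree spells a namespaced tag as '{ns}local'; return (ns, local)."""
    if tag.startswith("{"):
        ns, _, local = tag[1:].partition("}")
        return ns, local
    return "", tag


def describe_encryption(envelope_xml):
    """Tie the header's EncryptedKey to the body parts it protects and list the algorithms."""
    root = ET.fromstring(envelope_xml)
    ek = root.find("soapenv:Header/wsse:Security/xenc:EncryptedKey", NS)
    if ek is None:
        raise ValueError("no xenc:EncryptedKey in the wsse:Security header")
    key_transport = ek.find("xenc:EncryptionMethod", NS).get("Algorithm")
    covered = [ref.get("URI").lstrip("#")
               for ref in ek.findall("xenc:ReferenceList/xenc:DataReference", NS)]
    body = root.find("soapenv:Body", NS)
    data_algs = {ed.get("Id"): ed.find("xenc:EncryptionMethod", NS).get("Algorithm")
                 for ed in body.findall(".//xenc:EncryptedData", NS)}
    # A DataReference pointing at nothing, or an EncryptedData nobody references,
    # means header and body do not describe the same message.
    return {
        "key_transport": key_transport,
        "data": data_algs,
        "dangling_refs": sorted(set(covered) - set(data_algs)),
        "unreferenced_data": sorted(set(data_algs) - set(covered)),
    }


def check_algorithm_suite(envelope_xml, allowed_key_transport, allowed_symmetric):
    """Return the algorithm URIs a receiver enforcing these allow-lists would reject."""
    info = describe_encryption(envelope_xml)
    rejected = [] if info["key_transport"] in allowed_key_transport else [info["key_transport"]]
    rejected += [alg for alg in info["data"].values() if alg not in allowed_symmetric]
    return rejected


def schema_conflicts(envelope_xml, text_only_params=("arg0",)):
    """Reproduce the SoapUI complaint: a parameter whose schema type is plain text may not
    contain child elements, and encryption has replaced the text with xenc:EncryptedData."""
    body = ET.fromstring(envelope_xml).find("soapenv:Body", NS)
    problems = []
    for el in body.iter():
        _, local = _split_qname(el.tag)
        if local not in text_only_params:
            continue
        for child in el:
            ns, name = _split_qname(child.tag)
            problems.append(f"Element not allowed: {name}@{ns} in element {local}")
    return problems


if __name__ == "__main__":
    print(describe_encryption(SAMPLE))
    # A receiver whose suite only allows AES-GCM rejects the aes128-cbc body encryption.
    print("rejected:", check_algorithm_suite(SAMPLE, {RSA_OAEP}, {AES128_GCM}))
    for problem in schema_conflicts(SAMPLE):
        print(problem)
```

Run it as a script to see the report. The schema check is the practical takeaway of this answer: validate the plaintext request and let SoapUI apply the outgoing WSS configuration at send time, because once the body has been encrypted no XSD derived from the WSDL can describe it.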
