我正在连接到安全服务。
我有一个配置为使用jks文件提供证书的SOAP UI项目,以及适当的安全设置,以允许我获得有效的响应。
我已经使用AXIS 2和Rampart从JAVA项目创建SOAP请求。使用TCPMon,我已经设法获取SOAP请求。
当请求在JAVA项目中运行时,我只得到响应:
org.apache.axis2.AxisFault:缺少wsse:请求中的安全标头
但是如果我接受相同的请求,并在TCPMon中捕获并将其放入SOAP UI项目中,则将成功获得响应。
任何人有任何想法吗?
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
soapenv:mustUnderstand="1">
<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Timestamp-1">
<wsu:Created>2012-06-01T15:09:12.520Z</wsu:Created>
<wsu:Expires>2012-06-01T15:14:12.520Z</wsu:Expires>
</wsu:Timestamp>
<wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="CertId-ECDB0E....01">
MIID4DCCA0mgAwIBAgIBFjAN....</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
Id="Signature-2">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#Id-15..93">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>
3wgvhJ8SI2soC..IA=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#Timestamp-1">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>
VlzDT69YEl..qTlbj0=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
ZCRypw/..=</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-ECD..2">
<wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="STRId-ECDB0E6..6193">
<wsse:Reference URI="#CertId-ECDB0E..01"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security></soapenv:Header><soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-15..3"><ns2:ProductSearchV2Request xmlns:ns2="http://product.webservice.sxc.com">
<ns2:Strength>900</ns2:Strength>
<ns2:MaximumResultSetInd>true</ns2:MaximumResultSetInd>
<ns2:MaximumResultSet>100</ns2:MaximumResultSet>
</ns2:ProductSearchV2Request>
这是我正在使用的WS-POLICY文档:
<?xml version="1.0" encoding="UTF-8"?>
<!--
!
! Copyright 2006 The Apache Software Foundation.
!
! Licensed under the Apache License, Version 2.0 (the "License");
! you may not use this file except in compliance with the License.
! You may obtain a copy of the License at
!
! http://www.apache.org/licenses/LICENSE-2.0
!
! Unless required by applicable law or agreed to in writing, software
! distributed under the License is distributed on an "AS IS" BASIS,
! WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
! See the License for the specific language governing permissions and
! limitations under the License.
!-->
<wsp:Policy wsu:Id="SigOnly"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:RequireThumbprintReference/>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
<wsp:Policy>
<sp:RequireThumbprintReference/>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:TripleDesRsa15/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
<sp:OnlySignEntireHeadersAndBody/>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier/>
<sp:MustSupportRefIssuerSerial/>
</wsp:Policy>
</sp:Wss10>
<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body/>
</sp:SignedParts>
<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
<ramp:user>ctr</ramp:user>
<ramp:encryptionUser>ctr</ramp:encryptionUser>
<ramp:passwordCallbackClass>com.gtnet.rampart.PWCBHandler
</ramp:passwordCallbackClass>
<ramp:signatureCrypto>
<ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
<ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
<ramp:property name="org.apache.ws.security.crypto.merlin.file">build\resources\qa.jks</ramp:property>
<ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">123123</ramp:property>
</ramp:crypto>
</ramp:signatureCrypto>
</ramp:RampartConfig>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
谢谢艾伦
似乎错误不是出站请求,而是处理响应。该响应没有安全标头,当我们尝试对其进行解密时,会发生异常。
我需要以某种方式将我的Rampart配置更改为仅进行出站安全,而不进行入站安全>
我会回报:)
好吧,一旦Rampart被使用,它期望响应具有相同的安全头。我解决问题的方法是通过删除Rampart.mar文件中的Inflow安全处理程序。
我不确定这是否是最佳解决方案,但对我们有用。
要删除流入处理程序:解压rampart.mar文件
注释流入部分
压缩META_INF文件夹。然后将.zip文件重命名为.mar
现在当您使用它时,因为没有为流入定义处理程序,它将仅使用标准的Axis2响应处理程序。
我想如果您有多个使用Rampart的项目,其中一些在响应中具有安全性标头,而有些则没有,您将需要一种不同的方法。
这里详细介绍了另一种方法。这可能是一种更好的方法:
http://blog.rampartfaq.com/2009/11/how-to-generate-non-secure-response-to.html
例外:
org.apache.axis2.AxisFault:请求中缺少wsse:Security标头在org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:180)在org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:99)在org.apache.axis2.engine.Phase.invoke(Phase.java:318)处org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:251)在org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:160)在org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:364)在org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:417)在org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:229)
经过大量导航并多次阅读相同的页面,终于得到了令我满意的解决方案。
在我同样的问题中,但我通过更改存根中的soap请求版本名称空间uri获得了成功响应。我已将名称空间uri从“ http://www.w3.org/2003/05/soap-envelope”更改为“ http://schemas.xmlsoap.org/soap/envelope/”。