I am trying to create a SOAP client that follows WS-SecurityPolicy. Besides encryption in the request, the service requires the Timestamp, the UsernameToken and the SOAP Body to be digitally signed.
The keystore used to sign the request is not available as a file (jks / pfx). I am using a USB-based token, through which the keystore can be loaded programmatically. The USB token does not allow export to a pfx file.
Is there a way to override the keystore used for signing with an interceptor when using the policy-based approach for WS-Security?
The Spring configuration for WS-SecurityPolicy looks like this:
<jaxws:client name="{http://cxf.apache.org}MyPortName"
              createdFromAPI="true">
    <jaxws:properties>
        <entry key="security.callback-handler"
               value="interop.client.KeystorePasswordCallback"/>
        <entry key="security.signature.properties"
               value="etc/client.properties"/>
        <entry key="security.encryption.properties"
               value="etc/service.properties"/>
        <entry key="security.encryption.username"
               value="servicekeyalias"/>
    </jaxws:properties>
</jaxws:client>
Can this be configured together with an interceptor that overrides the signature part? Instead of security.signature.properties in the configuration above, I would like to use the interceptor below. Note: the code below uses libraries from Spring-WS. I am looking for a similar library/class from Apache CXF that can be used in this situation.
import java.util.Properties;

import org.apache.wss4j.common.crypto.CryptoFactory;
import org.apache.wss4j.common.crypto.Merlin;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.handler.WSHandlerConstants;
import org.springframework.context.annotation.Bean;
import org.springframework.ws.soap.security.wss4j2.Wss4jSecurityInterceptor;

@Bean
public Wss4jSecurityInterceptor securityInterceptor() throws Exception {
    Wss4jSecurityInterceptor securityInterceptor = new Wss4jSecurityInterceptor();
    // Outbound actions, in the order WSS4J should apply them
    String secAction = String.join(" ", WSHandlerConstants.USERNAME_TOKEN, WSHandlerConstants.TIMESTAMP, WSHandlerConstants.SIGNATURE);
    // set security actions
    securityInterceptor.setSecurementActions(secAction);
    // UsernameToken settings (config holds the service credentials)
    securityInterceptor.setSecurementUsername(config.getUsername());
    securityInterceptor.setSecurementPassword(config.getPassword());
    securityInterceptor.setSecurementPasswordType(WSConstants.PW_TEXT);
    securityInterceptor.setSecurementUsernameTokenNonce(true);
    securityInterceptor.setSecurementUsernameTokenCreated(false);
    // sign the request with a Merlin Crypto backed by a KeyStore object, not a keystore file
    Properties properties = new Properties();
    properties.setProperty("org.apache.ws.security.crypto.provider", "org.apache.wss4j.common.crypto.Merlin");
    Merlin crypto = (Merlin) CryptoFactory.getInstance(properties);
    crypto.setKeyStore(getKeyStore()); // This is my keystore fetched programmatically
    securityInterceptor.setSecurementSignatureKeyIdentifier("DirectReference");
    securityInterceptor.setSecurementSignatureCrypto(crypto);
    // Parts to sign as {Element}{namespace}LocalName. The UsernameToken element lives in the
    // wsse (secext) namespace; the original snippet used the ws-securitypolicy namespace here,
    // which does not match the element in the message.
    securityInterceptor.setSecurementSignatureParts("{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;" +
        "{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}UsernameToken;" +
        "{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body");
    return securityInterceptor;
}
I have tried implementing the SOAP client with Spring-WS, using the Wss4jSecurityInterceptor shown above. That way the Spring config shown first is not needed.
CommVerRequest request = new CommVerRequest();
prepareRequest(pan, request);
SOAPClient client = soapClientConfig.getSoapClient();
CommVerResponse callResponse = client.call(request);
/*CommVerResponse callResponse = port.verifyDetails(request);*/
validationResponse = prepareResponse(callResponse);

@Bean
public SOAPClient getSoapClient() throws Exception {
    SOAPClient soapClient = new SOAPClient();
    soapClient.setDefaultUri("https://foo.bar/CommVerService");
    ClientInterceptor[] interceptors = new ClientInterceptor[]{securityInterceptor()};
    soapClient.setInterceptors(interceptors);
    soapClient.setMarshaller(marshaller());
    soapClient.setUnmarshaller(marshaller());
    return soapClient;
}

@Bean
public Jaxb2Marshaller marshaller() {
    Jaxb2Marshaller marshaller = new Jaxb2Marshaller();
    marshaller.setContextPath("flatStub");
    return marshaller;
}
But I get this error when calling the web service.
WRONG_DOCUMENT_ERR: A node is used in a different document than the one that created it.
org.w3c.dom.DOMException: WRONG_DOCUMENT_ERR: A node is used in a different document than the one that created it.
    at com.sun.org.apache.xerces.internal.dom.ParentNode.internalInsertBefore(ParentNode.java:357) ~[na:1.8.0_191]
    at com.sun.org.apache.xerces.internal.dom.ParentNode.insertBefore(ParentNode.java:288) ~[na:1.8.0_191]
    at com.sun.org.apache.xerces.internal.dom.NodeImpl.appendChild(NodeImpl.java:237) ~[na:1.8.0_191]
    at org.apache.wss4j.dom.util.WSSecurityUtil.prependChildElement(WSSecurityUtil.java:314) ~[wss4j-ws-security-dom-2.2.0.jar:2.2.0]
    at org.apache.wss4j.dom.util.WSSecurityUtil.findWsseSecurityHeaderBlock(WSSecurityUtil.java:435) ~[wss4j-ws-security-dom-2.2.0.jar:2.2.0]
    at org.apache.wss4j.dom.message.WSSecHeader.insertSecurityHeader(WSSecHeader.java:165) ~[wss4j-ws-security-dom-2.2.0.jar:2.2.0]
    at org.apache.wss4j.dom.handler.WSHandler.doSenderAction(WSHandler.java:117) ~[wss4j-ws-security-dom-2.2.0.jar:2.2.0]
    at org.springframework.ws.soap.security.wss4j2.Wss4jHandler.doSenderAction(Wss4jHandler.java:63) ~[spring-ws-security-3.0.6.RELEASE.jar:na]
    at org.springframework.ws.soap.security.wss4j2.Wss4jSecurityInterceptor.secureMessage(Wss4jSecurityInterceptor.java:574) ~[spring-ws-security-3.0.6.RELEASE.jar:na]
    at org.springframework.ws.soap.security.AbstractWsSecurityInterceptor.handleRequest(AbstractWsSecurityInterceptor.java:210) ~[spring-ws-security-3.0.6.RELEASE.jar:na]
    at org.springframework.ws.client.core.WebServiceTemplate.doSendAndReceive(WebServiceTemplate.java:597) ~[spring-ws-core-3.0.7.RELEASE.jar:na]
    at org.springframework.ws.client.core.WebServiceTemplate.sendAndReceive(WebServiceTemplate.java:555) ~[spring-ws-core-3.0.7.RELEASE.jar:na]
    at org.springframework.ws.client.core.WebServiceTemplate.marshalSendAndReceive(WebServiceTemplate.java:390) ~[spring-ws-core-3.0.7.RELEASE.jar:na]
    at org.springframework.ws.client.core.WebServiceTemplate.marshalSendAndReceive(WebServiceTemplate.java:383) ~[spring-ws-core-3.0.7.RELEASE.jar:na]
    at org.springframework.ws.client.core.WebServiceTemplate.marshalSendAndReceive(WebServiceTemplate.java:373) ~[spring-ws-core-3.0.7.RELEASE.jar:na
I will check my dependency tree to see whether you hit the same problem:
mvn dependency:tree
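The CXF counterpart to handing Wss4jSecurityInterceptor a Crypto object is the request-context property SecurityConstants.SIGNATURE_CRYPTO ("security.signature.crypto"), which CXF's policy-based WS-Security interceptors consult before security.signature.properties. The following is an added example, not code from the question, from CXF or from WSS4J: it loads the keystore straight from a PKCS#11 token, wraps it in a Merlin and attaches it to a JAX-WS proxy so the private key never leaves the token. The PKCS#11 config path, the token alias, the PIN and the class names TokenSignatureSetup, loadTokenKeyStore, cryptoFor, pinCallback and applySignatureCrypto are assumptions made for the example; the package org.apache.cxf.rt.security.SecurityConstants assumes CXF 3.1 or later.

```java
// Added example (not from the question, CXF or WSS4J): use a KeyStore loaded
// programmatically from a PKCS#11 USB token as the signature Crypto of a CXF
// WS-SecurityPolicy client, replacing security.signature.properties.
// Config path, alias, PIN and all method names below are assumptions.
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.ws.BindingProvider;

import org.apache.cxf.rt.security.SecurityConstants;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.crypto.Merlin;
import org.apache.wss4j.common.ext.WSPasswordCallback;

public final class TokenSignatureSetup {

    private TokenSignatureSetup() {}

    /**
     * Loads the key store directly from the token. Java 9+ configures SunPKCS11 from a
     * config file via Provider.configure(); on Java 8 construct
     * new sun.security.pkcs11.SunPKCS11(pkcs11ConfigPath) instead. The config path is a
     * placeholder (assumption).
     */
    public static KeyStore loadTokenKeyStore(String pkcs11ConfigPath, char[] pin) throws Exception {
        Provider p = Security.getProvider("SunPKCS11").configure(pkcs11ConfigPath);
        Security.addProvider(p);
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin); // no file: the token is the store, the PIN unlocks it
        return ks;
    }

    /** Wraps an already loaded KeyStore in a WSS4J Merlin, bypassing any *.properties file. */
    public static Crypto cryptoFor(KeyStore keyStore) {
        Merlin merlin = new Merlin();
        merlin.setKeyStore(keyStore);
        return merlin;
    }

    /**
     * Supplies the private-key PIN when WSS4J asks for it during signing. Only the
     * SIGNATURE usage for the expected alias is answered; anything else is refused.
     */
    public static CallbackHandler pinCallback(String alias, char[] pin) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (!(cb instanceof WSPasswordCallback)) {
                    throw new UnsupportedCallbackException(cb);
                }
                WSPasswordCallback pc = (WSPasswordCallback) cb;
                if (pc.getUsage() == WSPasswordCallback.SIGNATURE && alias.equals(pc.getIdentifier())) {
                    pc.setPassword(new String(pin));
                }
            }
        };
    }

    /**
     * Attaches the in-memory Crypto to a CXF JAX-WS proxy. With WS-SecurityPolicy in
     * effect CXF reads these request-context properties; a Crypto under SIGNATURE_CRYPTO
     * takes precedence over security.signature.properties, so no keystore file is needed.
     */
    public static void applySignatureCrypto(Object port, Crypto crypto, String alias, char[] pin) {
        Map<String, Object> ctx = ((BindingProvider) port).getRequestContext();
        ctx.put(SecurityConstants.SIGNATURE_CRYPTO, crypto);
        ctx.put(SecurityConstants.SIGNATURE_USERNAME, alias);
        ctx.put(SecurityConstants.CALLBACK_HANDLER, pinCallback(alias, pin));
    }

    /** Usage sketch: port is the proxy obtained from the generated JAX-WS Service class. */
    public static void configure(Object port) throws Exception {
        char[] pin = "123456".toCharArray(); // assumption; read it from a secret store in practice
        KeyStore ks = loadTokenKeyStore("/etc/pki/pkcs11.cfg", pin);
        applySignatureCrypto(port, cryptoFor(ks), "signkeyalias", pin);
    }
}
```

Two caveats when this replaces security.signature.properties: the same Crypto is also used to verify the service's signature on the response, so if the service certificate is not on the token call merlin.setTrustStore(...) with a trust store that holds it; and encryption is unaffected, security.encryption.properties and security.encryption.username keep serving the encryption side exactly as in the XML above. If the policy-based interceptors still report a missing keystore, confirm that the properties land in the request context of the proxy that actually sends the message (the jaxws:properties block in the Spring config is equivalent to putting them there).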