1. 首頁
  2. 問答
  3. 驗證SOAP響應xml時間戳和簽名X509 spring-ws-security

驗證SOAP響應xml時間戳和簽名X509 spring-ws-security

2017-10-09 175 views
0

我是spring-ws-security的新手,已經閱讀了幾乎所有關於google和stacktrace的文章,但無法正常工作。
我有要求驗證響應XML簽名,時間戳,然後檢索數據。當我跳過驗證,然後沒有任何問題,但一會兒我添加驗證代碼,我收到錯誤:驗證SOAP響應xml時間戳和簽名X509 spring-ws-security

警告:無法驗證請求:簽名或解密無效;嵌套的例外是org.apache.ws.security.WSSecurityException:簽名或解密是無效的

@Configuration 
public class SoapClientConfig { 

final String generatedResource = "packageName"; 

@Bean 
public KeyStoreCallbackHandler securityCallbackHandler() { 
    KeyStoreCallbackHandler callbackHandler = new KeyStoreCallbackHandler(); 
    callbackHandler.setPrivateKeyPassword("serverkeystorepassword"); 
    return callbackHandler; 
} 

@Bean 
public Wss4jSecurityInterceptor securityInterceptor() throws Exception { 
    Wss4jSecurityInterceptor securityInterceptor = new Wss4jSecurityInterceptor(); 

    // set security actions 
    securityInterceptor.setSecurementActions("Timestamp Signature"); 
    securityInterceptor.setSecurementUsername("clientkeystoreusername"); 
    securityInterceptor.setSecurementPassword("clientkeystorepassword"); 

    //sign both body and timestamp - default body will be signed 
    securityInterceptor.setSecurementSignatureParts("{}{http://schemas.xmlsoap.org/soap/envelope/}Body;{}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp"); 

    //This will generate binarySecurityToken in header 
    securityInterceptor.setSecurementSignatureKeyIdentifier("DirectReference"); 
    securityInterceptor.setSecurementSignatureCrypto(getRequestCryptoBean().getObject()); 

    //This is validation code, which is not validating response. 
    securityInterceptor.setValidationActions("Timestamp Signature"); 
    securityInterceptor.setValidationSignatureCrypto(getResponseCryptoBean().getObject()); 
    securityInterceptor.setValidationCallbackHandler(securityCallbackHandler()); 

    return securityInterceptor; 
} 

@Bean 
public CryptoFactoryBean getRequestCryptoBean() throws IOException, URISyntaxException { 

    CryptoFactoryBean cryptoFactoryBean = new CryptoFactoryBean(); 
    cryptoFactoryBean.setKeyStorePassword("clientkeystorepassword"); 
    cryptoFactoryBean.setKeyStoreLocation("client.jks"); 
    return cryptoFactoryBean; 
} 

@Bean 
public CryptoFactoryBean getResponseCryptoBean() throws Exception { 

    CryptoFactoryBean cryptoFactoryBean = new CryptoFactoryBean(); 
    cryptoFactoryBean.setDefaultX509Alias("1"); 
    cryptoFactoryBean.setKeyStorePassword("serverkeystorepassword"); 
    cryptoFactoryBean.setKeyStoreLocation("server.jks"); 
    cryptoFactoryBean.afterPropertiesSet(); 
    return cryptoFactoryBean; 
} 

@Bean 
public Jaxb2Marshaller getMarshaller() { 
    Jaxb2Marshaller marshaller = new Jaxb2Marshaller(); 
    marshaller.setContextPath(generatedResource); 
    return marshaller; 
} 

@Bean 
public Card getAvailableCardsClient() throws Exception { 
    Card memberCard = new Card(); 
    memberCard.setMarshaller(getMarshaller()); 
    memberCard.setUnmarshaller(getMarshaller()); 

    //Set timeout for soap service 
    HttpComponentsMessageSender sender = new HttpComponentsMessageSender(); 
    sender.setConnectionTimeout(2000); 
    sender.setReadTimeout(2000); 
    memberCard.setMessageSender(sender); 
    //end timeout 

    memberCard.setDefaultUri("url"); 

    //add interceptor for adding and validating signature 
    ClientInterceptor[] interceptors = new ClientInterceptor[]{securityInterceptor()}; 
    memberCard.setInterceptors(interceptors); 

    return memberCard; 
}

}

** server.jks包含服務器的公鑰。此外,此身份驗證是X509證書。 請幫我弄清楚,如何驗證回覆。

來源

2017-10-09 Shikha A

回答

0

我找到了我的解決方案,併發布給其他在同一條船上的人。

在我的方案中,因爲我必須使用兩個不同的證書(server.jks,client.jks)進行請求和響應驗證;我無法爲此使用相同的攔截器。我最終創建了兩個不同的攔截器,一個用於請求,另一個用於響應。

這裏是工作的代碼副本:

@Configuration 
public class SoapClientConfig { 

    @Bean 
    public KeyStoreCallbackHandler securityCallbackHandler() throws Exception { 
     KeyStoreCallbackHandler callbackHandler = new KeyStoreCallbackHandler(); 
     callbackHandler.setSymmetricKeyPassword("serverPassword"); 
     return callbackHandler; 
    } 

    @Bean 
    public Wss4jSecurityInterceptor securityInterceptor() throws IOException, Exception { 

     Wss4jSecurityInterceptor securityInterceptor = new Wss4jSecurityInterceptor(); 

     // set security actions 
     securityInterceptor.setSecurementActions("Timestamp Signature"); 
     securityInterceptor.setSecurementUsername("clientAias"); 
     securityInterceptor.setSecurementPassword("clientPassword"); 

     //sign both body and timestamp - default body will be signed 
     securityInterceptor.setSecurementSignatureParts("{}{http://schemas.xmlsoap.org/soap/envelope/}Body;{}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp"); 

     //This will generate binarySecurityToken in header 
     securityInterceptor.setSecurementSignatureKeyIdentifier("DirectReference"); 
     securityInterceptor.setSecurementSignatureCrypto(getRequestCryptoBean().getObject()); 

     return securityInterceptor; 
    } 

    @Bean 
    public CryptoFactoryBean getRequestCryptoBean() throws IOException { 

     CryptoFactoryBean cryptoFactoryBean = new CryptoFactoryBean(); 
     cryptoFactoryBean.setKeyStorePassword("clientPassword"); 
     cryptoFactoryBean.setKeyStoreLocation("clientCertLoc"); 
     return cryptoFactoryBean; 
    } 

    @Bean 
    public Wss4jSecurityInterceptor responseSecurityInterceptor() throws IOException, Exception { 

     Wss4jSecurityInterceptor securityInterceptor = new Wss4jSecurityInterceptor(); 
     securityInterceptor.setValidationActions("Timestamp Signature"); 
     securityInterceptor.setValidationSignatureCrypto(getResponseCryptoBean().getObject()); 
     securityInterceptor.setValidationCallbackHandler(securityCallbackHandler()); 

     return securityInterceptor; 
    } 

    @Bean 
    public CryptoFactoryBean getResponseCryptoBean() throws Exception { 

     CryptoFactoryBean cryptoFactoryBean = new CryptoFactoryBean(); 
     cryptoFactoryBean.setKeyStoreLocation("serverCertLoc"); 
     cryptoFactoryBean.setDefaultX509Alias("serverAlias"); 
     cryptoFactoryBean.setKeyStorePassword("serverPassword"); 
     cryptoFactoryBean.afterPropertiesSet(); 
     return cryptoFactoryBean; 
    } 

    @Bean 
    public Jaxb2Marshaller getMarshaller() { 
     Jaxb2Marshaller marshaller = new Jaxb2Marshaller(); 
     marshaller.setContextPath(generatedResource); 
     return marshaller; 
    } 

    @Bean 
    public WebServiceClass getPojoClassMethod() throws ConnectException, Exception { 

     WebServiceClass pClass= new WebServiceClass(); 
     pClass.setMarshaller(getMarshaller()); 
     pClass.setUnmarshaller(getMarshaller()); 

     //Set timeout for soap service 
     HttpComponentsMessageSender sender = new HttpComponentsMessageSender(); 
     int timeout; 
     if (null == stringFromEnvironmentOrIllegalStateException(env, timeoutInMs)) { 
      timeout = 10000; 
     } else { 
      timeout = Integer.parseInt(stringFromEnvironmentOrIllegalStateException(env, timeoutInMs)); 
     } 
     sender.setConnectionTimeout(timeout); 
     sender.setReadTimeout(timeout); 
     pClass.setMessageSender(sender); 
     //end timeout config 

     pClass.setDefaultUri("actionURL"); 
     ClientInterceptor[] interceptors = new ClientInterceptor[]{securityInterceptor(), responseSecurityInterceptor()}; 
     pClass.setInterceptors(interceptors); 

     return pClass; 
    } 

}

來源

2017-12-20 18:59:17

相關問題

 相關問題