I ran into a problem integrating WSO2 Identity Server with the ESB: the WSO2 ESB EntitlementMediator does not send the message to the Identity Server.
When I followed the guide "Using XACML Fine Grained Authorization with the WSO2 Product Platform", I found that the ESB received the message from the client, but I did not see the ESB send the message on to the Identity Server.
I am trying this with wso2esb-4.7.0 and wso2is-4.1.0.
Here are the steps I took:
Configured WSO2 Identity Server as the XACML engine and started the Identity Server;
Configured the Entitlement Mediator in WSO2 ESB and started the ESB;
Ran the client code in the IDE.
In the ESB and the IS there is no message output.
In the client IDE, the following messages appear on the console:
......
13/08/05 15:24:15 INFO deployment.ModuleDeployer: Deploying module: rahas - file:/D:/project/wso2/test/wso2esb-4.7.0/repository/components/plugins/rampart-trust_1.6.1.wso2v8.jar
13/08/05 15:24:15 ERROR sandesha2.SandeshaModule: Could not load module policies. Using default values.
13/08/05 15:24:15 INFO tcp.TCPTransportSender: TCP Sender started
13/08/05 15:24:17 ERROR engine.AxisEngine: Missing wsse:Security header in request
org.apache.axis2.AxisFault: Missing wsse:Security header in request
at org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:180)
at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:99)
at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:167)
at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:356)
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:413)
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:224)
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:554)
at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:530)
at org.wso2.entitlement.sample.WSEntitlementTestClient.main(WSEntitlementTestClient.java:59)
Caused by: org.apache.rampart.RampartException: Missing wsse:Security header in request
at org.apache.rampart.RampartEngine.process(RampartEngine.java:141)
at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
... 11 more
Exception in thread "main" org.apache.axis2.AxisFault: Missing wsse:Security header in request
at org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:180)
at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:99)
at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:167)
at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:356)
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:413)
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:224)
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:554)
at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:530)
at org.wso2.entitlement.sample.WSEntitlementTestClient.main(WSEntitlementTestClient.java:59)
Caused by: org.apache.rampart.RampartException: Missing wsse:Security header in request
at org.apache.rampart.RampartEngine.process(RampartEngine.java:141)
at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
... 11 more
Here is the client source code:
package org.wso2.entitlement.sample;
import org.apache.axiom.om.OMAbstractFactory;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.OMFactory;
import org.apache.axiom.om.OMNamespace;
import org.apache.axiom.om.impl.builder.StAXOMBuilder;
import org.apache.axis2.Constants;
import org.apache.axis2.addressing.EndpointReference;
import org.apache.axis2.client.Options;
import org.apache.axis2.client.ServiceClient;
import org.apache.axis2.context.ConfigurationContext;
import org.apache.axis2.context.ConfigurationContextFactory;
import org.apache.neethi.Policy;
import org.apache.neethi.PolicyEngine;
import org.apache.rampart.RampartMessageData;
public class WSEntitlementTestClient {
final static String ADDR_URL = "http://localhost:8280/services/echo"; //"http://localhost:8280/services/MarketDataService";
final static String TRANS_URL = "https://localhost:8243/services/EntitlementService"; // "https://localhost:8243/services/EntitlementProxy";
public static void main(String[] args) throws Exception {
ServiceClient client = null;
Options options = null;
OMElement response = null;
ConfigurationContext context = null;
String trustStore = null;
// You need to import the ESBs public certificate to this key store.
trustStore = "wso2carbon.jks";
// We are accessing ESB over HTTPS - so need to set trustStore parameters.
System.setProperty("javax.net.ssl.trustStore", trustStore);
// Password of mykeystore.jks
System.setProperty("javax.net.ssl.trustStorePassword", "wso2carbon");
// Create configuration context - you will have Rampart module engaged in the client.axis2.xml
context = ConfigurationContextFactory.createConfigurationContextFromFileSystem("repo","repo/conf/axis2_client.xml");
// This is the security policy of the proxy service applied UT.
StAXOMBuilder builder = new StAXOMBuilder("policy.xml");
Policy policy = PolicyEngine.getPolicy(builder.getDocumentElement());
// context = ConfigurationContextFactory.createConfigurationContextFromFileSystem("repo","repo/conf/client.axis2.xml");
client = new ServiceClient(context, null);
options = new Options();
options.setAction("urn:echoString");
// This is the addressing URL pointing to the echo service deployed in ESB
options.setTo(new EndpointReference(ADDR_URL));
// To the ESB, the proxy service
options.setUserName("admin");
options.setPassword("admin");
// TRANS_URL points to proxy service
options.setProperty(Constants.Configuration.TRANSPORT_URL, TRANS_URL);
options.setProperty(RampartMessageData.KEY_RAMPART_POLICY, policy);
client.setOptions(options);
client.engageModule("addressing");
client.engageModule("rampart");
response = client.sendReceive(getPayload("Hello world"));
System.out.println(response);
}
private static OMElement getPayload(String value) {
OMFactory factory = null;
OMNamespace ns = null;
OMElement elem = null;
OMElement childElem = null;
factory = OMAbstractFactory.getOMFactory();
ns = factory.createOMNamespace("http://echo.services.core.carbon.wso2.org", "ns1");
elem = factory.createOMElement("echoString", ns);
childElem = factory.createOMElement("in", null);
childElem.setText(value);
elem.addChild(childElem);
return elem;
}
}
Here is the entitlement policy on the Identity Server:
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="Note" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
<Description>Note description </Description>
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Match>
</AllOf>
</AnyOf>
</Target>
<Rule Effect="Permit" RuleId="primary-group-rule">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Match>
</AllOf>
</AnyOf>
</Target>
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Apply>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
</Apply>
</Condition>
</Rule>
<Rule Effect="Deny" RuleId="deny-rule"/>
</Policy>
Here is the EntitlementService proxy source in the ESB:
<?xml version="1.0" encoding="UTF-8"?>
<proxy xmlns="http://ws.apache.org/ns/synapse"
name="EntitlementService"
transports="https"
statistics="disable"
trace="disable"
startOnLoad="true">
<target>
<inSequence>
<entitlementService remoteServiceUrl="https://localhost:9445/services/"
remoteServiceUserName="admin"
remoteServicePassword="enc:kuv2MubUUveMyv6GeHrXr9il59ajJIqUI4eoYHcgGKf/BBFOWn96NTjJQI+wYbWjKW6r79S7L7ZzgYeWx7DlGbff5X3pBN2Gh9yV0BHP1E93QtFqR7uTWi141Tr7V7ZwScwNqJbiNoV+vyLbsqKJE7T3nP8Ih9Y6omygbcLcHzg=">
<onReject/>
<onAccept/>
<obligations/>
<advice/>
</entitlementService>
<header name="wsse:Security" scope="transport" action="remove"/>
<send/>
<drop/>
</inSequence>
<outSequence>
<send/>
<drop/>
</outSequence>
</target>
<enableSec/>
<policy key="conf:/repository/axis2/service-groups/EntitlementService/services/EntitlementService/policies/UTOverTransport"/>
<description/>
</proxy>
In the ESB SOAP message tracer I can see the following request message:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-1">
<wsu:Created>2013-08-05T06:10:20.503Z</wsu:Created>
<wsu:Expires>2013-08-05T06:15:20.503Z</wsu:Expires>
</wsu:Timestamp>
<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-2">
<wsse:Username>aaa</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">admin</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
<wsa:To>http://localhost:8280/services/echo</wsa:To>
<wsa:MessageID>urn:uuid:269da889-ce33-4138-b050-3f4913dbbc17</wsa:MessageID>
<wsa:Action>urn:echoString</wsa:Action>
</soapenv:Header>
<soapenv:Body>
<ns1:echoString xmlns:ns1="http://echo.services.core.carbon.wso2.org">
<in>Hello world</in>
</ns1:echoString>
</soapenv:Body>
</soapenv:Envelope>
along with the following response:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Action>urn:echoStringResponse</wsa:Action>
<wsa:RelatesTo>urn:uuid:269da889-ce33-4138-b050-3f4913dbbc17</wsa:RelatesTo>
</soapenv:Header>
<soapenv:Body>
<ns:echoStringResponse xmlns:ns="http://echo.services.core.carbon.wso2.org">
<return>Hello world</return>
</ns:echoStringResponse>
</soapenv:Body>
</soapenv:Envelope>
But in the Identity Server SOAP message tracer, both the request message and the response message are empty. It seems the ESB does not send any message to the Identity Server.
Does anyone know what is wrong?
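An added example, not part of the question above and not WSO2's own code: a small Python walk-through of the two checks a practitioner would run against the traced messages. It parses the request and response envelopes quoted from the ESB tracer (constructed here with the bodies trimmed), tests whether each carries a wsse:Security header (the stack trace shows the fault being raised from handleResponse, i.e. while the client's Rampart module processes the ESB's reply, and the traced reply has no such header), checks the wsu:Timestamp window, extracts the attributes an entitlement mediator would send to the PDP, and evaluates them against the XACML policy quoted from the Identity Server. The policy evaluation is hand-written logic mirroring that one policy (first-applicable combining, one Permit rule guarded by action-id and a subject-id condition, one unconditional Deny rule), not a general XACML engine; using "read" as the default action-id and search-style regexp matching are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "wsa": "http://www.w3.org/2005/08/addressing",
}

# Constructed from the request envelope in the ESB trace (body dropped).
REQUEST = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-1">
<wsu:Created>2013-08-05T06:10:20.503Z</wsu:Created>
<wsu:Expires>2013-08-05T06:15:20.503Z</wsu:Expires>
</wsu:Timestamp>
<wsse:UsernameToken wsu:Id="UsernameToken-2" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:Username>aaa</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">admin</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
<wsa:To>http://localhost:8280/services/echo</wsa:To>
<wsa:Action>urn:echoString</wsa:Action>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>"""

# Constructed from the response envelope in the same trace: no wsse:Security.
RESPONSE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Action>urn:echoStringResponse</wsa:Action>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>"""

TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"


def has_security_header(envelope_xml: str) -> bool:
    """True if the SOAP header carries a wsse:Security block; a WS-Security
    receiver whose policy expects one faults on a message without it."""
    root = ET.fromstring(envelope_xml)
    return root.find("soapenv:Header/wsse:Security", NS) is not None


def timestamp_is_fresh(envelope_xml: str, now_utc: str) -> bool:
    """Check Created <= now < Expires on the wsu:Timestamp (now as ISO UTC)."""
    root = ET.fromstring(envelope_xml)
    ts = root.find("soapenv:Header/wsse:Security/wsu:Timestamp", NS)
    if ts is None:
        return False
    created = datetime.strptime(ts.find("wsu:Created", NS).text, TS_FMT)
    expires = datetime.strptime(ts.find("wsu:Expires", NS).text, TS_FMT)
    return created <= datetime.strptime(now_utc, TS_FMT) < expires


def extract_pep_attributes(envelope_xml: str, default_action: str = "read") -> dict:
    """Attributes a PEP would forward: subject from the UsernameToken, resource
    from wsa:To, action defaulting to "read" (assumption of this example)."""
    root = ET.fromstring(envelope_xml)
    user = root.find("soapenv:Header/wsse:Security/wsse:UsernameToken/wsse:Username", NS)
    to = root.find("soapenv:Header/wsa:To", NS)
    return {
        "subject-id": user.text if user is not None else None,
        "resource-id": to.text if to is not None else None,
        "action-id": default_action,
    }


# Literal values taken from the XACML policy quoted in the question.
TARGET_RESOURCE_REGEXP = "http://localhost:8280/services/echo"
PERMITTED_ACTION = "read"
PERMITTED_SUBJECT = "admin"


def evaluate_policy(subject, resource, action) -> str:
    """Hand-written evaluation of that one policy (first-applicable)."""
    # MustBePresent="true" designators: a missing attribute is Indeterminate.
    if resource is None or subject is None:
        return "Indeterminate"
    # <Target>: string-regexp-match, regexp is the first (AttributeValue) argument.
    if re.search(TARGET_RESOURCE_REGEXP, resource) is None:
        return "NotApplicable"
    # Rule "primary-group-rule": action-id target plus subject-id condition.
    if action == PERMITTED_ACTION and subject == PERMITTED_SUBJECT:
        return "Permit"
    # Rule "deny-rule" has no target and no condition, so it always applies.
    return "Deny"


def audit_trace(request_xml: str = REQUEST, response_xml: str = RESPONSE) -> dict:
    """Summarise both checks for the traced exchange."""
    attrs = extract_pep_attributes(request_xml)
    decision = evaluate_policy(attrs["subject-id"], attrs["resource-id"], attrs["action-id"])
    return {
        "request_has_security_header": has_security_header(request_xml),
        "response_has_security_header": has_security_header(response_xml),
        "pdp_decision": decision,
        **attrs,
    }
```

Run `audit_trace()` to see the two observations side by side: the traced request carries a UsernameToken for subject "aaa", which this policy maps to Deny (only "admin" with action "read" on the echo resource is permitted), and the traced response carries no wsse:Security header at all. Comparing what the policy would decide with what the ESB actually returned is the quickest way to tell whether the PDP was consulted for a given message.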
Could you please explain why, and in what way, they are incompatible? Is it because ESB 4.7.0 is based on Carbon 4.1.X while IS 4.1.0 is based on Carbon 4.0.X? Or is there another reason? How exactly can we determine version compatibility between different WSO2 products? – user8658912
These scenarios will work with the latest product packs. However, when we use different products based on different Carbon kernel versions, there can be problems in feature installation. – Pushpalanka
Do you mean the scenario above can work successfully with wso2esb-4.7.0 and wso2is-4.5.0? (I tried wso2es-4.6.0 with wso2is-4.1.0 and it did not work.) – iceguo