2013-08-06 95 views
0

I have a problem integrating WSO2 Identity Server with the ESB. The WSO2 ESB EntitlementMediator cannot send messages to the Identity Server

When I followed the guide "Using XACML Fine Grained Authorization with the WSO2 Product Platform", I found that the ESB received the message from the client, but I did not see the ESB send any message to the Identity Server.

I tried this with wso2esb-4.7.0 and wso2is-4.1.0.

Here are the steps I took:

  1. Configure WSO2 Identity Server as the XACML engine and start the Identity Server;

  2. Configure the Entitlement mediator in WSO2 ESB and start the ESB;

  3. Run the client code in the IDE.

Nothing is logged in either the ESB or the IS.

In the client IDE, the following messages appear on the console:

...... 

13/08/05 15:24:15 INFO deployment.ModuleDeployer: Deploying module: rahas - file:/D:/project/wso2/test/wso2esb-4.7.0/repository/components/plugins/rampart-trust_1.6.1.wso2v8.jar 
13/08/05 15:24:15 ERROR sandesha2.SandeshaModule: Could not load module policies. Using default values. 
13/08/05 15:24:15 INFO tcp.TCPTransportSender: TCP Sender started 
13/08/05 15:24:17 ERROR engine.AxisEngine: Missing wsse:Security header in request 
org.apache.axis2.AxisFault: Missing wsse:Security header in request 
    at org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:180) 
    at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:99) 
    at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340) 
    at org.apache.axis2.engine.Phase.invoke(Phase.java:313) 
    at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261) 
    at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:167) 
    at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:356) 
    at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:413) 
    at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:224) 
    at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149) 
    at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:554) 
    at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:530) 
    at org.wso2.entitlement.sample.WSEntitlementTestClient.main(WSEntitlementTestClient.java:59) 
Caused by: org.apache.rampart.RampartException: Missing wsse:Security header in request 
    at org.apache.rampart.RampartEngine.process(RampartEngine.java:141) 
    at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92) 
    ... 11 more 
Exception in thread "main" org.apache.axis2.AxisFault: Missing wsse:Security header in request 
    at org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:180) 
    at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:99) 
    at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340) 
    at org.apache.axis2.engine.Phase.invoke(Phase.java:313) 
    at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261) 
    at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:167) 
    at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:356) 
    at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:413) 
    at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:224) 
    at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149) 
    at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:554) 
    at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:530) 
    at org.wso2.entitlement.sample.WSEntitlementTestClient.main(WSEntitlementTestClient.java:59) 
Caused by: org.apache.rampart.RampartException: Missing wsse:Security header in request 
    at org.apache.rampart.RampartEngine.process(RampartEngine.java:141) 
    at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92) 
    ... 11 more 

Here is the client source code:

package org.wso2.entitlement.sample; 

import org.apache.axiom.om.OMAbstractFactory; 
import org.apache.axiom.om.OMElement; 
import org.apache.axiom.om.OMFactory; 
import org.apache.axiom.om.OMNamespace; 
import org.apache.axiom.om.impl.builder.StAXOMBuilder; 
import org.apache.axis2.Constants; 
import org.apache.axis2.addressing.EndpointReference; 
import org.apache.axis2.client.Options; 
import org.apache.axis2.client.ServiceClient; 
import org.apache.axis2.context.ConfigurationContext; 
import org.apache.axis2.context.ConfigurationContextFactory; 
import org.apache.neethi.Policy; 
import org.apache.neethi.PolicyEngine; 
import org.apache.rampart.RampartMessageData; 

public class WSEntitlementTestClient { 

final static String ADDR_URL = "http://localhost:8280/services/echo"; //"http://localhost:8280/services/MarketDataService"; 
final static String TRANS_URL = "https://localhost:8243/services/EntitlementService"; // "https://localhost:8243/services/EntitlementProxy"; 

public static void main(String[] args) throws Exception { 
    ServiceClient client = null; 
    Options options = null; 
    OMElement response = null; 
    ConfigurationContext context = null; 
    String trustStore = null; 

    // You need to import the ESBs public certificate to this key store. 
    trustStore = "wso2carbon.jks"; 
    // We are accessing ESB over HTTPS - so need to set trustStore parameters. 
    System.setProperty("javax.net.ssl.trustStore", trustStore); 
    // Password of mykeystore.jks 
    System.setProperty("javax.net.ssl.trustStorePassword", "wso2carbon"); 

    // Create configuration context - you will have Rampart module engaged in the client.axis2.xml 
    context = ConfigurationContextFactory.createConfigurationContextFromFileSystem("repo","repo/conf/axis2_client.xml"); 

    // This is the security policy of the proxy service applied UT. 
    StAXOMBuilder builder = new StAXOMBuilder("policy.xml"); 
    Policy policy = PolicyEngine.getPolicy(builder.getDocumentElement()); 

// context = ConfigurationContextFactory.createConfigurationContextFromFileSystem("repo","repo/conf/client.axis2.xml"); 
    client = new ServiceClient(context, null); 
    options = new Options(); 
    options.setAction("urn:echoString"); 
    // This is the addressing URL pointing to the echo service deployed in ESB 
    options.setTo(new EndpointReference(ADDR_URL)); 
    // To the ESB, the proxy service 
    options.setUserName("admin"); 
    options.setPassword("admin"); 
    // TRANS_URL points to proxy service 
    options.setProperty(Constants.Configuration.TRANSPORT_URL, TRANS_URL); 
    options.setProperty(RampartMessageData.KEY_RAMPART_POLICY, policy); 
    client.setOptions(options); 
    client.engageModule("addressing"); 
    client.engageModule("rampart"); 
    response = client.sendReceive(getPayload("Hello world")); 
    System.out.println(response); 
} 

private static OMElement getPayload(String value) { 
    OMFactory factory = null; 
    OMNamespace ns = null; 
    OMElement elem = null; 
    OMElement childElem = null; 

    factory = OMAbstractFactory.getOMFactory(); 
    ns = factory.createOMNamespace("http://echo.services.core.carbon.wso2.org", "ns1"); 
    elem = factory.createOMElement("echoString", ns); 
    childElem = factory.createOMElement("in", null); 
    childElem.setText(value); 
    elem.addChild(childElem); 
    return elem; 
} 
} 

Here is the entitlement policy on the Identity Server:

<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="Note" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0"> 
<Description>Note description </Description> 
<Target> 
    <AnyOf> 
    <AllOf> 
     <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"> 
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo</AttributeValue> 
      <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/> 
     </Match> 
    </AllOf> 
    </AnyOf> 
</Target> 
<Rule Effect="Permit" RuleId="primary-group-rule"> 
    <Target> 
    <AnyOf> 
     <AllOf> 
      <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> 
       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue> 
       <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/> 
      </Match> 
     </AllOf> 
    </AnyOf> 
    </Target> 
    <Condition> 
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> 
     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only"> 
      <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/> 
     </Apply> 
     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue> 
    </Apply> 
    </Condition> 
</Rule> 
<Rule Effect="Deny" RuleId="deny-rule"/> 
</Policy>

Here is the EntitlementService proxy source in the ESB:

<?xml version="1.0" encoding="UTF-8"?> 
<proxy xmlns="http://ws.apache.org/ns/synapse" 
    name="EntitlementService" 
    transports="https" 
    statistics="disable" 
    trace="disable" 
    startOnLoad="true"> 
<target> 
    <inSequence> 
    <entitlementService remoteServiceUrl="https://localhost:9445/services/" 
         remoteServiceUserName="admin" 
         remoteServicePassword="enc:kuv2MubUUveMyv6GeHrXr9il59ajJIqUI4eoYHcgGKf/BBFOWn96NTjJQI+wYbWjKW6r79S7L7ZzgYeWx7DlGbff5X3pBN2Gh9yV0BHP1E93QtFqR7uTWi141Tr7V7ZwScwNqJbiNoV+vyLbsqKJE7T3nP8Ih9Y6omygbcLcHzg="> 
     <onReject/> 
     <onAccept/> 
     <obligations/> 
     <advice/> 
    </entitlementService> 
    <header name="wsse:Security" scope="transport" action="remove"/> 
    <send/> 
    <drop/> 
    </inSequence> 
    <outSequence> 
    <send/> 
    <drop/> 
    </outSequence> 
</target> 
<enableSec/> 
<policy key="conf:/repository/axis2/service-groups/EntitlementService/services/EntitlementService/policies/UTOverTransport"/> 
<description/> 
</proxy> 

In the ESB SOAP message tracer I can see the following request message:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> 
    <soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing"> 
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1"> 
     <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-1"> 
      <wsu:Created>2013-08-05T06:10:20.503Z</wsu:Created> 
      <wsu:Expires>2013-08-05T06:15:20.503Z</wsu:Expires> 
     </wsu:Timestamp> 
     <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-2"> 
      <wsse:Username>aaa</wsse:Username> 
      <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">admin</wsse:Password> 
     </wsse:UsernameToken> 
    </wsse:Security> 
    <wsa:To>http://localhost:8280/services/echo</wsa:To> 
    <wsa:MessageID>urn:uuid:269da889-ce33-4138-b050-3f4913dbbc17</wsa:MessageID> 
    <wsa:Action>urn:echoString</wsa:Action> 
    </soapenv:Header> 
    <soapenv:Body> 
    <ns1:echoString xmlns:ns1="http://echo.services.core.carbon.wso2.org"> 
     <in>Hello world</in> 
    </ns1:echoString> 
    </soapenv:Body> 
</soapenv:Envelope> 

along with the following response:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> 
<soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing"> 
    <wsa:Action>urn:echoStringResponse</wsa:Action> 
    <wsa:RelatesTo>urn:uuid:269da889-ce33-4138-b050-3f4913dbbc17</wsa:RelatesTo> 
</soapenv:Header> 
<soapenv:Body> 
    <ns:echoStringResponse xmlns:ns="http://echo.services.core.carbon.wso2.org"> 
    <return>Hello world</return> 
    </ns:echoStringResponse> 
</soapenv:Body> 
</soapenv:Envelope> 

But in the Identity Server SOAP message tracer, both the request message and the response message are empty. It seems the ESB is not sending any message to the Identity Server.

Does anyone know what is wrong?
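To see what decision the policy quoted above yields for a given subject, resource and action, here is a small evaluator added for this page (it is not the poster's code nor WSO2's PDP); it covers only the XACML constructs that policy uses (AnyOf/AllOf/Match, string-equal, string-regexp-match, string-one-and-only, first-applicable rule combining). It assumes, as the mediator's mapping, that the authenticated username becomes subject-id, the wsa:To address becomes resource-id and the action becomes action-id; the policy text is the question's, condensed onto fewer lines with the Description element omitted.

```python
import re
import xml.etree.ElementTree as ET
NS = "{urn:oasis:names:tc:xacml:3.0:core:schema:wd-17}"
XF = "urn:oasis:names:tc:xacml:1.0:function:"
FUNCS = {XF + "string-equal": lambda a, b: a == b, XF + "string-regexp-match": lambda p, s: re.search(p, s) is not None}
SUBJ, RES, ACT = ("urn:oasis:names:tc:xacml:1.0:subject:subject-id", "urn:oasis:names:tc:xacml:1.0:resource:resource-id", "urn:oasis:names:tc:xacml:1.0:action:action-id")

# The policy from the question, condensed onto fewer lines (Description omitted, rules unchanged).
POLICY = """<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="Note" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
<Target><AnyOf><AllOf><Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Match></AllOf></AnyOf></Target>
<Rule Effect="Permit" RuleId="primary-group-rule"><Target><AnyOf><AllOf><Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Match></AllOf></AnyOf></Target><Condition><Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only"><AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/></Apply>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue></Apply></Condition></Rule>
<Rule Effect="Deny" RuleId="deny-rule"/></Policy>"""

def _value(node, request):
    """Evaluate an AttributeValue, AttributeDesignator or Apply element to a Python value."""
    if node.tag == NS + "AttributeValue":
        return node.text
    if node.tag == NS + "AttributeDesignator":  # MustBePresent="true": a missing attribute raises KeyError
        return request[node.get("AttributeId")]
    args = [_value(child, request) for child in node]  # Apply: evaluate the arguments first
    fn = node.get("FunctionId")
    return args[0] if fn == XF + "string-one-and-only" else FUNCS[fn](*args)

def _target_matches(target, request):
    """A missing Target applies to everything; otherwise some AllOf must have every Match true."""
    if target is None:
        return True
    return any(all(FUNCS[m.get("MatchId")](_value(m[0], request), _value(m[1], request))
                   for m in allof.findall(NS + "Match"))
               for allof in target.iter(NS + "AllOf"))

def evaluate(policy_xml, request):
    """Return Permit, Deny or NotApplicable under first-applicable rule combining."""
    policy = ET.fromstring(policy_xml)
    if not _target_matches(policy.find(NS + "Target"), request):
        return "NotApplicable"
    for rule in policy.findall(NS + "Rule"):
        cond = rule.find(NS + "Condition")
        if _target_matches(rule.find(NS + "Target"), request) and (cond is None or _value(cond[0], request) is True):
            return rule.get("Effect")  # the first rule whose Target and Condition both hold decides
    return "NotApplicable"
```

Under these assumptions a request with subject admin, resource http://localhost:8280/services/echo and action read evaluates to Permit, while the traced message's username aaa and action urn:echoString evaluate to Deny, because only the action "read" satisfies the Permit rule's target and the trailing deny-rule then applies.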

Answer

0

First of all, WSO2 ESB 4.7.0 and WSO2 IS 4.1.0 are not compatible versions. You can use ESB 4.6.0 with IS 4.1.0, or use the current ESB with WSO2 IS 4.5.0 (to be released soon).

The error you are facing, 'Missing wsse:Security header in request', may be due to the BasicAuth scheme, which first sends the request without the username and password and lets the server issue a challenge. Only after receiving the challenge does the client send the BasicAuth parameters.

Cheers,

Pushpalanka

+0

Could you please explain why, and in what way, they are incompatible? Is it because ESB 4.7.0 is based on Carbon 4.1.X while IS 4.1.0 is based on Carbon 4.0.X? Or is there another reason? How exactly can we determine version compatibility between different WSO2 products? – user8658912

+1

These scenarios will work with the latest product packs. However, when we use different products based on different Carbon kernel versions, problems can arise in feature installation. – Pushpalanka

+0

Do you mean the above scenario can work successfully with wso2esb-4.7.0 and wso2is-4.5.0? (I tried wso2esb-4.6.0 with wso2is-4.1.0 and it did not work.) – iceguo