2016-08-14 97 views
0

這張照片顯示的soapUI我簡單的WS-Security配置:驗證引發錯誤故障

enter image description here

而且我將此配置SOAP請求:

enter image description here

然後<arg0>肥皂請求的內容被加密。這是加密的soap消息。

<soapenv:Envelope xmlns:soap="http://soap.aaa.com/" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> 
    <soapenv:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="9C55238F5BB25B8A7214711332555022">MIICxzCCAa+gAwIBAgIECZhGTzANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDEwlsb2NhbGhvc3QwHhcNMTYwODEyMDgzMDI5WhcNMTYxMTEwMDgzMDI5WjAUMRIwEAYDVQQDEwlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCbufayp7O8wye5q8tPKPWRJPzAIHbtFBkepltFAji7U2fWU5ihSP2TRygym6B/UHvvPZ5QsaTog0oMw+vRLxWAemVganoSvTJWRidTYmvm3kqhBLC7+GEM895k/yU7nduKqSFJr3qa4R5eSO/JLGwIvcb3OkhNHTu1/8EEJDcxbGMPwn08W4gn2qnGDkSEsanfXhCaNtS4mZHWvs5vr+C4gYR4is6Z3wSIFQZGkKtPj7Z3wg3E9l9GAAdg+6JegDKRzzSQtSjgUySipYqbHYOBol78Wf7+dqNiHvohiQTRHB3b2AebEdUcQTu65ELUhWGC28eWWaCv5ksL5eL2bJc/AgMBAAGjITAfMB0GA1UdDgQWBBTcHE/ieHAarvD2RC7DiMdPZ6O66TANBgkqhkiG9w0BAQsFAAOCAQEAja62f/8GeKm0XMMMoUo3ayk/WluF89PC71jB28r3M3+1bqkfK7KJaO7yF7DG9zpm6BztKi9Ykz6izg2IktuUnTG4dbg0CY8ZuL8NEmvirCgfJXXur3goEOIfItb8dR9Mi6i4ZV46oJTgX8XliwEoZQVloi3JcTbPeZ3DrSmOyaUppGk//kryx4bhwdazxPQ3H7PcRQjMq+l3e7q9sTJRyYm7PcsvyZt34CgZkhal28p35jQk7U1MKibL8a5FlQejDP4p/6/8qv/3TzHK467zlXr/oFGQGCXFc96j12Cj5Eiv+22C+8ZRMCtMig42uXNamE5YGuQMHDLrsQd9VThkUQ==</wsse:BinarySecurityToken><xenc:EncryptedKey Id="EK-9C55238F5BB25B8A7214711332555001" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference><wsse:Reference URI="#9C55238F5BB25B8A7214711332555022" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>GudjGW52R0Iu+KnTZARE7nHFwPGvmXRZCuIQqnhz8it9WJs+2Jai7W0dAmhtkNxi2k0/g8IhL1v1EpA6JuJUEzkOnyuCoUttyR5ROLxpbHzD1DtEZT8AEgiOwFmmov7t6UsKDSn2jxL8ftraf44ISxrMCbJ10cuN6gJT9ghT9USdvvT/1vKhuBqm251bn9kgPkqNTDcYntQpwSkRCTZz+yf+pv77DVE5MPMk8FLHE4TeROsqLyNC8YzH8ncITGqOrDM4PY+1/H2XUkWaAeMz9ZcqqseD97Mr86ZpOgwP/V0Z6v9iRSrBYTpnDqPd8TIJ1wJs88sJ6+QIOMA6kySMtQ==</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference URI="#ED-9C55238F5BB25B8A7214711332555093"/></xenc:ReferenceList></xenc:EncryptedKey></wsse:Security></soapenv:Header> 
    <soapenv:Body> 
     <soap:sayHello> 
     <!--Optional:--> 
     <arg0><xenc:EncryptedData Id="ED-9C55238F5BB25B8A7214711332555093" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"><wsse:Reference URI="#EK-9C55238F5BB25B8A7214711332555001"/></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>CKtrCSg+Q1HqzLQulEi0YmGxGNlrjlANGsgbSirlbXE=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></arg0> 
     </soap:sayHello> 
    </soapenv:Body> 
</soapenv:Envelope> 

但是這個加密的SOAP消息的驗證拋出錯誤故障:

enter image description here

故障信息是

line 6:Element not allowed: [email protected]://www.w3.org/2001/04/xmlenc# in element arg0 

我找不到任何引用的。

更新1

了SoapUI仍然拋出同樣的異常。爲了簡單起見,我使用keytool命令-genkeypair選項製作了單個jks文件。

keytool –genkeypair -keyalg RSA -alias servicekey –keypass password123 -storepass password123 –validity 365 –keystore serviceKeystore.jks -dname "cn=localhost" 

而且我修改WS客戶端和服務有點像下面,

== index.jsp的

<body> 
<% 
String SERVICE_URL = "http://localhost:8080/SOAPEncryptWeb/HelloWorld"; 

try { 
    QName serviceName = new QName("http://soap.aaa.com/", "HelloWorldService"); 

    URL wsdlURL; 
    wsdlURL = new URL(SERVICE_URL + "?wsdl"); 
    Service service = Service.create(wsdlURL, serviceName); 

    IHelloWorld port = (IHelloWorld) service.getPort(IHelloWorld.class); 

    ((BindingProvider) port).getRequestContext().put(SecurityConstants.CALLBACK_HANDLER, new KeystorePasswordCallback()); 
    ((BindingProvider) port).getRequestContext().put(SecurityConstants.ENCRYPT_PROPERTIES, 
      Thread.currentThread().getContextClassLoader().getResource("META-INF/client.properties")); 
    ((BindingProvider) port).getRequestContext().put(SecurityConstants.ENCRYPT_USERNAME, "servicekey"); 

    ((BindingProvider) port).getRequestContext().put(SecurityConstants.RETURN_SECURITY_ERROR, "true"); 

    out.println(port.sayHello("jina")); 
} catch (Exception e) { 
    // TODO Auto-generated catch block 
    e.printStackTrace(); 
} 
%> 
</body> 

==服務器端配置

<jaxws-config xmlns="urn:jboss:jbossws-jaxws-config:4.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
      xmlns:javaee="http://java.sun.com/xml/ns/javaee" 
      xsi:schemaLocation="urn:jboss:jbossws-jaxws-config:4.0 schema/jbossws-jaxws-config_4_0.xsd"> 

    <endpoint-config>  
     <config-name>Custom WS-Security Endpoint</config-name>  
     <property>  
     <property-name>ws-security.encryption.properties</property-name>  
     <property-value>META-INF/server.properties</property-value>  
     </property>  
     <property>  
     <property-name>ws-security.encryption.username</property-name> 
     <property-value>servicekey</property-value>  
     </property> 
     <property>  
     <property-name>ws-security.return.security.error</property-name> 
     <property-value>true</property-value>  
     </property>  
     <property>  
     <property-name>ws-security.callback-handler</property-name>  
     <property-value> 
     com.aaa.soap.KeystorePasswordCallback 
     </property-value>   
     </property> 
    </endpoint-config> 
</jaxws-config> 

然而,這配置拋出異常,但在野蠻10.0中沒有例外

17:25:22,588 WARNING [org.apache.cxf.phase.PhaseInterceptorChain] (default task-12) Interceptor for {http://soap.aaa.com/}HelloWorldService has thrown exception, unwinding now: org.apache.cxf.binding.soap.SoapFault: An error was discovered processing the <wsse:Security> header 
    at org.apache.cxf.ws.security.wss4j.WSS4JUtils.createSoapFault(WSS4JUtils.java:216) 
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:329) 
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:184) 
    at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:79) 
    at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:66) 
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) 
    at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) 
    at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:251) 
    at org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:108) 
    at org.jboss.wsf.stack.cxf.transport.ServletHelper.callRequestHandler(ServletHelper.java:134) 
    at org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:88) 
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:293) 
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:212) 
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:707) 
    at org.jboss.wsf.stack.cxf.CXFServletExt.service(CXFServletExt.java:136) 
    at org.jboss.wsf.spi.deployment.WSFServlet.service(WSFServlet.java:140) 
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) 
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) 
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) 
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) 
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) 
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) 
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) 
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) 
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) 
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) 
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) 
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) 
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) 
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) 
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) 
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) 
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) 
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) 
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) 
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) 
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) 
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) 
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) 
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) 
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) 
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) 
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) 
    at java.lang.Thread.run(Thread.java:745) 
Caused by: org.apache.wss4j.common.ext.WSSecurityException: An error was discovered processing the <wsse:Security> header 
    at org.apache.wss4j.common.crypto.AlgorithmSuiteValidator.checkSymmetricEncryptionAlgorithm(AlgorithmSuiteValidator.java:149) 
    at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.decryptDataRef(EncryptedKeyProcessor.java:550) 
    at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.decryptDataRefs(EncryptedKeyProcessor.java:481) 
    at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:199) 
    at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:76) 
    at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:344) 
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:280) 
    ... 42 more 

回答

1

請不要猶豫測試步驟中的Validate選項。

此選項驗證對xsd架構您的要求坐落在wsdl您可以使用它加載的項目在SOAPUI

可能是你wsdl上的欠缺[WS安全策略定義的要求]它告訴你在你的WS中實現的安全性要求。

對於您的情況您wsdl必須是這樣的:

<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" 
        xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" 
        xmlns:wsp="http://www.w3.org/ns/ws-policy" 
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
        xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802"> 
    ... 
    <wsp:Policy> 
     ... 
     <sp:EncryptedParts>...</sp:EncryptedParts> 
     ... 
    </wsp:Policy> 
</wsdl:definitions> 

所以,因爲這缺少請求不驗證對您的wsdl

無論如何,問題在於你加載的wsdl可能與WS實現不同(因爲它不是最新的或類似的)。因此,只需嘗試發送請求(儘管它不符合wsdl驗證)並查看您的WS響應。

希望這有助於

+0

我附上評論** UPDATE1 **。等待您的回覆 –

1

您在了SoapUI的XML標籤已經加密的消息,並嘗試驗證其對XSD。這將永遠不會工作,因爲xsd不知道任何關於「xenc:EncryptedData」!

發送請求後,加密的消息將顯示在「原始」選項卡中,因爲SoapUI將在發送時執行加密。你不應該自己「申請傳出」!

+0

抱歉,我遲到了,@albciff和Frank。我附上評論** UPDATE1 **。請看看。等待你的回覆。 –