I am building a web service and want message-level encryption. The encryption must use an asymmetric binding. I am new to Apache CXF, so I took one of their samples and worked on transforming it to fit my requirements. However, when I changed the symmetric binding to an asymmetric binding, I started getting the following error after the client sends the encrypted message to the server: "No certificate for decryption (KeyId)" (Apache CXF, WS-Security)
I understand that this is probably a certificate error, but it could also be configuration related.
I am positive that I have the public and private keys of both the client and the server. The client encrypts the message with the server's public key and signs it with the client's private key. The server is configured to verify the signature with the client's public key and then decrypt with the server's private key. However, I don't know which code needs to change when switching from the symmetric binding to the asymmetric binding. Any input would be greatly appreciated. Here are my encryption configuration and WS-Security policy.
ServiceConfig.xml:
<entry key="ws-security.encryption.properties" value="etc/Server_Decrypt.properties"/>
<entry key="ws-security.signature.properties" value="etc/Server_SignVerf.properties"/>
<entry key="ws-security.callback-handler" value="demo.hw.server.UTPasswordCallback"/>
Server_Decrypt.properties:
org.apache.ws.security.crypto.provider=org.apache.wss4j.common.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=******
org.apache.ws.security.crypto.merlin.keystore.alias=serverx509v1
org.apache.ws.security.crypto.merlin.keystore.file=keystore/server-keystore.jks
add_numbers.wsdl
<wsp:Policy xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="AddNumbersPolicy" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:RecipientToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                <wsp:Policy>
                  <sp:RequireThumbprintReference/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:RecipientToken>
          <sp:InitiatorToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                  <sp:RequireThumbprintReference/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:InitiatorToken>
          <sp:Layout>
            <wsp:Policy>
              <sp:Strict/>
            </wsp:Policy>
          </sp:Layout>
          <sp:IncludeTimestamp/>
          <sp:OnlySignEntireHeadersAndBody/>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic128Sha256/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
        </wsp:Policy>
      </sp:AsymmetricBinding>
      <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:MustSupportRefKeyIdentifier/>
          <sp:MustSupportRefIssuerSerial/>
          <sp:MustSupportRefThumbprint/>
          <sp:MustSupportRefEncryptedKey/>
        </wsp:Policy>
      </sp:Wss11>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="AddNumbersPartsPolicy" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:EncryptedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
        <sp:Body/>
      </sp:EncryptedParts>
      <sp:SignedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
        <sp:Body/>
      </sp:SignedParts>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
You are awesome - that did the trick! I had to reference my Server_Decrypt.properties file in ws-security.signature.properties. Is that common knowledge, or did I overlook some important documentation?
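The fix described in the comment above follows from how CXF assigns crypto roles under the asymmetric binding: on the receiving side, the signature crypto (the endpoint's own private key) is also used for decryption, and the encryption crypto (the peer's certificate) is also used for signature verification. On the server this means ws-security.signature.properties must name the keystore holding the server's private key, and ws-security.encryption.properties the store holding the client's certificate; pointing signature.properties at a certificate-only store is what produces the "no certificate for decryption" error. The Java below is an added example, not code from the question or from CXF's samples: it wires those two properties programmatically and, before publishing, checks that each keystore can actually play its role. The property keys, file names and alias are taken from the question; the service implementor, the address and the contents of Server_SignVerf.properties are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.Reader;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;

import org.apache.cxf.jaxws.JaxWsServerFactoryBean;

/** Server-side crypto wiring for the CXF asymmetric binding, with startup checks. */
public class AsymmetricServerConfig {

    // Property keys as they appear in the question's ServiceConfig.xml and Merlin files.
    static final String SIG_PROPS = "ws-security.signature.properties";
    static final String ENC_PROPS = "ws-security.encryption.properties";
    static final String CALLBACK = "ws-security.callback-handler";
    static final String MERLIN = "org.apache.ws.security.crypto.merlin.";

    /** Loads a WSS4J Merlin properties file from disk. */
    static Properties loadMerlin(String file) throws IOException {
        Properties p = new Properties();
        try (Reader r = Files.newBufferedReader(Paths.get(file))) {
            p.load(r);
        }
        return p;
    }

    /** Opens the keystore that a Merlin properties file points at. */
    static KeyStore openKeystore(Properties merlin) throws IOException, GeneralSecurityException {
        String type = merlin.getProperty(MERLIN + "keystore.type", "jks");
        String file = merlin.getProperty(MERLIN + "keystore.file");
        String pw = merlin.getProperty(MERLIN + "keystore.password", "");
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(Paths.get(file))) {
            ks.load(in, pw.toCharArray());
        }
        return ks;
    }

    /**
     * Signature crypto: must contain the server's own private key under the configured
     * alias. CXF signs responses with it and, in the asymmetric binding, also uses it to
     * decrypt the EncryptedKey of incoming requests. A certificate-only entry here is the
     * "no certificate for decryption" case, so fail at startup instead of on the first call.
     */
    static void requirePrivateKey(Properties merlin) throws IOException, GeneralSecurityException {
        String alias = merlin.getProperty(MERLIN + "keystore.alias");
        KeyStore ks = openKeystore(merlin);
        if (alias == null || !ks.isKeyEntry(alias)) {
            throw new IllegalStateException("alias '" + alias + "' has no private key in "
                    + merlin.getProperty(MERLIN + "keystore.file"));
        }
    }

    /**
     * Encryption crypto: only needs the client's certificate. CXF uses it to verify the
     * request signature and to encrypt the response; no private key is required here.
     */
    static void requireCertificate(Properties merlin) throws IOException, GeneralSecurityException {
        KeyStore ks = openKeystore(merlin);
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.getCertificate(alias) != null) {
                return;
            }
        }
        throw new IllegalStateException("no certificate entries in "
                + merlin.getProperty(MERLIN + "keystore.file"));
    }

    /**
     * Builds the server factory with the role mapping the asymmetric binding needs.
     * 'implementor' is the @WebService bean (assumed to exist elsewhere); 'address' is assumed.
     */
    static JaxWsServerFactoryBean configure(Object implementor, String address)
            throws IOException, GeneralSecurityException {
        String serverKeys = "etc/Server_Decrypt.properties";   // server private key + cert
        String clientCerts = "etc/Server_SignVerf.properties"; // client certificate (trust)

        requirePrivateKey(loadMerlin(serverKeys));
        requireCertificate(loadMerlin(clientCerts));

        Map<String, Object> props = new HashMap<>();
        props.put(SIG_PROPS, serverKeys);   // signs responses AND decrypts requests
        props.put(ENC_PROPS, clientCerts);  // verifies request signatures AND encrypts responses
        props.put(CALLBACK, "demo.hw.server.UTPasswordCallback"); // supplies the private-key password

        JaxWsServerFactoryBean factory = new JaxWsServerFactoryBean();
        factory.setServiceBean(implementor);
        factory.setAddress(address);
        factory.setProperties(props);
        return factory;
    }

    public static void main(String[] args) throws Exception {
        // Runs only the keystore role checks against the question's two files.
        requirePrivateKey(loadMerlin("etc/Server_Decrypt.properties"));
        requireCertificate(loadMerlin("etc/Server_SignVerf.properties"));
        System.out.println("keystore roles OK for the asymmetric binding");
    }
}
```

To publish, call configure(new YourImplementor(), "http://localhost:9000/AddNumbers").create() from your server bootstrap (both arguments are placeholders). The same mapping applies on the client in mirror image: its signature.properties holds the client's private key, its encryption.properties the server's certificate.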