2013-07-19

Digital signature problem with a SAML token when using WSO2 to sign and encrypt messages (WSO2 version vs. standalone XML Security jars)

The web service is deployed on WebLogic and expects a SAML token, with the body and headers signed and encrypted. Scenario 1: On the client side, a web service client is generated from the WSDL using the Axis2 APIs (1.6.2+) for a policy that expects a SAML token. This code generates a digitally signed and encrypted SOAP envelope, hits the endpoint, and returns the result successfully.

<ds:Reference URI="#c4243cf4c8b6b8d6bc6570af5c0573e6"> 
    <ds:Transforms> 
     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> 
      <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse wsu soapenv" /> 
     </ds:Transform> 
    </ds:Transforms> 
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> 
    <ds:DigestValue>lWQgTrlIVeFKWqT1ktPs0/kK3tQ=</ds:DigestValue> 
</ds:Reference> 

Scenario 2: Using the same code as in Scenario 1 from within WSO2 ESB 4.7, the client above is turned into a class mediator and uses the WSO2 ESB jars. Apart from a change in XML syntax, the request SOAP envelope is fully signed and encrypted.

<ds:Reference URI="#Id-2003921168"> 
    <ds:Transforms> 
     <ds:Transform 
      Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform"> 
      <wsse:TransformationParameters> 
       <ds:CanonicalizationMethod 
        Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> 
      </wsse:TransformationParameters> 
     </ds:Transform> 
    </ds:Transforms> 
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> 
    <ds:DigestValue>mfNA+3ZPnCMzS2Y0TJ1GsYcdHNE=</ds:DigestValue> 
</ds:Reference> 

The signatures generated in the two cases seem to differ. Is the WSO2 ESB implementation of XML Security different from the standalone Apache XML Security implementation?

The SOAP envelope generated from this scenario fails signature validation at the WebLogic web service, which throws a SOAP fault with the following stack trace:

<?xml version="1.0" encoding="utf-8"?><env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><env:Body><env:Fault><faultcode>env:Server</faultcode><faultstring>Failed to validate signature.</faultstring><detail><bea_fault:stacktrace xmlns:bea_fault="http://www.bea.com/servers/wls70/webservice/fault/1.0.0">weblogic.xml.crypto.wss.WSSecurityException: Failed to validate signature. 
    at weblogic.xml.crypto.wss.SecurityImpl.unmarshalAndProcessSignature(SecurityImpl.java:740) 
    at weblogic.xml.crypto.wss.SecurityImpl.unmarshalAndProcessSignature(SecurityImpl.java:689) 
    at weblogic.xml.crypto.wss.SecurityImpl.unmarshalChildren(SecurityImpl.java:544) 
    at weblogic.xml.crypto.wss.SecurityImpl.unmarshalInternal(SecurityImpl.java:450) 

Caused by: weblogic.xml.crypto.dsig.api.XMLSignatureException 
    at weblogic.xml.crypto.wss.STRTransform.transform(STRTransform.java:303) 
    at weblogic.xml.crypto.dsig.ReferenceUtils.applyTransforms(ReferenceUtils.java:49) 
    at weblogic.xml.crypto.dsig.ReferenceImpl.createDigest(ReferenceImpl.java:161) 

Caused by: weblogic.xml.crypto.wss.WSSecurityException: No token handler found for null 
    at weblogic.xml.crypto.wss.WSSecurityContext.getRequiredTokenHandler(WSSecurityContext.java:410) 
    at weblogic.xml.crypto.wss.STRTransform.transform(STRTransform.java:193) 

Caused by: weblogic.xml.crypto.dsig.api.XMLSignatureException 
    at weblogic.xml.crypto.wss.STRTransform.transform(STRTransform.java:303) 
    at weblogic.xml.crypto.dsig.ReferenceUtils.applyTransforms(ReferenceUtils.java:49) 
    at weblogic.xml.crypto.dsig.ReferenceImpl.createDigest(ReferenceImpl.java:161) 
    at weblogic.xml.crypto.dsig.ReferenceImpl.validate(ReferenceImpl.java:116) 
    at weblogic.xml.crypto.dsig.XMLSignatureImpl.validate(XMLSignatureImpl.java:256) 

The web service policy file used is:

<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" 
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> 
    <wsp:All> 
     <ns1:AsymmetricBinding 
      xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"> 
      <wsp:Policy> 
       <ns1:InitiatorToken> 
        <wsp:Policy> 
         <ns1:X509Token 
          ns1:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"> 
          <wsp:Policy> 
           <ns1:WssX509V3Token10 /> 
          </wsp:Policy> 
         </ns1:X509Token> 
        </wsp:Policy> 
       </ns1:InitiatorToken> 
       <ns1:RecipientToken> 
        <wsp:Policy> 
         <ns1:X509Token 
          ns1:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never"> 
          <wsp:Policy> 
           <ns1:WssX509V3Token10 /> 
          </wsp:Policy> 
         </ns1:X509Token> 
        </wsp:Policy> 
       </ns1:RecipientToken> 
       <ns1:AlgorithmSuite> 
        <wsp:Policy> 
         <ns1:Basic256 /> 
        </wsp:Policy> 
       </ns1:AlgorithmSuite> 
       <ns1:Layout> 
        <wsp:Policy> 
         <ns1:Lax /> 
        </wsp:Policy> 
       </ns1:Layout> 
       <ns1:IncludeTimestamp /> 
       <ns1:ProtectTokens /> 
       <ns1:OnlySignEntireHeadersAndBody /> 
      </wsp:Policy> 
     </ns1:AsymmetricBinding> 

     <ns2:SignedSupportingTokens 
      xmlns:ns2="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"> 
      <wsp:Policy> 
       <ns2:IssuedToken 
        ns2:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"> 
        <ns2:Issuer> 
         <Address xmlns="http://www.w3.org/2005/08/addressing">https://HYD-69ZRV01-L:6002/standalonests/SamlSTS 
         </Address> 
        </ns2:Issuer> 

        <ns2:RequestSecurityTokenTemplate> 
         <t:TokenType xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">urn:oasis:names:tc:SAML:1.0:assertion 
         </t:TokenType> 
        </ns2:RequestSecurityTokenTemplate> 

        <wsp:Policy> 
         <ns2:RequireInternalReference /> 
        </wsp:Policy> 
       </ns2:IssuedToken> 
      </wsp:Policy> 
      <wsp:Policy> 
       <ns2:SamlToken 
        ns2:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"> 
        <wsp:Policy> 
         <ns2:WssSamlV11Token10 /> 
        </wsp:Policy> 
       </ns2:SamlToken> 
      </wsp:Policy> 
     </ns2:SignedSupportingTokens> 

     <!-- 
     <ns2:SignedSupportingTokens 
      xmlns:ns2="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"> 
      <wsp:Policy> 
       <ns2:SamlToken 
        ns2:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"> 
        <wsp:Policy> 
         <ns2:WssSamlV11Token10 /> 
        </wsp:Policy> 
       </ns2:SamlToken> 
      </wsp:Policy> 
     </ns2:SignedSupportingTokens> 
     --> 

     <ns3:Wss10 xmlns:ns3="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"> 
      <wsp:Policy> 
       <ns3:MustSupportRefKeyIdentifier /> 
       <ns3:MustSupportRefIssuerSerial /> 
      </wsp:Policy> 
     </ns3:Wss10> 


     <ns4:EncryptedParts 
      xmlns:ns4="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"> 
      <ns4:Body /> 
     </ns4:EncryptedParts> 

     <ns5:SignedParts 
      xmlns:ns5="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"> 
      <ns5:Body /> 
     </ns5:SignedParts> 

    </wsp:All> 
</wsp:Policy> 

Thanks.
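As an added diagnostic (not code from the question, WSO2 or Rampart), a small Python script that parses constructed ds:SignedInfo fragments mirroring the two ds:Reference elements above, lists the transform chain of each reference, flags references that depend on STR-Transform (the path on which WebLogic reports "No token handler found"), and diffs the two chains position by position. The sample fragments and the wsse namespace declaration are assumptions built from the snippets in the question.

```python
from xml.etree import ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
STR_TRANSFORM = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#STR-Transform")

# Constructed SignedInfo fragments mirroring the two ds:Reference elements in the
# question (one per scenario); not captured from the original services.
SCENARIO_1 = """<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <ds:Reference URI="#c4243cf4c8b6b8d6bc6570af5c0573e6">
  <ds:Transforms>
   <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  </ds:Transforms>
  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
  <ds:DigestValue>lWQgTrlIVeFKWqT1ktPs0/kK3tQ=</ds:DigestValue>
 </ds:Reference>
</ds:SignedInfo>"""

SCENARIO_2 = """<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
 <ds:Reference URI="#Id-2003921168">
  <ds:Transforms>
   <ds:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
    <wsse:TransformationParameters>
     <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </wsse:TransformationParameters>
   </ds:Transform>
  </ds:Transforms>
  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
  <ds:DigestValue>mfNA+3ZPnCMzS2Y0TJ1GsYcdHNE=</ds:DigestValue>
 </ds:Reference>
</ds:SignedInfo>"""

def reference_transforms(signed_info_xml):
    """Return [(URI, [transform algorithms in order])] for every ds:Reference."""
    root = ET.fromstring(signed_info_xml)
    return [(ref.get("URI"), [t.get("Algorithm") for t in ref.iter(DS + "Transform")])
            for ref in root.iter(DS + "Reference")]

def str_transform_uris(signed_info_xml):
    """References using STR-Transform: the verifier must resolve the referenced
    SecurityTokenReference to a token handler before it can compute the digest."""
    return [uri for uri, algs in reference_transforms(signed_info_xml) if STR_TRANSFORM in algs]

def transform_differences(a_xml, b_xml):
    """Diff transform chains by reference position (URIs change between runs, so the
    index is the stable key); returns [(index, chain_a, chain_b)] for mismatches."""
    a, b = reference_transforms(a_xml), reference_transforms(b_xml)
    diffs = []
    for i in range(max(len(a), len(b))):
        chain_a = a[i][1] if i < len(a) else None
        chain_b = b[i][1] if i < len(b) else None
        if chain_a != chain_b:
            diffs.append((i, chain_a, chain_b))
    return diffs
```

Running `transform_differences(SCENARIO_1, SCENARIO_2)` on the constructed fragments reports the single reference whose chain changed from exc-c14n to STR-Transform, which is the difference the answer below points at.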

Answer


The transform algorithm used in the two cases differs. That must be the cause of the problem.


Pushpalanka, I could make out the difference. Is there a way to specify the transform algorithm used for the digital signature when using Apache Rampart? – Abdul