从 java 调用 soap 网络服务,安全随机数 headers

Calling a soap webservice from java with nonce in security headers

我正在尝试从 java 调用网络服务。这基本上没有那么难,除了 web 服务需要用户名和密码以及随机数形式的一些安全性。 当我尝试从 SoapUi 调用网络服务时,我看到原始消息如下所示:

<soapenv:Envelope xmlns:sch="http://somedomain.com/pe/ws/schema"
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header>
        <wsse:Security soapenv:mustUnderstand="1"
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsse:UsernameToken wsu:Id="UsernameToken-E70691ACBDEFEC750814238295617871">
                <wsse:Username>usr</wsse:Username>
                <wsse:Password
                    Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"
                    >pw</wsse:Password>
                <wsse:Nonce
                    EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                    >4smQZF5KMSktEXrQc0v5yw==</wsse:Nonce>
                <wsu:Created>2015-02-13T12:12:41.784Z</wsu:Created>
            </wsse:UsernameToken>
        </wsse:Security>
    </soapenv:Header>
    <soapenv:Body>
        <sch:EventSubmitRequest>
            <sch:Event>
                <sch:EventId>392</sch:EventId>
                <sch:Recoverable>false</sch:Recoverable>
            </sch:Event>
        </sch:EventSubmitRequest>
    </soapenv:Body>
</soapenv:Envelope>

消息中最明显的元素是用户名、密码和创建时间,但令我困惑的是随机数。在示例中,此字段的值为 4smQZF5KMSktEXrQc0v5yw==,但每次请求时此值都不同(这是有道理的,因为根据维基百科,随机数是只使用一次的任意数字)。四处搜索时,我找不到任何有关如何在 java 中生成随机数的可用示例(虽然我确实在堆栈溢出上找到了一些 php 示例,但我无法轻易验证它们的天气情况工作) 。虽然我不介意自己构建这个 nonce,但我想知道这是否真的有必要,我希望这是 java.

中的标准功能

下面是我使用的代码:

import java.text.SimpleDateFormat;
import java.util.Calendar;
import javax.xml.namespace.QName;
import javax.xml.soap.*;
import javax.xml.transform.*;
import javax.xml.transform.stream.*;

public class soaptest {

    public static void main(String args[]) {
        try {
            // Create SOAP Connection
            SOAPConnectionFactory soapConnectionFactory = SOAPConnectionFactory.newInstance();
            SOAPConnection soapConnection = soapConnectionFactory.createConnection();

            // Send SOAP Message to SOAP Server
            String url = "http://142.10.10.52:8080/pe/ws/pe/";
            SOAPMessage soapResponse = soapConnection.call(createSOAPRequest(), url);

            // Process the SOAP Response
            printSOAPResponse(soapResponse);

            soapConnection.close();
        } catch (Exception e) {
            System.err.println("Error occurred while sending SOAP Request to Server");
            e.printStackTrace();
        }
    }

    private static SOAPMessage createSOAPRequest() throws Exception {
        MessageFactory messageFactory = MessageFactory.newInstance();
        SOAPMessage soapMessage = messageFactory.createMessage();
        SOAPPart soapPart = soapMessage.getSOAPPart();

        SOAPEnvelope envelope = soapPart.getEnvelope();
        SOAPHeader header = soapMessage.getSOAPHeader();

        SOAPElement security = header.addChildElement("Security", "wsse", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd");

        SOAPElement usernameToken = security.addChildElement("UsernameToken", "wsse");
        usernameToken.addAttribute(new QName("xmlns:wsu"), "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd");

        SOAPElement username = usernameToken.addChildElement("Username", "wsse");
        username.addTextNode("usr");

        SOAPElement password = usernameToken.addChildElement("Password", "wsse");
        password.setAttribute("Type", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText");
        password.addTextNode("pw");

        SOAPElement nonce = usernameToken.addChildElement("Nonce", "wsse");
        nonce.setAttribute("EncodingType", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary");
        nonce.addTextNode("???");

        SOAPElement created = usernameToken.addChildElement("Created", "wsse");
        SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'");
        Calendar c1 = Calendar.getInstance();
        created.addTextNode(sdf.format(c1.getTime()));

        String serverURI = "http://somedomain.com/pe/ws/schema";

        envelope.addNamespaceDeclaration("sch", serverURI);

        // SOAP Body
        SOAPBody soapBody = envelope.getBody();
        SOAPElement soapBodyElem = soapBody.addChildElement("EventSubmitRequest", "sch");
        SOAPElement soapBodyElem1 = soapBody.addChildElement("Event", "sch");
        soapBodyElem.addChildElement(soapBodyElem1);

        SOAPElement soapBodyElem2 = soapBodyElem1.addChildElement("EventId", "sch");
        soapBodyElem2.addTextNode("392");
        SOAPElement soapBodyElem3 = soapBodyElem1.addChildElement("Recoverable", "sch");
        soapBodyElem3.addTextNode("false");

        MimeHeaders headers = soapMessage.getMimeHeaders();
        headers.addHeader("SOAPAction", serverURI  + "EventSubmitRequest");

        soapMessage.saveChanges();

        /* Print the request message */
        System.out.print("Request SOAP Message = ");
        soapMessage.writeTo(System.out);
        System.out.println();

        return soapMessage;
    }

    /**
     * Method used to print the SOAP Response
     */
    private static void printSOAPResponse(SOAPMessage soapResponse) throws Exception {
        TransformerFactory transformerFactory = TransformerFactory.newInstance();
        Transformer transformer = transformerFactory.newTransformer();
        Source sourceContent = soapResponse.getSOAPPart().getContent();
        System.out.print("\nResponse SOAP Message = ");
        StreamResult result = new StreamResult(System.out);
        transformer.transform(sourceContent, result);
    }

}

UsernameToken 的 Oasis reference 帮助我填补了一些空白。第 7、8、9 页最适合这种情况。特别是这些部分

/wsse:UsernameToken/wsse:Nonce

This optional element specifies a cryptographically random nonce. Each message including a element MUST use a new nonce value in order for web service producers to detect replay attacks.

/wsse:UsernameToken/wsse:Nonce/@EncodingType

This optional attribute URI specifies the encoding type of the nonce (see the definition of <wsse:BinarySecurityToken> for valid values). If this attribute isn't specified then the default of Base64 encoding is used.

关于生成 'cryptographically random' 随机数,建议您使用 this answer 然后从中创建一个编码字符串。在您的情况下是 Base64 编码,因为这是您在上面的 XML 请求中使用的编码类型。