403 forbidden using wss4jOutInterceptor with camel and cxf
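First things first:
- War using camel and cxf (tried with the latest versions, actually tried 2.12.0 and 2.7.6 respectively).
- A simple camel route, no process, just from-log-to.
- The final goal is to add WS-Security to the SOAP message.
Configuration: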
application-context.xml
<!-- Import for camel config and beans -->
<import resource="./cxf-beans-testws.xml" />
<import resource="./camel-testws.xml" />
camel-testws.xml
<!-- CAMEL CONTEXT -->
<camelContext id="camelContextTest" xmlns="http://camel.apache.org/schema/spring">
  <!-- CAMEL ROUTE -->
  <route id="TestWSRoute">
    <description>
      Camel route for testws
    </description>
    <from uri="cxf:bean:serviceTestProvider" />
    <log message="Process" loggingLevel="DEBUG" />
    <to uri="cxf:bean:serviceTestClient" />
  </route>
</camelContext>
cxf-beans-testws.xml (relevant part only)
<bean id="wss4JOutInterceptorRea" class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
  <constructor-arg>
    <map>
      <entry key="action" value="Encrypt Signature"/>
      <entry key="useSingleCertificate" value="true" />
      <entry key="user" value="xxxx" />
      <entry key="signaturePropRefId" value="signaturePropertiesBean" />
      <entry key="signaturePropertiesBean" value-ref="signaturePropertiesTest" />
      <entry key="signatureUser" value="${test.signature.certificate.alias}" />
      <entry key="passwordCallbackRef" value-ref="clientCallbackTest" />
      <entry key="signatureAlgorithm" value="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <entry key="signatureKeyIdentifier" value="DirectReference" />
      <entry key="signatureParts" value="{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body" />
      <entry key="encryptionUser" value="${test.encryption.certificate.alias}" />
      <entry key="encryptionPropRefId" value="encryptionPropertiesBean" />
      <entry key="encryptionPropertiesBean" value-ref="encryptionPropertiesTest" />
    </map>
  </constructor-arg>
</bean>
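When I call the exposed web service (serviceTestProvider), the SOAP message comes in, the log appears, and the WSS configuration is applied. Then the message is sent to the endpoint... and it always returns: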
HTTP response '403: Forbidden' when communicating with http://...
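If I remove the wss4jOutInterceptor, the response is that there is no wss security (the expected response).
But if I set the log level to DEBUG, grab the outbound message from the log after all the interceptor chain processing, and send it manually from a REST console or SoapUI... then it works fine, no 403. So it looks like the message is well formed. Both calls are made from the same computer, with no proxy or anything similar.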
2016-06-17 08:59:12 INFO WSTestCXFService:234 - Outbound Message
---------------------------
ID: 4
Address: http://correct-ws-url
Http-Method: POST
Content-Type: text/xml;charset=UTF-8
Headers: {Accept=[text/xml;charset=UTF-8], accept-encoding=[gzip,deflate], breadcrumbId=[ID-MACHINENAME-55387-1466145154908-1-4], Cache-Control=[No-Cache], Connection=[Keep-Alive], host=[correct-host], SOAPAction=[method], User-Agent=[Apache-HttpClient/4.1.1 (java 1.5)]}
Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="1">...</wsse:Security></SOAP-ENV:Header><soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-5"><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="ED-4" Type="http://www.w3.org/2001/04/xmlenc#Content">...</xenc:EncryptedData></soap:Body></soap:Envelope>
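There is no https, only http endpoints. I tried adding headers using the conduit just to match the REST console or SoapUI raw message, but with no luck. Any guesses?
In the end it was a Windows/network issue. After a few days (2-3), with no changes at all... it started working.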