WSO2 ESB consuming WCF Secured Method with certificate

I am new to WSO2 ESB. I have built a WCF service secured with wsHttpBinding and a self-signed certificate, and I can't find a way to integrate that service with the ESB. Any suggestions?

I created a self-signed certificate with the makecert command, but I can't configure Rampart to use the certificate I created. How can I do this? I'm lost. My wsHttpBinding looks like this:

<wsHttpBinding>
  <binding name="BasicHttpAuthentication_Config">
    <security mode="Message">
      <message clientCredentialType="UserName" algorithmSuite="Basic256" establishSecurityContext="false"/>
    </security>
  </binding>
</wsHttpBinding>

The Rampart configuration looks like this:

<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
    <ramp:user>acc1</ramp:user>
    <ramp:userCertAlias>acc1</ramp:userCertAlias>
    <ramp:encryptionUser>acc1</ramp:encryptionUser>
    <ramp:passwordCallbackClass>org.wso2.samples.pwcb.PWCBHandler</ramp:passwordCallbackClass>
    <!-- Rampart's element name is timestampTTL; a TimeToLive element is not read -->
    <ramp:timestampTTL>360</ramp:timestampTTL>
    <ramp:signatureCrypto>
        <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">pkcs12</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.file">C:\ESB_HOME\repository\resources\security\cert1.pfx</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">123</ramp:property>
        </ramp:crypto>
    </ramp:signatureCrypto>
    <!-- Rampart's element name is encryptionCrypto; a misspelt encryptionCypto element is silently ignored -->
    <ramp:encryptionCrypto>
        <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">pkcs12</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.file">C:\ESB_HOME\repository\resources\security\cert1.pfx</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">123</ramp:property>
        </ramp:crypto>
    </ramp:encryptionCrypto>
</ramp:RampartConfig>

After creating the proxy service I get the following error:

org.apache.synapse.SynapseException: Unexpected error during sending message out
    at org.apache.synapse.core.axis2.Axis2Sender.handleException(Axis2Sender.java:257)
    at org.apache.synapse.core.axis2.Axis2Sender.sendOn(Axis2Sender.java:84)
    at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.send(Axis2SynapseEnvironment.java:548)
    at org.apache.synapse.endpoints.AbstractEndpoint.send(AbstractEndpoint.java:382)
    at org.apache.synapse.endpoints.AddressEndpoint.send(AddressEndpoint.java:65)
    at org.apache.synapse.core.axis2.ProxyServiceMessageReceiver.receive(ProxyServiceMessageReceiver.java:231)
    at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
    at org.apache.synapse.transport.passthru.ServerWorker.processEntityEnclosingRequest(ServerWorker.java:403)
    at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:151)
    at org.apache.axis2.transport.base.threads.NativeWorkerPool.run(NativeWorkerPool.java:172)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: org.apache.axis2.AxisFault: Signature token missing
    at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:76)
    at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
    at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
    at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261)
    at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:426)
    at org.apache.synapse.core.axis2.DynamicAxisOperation$DynamicOperationClient.send(DynamicAxisOperation.java:185)
    at org.apache.synapse.core.axis2.DynamicAxisOperation$DynamicOperationClient.executeImpl(DynamicAxisOperation.java:167)
    at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
    at org.apache.synapse.core.axis2.Axis2FlexibleMEPClient.send(Axis2FlexibleMEPClient.java:581)
    at org.apache.synapse.core.axis2.Axis2Sender.sendOn(Axis2Sender.java:78)
    ... 11 more
Caused by: org.apache.rampart.RampartException: Signature token missing
    at org.apache.rampart.builder.SymmetricBindingBuilder.doSignBeforeEncrypt(SymmetricBindingBuilder.java:434)
    at org.apache.rampart.builder.SymmetricBindingBuilder.build(SymmetricBindingBuilder.java:86)
    at org.apache.rampart.MessageBuilder.build(MessageBuilder.java:144)
    at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:65)
    ... 20 more

What should I do to make it work? The whole policy file is as follows:

<wsp:Policy wsu:Id="WSHttpBinding_IBasicHttpService_policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:ProtectionToken>
            <wsp:Policy>
              <mssp:SslContextToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient" xmlns:mssp="http://schemas.microsoft.com/ws/2005/07/securitypolicy">
                <wsp:Policy>
                  <sp:RequireDerivedKeys/>
                </wsp:Policy>
              </mssp:SslContextToken>
            </wsp:Policy>
          </sp:ProtectionToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic256/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Strict/>
            </wsp:Policy>
          </sp:Layout>
          <sp:IncludeTimestamp/>
          <sp:EncryptSignature/>
          <sp:OnlySignEntireHeadersAndBody/>
        </wsp:Policy>
      </sp:SymmetricBinding>
      <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
              <sp:WssUsernameToken10/>
            </wsp:Policy>
          </sp:UsernameToken>
        </wsp:Policy>
      </sp:SignedSupportingTokens>
      <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy/>
      </sp:Wss11>
      <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:MustSupportIssuedTokens/>
          <sp:RequireClientEntropy/>
          <sp:RequireServerEntropy/>
        </wsp:Policy>
      </sp:Trust10>
      <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:Body/>
        <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
      </sp:SignedParts>
      <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:Body/>
      </sp:EncryptedParts>
      <wsaw:UsingAddressing/>
      <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
        <ramp:user>acc1</ramp:user>
        <ramp:userCertAlias>BasicHttpAuthentication</ramp:userCertAlias>
        <ramp:encryptionUser>acc1</ramp:encryptionUser>
        <ramp:passwordCallbackClass>org.wso2.samples.pwcb.PWCBHandler</ramp:passwordCallbackClass>
        <!-- Rampart's element name is timestampTTL; a TimeToLive element is not read -->
        <ramp:timestampTTL>360</ramp:timestampTTL>
        <ramp:signatureCrypto>
          <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">pkcs12</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.file">C:\ESB_HOME\repository\resources\security\cert1.pfx</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">123456</ramp:property>
          </ramp:crypto>
        </ramp:signatureCrypto>
        <!-- Rampart's element name is encryptionCrypto; a misspelt encryptionCypto element is silently ignored -->
        <ramp:encryptionCrypto>
          <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">pkcs12</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.file">C:\ESB_HOME\repository\resources\security\cert1.pfx</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">123456</ramp:property>
          </ramp:crypto>
        </ramp:encryptionCrypto>
      </ramp:RampartConfig>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>

I figured it out. It seems the problem was the SslContextToken, because Axis2 does not understand that one, so I changed the wsHttpBinding like this:

<security mode="Message">
    <message clientCredentialType="None" 
         negotiateServiceCredential="false" 
         establishSecurityContext="false"/>
</security>

Then everything worked. So now I have to find a new authentication method, but at least the message is protected with our certificate.
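As an added example that is not part of the original question: a stdlib-only Python lint that catches, before the policy ever reaches Rampart, the two shape problems this post illustrates. First, a ProtectionToken under sp:SymmetricBinding whose token assertion comes from a namespace other than WS-SecurityPolicy (here Microsoft's mssp namespace), which Rampart has no token builder for and which surfaces only as "Signature token missing" at send time. Second, child elements of ramp:RampartConfig that Rampart does not define, since a misspelt element such as encryptionCypto is looked up by exact name and therefore silently ignored. The KNOWN_RAMPART_ELEMENTS set is my reading of Rampart's RampartConfig element names (an assumption; newer releases may define more), and the sample policy is a constructed, shortened version of the one posted above.

```python
"""Lint a WS-SecurityPolicy document for shapes Rampart will not accept.

Added example, not code from the original question or from Rampart.
"""
import xml.etree.ElementTree as ET

SP_NS = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
WSP_NS = "http://schemas.xmlsoap.org/ws/2004/09/policy"
RAMP_NS = "http://ws.apache.org/rampart/policy"

# Assumption: element names as defined in Rampart's RampartConfig; a name not
# in this set is never looked up by Rampart's config builder.
KNOWN_RAMPART_ELEMENTS = {
    "user", "encryptionUser", "stsAlias", "userCertAlias",
    "passwordCallbackClass", "policyValidatorCbClass", "signatureCrypto",
    "encryptionCrypto", "decryptionCrypto", "stsCrypto",
    "timestampPrecisionInMilliseconds", "timestampTTL", "timestampMaxSkew",
    "tokenStoreClass", "nonceLifeTime", "sslConfig", "optimizeParts",
}

# Constructed sample, modelled on the policy in the question: Microsoft's
# SslContextToken as the protection token, plus two misnamed Rampart elements.
SAMPLE_POLICY = """<wsp:Policy wsu:Id="example_policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:ProtectionToken>
            <wsp:Policy>
              <mssp:SslContextToken xmlns:mssp="http://schemas.microsoft.com/ws/2005/07/securitypolicy">
                <wsp:Policy><sp:RequireDerivedKeys/></wsp:Policy>
              </mssp:SslContextToken>
            </wsp:Policy>
          </sp:ProtectionToken>
        </wsp:Policy>
      </sp:SymmetricBinding>
      <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
        <ramp:user>acc1</ramp:user>
        <ramp:userCertAlias>acc1</ramp:userCertAlias>
        <ramp:TimeToLive>360</ramp:TimeToLive>
        <ramp:signatureCrypto/>
        <ramp:encryptionCypto/>
      </ramp:RampartConfig>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>"""


def split_qname(tag):
    """ElementTree tag '{ns}local' -> (ns, local); unprefixed tags get ns ''."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def lint_policy(policy_xml):
    """Return a list of human-readable findings; an empty list means clean."""
    root = ET.fromstring(policy_xml)
    findings = []

    # 1. Every element nested under sp:ProtectionToken must be a WS-Policy or
    #    WS-SecurityPolicy element; anything else has no Rampart builder.
    for binding in root.iter(f"{{{SP_NS}}}SymmetricBinding"):
        for pt in binding.iter(f"{{{SP_NS}}}ProtectionToken"):
            for nested in pt.iter():
                ns, local = split_qname(nested.tag)
                if ns and ns not in (SP_NS, WSP_NS):
                    findings.append(
                        f"ProtectionToken uses {local} from {ns}: Rampart cannot build this token")

    # 2. Direct children of ramp:RampartConfig must be names Rampart reads.
    for cfg in root.iter(f"{{{RAMP_NS}}}RampartConfig"):
        for child in cfg:
            ns, local = split_qname(child.tag)
            if ns != RAMP_NS or local not in KNOWN_RAMPART_ELEMENTS:
                findings.append(
                    f"RampartConfig child {local} is not a Rampart element and will be ignored")
    return findings


def fixed_policy():
    """The sample with an X509 protection token and correctly named elements."""
    return (SAMPLE_POLICY
            .replace("mssp:SslContextToken", "sp:X509Token")
            .replace("TimeToLive", "timestampTTL")
            .replace("encryptionCypto", "encryptionCrypto"))


if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print("FINDING:", finding)
    print("fixed policy findings:", lint_policy(fixed_policy()))
```

The lint only checks the shape of the policy and RampartConfig; it says nothing about whether the binding the ESB finally negotiates still authenticates the caller, which is a separate decision once the message-level protection works.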