wso2 ei invoking endpoint with signature

I'm starting to use wso2EI at my company. We need to call a service that our provider exposes. This service is a SOAP web service whose body is signed through a keystore (they sent me a pfx); the idea is to call that service with wso2EI so it can be consumed internally through this application.

So I created the proxy service and the Policy.xml. When I try to call the proxy service without the Policy.xml, making a hard-coded request, it works fine. But when I put the policy in, I get the following error:

```
[-1234] [] [PassThroughMessageProcessor-351] ERROR {org.apache.synapse.core.axis2.Axis2Sender} - Unexpected error during sending message out
java.lang.NullPointerException
    at sun.security.provider.JavaKeyStore$JKS.convertAlias(JavaKeyStore.java:58)
    at sun.security.provider.JavaKeyStore.engineGetCertificateChain(JavaKeyStore.java:163)
    at sun.security.provider.JavaKeyStore$JKS.engineGetCertificateChain(JavaKeyStore.java:56)
    at sun.security.provider.KeyStoreDelegator.engineGetCertificateChain(KeyStoreDelegator.java:101)
    at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetCertificateChain(JavaKeyStore.java:70)
    at java.security.KeyStore.getCertificateChain(KeyStore.java:1048)
    at org.apache.ws.security.components.crypto.CryptoBase.getCertificates(CryptoBase.java:468)
    at org.apache.ws.security.message.WSSecSignature.prepare(WSSecSignature.java:313)
    at org.apache.rampart.builder.BindingBuilder.getSignatureBuilder(BindingBuilder.java:351)
    at org.apache.rampart.builder.BindingBuilder.getSignatureBuilder(BindingBuilder.java:266)
    at org.apache.rampart.builder.AsymmetricBindingBuilder.doSignature(AsymmetricBindingBuilder.java:762)
    at org.apache.rampart.builder.AsymmetricBindingBuilder.doSignBeforeEncrypt(AsymmetricBindingBuilder.java:457)
    at org.apache.rampart.builder.AsymmetricBindingBuilder.build(AsymmetricBindingBuilder.java:97)
    at org.apache.rampart.MessageBuilder.build(MessageBuilder.java:147)
    at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:65)
    at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
    at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
    at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261)
    at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:426)
    at org.apache.synapse.core.axis2.DynamicAxisOperation$DynamicOperationClient.send(DynamicAxisOperation.java:185)
    at org.apache.synapse.core.axis2.DynamicAxisOperation$DynamicOperationClient.executeImpl(DynamicAxisOperation.java:167)
    at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
    at org.apache.synapse.core.axis2.Axis2FlexibleMEPClient.send(Axis2FlexibleMEPClient.java:603)
    at org.apache.synapse.core.axis2.Axis2Sender.sendOn(Axis2Sender.java:85)
    at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.send(Axis2SynapseEnvironment.java:547)
    at org.apache.synapse.endpoints.AbstractEndpoint.send(AbstractEndpoint.java:384)
    at org.apache.synapse.endpoints.AddressEndpoint.send(AddressEndpoint.java:65)
    at org.apache.synapse.mediators.builtin.SendMediator.mediate(SendMediator.java:123)
    at org.apache.synapse.mediators.AbstractListMediator.mediate(AbstractListMediator.java:108)
    at org.apache.synapse.mediators.AbstractListMediator.mediate(AbstractListMediator.java:70)
    at org.apache.synapse.mediators.base.SequenceMediator.mediate(SequenceMediator.java:158)
    at org.apache.synapse.core.axis2.ProxyServiceMessageReceiver.receive(ProxyServiceMessageReceiver.java:224)
    at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
    at org.apache.synapse.transport.passthru.ServerWorker.processEntityEnclosingRequest(ServerWorker.java:415)
    at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:151)
    at org.apache.axis2.transport.base.threads.NativeWorkerPool.run(NativeWorkerPool.java:172)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
```

The proxy is:

```xml
<in>
  <header>
    <sec:OriginPoint xmlns:sec="http://esb.xxx.com/sec/">cd</sec:OriginPoint>
  </header>
  <send buildmessage="true">
    <endpoint>
      <address uri="https://xxx.xxx.xxx.xxx:4443/ESB-Host-secure-services/http/host-secure-services/serviceSecureRouter">
        <enableSec policy="gov:ws-policy/Policy.xml"/>
      </address>
    </endpoint>
  </send>
</in>
<out>
  <log level="full"/>
  <send/>
</out>
```

And the policy:

```xml
<wsp:Policy wsu:Id="signingpolicy"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:InitiatorToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                  <sp:WssX509V3Token10/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:InitiatorToken>
          <sp:RecipientToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                <wsp:Policy>
                  <sp:WssX509V3Token10/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:RecipientToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic256Rsa15/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Strict/>
            </wsp:Policy>
          </sp:Layout>
        </wsp:Policy>
      </sp:AsymmetricBinding>
      <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:MustSupportRefKeyIdentifier/>
          <sp:MustSupportRefEmbeddedToken/>
          <sp:MustSupportRefIssuerSerial/>
        </wsp:Policy>
      </sp:Wss10>
      <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:Body/>
      </sp:SignedParts>
      <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
        <ramp:signatureCrypto>
          <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.file">xx/xx/xx/certificado.jks</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">xxx</ramp:property>
          </ramp:crypto>
        </ramp:signatureCrypto>
      </ramp:RampartConfig>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
```

Update

After setting org.apache.synapse.transport.http.wire to DEBUG, I started seeing the response in the log, but the service still fails. The error is this:

```
[2019-03-19 16:29:29,620] [-1] [] [PassThroughMessageProcessor-2] ERROR {org.apache.axis2.transport.base.threads.NativeWorkerPool} - Uncaught exception
java.lang.NullPointerException
    at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:265)
    at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:124)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:332)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:249)
    at org.apache.rampart.RampartEngine.process(RampartEngine.java:221)
    at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:93)
    at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
    at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
    at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261)
    at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:167)
    at org.apache.synapse.transport.passthru.ClientWorker.run(ClientWorker.java:263)
    at org.apache.axis2.transport.base.threads.NativeWorkerPool.run(NativeWorkerPool.java:172)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
```

The proxy service is still the same.

Update 2

Finally I did it! The problem was in the proxy service and the security mediator. This is the final proxy service. Thanks everyone!!:

```xml
<!-- the opening <proxy> and <target> elements are cut off in the original post -->
    <inSequence>
      <header>
        <sec:OriginPoint xmlns:sec="http://esb.firstdata.com/sec/">cencosud</sec:OriginPoint>
      </header>
      <send>
        <endpoint>
          <address uri="https://172.24.4.215:4443/ESB-Host-secure-services/http/host-secure-services/serviceSecureRouter">
            <enableAddressing/>
            <enableSec outboundPolicy="gov:ws-policy/Policy.xml"/>
          </address>
        </endpoint>
      </send>
    </inSequence>
  </target>
  <description/>
</proxy>
```
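Reading the two traces together (editor's note and example configuration, not the poster's own): the first trace ends in `WSSecSignature.prepare` asking the JKS for `getCertificateChain` with a null alias, which is what Rampart does when the `RampartConfig` does not name the signing alias in `<ramp:user>`; the second trace is the response path (`ClientWorker` into `RampartReceiver`), which is only reached because `<enableSec policy="..."/>` applies the policy to the response as well as the request, whereas `outboundPolicy` applies it to the request only. The fragment below combines the `outboundPolicy` endpoint from Update 2 with a `RampartConfig` that names the signing user and a password callback class. The alias `mykey` and the class name `com.example.ws.SigningPasswordCallback` are assumptions; the keystore path and password are the placeholders from the question.

```xml
<!-- Added example, not the poster's configuration. Assumed: alias "mykey",
     callback class com.example.ws.SigningPasswordCallback. -->

<!-- Endpoint: sign the request only. policy="..." would also run Rampart on
     the response, which is the path the second trace failed in. -->
<send>
  <endpoint>
    <address uri="https://xxx.xxx.xxx.xxx:4443/ESB-Host-secure-services/http/host-secure-services/serviceSecureRouter">
      <enableAddressing/>
      <enableSec outboundPolicy="gov:ws-policy/Policy.xml"/>
    </address>
  </endpoint>
</send>

<!-- RampartConfig inside the <wsp:All> of Policy.xml. -->
<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
  <!-- Keystore alias whose private key signs the Body. Without this element
       Rampart looks up a null alias, and the JKS implementation throws the
       NullPointerException in JavaKeyStore$JKS.convertAlias seen above. -->
  <ramp:user>mykey</ramp:user>
  <!-- Class that hands Rampart the private-key password for that alias. -->
  <ramp:passwordCallbackClass>com.example.ws.SigningPasswordCallback</ramp:passwordCallbackClass>
  <ramp:signatureCrypto>
    <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
      <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
      <ramp:property name="org.apache.ws.security.crypto.merlin.file">xx/xx/xx/certificado.jks</ramp:property>
      <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">xxx</ramp:property>
    </ramp:crypto>
  </ramp:signatureCrypto>
</ramp:RampartConfig>
```

Caveat: with `outboundPolicy` alone the ESB signs the request but does not verify any signature on the response, so the authenticity of what comes back rests entirely on the TLS connection; make sure the endpoint's server certificate is actually validated against the ESB trust store rather than trusted blindly. If the provider does sign its responses, add an `inboundPolicy` with a matching `RecipientToken` and a `signatureCrypto` trust store instead of dropping verification.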

Two things stand out to me: based on the error, it looks like you have some kind of keystore or certificate alias problem. Some things to try:

  • A common mistake is importing the certificate without an alias. Check the keystore to see whether the name is correct.
  • I don't see any mention of a callback handler? Have you implemented one?

More information here, including an example policy and callback handler project.
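To go with the two bullets above, here is an added example (not from the answer or the linked project) of a Rampart password callback handler, together with the keystore check the first bullet asks for. The package, the class name and the `ws.key.password.<alias>` system property are assumptions; `org.apache.ws.security.WSPasswordCallback` is the WSS4J 1.x class that appears in the traces in the question.

```java
package com.example.ws; // assumed package; the full class name goes into <ramp:passwordCallbackClass>

import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.util.Collections;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback; // WSS4J 1.x, as in the traces

/**
 * Rampart calls this handler when it needs the private-key password for the
 * alias named in <ramp:user>. Passwords are read from JVM system properties
 * (assumed property name: ws.key.password.<alias>) so they are not hard-coded
 * in the deployed jar.
 */
public class SigningPasswordCallback implements CallbackHandler {

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "Only WSPasswordCallback is supported");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) cb;
            switch (pwcb.getUsage()) {
                case WSPasswordCallback.SIGNATURE:
                case WSPasswordCallback.DECRYPT: {
                    // getIdentifier() is the keystore alias Rampart is about to use
                    String password = System.getProperty("ws.key.password." + pwcb.getIdentifier());
                    if (password == null) {
                        throw new IOException("No private-key password configured for alias " + pwcb.getIdentifier());
                    }
                    pwcb.setPassword(password);
                    break;
                }
                default:
                    // Refuse anything else (e.g. UsernameToken) rather than leak a key password
                    throw new UnsupportedCallbackException(cb, "Unexpected password usage " + pwcb.getUsage());
            }
        }
    }

    /**
     * Pre-flight check for the "check the alias" advice: open the keystore and
     * confirm that the alias Rampart will sign with is a private-key entry with
     * a certificate chain and a usable key password. getCertificateChain() is
     * the same call WSSecSignature.prepare() makes; handing it a null alias is
     * what produced the NullPointerException in JavaKeyStore.convertAlias.
     */
    public static void checkSigningAlias(String keystorePath, String storeType, char[] storePassword,
                                         char[] keyPassword, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(storeType); // "JKS" or "PKCS12" (Merlin accepts both)
        try (FileInputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, storePassword);
        }
        System.out.println("Aliases in " + keystorePath + ": " + Collections.list(ks.aliases()));
        if (alias == null || !ks.containsAlias(alias)) {
            throw new IllegalStateException("Alias '" + alias + "' not found; set <ramp:user> to one of the aliases above");
        }
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException("Alias '" + alias + "' is a certificate-only entry; signing needs the private key");
        }
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            throw new IllegalStateException("Alias '" + alias + "' has no certificate chain");
        }
        try {
            if (ks.getKey(alias, keyPassword) == null) {
                throw new IllegalStateException("Alias '" + alias + "' returned no key");
            }
        } catch (UnrecoverableKeyException e) {
            throw new IllegalStateException("Wrong private-key password for alias '" + alias + "'", e);
        }
        System.out.println("OK: alias '" + alias + "' has a private key and a chain of " + chain.length + " certificate(s)");
    }

    public static void main(String[] args) throws Exception {
        // Usage: java com.example.ws.SigningPasswordCallback <keystore> <JKS|PKCS12> <store-password> <key-password> <alias>
        checkSigningAlias(args[0], args[1], args[2].toCharArray(), args[3].toCharArray(), args[4]);
    }
}
```

Run `checkSigningAlias` against the converted keystore before deploying the policy: a pfx imported with `keytool -importkeystore` keeps the alias from the PKCS#12 file, which is often something like `1` or `te-...` rather than a name you chose, and that exact string is what `<ramp:user>` has to carry. The alias check is also why the handler keys the password lookup on `getIdentifier()`: a keystore with several private keys then cannot silently sign with the wrong one.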