Apache CXF - 如何通过 HTTPS 使用 ws-securitypolicy 和 ws-secureconversation
Apache CXF - how to use ws-securitypolicy with ws-secureconversation over HTTPS
我正在为外部方提供的 SOAP Web 服务构建客户端。 WSDL 使用策略断言来指定安全性。这包括使用 X509 证书、SecureConversationToken 和通过 HTTPS 传输。
如果我注释掉策略的 HTTPS 部分,我就可以从我的客户端生成一个请求。然而,当我取消注释这些时,我得到一个异常,说无法检测到安全配置:
Caused by: org.apache.cxf.ws.policy.PolicyException: Security configuration could not be detected. Potential cause: Make sure jaxws:client element with name attribute value matching endpoint port is defined as well as a ws-security.signature.properties element within it.
at org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.policyNotAsserted(AbstractBindingBuilder.java:315)
at org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.getSignatureBuilder(AbstractBindingBuilder.java:1851)
at org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.getSignatureBuilder(AbstractBindingBuilder.java:1748)
at org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.doX509TokenSignature(TransportBindingHandler.java:359)
at org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.handleEndorsingToken(TransportBindingHandler.java:297)
at org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.handleEndorsingSupportingTokens(TransportBindingHandler.java:252)
at org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.handleBinding(TransportBindingHandler.java:153)
如果我在抛出异常的地方放置一个断点,我会看到它试图满足的断言是 X509Token。
政策是:
<wsp:Policy wsu:Id="WSHttpBinding_IFeederService_policy">
<wsp:ExactlyOne>
<wsp:All>
<sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken RequireClientCertificate="false" />
</wsp:Policy>
</sp:TransportToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict />
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp />
</wsp:Policy>
</sp:TransportBinding>
<sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:SecureConversationToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:BootstrapPolicy>
<wsp:Policy>
<sp:SignedParts>
<sp:Body />
<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" />
</sp:SignedParts>
<sp:EncryptedParts>
<sp:Body />
</sp:EncryptedParts>
<sp:TransportBinding>
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken RequireClientCertificate="false" />
</wsp:Policy>
</sp:TransportToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict />
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp />
</wsp:Policy>
</sp:TransportBinding>
<sp:EndorsingSupportingTokens>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:RequireThumbprintReference />
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
<sp:SignedParts>
<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
</sp:SignedParts>
</wsp:Policy>
</sp:EndorsingSupportingTokens>
<sp:Wss11>
<wsp:Policy>
<sp:MustSupportRefThumbprint />
</wsp:Policy>
</sp:Wss11>
<sp:Trust10>
<wsp:Policy>
<sp:MustSupportIssuedTokens />
<sp:RequireClientEntropy />
<sp:RequireServerEntropy />
</wsp:Policy>
</sp:Trust10>
</wsp:Policy>
</sp:BootstrapPolicy>
</wsp:Policy>
</sp:SecureConversationToken>
</wsp:Policy>
</sp:EndorsingSupportingTokens>
<sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy />
</sp:Wss11>
<sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportIssuedTokens />
<sp:RequireClientEntropy />
<sp:RequireServerEntropy />
</wsp:Policy>
</sp:Trust10>
<wsaw:UsingAddressing />
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
我删除的部分是第一个 sp:TransportBinding 和第二个 sp:TransportToken。
我的配置是:
<jaxws:client name="{http://tempuri.org/}IFeederService" createdFromAPI="true">
<jaxws:properties>
<entry key="ws-security.callback-handler.sct">
<bean class="nz.govt.moh.common.security.FixedWSPasswordCallbackHandler">
<property name="password" value="password" />
</bean>
</entry>
<entry key="ws-security.signature.properties.sct" value="spring/eps-test-client-keystore.properties" />
</jaxws:properties>
</jaxws:client>
属性文件定义:
org.apache.ws.security.crypto.merlin.keystore.file
org.apache.ws.security.crypto.merlin.keystore.password
org.apache.ws.security.crypto.merlin.keystore.type
org.apache.ws.security.crypto.merlin.keystore.alias
我也尝试添加 ws-security.callback-handler 和 ws-security.signature.properties(与 sct 的值相同)。还尝试添加 ws-security.username 和 ws-security.username.sct。尽管关闭了 HTTPS 位,但它可以在没有任何这些的情况下工作。
另外,当我启用 HTTPS 时,我添加:
<http:conduit name="{http://tempuri.org/}IFeederService.http-conduit">
<http:tlsClientParameters>
<sec:trustManagers>
<sec:keyStore file="${jetty.eps.ssl.keystore.file}" password="${jetty.eps.ssl.keystore.password}" type="${jetty.eps.ssl.keystore.type}" />
</sec:trustManagers>
<sec:cipherSuitesFilter>
<sec:include>.*_EXPORT_.*</sec:include>
<sec:include>.*_EXPORT1024_.*</sec:include>
<sec:include>.*_WITH_DES_.*</sec:include>
<sec:include>.*_WITH_AES_.*</sec:include>
<sec:include>.*_WITH_NULL_.*</sec:include>
<sec:exclude>.*_DH_anon_.*</sec:exclude>
</sec:cipherSuitesFilter>
</http:tlsClientParameters>
</http:conduit>
我正在使用带有 Java 6 的 CXF 版本 2.7.17。(我尝试升级到 3。0.x 但遇到了其他问题,尽管我现在可以再试一次,因为我有一个更好的了解 CXF。)
关于我做错了什么有什么想法吗?为了使用 HTTPS,我还需要指定其他内容吗?是否有同时使用 securitypolicy、secureconversation 和 HTTPS 的工作示例?
谢谢你的帮助,达蒙
原来我用错了 jaxws:client 的名称。我从 wsdl:portType 而不是 wsdl:port 中获取了名称的末尾部分。当我注释掉 WSDL 中的 HTTPS 位时,它实际上发送了一个请求,即使名称是错误的,但是对于完整的 WSDL,它会抱怨因为找不到安全配置。
我正在为外部方提供的 SOAP Web 服务构建客户端。 WSDL 使用策略断言来指定安全性。这包括使用 X509 证书、SecureConversationToken 和通过 HTTPS 传输。
如果我注释掉策略的 HTTPS 部分,我就可以从我的客户端生成一个请求。然而,当我取消注释这些时,我得到一个异常,说无法检测到安全配置:
Caused by: org.apache.cxf.ws.policy.PolicyException: Security configuration could not be detected. Potential cause: Make sure jaxws:client element with name attribute value matching endpoint port is defined as well as a ws-security.signature.properties element within it.
at org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.policyNotAsserted(AbstractBindingBuilder.java:315)
at org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.getSignatureBuilder(AbstractBindingBuilder.java:1851)
at org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.getSignatureBuilder(AbstractBindingBuilder.java:1748)
at org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.doX509TokenSignature(TransportBindingHandler.java:359)
at org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.handleEndorsingToken(TransportBindingHandler.java:297)
at org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.handleEndorsingSupportingTokens(TransportBindingHandler.java:252)
at org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.handleBinding(TransportBindingHandler.java:153)
如果我在抛出异常的地方放置一个断点,我会看到它试图满足的断言是 X509Token。
政策是:
<wsp:Policy wsu:Id="WSHttpBinding_IFeederService_policy">
<wsp:ExactlyOne>
<wsp:All>
<sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken RequireClientCertificate="false" />
</wsp:Policy>
</sp:TransportToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict />
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp />
</wsp:Policy>
</sp:TransportBinding>
<sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:SecureConversationToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:BootstrapPolicy>
<wsp:Policy>
<sp:SignedParts>
<sp:Body />
<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" />
</sp:SignedParts>
<sp:EncryptedParts>
<sp:Body />
</sp:EncryptedParts>
<sp:TransportBinding>
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken RequireClientCertificate="false" />
</wsp:Policy>
</sp:TransportToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict />
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp />
</wsp:Policy>
</sp:TransportBinding>
<sp:EndorsingSupportingTokens>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:RequireThumbprintReference />
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
<sp:SignedParts>
<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
</sp:SignedParts>
</wsp:Policy>
</sp:EndorsingSupportingTokens>
<sp:Wss11>
<wsp:Policy>
<sp:MustSupportRefThumbprint />
</wsp:Policy>
</sp:Wss11>
<sp:Trust10>
<wsp:Policy>
<sp:MustSupportIssuedTokens />
<sp:RequireClientEntropy />
<sp:RequireServerEntropy />
</wsp:Policy>
</sp:Trust10>
</wsp:Policy>
</sp:BootstrapPolicy>
</wsp:Policy>
</sp:SecureConversationToken>
</wsp:Policy>
</sp:EndorsingSupportingTokens>
<sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy />
</sp:Wss11>
<sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportIssuedTokens />
<sp:RequireClientEntropy />
<sp:RequireServerEntropy />
</wsp:Policy>
</sp:Trust10>
<wsaw:UsingAddressing />
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
我删除的部分是第一个 sp:TransportBinding 和第二个 sp:TransportToken。
我的配置是:
<jaxws:client name="{http://tempuri.org/}IFeederService" createdFromAPI="true">
<jaxws:properties>
<entry key="ws-security.callback-handler.sct">
<bean class="nz.govt.moh.common.security.FixedWSPasswordCallbackHandler">
<property name="password" value="password" />
</bean>
</entry>
<entry key="ws-security.signature.properties.sct" value="spring/eps-test-client-keystore.properties" />
</jaxws:properties>
</jaxws:client>
属性文件定义:
org.apache.ws.security.crypto.merlin.keystore.file
org.apache.ws.security.crypto.merlin.keystore.password
org.apache.ws.security.crypto.merlin.keystore.type
org.apache.ws.security.crypto.merlin.keystore.alias
我也尝试添加 ws-security.callback-handler 和 ws-security.signature.properties(与 sct 的值相同)。还尝试添加 ws-security.username 和 ws-security.username.sct。尽管关闭了 HTTPS 位,但它可以在没有任何这些的情况下工作。
另外,当我启用 HTTPS 时,我添加:
<http:conduit name="{http://tempuri.org/}IFeederService.http-conduit">
<http:tlsClientParameters>
<sec:trustManagers>
<sec:keyStore file="${jetty.eps.ssl.keystore.file}" password="${jetty.eps.ssl.keystore.password}" type="${jetty.eps.ssl.keystore.type}" />
</sec:trustManagers>
<sec:cipherSuitesFilter>
<sec:include>.*_EXPORT_.*</sec:include>
<sec:include>.*_EXPORT1024_.*</sec:include>
<sec:include>.*_WITH_DES_.*</sec:include>
<sec:include>.*_WITH_AES_.*</sec:include>
<sec:include>.*_WITH_NULL_.*</sec:include>
<sec:exclude>.*_DH_anon_.*</sec:exclude>
</sec:cipherSuitesFilter>
</http:tlsClientParameters>
</http:conduit>
我正在使用带有 Java 6 的 CXF 版本 2.7.17。(我尝试升级到 3。0.x 但遇到了其他问题,尽管我现在可以再试一次,因为我有一个更好的了解 CXF。)
关于我做错了什么有什么想法吗?为了使用 HTTPS,我还需要指定其他内容吗?是否有同时使用 securitypolicy、secureconversation 和 HTTPS 的工作示例?
谢谢你的帮助,达蒙
原来我用错了 jaxws:client 的名称。我从 wsdl:portType 而不是 wsdl:port 中获取了名称的末尾部分。当我注释掉 WSDL 中的 HTTPS 位时,它实际上发送了一个请求,即使名称是错误的,但是对于完整的 WSDL,它会抱怨因为找不到安全配置。