“wsse:InvalidSecurity”是什么意思? 意思是?

发布于 2024-07-10 22:12:03 字数 3017 浏览 11 评论 0原文

An error was discovered processing the <wsse:Security> header

顺便说一句,这是一个 WS 安全问题...

我看不出我的 WS 端点有任何问题(除了它在 TIBCO BW 引擎中运行这一事实!)。 有人对这种错误有任何“先验”吗? 我意识到 WS-Security 标头可能在任何地方被破坏,大概会出现此错误,但是,某种常见错误的百分位数必须达到 90%。

这是安全的 SOAP - 客户端是独立的 java (WSS4J 1.5.0),仅在此阶段执行签名。

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header>
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-20237898">
                <ds:SignedInfo>
                    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                    <ds:Reference URI="#id-18414151">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                        <ds:DigestValue>DvjhvAtEVxwntL/RjMCNhId57cg=</ds:DigestValue>
                    </ds:Reference>
                </ds:SignedInfo>
                <ds:SignatureValue>
YbOB3FRduCr5rutpIvch9sDZfZToy3pjm+Kyl/Oqz6cAPqMVKqvKBb4P7ebnzP/3SVjm+PfLqlE5
BGgcT3Vz93apyg+eY1rAIYUs7K1Zt9F5ejMmij6HQpQTGpyM9BUXJi1x5bt9GuMtD0SK939bIIE2
ZUyZ0jPJp/wUhMonskw=
</ds:SignatureValue>
                <ds:KeyInfo Id="KeyId-15734641">
                    <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-3852606">
                        <ds:X509Data>
                            <ds:X509IssuerSerial>
                                <ds:X509IssuerName>CN=Mark Hesketh,OU=asdf,O=DVA,L=Canberra,ST=ACT,C=AU</ds:X509IssuerName>
                                <ds:X509SerialNumber>1231310305</ds:X509SerialNumber>
                            </ds:X509IssuerSerial>
                        </ds:X509Data>
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
            </ds:Signature>
        </wsse:Security>
    </soapenv:Header>
    <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-18414151">
        <message xmlns="http://www.tibco.com/schemas/CertificateWork/Resources/Schema.xsd" text="Sample msg with SHA1 signature"/>
    </soapenv:Body>
</soapenv:Envelope>
An error was discovered processing the <wsse:Security> header

This is a WS-Security question btw...

I can't see anything wrong with my WS endpoint (apart from the fact that it's running in a TIBCO BW engine!). Does someone have any 'prior' with this kind of error? I realise that the WS-Security Header could be broken anywhere presumably to get this error but, there's GOT to be a 90% percentile on some kind of common error.

Here's the secured SOAP - the client is standalone java (WSS4J 1.5.0) performing signing only at this stage.

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header>
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-20237898">
                <ds:SignedInfo>
                    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                    <ds:Reference URI="#id-18414151">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                        <ds:DigestValue>DvjhvAtEVxwntL/RjMCNhId57cg=</ds:DigestValue>
                    </ds:Reference>
                </ds:SignedInfo>
                <ds:SignatureValue>
YbOB3FRduCr5rutpIvch9sDZfZToy3pjm+Kyl/Oqz6cAPqMVKqvKBb4P7ebnzP/3SVjm+PfLqlE5
BGgcT3Vz93apyg+eY1rAIYUs7K1Zt9F5ejMmij6HQpQTGpyM9BUXJi1x5bt9GuMtD0SK939bIIE2
ZUyZ0jPJp/wUhMonskw=
</ds:SignatureValue>
                <ds:KeyInfo Id="KeyId-15734641">
                    <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-3852606">
                        <ds:X509Data>
                            <ds:X509IssuerSerial>
                                <ds:X509IssuerName>CN=Mark Hesketh,OU=asdf,O=DVA,L=Canberra,ST=ACT,C=AU</ds:X509IssuerName>
                                <ds:X509SerialNumber>1231310305</ds:X509SerialNumber>
                            </ds:X509IssuerSerial>
                        </ds:X509Data>
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
            </ds:Signature>
        </wsse:Security>
    </soapenv:Header>
    <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-18414151">
        <message xmlns="http://www.tibco.com/schemas/CertificateWork/Resources/Schema.xsd" text="Sample msg with SHA1 signature"/>
    </soapenv:Body>
</soapenv:Envelope>

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

鲜肉鲜肉永远不皱 2024-07-17 22:12:03

哇...如果您仍然遇到这个问题,那么您比我更有耐心...但为了以防万一,这是我的想法:

  • http://schemas.xmlsoap.org/specs/ws-security/ws-security.htm#ws-security__toc6201567 - 建议这是读取标签时出现的问题。
  • 让我印象深刻的一件事是,我没有看到将签名连接到密钥信息的参考。 当然,我会假设 KeyInfo 元素描述使用私钥生成 SignatureValue 的证书,但我没有看到任何 XML 片段告诉软件这一点。 我认为包含 KeyInfo 还不够,可能必须有一个指向它的链接。
  • 如果不是这样,我会根据模式仔细检查这一点,也许还有一个独立的模式验证源。 标题级别的错误让我思考格式而不是内容。

这是我对此的第一个猜测,这只是一个猜测,没有实际操作您的系统并尝试一堆不同的东西。 如果这不起作用,这是我针对此类错误的一般逻辑链:

  1. 格式 - 根据架构,XML 是否正确?
  2. 签名 - 签名需要三样东西:数据、密钥、一组用于制作签名的算法。 检查所有三项 - 数据是否正确,密钥是否正确,算法是否适合密钥以及如何处理消息? 另外,您的图书馆是否正确引用并找到了密钥和数据项?
  3. 外部信息源 - 在这种情况下,您的密钥信息引用的证书可能是从其他地方提取的 - 例如 LDAP 证书存储。 那么..您的代码可以访问该外部源吗?运行代码的数据源和网络是否可以访问? 等等。
  4. 如果 PKI - 证书验证/信任 - 系统必须在幕后做什么才能信任签名者? OCSP 检查? 在 LDAP 中查找? 链接到受信任的根? 信任算法是否正常工作,是否具有所需的一切 - 即访问 OCSP 响应程序、正确配置的证书存储等。

我根据对错误含义的猜测重新排序这些步骤。 这些错误并不那么直观——所以我经常执行所有这些步骤,以防我对错误的解释错误。 此外,我可以防止以后出现问题......

Wow... if you're still having this problem, you have more patience than I... but just in case, here's my thoughts:

  • http://schemas.xmlsoap.org/specs/ws-security/ws-security.htm#ws-security__toc6201567 - suggests that this is a problem reading the tag.
  • One thing that sticks out to me is that I don't see a reference connecting the signature to the key info. Certainly, I would assume that the KeyInfo element is describing the certificate that used a private key to make the SignatureValue, but I don't see a peice of the XML that is telling the software that. I don't think including the KeyInfo is enough, there may have to be a link to it.
  • If not that, I'd double check this against the schema, and maybe an independant schema verifying source. An error at the header level makes me think format rather than content.

That's my first guess at this one, and it's just a guess without getting hands on with your system and trying a bunch of different things. If that doesn't work, this my general logical chain for this type of error:

  1. Format - the XML correct according to the schema?
  2. Signature - the signature needs three things: data, a key, a set of algorithms for making it. Check all three - is the data correct, is the key correct, are the algorithms appropriate for the key and for how the message will be handled? Also, are the key and data items referenced properly and being found by your library?
  3. External sources of info - in this case, your key info references a certificate that presumably is pulled from somewhere else - like an LDAP cert store. So.. can your code get to that external source, is the source of data running and network accessible from where you are running the code? etc.
  4. If PKI -- Certificate Validation/Trust - what does the system have to do behind the scenes to trust the signer? OCSP checks? Lookup in LDAP? Chain to trusted root? etc. Is the trust algorithm working properly and does it have everything it needs - ie, access to OCSP responder, properly configured certificate store, etc.

I reorder these steps based upon my guess on what the error means. The errors are not so intuitive -- so I often go through all these steps just in case my interpretation of the error is wrong. Besides, I may then prevent a problem later...

放飞的风筝 2024-07-17 22:12:03

检查标头中的 SOAPAction。 WSDL 中的值必须与调用中的值相同。 错误的值可能会导致 InvalidSecurity 错误。

在 Java 中,您可以通过此处获取文本形式的消息,

soapMessage.getSOAPPart().getEnvelope();

您可以检查值和设置。

Check your SOAPAction in the Header. The value in the WSDL must be the same as in the call. A wrong value can cause an InvalidSecurity error.

In Java you can get the message as text with

soapMessage.getSOAPPart().getEnvelope();

Here you can check the values and settings.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文