使用安全 UserNameToken 的 Web 服务
出于安全原因,我正在尝试解决我们使用 glassfish V2 使用普通 UserNameToken 发布简单 Web 服务时遇到的问题。 由于我们使用 Netbeans 6.5 来存档此内容,因此我们正在研究本教程< /a>.
因此,完成了以下步骤: 在我们的开发环境中,我们安装了 Sun Java(TM) System Access Manager,并且可以通过管理控制台以及 Netbeans IDE 对其进行管理。 都好。 本教程中的示例效果非常好,因此我们认为我们已经处于继续前进的有利位置。
更改 Web 服务的安全选项后,我们在没有安装任何 Netbeans 的测试环境中发布了此服务。
之后,完成以下步骤:
- 部署服务
- 在 Access Manager 中配置领域的 IP 地址
- 设置预期用户访问 Web 服务。
当我们的合作伙伴现在访问 Web 服务时,不会访问实际的 Web 服务代码,并且我们总是在服务器日志记录中发现安全标头不被理解。
这是我们在服务器上收到的消息:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-10034404">
<wsu:Created>2009-01-19T16:33:38.537Z</wsu:Created>
<wsu:Expires>2009-01-19T16:34:08.537Z</wsu:Expires></wsu:Timestamp><wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-10034094">
<wsse:Username>myUser</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">myPasswd</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
<wsa:MessageID soapenv:mustUnderstand="0">uuid:ecc3b150-e646-11dd-96e5-9f80a576275b</wsa:MessageID>
<wsa:To soapenv:mustUnderstand="0">http://62.154.241.166:8080/HTNGService/WebServiceForTrustService</wsa:To>
<wsa:Action soapenv:mustUnderstand="0">http://webservice.trustinternational.com/ws/services/Htng2ReservationService</wsa:Action>
<wsa:From xmlns="http://schemas.xmlsoap.org/ws/2004/08/addressing" soapenv:mustUnderstand="0">
<wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address></wsa:From>
</soapenv:Header>
<soapenv:Body>
...
</soapenv:Body></soapenv:Envelope>
我们的 wsit.xml 如下所示:
<?xml version="1.0" encoding="UTF-8"?>
<definitions
xmlns="http://schemas.xmlsoap.org/wsdl/"
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" name="WebServiceForTrustService" targetNamespace="http://wstrust/" xmlns:tns="http://wstrust/" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp1="http://www.w3.org/ns/ws-policy" xmlns:fi="http://java.sun.com/xml/ns/wsit/2006/09/policy/fastinfoset/service" xmlns:tcp="http://java.sun.com/xml/ns/wsit/2006/09/policy/soaptcp/service"
>
<message name="otaHotelResNotif"/>
<message name="otaHotelResNotifResponse"/>
<portType name="WebServiceForTrust">
<operation name="otaHotelResNotif">
<input message="tns:otaHotelResNotif"/>
<output message="tns:otaHotelResNotifResponse"/>
</operation>
</portType>
<binding name="WebServiceForTrustPortBinding" type="tns:WebServiceForTrust">
<wsp:PolicyReference URI="#WebServiceForTrustPortBindingPolicy"/>
<operation name="otaHotelResNotif">
<input/>
<output/>
</operation>
</binding>
<service name="WebServiceForTrustService">
<port name="WebServiceForTrustPort" binding="tns:WebServiceForTrustPortBinding"/>
</service>
<wsp:Policy wsu:Id="WebServiceForTrustPortBindingPolicy">
<wsp:ExactlyOne>
<wsp:All/>
</wsp:ExactlyOne>
</wsp:Policy>
</definitions>
有谁知道这里可能缺少什么配置吗?
我们还意识到,在打开安全性(AM 安全性)后,在 IDE 中会在配置文件/ amserver 下创建一个名为 amconfig.xml 的文件。
部署服务后,我们无法在网络服务器上找到该文件,也无法在 *.war 中或在 addons/amserver 等目录下找到该文件。
该文件内部看起来像:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns2:AMConfig xmlns:ns2="http://identity.netbeans.org/access_manager_config_1_0">
<ProviderConfig type="WSP" name="WebServiceForTrustService">
<SecurityMechanism uri="urn:sun:wss:security:null:UserNameToken-Plain"/>
</ProviderConfig>
</ns2:AMConfig>
由于信息已经在服务器上发布的 sun-web.xml 中,我认为这不应该是问题,但可能对您有帮助。
I am trying to resolve a problem we have using glassfish V2 to publish a simple web service using a plain UserNameToken for security reasons. Since we were using Netbeans 6.5 to archive this we were looking into this tutorial.
Therefore the following steps were done:
In our dev environment we installed the Sun Java(TM) System Access Manager and can administer this through the admin console as well as through the Netbeans IDE. All good. The example from the tutorial worked perfect so we thought we are in a good position to move on.
After changing the security options for our web service we published this on our test environment without any Netbeans installed.
After that the following steps were done:
- deploying the service
- configure the realm in Access Manager for the IP address
- setup the expected user to access the web service.
When our partner is now accessing the web service the actual web service code is not accessed and we always find in the server logging that the security header was not understood.
This is the message we receive at the server:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-10034404">
<wsu:Created>2009-01-19T16:33:38.537Z</wsu:Created>
<wsu:Expires>2009-01-19T16:34:08.537Z</wsu:Expires></wsu:Timestamp><wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-10034094">
<wsse:Username>myUser</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">myPasswd</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
<wsa:MessageID soapenv:mustUnderstand="0">uuid:ecc3b150-e646-11dd-96e5-9f80a576275b</wsa:MessageID>
<wsa:To soapenv:mustUnderstand="0">http://62.154.241.166:8080/HTNGService/WebServiceForTrustService</wsa:To>
<wsa:Action soapenv:mustUnderstand="0">http://webservice.trustinternational.com/ws/services/Htng2ReservationService</wsa:Action>
<wsa:From xmlns="http://schemas.xmlsoap.org/ws/2004/08/addressing" soapenv:mustUnderstand="0">
<wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address></wsa:From>
</soapenv:Header>
<soapenv:Body>
...
</soapenv:Body></soapenv:Envelope>
our wsit.xml looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<definitions
xmlns="http://schemas.xmlsoap.org/wsdl/"
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" name="WebServiceForTrustService" targetNamespace="http://wstrust/" xmlns:tns="http://wstrust/" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp1="http://www.w3.org/ns/ws-policy" xmlns:fi="http://java.sun.com/xml/ns/wsit/2006/09/policy/fastinfoset/service" xmlns:tcp="http://java.sun.com/xml/ns/wsit/2006/09/policy/soaptcp/service"
>
<message name="otaHotelResNotif"/>
<message name="otaHotelResNotifResponse"/>
<portType name="WebServiceForTrust">
<operation name="otaHotelResNotif">
<input message="tns:otaHotelResNotif"/>
<output message="tns:otaHotelResNotifResponse"/>
</operation>
</portType>
<binding name="WebServiceForTrustPortBinding" type="tns:WebServiceForTrust">
<wsp:PolicyReference URI="#WebServiceForTrustPortBindingPolicy"/>
<operation name="otaHotelResNotif">
<input/>
<output/>
</operation>
</binding>
<service name="WebServiceForTrustService">
<port name="WebServiceForTrustPort" binding="tns:WebServiceForTrustPortBinding"/>
</service>
<wsp:Policy wsu:Id="WebServiceForTrustPortBindingPolicy">
<wsp:ExactlyOne>
<wsp:All/>
</wsp:ExactlyOne>
</wsp:Policy>
</definitions>
Does anyone has any idea what configuration might be missing here?
We also realised that in the IDE after turning the security (AM security) on there was a file created under configuration files/ amserver called amconfig.xml.
This file we can't find on the webserver after deploying the service nor in the *.war nor under addons/amserver or so.
The file internally looks like:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns2:AMConfig xmlns:ns2="http://identity.netbeans.org/access_manager_config_1_0">
<ProviderConfig type="WSP" name="WebServiceForTrustService">
<SecurityMechanism uri="urn:sun:wss:security:null:UserNameToken-Plain"/>
</ProviderConfig>
</ns2:AMConfig>
since the information is already in sun-web.xml which is published on the server I think that should not be the problem but might be helpful for you.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
因为我们在上面进一步做了一些新的事情,即使它没有解决。
示例教程已重建并部署在测试服务器上。 客户端和服务器测试应用程序。 在测试服务器上本地启动时,两者都工作正常。
如果我们配置远程客户端如何使用具有相同安全信息的相同 Web 服务,我们会发现与其他应用程序相同的错误。
因此我认为它与 Access Manager 的配置有关,但不知道是哪一个。
我希望这可以帮助任何人帮助我。
谢谢!
since we worked further on the above here a few new things even if it isn't solved.
The example tutorial was rebuild and deployed on the test-server. Client and Server Test app. Both are working fine when started locally on the test-server.
If we configure how ever a client from remote to use the same web-service with the same security information, we find the same error like with our other application.
Therefore I assume it has something to do with the configurations o Access Manager, but no idea which one.
I hope that helps anyone to help me.
Thanks!