在 Java 中调用安全的 Web 服务
我需要编写一个 Web 服务客户端来调用第三方 Web 服务(基于 SOAP)。第三方发布了 wsdl 和关联的 xsd 文件。
第三方使用 .p12 证书保护他们的网站和服务
我使用 wsdl2java 生成我的存根。我修改了端点并调用了该服务。我收到以下错误:
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header></SOAP-ENV:Header>
<SOAP-ENV:Body>
<SOAP-ENV:Fault>
<faultcode xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">wsse:InvalidSecurity</faultcode>
<faultstring>SECU1075: An error was discovered processing the <wsse:Security> header</faultstring>
<detail>SECU3510: Signature requirements validation failed: Element (/soapenv:Envelope/soapenv:Body) was not signed</detail>
</SOAP-ENV:Fault>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
嗯,好的。我应该签署该文件,这是有道理的。
(对我来说)奇怪的是 WSDL 文件中的任何地方都没有安全定义。这是正常的吗?我联系了第三方,他们向我发送了 SOAP 消息的 pdf 文件。标题中出现以下标签: 包含:
<wsse:BinarySecurityToken>
所以
<dsig:SignedInfo>
根据我收集的信息,它需要我的证书和一些数字签名。
有人可以推荐如何用 Java 生成这些吗?我开始沿着 Axis2/Rampart 路径走,但老实说,这些似乎是基于 WSDL 文件中定义的安全要求(如果我错了,请纠正我)。
I need to write a web service client to call a third party web service (SOAP based). The third party published a wsdl and the associated xsd files.
The third party secure their website and services using .p12 certificates
I used wsdl2java to generate my stubs. I modified the endpoints and called the service. I received the following error:
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header></SOAP-ENV:Header>
<SOAP-ENV:Body>
<SOAP-ENV:Fault>
<faultcode xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">wsse:InvalidSecurity</faultcode>
<faultstring>SECU1075: An error was discovered processing the <wsse:Security> header</faultstring>
<detail>SECU3510: Signature requirements validation failed: Element (/soapenv:Envelope/soapenv:Body) was not signed</detail>
</SOAP-ENV:Fault>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Hmmm, ok. Makes sense that I should be signing the document.
The strange part (to me) is there isn't a security definition anywhere in the WSDL file. Is this normal? I contacted the third party and they sent me a pdf of what the SOAP message needs to look like. The following tags appear in the header:
containing:
<wsse:BinarySecurityToken>
and
<dsig:SignedInfo>
so from what I gather, it requires my certificate and some digital signatures.
Can someone recommend how to generate these in Java? I started down the Axis2/Rampart path but honestly, it seems those are predicated on having the security requirements defined in the WSDL file (correct me if I'm wrong).
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
看起来您需要使用 WS-Security 标准对消息进行签名。 WS 安全标准没有指定任何到 wsdl 文件的安全映射。某些应用程序将 WS-Security 策略和 WS-Policy Attachment 与 Ws-security 结合使用。 WS-Policy Attachment 指定了将策略映射到 WSDL 的方式。
您可以从 w3.org 了解有关这些标准的更多信息
,是的,您走在正确的道路上,可以使用 WSS4J 或 axis Rampart 您的选择。
Looks like you need to sign you message using The WS-Security standard. The WS-security standard does not specify any security mapping to wsdl file. Some application use WS-Security policy and WS-Policy Attachement in conjunction with Ws-security. WS-Policy Attachment does specifies the way to map policies to WSDL.
You can learn more about these standard from w3.org
And yes you are on the right path, could use WSS4J or axis rampart it your choice.