“请求中缺少 wsse:安全标头”当我尝试使用 Axis2 和 Rampart 发布 SOAP 消息时
我感觉我一直在关注这个问题。
背景: 我必须调用安全的第三方网络服务。主体和标头块都需要使用客户端证书进行签名。 如果我禁用 Rampart 并使用 tcpmon 并捕获传出信封,我可以配置 SOAPUI 来发送消息(通过将 SOAPUI 配置为使用证书来签署前面讨论的重要部分)。这告诉我消息不是问题。
如果我启用 Rampart 并捕获传出消息,它看起来是正确的(两个元素已签名,安全元素全部就位)。
当我尝试使用 Rampart 调用服务时,我得到以下堆栈:
org.apache.axis2.AxisFault: Missing wsse:Security header in request
at org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:166)
at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:99)
at org.apache.axis2.engine.Phase.invoke(Phase.java:318)
at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:254)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:160)
at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:364)
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:417)
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:229)
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:165)
at org.apache.axis2.axis2userguide.RetrieveCurrentBidResults_v20090801ServiceStub.retrieveCurrentBidResults_v20090801(RetrieveCurrentBidResults_v20090801ServiceStub.java:225)
at org.transalta.weezer.soap.client.RetrieveCleanBidsClient.main(RetrieveCleanBidsClient.java:64)
这是我正在使用的policy.xml 文件:
<?xml version="1.0" encoding="UTF-8"?>
<wsp:Policy wsu:Id="SigEncr"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:RequireThumbprintReference />
<sp:WssX509V1Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
<wsp:Policy>
<sp:RequireThumbprintReference />
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:TripleDesRsa15 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict />
</wsp:Policy>
</sp:Layout>
<sp:OnlySignEntireHeadersAndBody />
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier />
<sp:MustSupportRefIssuerSerial />
</wsp:Policy>
</sp:Wss10>
<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body />
<sp:Header Name="CAISOWSHeader" Namespace="http://www.caiso.com/soa/2006-09-30/CAISOWSHeader.xsd" />
</sp:SignedParts>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
所以我想知道 Rampart 到底想告诉我什么?我知道它认为不存在的组件就在那里。
I feel like I've been looking at this issue forever.
Background:
I have to call a secured third party web service. The body and a header block both need to be signed with a client certificate.
If I disable Rampart and use tcpmon and capture the outgoing envelope, I can configure SOAPUI to send the message (by configuring SOAPUI to use the cert to sign the important parts discussed earlier). That tells me the message isn't the issue.
If I enable Rampart and capture the outgoing message, it looks correct (the two elements are signed, the security elements are all in place).
I get the following stack when I try calling the service with Rampart:
org.apache.axis2.AxisFault: Missing wsse:Security header in request
at org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:166)
at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:99)
at org.apache.axis2.engine.Phase.invoke(Phase.java:318)
at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:254)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:160)
at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:364)
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:417)
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:229)
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:165)
at org.apache.axis2.axis2userguide.RetrieveCurrentBidResults_v20090801ServiceStub.retrieveCurrentBidResults_v20090801(RetrieveCurrentBidResults_v20090801ServiceStub.java:225)
at org.transalta.weezer.soap.client.RetrieveCleanBidsClient.main(RetrieveCleanBidsClient.java:64)
and here is the policy.xml file I'm using:
<?xml version="1.0" encoding="UTF-8"?>
<wsp:Policy wsu:Id="SigEncr"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:RequireThumbprintReference />
<sp:WssX509V1Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
<wsp:Policy>
<sp:RequireThumbprintReference />
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:TripleDesRsa15 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict />
</wsp:Policy>
</sp:Layout>
<sp:OnlySignEntireHeadersAndBody />
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier />
<sp:MustSupportRefIssuerSerial />
</wsp:Policy>
</sp:Wss10>
<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body />
<sp:Header Name="CAISOWSHeader" Namespace="http://www.caiso.com/soa/2006-09-30/CAISOWSHeader.xsd" />
</sp:SignedParts>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
So what I want to know is what the heck is Rampart trying to tell me? I know the component it doesn't think is present IS there.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
如果您也发布了捕获的请求响应消息之一,那就更好了。由于您说的是策略中定义的预期元素已被签名,因此请检查请求消息中是否存在 TimeStamp 元素。如果时间戳存在,那么它也必须被签名,在这种情况下,这可能是失败的原因。
It is better if you have posted one of the captured request-response messages too. Since you are saying expected elements that are defined in the policy are singed, please check if the TimeStamp element is there in the request message. If the timestamp is there, then it MUST be signed too, in that case this might be the reason for the failure.
我通过修改 Rampart 模块以跳过“安全”阶段以及流入之后的所有阶段来解决这个问题。
I solved this by modifying the rampart module to skip the 'security' phase and all phases after for the inflow.
我在我的代码中应用了“Tambu”的“modifyRampartModule”方法,并且它开始正常工作。我曾尝试通过 axis2.xml 中的配置执行相同的操作,但我应该做错了什么,因为对我来说,这不起作用。
关键是标头必须在请求和响应中传输...但是如果您有“解决方案提供商”,也许会从响应中删除标头...并且您将面临这个问题。
I applied the method "modifyRampartModule" of "Tambu", in my code, and it began to work fine. I had tried to do the same through configurations in the axis2.xml, but I should have done something wrong, because for me, didn't work.
The point is that the header must travel in the request and also in the response... but if you have a "Solution Provider", maybe will remove the header from the response... and You will be facing this issue.