X509 WS-Security using spring-ws, XWSS interceptor in WebSphere
I am having a hard time with X509 certificate-based WS-Security in WebSphere v7.
Here's a little background:
We are using spring-ws in our application, and we allow for UsernameToken profile security or X509 security. The two are implemented using the Xws Security interceptor, which runs off of the Xws Security Framework:
We implement the security on both the client-side & the server-side, both using the XWSS interceptor. There are two issues:
- The javax.xml.crypto class returned from WebSphere for "http://www.w3.org/2001/10/xml-exc-c14n#" or any CanonicalizationMethod is not compatible with XWSS interceptor. We are seeing this error in the message log on the server-side:
12/5/11 17:26:41:098 EST 00000023 XwsSecurityIn W org.springframework.ws.soap.security.AbstractWsSecurityInterceptor handleValidationException Could not validate request: com.sun.xml.wss.XWSSecurityException: javax.xml.crypto.MarshalException: java.security.NoSuchAlgorithmException: class configured for TransformService: com.ibm.xml.crypto.dsig.dom.transform.ExcC14nTransformer not a TransformService; nested exception is com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.XWSSecurityException: javax.xml.crypto.MarshalException: java.security.NoSuchAlgorithmException: class configured for TransformService: com.ibm.xml.crypto.dsig.dom.transform.ExcC14nTransformer not a TransformService
I think the best thing to do here is override which implementation is used for decrypting these types. We do include the xmldsig-1.0.jar in our war file (which gets deployed with the classloader set to parent-last). Does anybody know of a way to overwrite this? I tried specifying "org.jcp.xml.dsig.internal.dom.XMLDSigRI" in the java.security in my runtime environment, but that did not work. We are including the xmldsig-1.0.jar in our application.
This seems like a compatibility issue between IBM's JRE & Sun's JRE. The XWSS interceptor was written by Sun, so they may have taken some things for granted.
- We are getting a NullPointerException on the client-side trying to insert the header elements needed to sign the request. We are using xerces for our DOM implementation, but this seems to be along the lines of the SOAPFactory. I tried setting the property "javax.xml.soap.SOAPFactory" to "com.sun.xml.messaging.saaj.soap.ver1_1.SOAPFactory1_1Impl", but that did not seem to fix the issue. Here is the stack trace:
[12/3/11 13:39:52:560 EST] 00000027 XwsSecurityIn E org.springframework.ws.soap.security.AbstractWsSecurityInterceptor handleSecurementException Could not secure response: java.lang.NullPointerException; nested exception is com.sun.xml.wss.XWSSecurityException: java.lang.NullPointerException
org.springframework.ws.soap.security.xwss.XwsSecuritySecurementException: java.lang.NullPointerException; nested exception is com.sun.xml.wss.XWSSecurityException: java.lang.NullPointerException...
Caused by: com.sun.xml.wss.XWSSecurityException: java.lang.NullPointerException
at com.sun.xml.wss.impl.misc.XWSSProcessor2_0Impl.secureOutboundMessage(XWSSProcessor2_0Impl.java:98)
at org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor.secureMessage(XwsSecurityInterceptor.java:135)
... 86 more
Caused by: java.lang.NullPointerException
at com.sun.xml.wss.core.Timestamp.getAsSoapElement(Timestamp.java:265)
at com.sun.xml.wss.core.SecurityHeader.insertHeaderBlock(SecurityHeader.java:90)
at com.sun.xml.wss.impl.filter.TimestampFilter.process(TimestampFilter.java:149)
at com.sun.xml.wss.impl.HarnessUtil.processWSSPolicy(HarnessUtil.java:87)
at com.sun.xml.wss.impl.HarnessUtil.processDeep(HarnessUtil.java:237)
at com.sun.xml.wss.impl.SecurityAnnotator.processMessagePolicy(SecurityAnnotator.java:162)
at com.sun.xml.wss.impl.SecurityAnnotator.secureMessage(SecurityAnnotator.java:137)
at com.sun.xml.wss.impl.misc.XWSSProcessor2_0Impl.secureOutboundMessage(XWSSProcessor2_0Impl.java:96)
... 87 more
I've tried setting my policy configuration to disable the timestamp, but then I get a NPE on a different element. I don't believe the configuration is to blame, but here it is anyway:
<?xml version="1.0" encoding="UTF-8"?>
<SecurityConfiguration xmlns="http://java.sun.com/xml/ns/xwss/config" dumpMessages="true">
<Sign includeTimestamp="false">
<X509Token certificateAlias="1"/>
</Sign>
</SecurityConfiguration>
I have tested this on JBoss & Jetty, and both worked as expected. Any assistance would be greatly appreciated...
Comments (1)
After much research, I've found that the XWS Security Interceptor is incompatible with IBM's JRE. I was able to get it to work with UsernameToken profile security, but it will not work with certificate-based security. I have decided to re-write this using the WSS4J interceptor.
For more information, please look at chapter 7.2:
http://static.springsource.org/spring-ws/site/reference/pdf/spring-ws-reference.pdf
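The WSS4J-based replacement the answer points to, as an added example that is not code from the original post or from the spring-ws reference: a Spring Java configuration of `Wss4jSecurityInterceptor` that signs a Timestamp plus the SOAP Body with an X509 key on the way out and requires the same from the peer on the way in. The keystore and trust-store paths, the passwords, and the key alias `1` (carried over from the XWSS config above) are assumptions; the signing keystore is deliberately kept separate from the trust store so that an inbound signature is only accepted when its certificate chains to something you chose to trust, not to any key that happens to sit next to your own.

```java
package example.ws; // hypothetical package

import org.apache.ws.security.components.crypto.Crypto;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.FileSystemResource;
import org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor;
import org.springframework.ws.soap.security.wss4j.support.CryptoFactoryBean;

@Configuration
public class Wss4jX509Config {

    // Assumed locations and secrets. In a real deployment inject these from a
    // protected property source; never ship key passwords inside the war.
    private static final String KEYSTORE_PATH = "/opt/app/conf/keystore.jks";
    private static final String KEYSTORE_PASSWORD = "changeit";
    private static final String KEY_ALIAS = "1";          // same alias the XWSS config used
    private static final String KEY_PASSWORD = "changeit";
    private static final String TRUSTSTORE_PATH = "/opt/app/conf/truststore.jks";
    private static final String TRUSTSTORE_PASSWORD = "changeit";

    private static final String SOAP_ENV_NS = "http://schemas.xmlsoap.org/soap/envelope/";
    private static final String WSU_NS =
            "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";

    /** Keystore holding our own private key and certificate (used only for signing). */
    @Bean
    public CryptoFactoryBean signingCrypto() {
        CryptoFactoryBean crypto = new CryptoFactoryBean();
        crypto.setKeyStoreLocation(new FileSystemResource(KEYSTORE_PATH));
        crypto.setKeyStorePassword(KEYSTORE_PASSWORD);
        return crypto;
    }

    /** Trust store holding only the peer certificates or CAs we accept signatures from. */
    @Bean
    public CryptoFactoryBean trustCrypto() {
        CryptoFactoryBean crypto = new CryptoFactoryBean();
        crypto.setKeyStoreLocation(new FileSystemResource(TRUSTSTORE_PATH));
        crypto.setKeyStorePassword(TRUSTSTORE_PASSWORD);
        return crypto;
    }

    /**
     * One interceptor usable on either side: on the client it secures the request and
     * validates the response, on the server it validates the request and secures the
     * response. Each side points it at its own keystore and trust store.
     */
    @Bean
    public Wss4jSecurityInterceptor x509SecurityInterceptor() throws Exception {
        Wss4jSecurityInterceptor interceptor = new Wss4jSecurityInterceptor();

        // Outbound: add a wsu:Timestamp and sign Timestamp + Body with our key.
        interceptor.setSecurementActions("Timestamp Signature");
        interceptor.setSecurementUsername(KEY_ALIAS);       // keystore alias of the signing key
        interceptor.setSecurementPassword(KEY_PASSWORD);
        interceptor.setSecurementSignatureCrypto(signingCrypto().getObject());
        interceptor.setSecurementSignatureKeyIdentifier("DirectReference"); // embed the cert as a BinarySecurityToken
        // Sign the Timestamp as well as the Body so neither can be replaced or replayed separately.
        interceptor.setSecurementSignatureParts(
                "{Element}{" + SOAP_ENV_NS + "}Body;{Element}{" + WSU_NS + "}Timestamp");
        interceptor.setSecurementTimeToLive(300);           // Timestamp valid for 5 minutes

        // Inbound: require a Timestamp and a Signature, and check the signer against the trust store.
        interceptor.setValidationActions("Timestamp Signature");
        interceptor.setValidationSignatureCrypto(trustCrypto().getObject());
        interceptor.setTimestampStrict(true);               // reject expired Timestamps

        return interceptor;
    }
}
```

Register the bean in the client's `WebServiceTemplate.setInterceptors(...)` or the endpoint's interceptor list as you did with the XWSS interceptor. Two things worth checking after the switch: that the server's trust store really contains only the client certificates or issuing CAs you intend to accept (a trust store that also holds your own signing key does not grant the client anything, but one built from an all-purpose `cacerts` lets any public CA's holder sign requests), and that clocks on both sides are close enough for the 300-second Timestamp window, since `setTimestampStrict(true)` turns skew into validation failures rather than silently accepting stale messages.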