我正在使用 Spring 签署 SOAP 消息,此 doc准确地说。我的配置和文档中描述的没有区别。一切正常,我正在签署传出消息,标头看起来像
<SOAP-ENV:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-1">
...
</ds:Signature>
</wsse:Security>
</SOAP-ENV:Header>
但是,问题是服务器期望类似的内容
<SOAP-ENV:Header>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-1">
...
</ds:Signature>
</SOAP-ENV:Header>
,所以,服务器不喜欢我的请愿书。我无法更改服务器上的任何内容,因此我需要找到解决方案。如果使用soapUI生成请求,则请求中没有wsse:Security标记,因此服务器期望的内容与其WSDL一致。
我用谷歌搜索了几个小时,但没有运气。有没有办法删除 wsse:Security 标签?我可以用 Spring 解决这个问题还是我应该实现一些自定义代码?
I am signing a SOAP message on using Spring, this doc to be exactly. There is no difference between my configuration and the one described in the documentation. Everything is working and I am signing the outgoing message and the header looks like
<SOAP-ENV:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-1">
...
</ds:Signature>
</wsse:Security>
</SOAP-ENV:Header>
However, the problem is that the server is expecting something like
<SOAP-ENV:Header>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-1">
...
</ds:Signature>
</SOAP-ENV:Header>
So, the server doesn't like my petition. I cannot change anything on the server so I need to find a solution. If a use soapUI to generate a Request, in the request there is no wsse:Security tag so what server is expecting is aligned with its WSDL.
I have googled few hours with no luck. Is there anyway to remove wsse:Security tag? Can I resolve this with Spring or I should implement some custom code?
发布评论
评论(1)
好吧,我不确定这是否是最好的答案,但这是我发现的。
Spring WS 安全性侧重于 WS-Security 的三个不同领域:身份验证、数字签名和加密/解密,符合 WS-安全性。
XML 签名 涵盖了这三个领域中的两个,即身份验证和数字签名,因此,如果您只想要在不加密/解密的情况下对您的消息进行签名和/或验证,您可以直接使用 XML 签名,而不是作为 WS-Security 的一部分。这就是我的情况,客户只是直接期待
我没有找到如何使用 Spring WS 做到这一点(整个事情),所以我使用 XMLSignature 与 Spring 对消息进行签名的方式相同。
Well, I am not sure if this is the best answer but this is what I have found out.
Spring WS security focuses on the three different areas of WS-Security: Authentication, Digital signatures and Encryption/Decryption according with WS-Security.
Two of these three areas, Authentication and Digital signatures, are covered by XML Signature so if you just want to sign and/or authenticate your message without encryption/decryption you can use XML Signature directly and not as part of WS-Security. That was my case, client just expecting
<ds:Signature... >directly and not under<wsse:Security ...>I did not find how to do this (the whole thing) with Spring WS, so I implemented it using XMLSignature from Apache WSS4J package that is the the same that Spring does to sign the message.