
java WSO2 ESB ws-security引发异常、AxisFault、无效安全性

我需要调用一个用 Rampart 实现了 WS-Security 的 Web 服务,它在 SSL 之上使用用户名令牌(UsernameToken)和时间戳(Timestamp)进行身份验证。尝试调用该服务时,ESB 日志中收到如下 SOAP 响应,随后抛出下面的异常。

响应SOAP消息

"<?xml version="1.0" encoding="UTF-8"?>
        <soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
            <soapenv:Header>
                <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="true">
                    <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-18784">
                    <wsu:Created>2016-04-19T04:30:20.850Z</wsu:Created><wsu:Expires>2016-04-19T04:35:20.850Z</wsu:Expires></wsu:Timestamp>
                </wsse:Security>
            </soapenv:Header>
            <soapenv:Body>
                <soapenv:Fault xmlns:axis2ns72="http://www.w3.org/2003/05/soap-envelope">
                    <soapenv:Code>
                        <soapenv:Value>axis2ns72:Sender</soapenv:Value>
                        <soapenv:Subcode>
                            <soapenv:Value xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">wsse:InvalidSecurity</soapenv:Value>
                        </soapenv:Subcode></soapenv:Code><soapenv:Reason><soapenv:Text xml:lang="en-US">General security error (WSSecurityEngine: No cryptoproperty file supplied for decryption)
                        </soapenv:Text></soapenv:Reason><soapenv:Detail></soapenv:Detail></soapenv:Fault>
            </soapenv:Body>
        </soapenv:Envelope>

例外情况

 [2016-04-19 09:59:52,730] ERROR - AxisEngine InvalidSecurity
org.apache.axis2.AxisFault: InvalidSecurity
        at org.apache.rampart.handler.PostDispatchVerificationHandler.invoke(PostDispatchVerificationHandler.java:164)
        at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
        at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
        at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261)
        at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:167)
        at org.apache.synapse.transport.passthru.ClientWorker.run(ClientWorker.java:247)
        at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:745)
[2016-04-19 09:59:52,733] ERROR - ClientWorker Fault processing response message through Axis2
org.apache.axis2.AxisFault: InvalidSecurity
        at org.apache.rampart.handler.PostDispatchVerificationHandler.invoke(PostDispatchVerificationHandler.java:164)
        at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
        at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
        at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261)
        at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:167)
        at org.apache.synapse.transport.passthru.ClientWorker.run(ClientWorker.java:247)
        at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:745)

代理服务

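    <?xml version="1.0" encoding="UTF-8"?>
    <!--
      EDI_Proxy: builds a fixed purchaceFromMMR test payload and calls the
      WS-Security protected endpoint using the Rampart policy stored in the
      governance registry.
      NOTE(review): transports="http https" also exposes this proxy over plain
      HTTP; since it injects credentials on the way out, restricting it to
      https is worth considering.
    -->
    <proxy name="EDI_Proxy" startOnLoad="true" trace="disable"
      transports="http https" xmlns="http://ws.apache.org/ns/synapse">
      <target>
        <inSequence>
          <log description="log" level="custom">
            <property name="msg" value="Initiating mcash"/>
          </log>
          <!-- Fixed test payload; <args/> is empty, so nothing is substituted at runtime. -->
          <payloadFactory description="pf_mcash" media-type="xml">
            <format>
              <flw:purchaceFromMMR xmlns:flw="http://flw.mwt.mobitel.com/">
                <!--Optional: -->
                <bankPurchaseRequest xmlns="">
                  <amount>1</amount>
                  <!--Optional: -->
                  <bankCode>00</bankCode>
                  <!--Optional: -->
                  <date>07042016</date>
                  <!--Optional: -->
                  <mobile>0711231234</mobile>
                  <!--Optional: -->
                  <time>120000</time>
                  <!--Optional: -->
                  <transactionId>SDC12345</transactionId>
                </bankPurchaseRequest>
              </flw:purchaceFromMMR>
            </format>
            <args/>
          </payloadFactory>
          <log description="log" level="custom">
            <property name="msg" value="Payload created.."/>
          </log>
          <!--
            NOTE(review): scope="operation" sets an operation-context property,
            not an HTTP header, and the wire trace of the outbound request shows
            no Authorization header at all. If the target really needs HTTP Basic
            on top of the WS-Security UsernameToken, this must be scope="transport";
            otherwise drop it together with the hard-coded credentials.
          -->
          <property
            expression="fn:concat('Basic ', base64Encode('aaa:bbb'))"
            name="Authorization" scope="operation" type="STRING" xmlns:ns="http://org.apache.synapse/xsd"/>
          <!--
            The wire trace shows the outbound request carrying the caller's Cookie
            header (the management console's JSESSIONID when invoked from there)
            to the external endpoint. Strip it before calling out so no inbound
            session cookie is leaked to the backend.
          -->
          <property name="Cookie" scope="transport" action="remove"/>
          <call>
            <endpoint>
              <!--
                NOTE(review): the address ends in "?wsdl", i.e. the message is
                POSTed to the WSDL URL (the wire trace confirms this). Point it at
                the service endpoint itself unless the backend deliberately accepts
                that.
              -->
              <address trace="disable" uri="https://mywssecendpoint.com/Testservices/TestPurchaseService?wsdl">
                <!-- Rampart policy from the governance registry: it decides whether the
                     outbound message is encrypted/signed or only carries a
                     UsernameToken and Timestamp. -->
                <enableSec policy="gov:ws-policy/sample_policy.xml"/>
              </address>
            </endpoint>
          </call>
          <log description="log" level="custom">
            <property name="msg" value="After calling address endpoint"/>
          </log>
        </inSequence>
        <outSequence>
          <!-- level="full" logs the whole response payload; useful while debugging, noisy in production. -->
          <log description="log" level="full"/>
        </outSequence>
        <!-- Previously empty: any mediation error was swallowed without a trace in the ESB log. -->
        <faultSequence>
          <log level="custom">
            <property name="msg" value="EDI_Proxy fault sequence"/>
            <property expression="get-property('ERROR_CODE')" name="ERROR_CODE"/>
            <property expression="get-property('ERROR_MESSAGE')" name="ERROR_MESSAGE"/>
          </log>
        </faultSequence>
      </target>
      <parameter name="engagedModules">rampart,rahas</parameter>
    </proxy>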

策略文件

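<!--
  Rampart policy referenced by EDI_Proxy (gov:ws-policy/sample_policy.xml).

  NOTE(review): this is a SymmetricBinding with an X509 ProtectionToken and
  <sp:EncryptedParts><sp:Body/>. Rampart therefore generates a symmetric key,
  wraps it in an <xenc:EncryptedKey> for the encryptionUser's certificate,
  encrypts the Body with it and signs Body, Timestamp and UsernameToken with
  an HMAC derived from that key; the wire trace in the question shows exactly
  that. The receiver then needs the matching RSA private key plus a decryption
  crypto configuration, and its fault ("No crypto property file supplied for
  decryption") says it has none.

  If the target only expects a UsernameToken + Timestamp over HTTPS, as the
  question states, this binding is the wrong one: a TransportBinding
  (sp:HttpsToken) with the UsernameToken as a supporting token and
  sp:IncludeTimestamp, without EncryptedParts/ProtectionToken/encryptionCrypto,
  is what fits. Confirm against the target's own policy or WSDL before changing.
-->
<wsp:Policy wsu:Id="SgnEncrUsername"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
    xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:SymmetricBinding>
                <wsp:Policy>
                    <!-- Certificate used to wrap the symmetric key. It is never sent
                         (IncludeToken/Never) and is referenced by SHA-1 thumbprint. -->
                    <sp:ProtectionToken>
                        <wsp:Policy>
                            <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                                <wsp:Policy>
                                    <sp:RequireThumbprintReference/>
                                    <sp:WssX509V3Token10/>
                                </wsp:Policy>
                            </sp:X509Token>
                        </wsp:Policy>
                    </sp:ProtectionToken>
                    <!-- Basic256: AES-256-CBC with SHA-1 digests and HMAC-SHA1 (as seen on
                         the wire). A SHA-256 suite would be preferable if the peer and the
                         policy namespace version in use support it. -->
                    <sp:AlgorithmSuite>
                        <wsp:Policy>
                            <sp:Basic256/>
                        </wsp:Policy>
                    </sp:AlgorithmSuite>
                    <sp:Layout>
                        <wsp:Policy>
                            <sp:Lax/>
                        </wsp:Policy>
                    </sp:Layout>
                    <sp:IncludeTimestamp/>
                    <sp:OnlySignEntireHeadersAndBody/>
                </wsp:Policy>
            </sp:SymmetricBinding>
            <!-- Body is signed and encrypted. EncryptedParts is what forces the receiver
                 to have a decryption key; remove it if the target does not decrypt. -->
            <sp:SignedParts>
                <sp:Body/>
            </sp:SignedParts>
            <sp:EncryptedParts>
                <sp:Body/>
            </sp:EncryptedParts>
            <!-- UsernameToken goes out in the clear (PasswordText on the wire) but is
                 covered by the signature; only TLS protects the password in transit. -->
            <sp:SignedSupportingTokens>
                <wsp:Policy>
                    <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                        <wsp:Policy>
                            <sp:WssUsernameToken10/>
                        </wsp:Policy>
                    </sp:UsernameToken>
                </wsp:Policy>
            </sp:SignedSupportingTokens>
            <sp:Wss11>
                <wsp:Policy>
                    <sp:MustSupportRefKeyIdentifier/>
                    <sp:MustSupportRefIssuerSerial/>
                    <sp:MustSupportRefThumbprint/>
                    <sp:MustSupportRefEncryptedKey/>
                    <sp:RequireSignatureConfirmation/>
                </wsp:Policy>
            </sp:Wss11>
            <sp:Trust10>
                <wsp:Policy>
                    <sp:MustSupportIssuedTokens/>
                    <sp:RequireClientEntropy/>
                    <sp:RequireServerEntropy/>
                </wsp:Policy>
            </sp:Trust10>
        </wsp:All>
    </wsp:ExactlyOne>
    <rampart:RampartConfig xmlns:rampart="http://ws.apache.org/rampart/policy">
        <!-- Callback that supplies the UsernameToken password (and any key password) at runtime. -->
        <rampart:passwordCallbackClass>com.wssec.PWCallbackHandler</rampart:passwordCallbackClass>
        <!-- user: the UsernameToken username. encryptionUser: keystore alias whose
             certificate wraps the EncryptedKey.
             NOTE(review): "wso2carbon" is the alias of the ESB's own default key pair;
             for the remote service to decrypt, this must be the alias of the target
             service's certificate in the trust store. -->
        <rampart:user>Testuser</rampart:user>
        <rampart:encryptionUser>wso2carbon</rampart:encryptionUser>
        <!-- Timestamp handling: 5 minute TTL, 5 minute tolerated clock skew, strict
             expiry checks on received messages. -->
        <rampart:timestampPrecisionInMilliseconds>true</rampart:timestampPrecisionInMilliseconds>
        <rampart:timestampTTL>300</rampart:timestampTTL>
        <rampart:timestampMaxSkew>300</rampart:timestampMaxSkew>
        <rampart:timestampStrict>true</rampart:timestampStrict>
        <!-- Fixed: the class name previously carried a stray carriage return and
             whitespace inside the element, which may not resolve as a class name. -->
        <rampart:tokenStoreClass>org.wso2.carbon.security.util.SecurityTokenStore</rampart:tokenStoreClass>
        <rampart:nonceLifeTime>300</rampart:nonceLifeTime>
        <!-- NOTE(review): the alias property holds "mcash.cer", which looks like a file
             name; ServerCrypto expects a keystore alias (check with keytool -list on
             wso2carbon.jks). -->
        <rampart:encryptionCrypto>
            <rampart:crypto
                cryptoKey="org.wso2.carbon.security.crypto.privatestore" provider="org.wso2.carbon.security.util.ServerCrypto">
                <rampart:property name="org.wso2.carbon.security.crypto.alias">mcash.cer</rampart:property>
                <rampart:property name="org.wso2.carbon.security.crypto.privatestore">wso2carbon.jks</rampart:property>
                <rampart:property name="org.wso2.stratos.tenant.id">-1234</rampart:property>
                <rampart:property name="org.wso2.carbon.security.crypto.truststores">wso2carbon.jks</rampart:property>
                <rampart:property name="rampart.config.user">wso2carbon</rampart:property>
            </rampart:crypto>
        </rampart:encryptionCrypto>
        <!-- Same keystore for signing; with SymmetricBinding the signature is an HMAC
             under the wrapped key, so no private key is needed here. -->
        <rampart:signatureCrypto>
            <rampart:crypto
                cryptoKey="org.wso2.carbon.security.crypto.privatestore" provider="org.wso2.carbon.security.util.ServerCrypto">
                <rampart:property name="org.wso2.carbon.security.crypto.alias">mcash.cer</rampart:property>
                <rampart:property name="org.wso2.carbon.security.crypto.privatestore">wso2carbon.jks</rampart:property>
                <rampart:property name="org.wso2.stratos.tenant.id">-1234</rampart:property>
                <rampart:property name="org.wso2.carbon.security.crypto.truststores">wso2carbon.jks</rampart:property>
                <rampart:property name="rampart.config.user">wso2carbon</rampart:property>
            </rampart:crypto>
        </rampart:signatureCrypto>
    </rampart:RampartConfig>
    <!-- Appears to apply only when this policy secures a service hosted on this
         server (inbound authorization); it has no effect on an outbound call. -->
    <sec:CarbonSecConfig xmlns:sec="http://www.wso2.org/products/carbon/security">
        <sec:Authorization>
            <sec:property name="org.wso2.carbon.security.allowedroles">admin</sec:property>
        </sec:Authorization>
    </sec:CarbonSecConfig>
</wsp:Policy>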

我已经按照本 question 中所述启用(engage)了 rampart 模块,编写了密码回调处理程序类并放入 <ESB_HOME>/repository/components/lib,该类能被成功调用。策略文件写在注册表资源中,并做了必要的配置(密码回调处理程序、密钥库)。

如果有人能通过查看回复和异常来帮助或指出我遗漏了什么,我将非常高兴

提前谢谢

--编辑-- 线路上的请求(注意:下面的跟踪包含从调用方透传到外部端点的 Cookie 头(含管理控制台的 JSESSIONID)以及明文的 UsernameToken 密码;公开之前应脱敏,并轮换这些凭据。)

    "POST /Testservices/BankPurchaseService?wsdl HTTP/1.1[\r][\n]" {org.apache.synapse.transport.http.wire}
"Cookie: region3_registry_menu=visible; menuPanel=visible; menuPanelType=main; JSESSIONID=95CAE85DE74F34BBAB10163E36087B12; requestedURI="../../carbon/service-mgt/index.jsp?region=region1&item=services_list_menu"; region1_configure_menu=none; region4_monitor_menu=none; region5_tools_menu=none; current-breadcrumb=manage_menu%2Cservices_menu%2Cservices_list_menu%23[\r][\n]" {org.apache.synapse.transport.http.wire}
"Content-Type: application/soap+xml; charset=UTF-8; action="urn:mediate"[\r][\n]" {org.apache.synapse.transport.http.wire}
"Transfer-Encoding: chunked[\r][\n]" {org.apache.synapse.transport.http.wire}
"Host: mobextintvpn.mobitel.lk:443[\r][\n]" {org.apache.synapse.transport.http.wire}
"Connection: Keep-Alive[\r][\n]" {org.apache.synapse.transport.http.wire}
"User-Agent: Synapse-PT-HttpComponents-NIO[\r][\n]" {org.apache.synapse.transport.http.wire}
"[\r][\n]" {org.apache.synapse.transport.http.wire}
"1287[\r][\n]" {org.apache.synapse.transport.http.wire}
"<?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><soapenv:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="true"><wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-1"><wsu:Created>2016-04-19T10:18:22.520Z</wsu:Created><wsu:Expires>2016-04-19T10:23:22.520Z</wsu:Expires></wsu:Timestamp><xenc:EncryptedKey Id="EncKeyId-95F8BA9FA0125DE2C814610611030642"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">[\n]" {org.apache.synapse.transport.http.wire}
"<wsse:SecurityTokenReference><wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">a/jhNus21KVuoFx65LmkW2O/l10=</wsse:KeyIdentifier></wsse:SecurityTokenReference>[\n]" {org.apache.synapse.transport.http.wire}
"</ds:KeyInfo><xenc:CipherData><xenc:CipherValue>OAbkdbMWv8icJf+Y9u34aiQI79G1qWYA8Femy/VDAd0osCW8kVglQ7SpfKUEvVfz7qNZUHabOEQh3opPEA/o7/0wEWYLZbdXj1cUtl1ViwobdJr1UaWH2IuWQVPoJFSh88/5LJWDDdhrpgIrpMVyuu7/DL6d/DJJFdcOfznjTpM=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey><xenc:ReferenceList><xenc:DataReference URI="#EncDataId-4"/></xenc:ReferenceList><wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-2"><wsse:Username>Hnbmwtuser</wsse:Username><wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">Hnbmwtuser</wsse:Password></wsse:UsernameToken><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-3">[\n]" {org.apache.synapse.transport.http.wire}
"<ds:SignedInfo>[\n]" {org.apache.synapse.transport.http.wire}
"<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>[\n]" {org.apache.synapse.transport.http.wire}
"<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>[\n]" {org.apache.synapse.transport.http.wire}
"<ds:Reference URI="#Id-1995499025">[\n]" {org.apache.synapse.transport.http.wire}
"<ds:Transforms>[\n]" {org.apache.synapse.transport.http.wire}
"<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>[\n]" {org.apache.synapse.transport.http.wire}
"</ds:Transforms>[\n]" {org.apache.synapse.transport.http.wire}
"<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>[\n]" {org.apache.synapse.transport.http.wire}
"<ds:DigestValue>zOGehBXKICE+35najzJhEV+lxfo=</ds:DigestValue>[\n]" {org.apache.synapse.transport.http.wire}
"</ds:Reference>[\n]" {org.apache.synapse.transport.http.wire}
"<ds:Reference URI="#Timestamp-1">[\n]" {org.apache.synapse.transport.http.wire}
"<ds:Transforms>[\n]" {org.apache.synapse.transport.http.wire}
"<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>[\n]" {org.apache.synapse.transport.http.wire}
"</ds:Transforms>[\n]" {org.apache.synapse.transport.http.wire}
"<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>[\n]" {org.apache.synapse.transport.http.wire}
"<ds:DigestValue>MVyAyqaqT/h9KmttU1wP4QSTo1A=</ds:DigestValue>[\n]" {org.apache.synapse.transport.http.wire}
"</ds:Reference>[\n]" {org.apache.synapse.transport.http.wire}
"<ds:Reference URI="#UsernameToken-2">[\n]" {org.apache.synapse.transport.http.wire}
"<ds:Transforms>[\n]" {org.apache.synapse.transport.http.wire}
"<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>[\n]" {org.apache.synapse.transport.http.wire}
"</ds:Transforms>[\n]" {org.apache.synapse.transport.http.wire}
"<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>[\n]" {org.apache.synapse.transport.http.wire}
"<ds:DigestValue>ftAIvRUNNgVoN1mPq4L08UBdwHs=</ds:DigestValue>[\n]" {org.apache.synapse.transport.http.wire}
"</ds:Reference>[\n]" {org.apache.synapse.transport.http.wire}
"</ds:SignedInfo>[\n]" {org.apache.synapse.transport.http.wire}
"<ds:SignatureValue>B4HfIv89mQBvAH0E5pqm70k0hOc=</ds:SignatureValue>[\n]" {org.apache.synapse.transport.http.wire}
"<ds:KeyInfo Id="KeyId-95F8BA9FA0125DE2C814610611031013">[\n]" {org.apache.synapse.transport.http.wire}
"<wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-95F8BA9FA0125DE2C814610611031014"><wsse:Reference URI="#EncKeyId-95F8BA9FA0125DE2C814610611030642" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"/></wsse:SecurityTokenReference>[\n]" {org.apache.synapse.transport.http.wire}
"</ds:KeyInfo>[\n]" {org.apache.synapse.transport.http.wire}
"</ds:Signature></wsse:Security></soapenv:Header><soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-1995499025"><xenc:EncryptedData Id="EncDataId-4" Type="http://www.w3.org/2001/04/xmlenc#Content"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">[\n]" {org.apache.synapse.transport.http.wire}
"<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:Reference URI="#EncKeyId-95F8BA9FA0125DE2C814610611030642"/></wsse:SecurityTokenReference>[\n]" {org.apache.synapse.transport.http.wire}
"</ds:KeyInfo><xenc:CipherData><xenc:CipherValue>wIL1a9udg+JfIITcM++vJ0iA+oYahKZzUtq3xLpK/2eTHg8boNsrT+omZbq+aqscUmxqV9ofgei/[\n]" {org.apache.synapse.transport.http.wire}
"vlj1evRic21e82d5R9oIXE35s5NYR7M1ij23bfsPo5WCtg2QTXWg3Ijdae9ASSXBgShhsxYeCBkv[\n]" {org.apache.synapse.transport.http.wire}
"07cgLYZjOOqrpww5B/PG4cBccTJevTWTgkU8yW6WlqPtjlQgg9olRw598JIBvgX6/od/dLMtReA4[\n]" {org.apache.synapse.transport.http.wire}
"cTsjzRIMeQiG3u8oBwzDav9zdYiNV2Pyhr+M8juiEX4jlKCNF3XBS/k4RdAJBObAIu3RBNKbWkjT[\n]" {org.apache.synapse.transport.http.wire}
"8bSs7GxlW8yVgeMb6UzoZHlfES+siSm7iINnskl0AdZMLhn8na9iAJS94Cw6925/eulAKLAOS0dj[\n]" {org.apache.synapse.transport.http.wire}
"Hf7lISscNRZxHEcD84Q9PBK6/XGn/qyE5Q0gyNTFu2ASLq3w9+yMOZAI7X+z6qprOTssOE6VltAW[\n]" {org.apache.synapse.transport.http.wire}
"VpBCZN/XmbZSdT40y7dfQ/ykQjsCFAnF5lSJ7TP9vf5Qc+76qCNnZyrwOTdeuqNr0Sle9AQ717YH[\n]" {org.apache.synapse.transport.http.wire}
"Yw==</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soapenv:Body></soapenv:Envelope>[\r][\n]"

共 (1) 个答案

  1. # 1 楼答案

    错误信息非常清楚:“WSSecurityEngine:没有提供用于解密的 crypto 属性文件”。看起来服务端使用的是 WSS4J。但要注意这个错误说的是解密:线路上的请求(见上面的编辑)带有 <xenc:EncryptedKey> 和被加密的 Body,这是你策略中的 SymmetricBinding + <sp:EncryptedParts> 造成的;服务端若没有配置能解开该密钥的私钥(decryption crypto),就会返回 wsse:InvalidSecurity,也就无法再验证签名内容。如果你控制服务端,应为 Wss4jSecurityInterceptor 同时配置验证签名和解密用的 crypto(不只是签名);如果目标服务只要求 HTTPS 之上的 UsernameToken + 时间戳,则应在客户端改用 TransportBinding 策略并去掉加密部分。若使用 XML 配置,可以添加如下内容:

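    <!--
      Server-side (Spring-WS / WSS4J) configuration for a request like the one on
      the wire: Timestamp + EncryptedKey/EncryptedData + UsernameToken + Signature.
      The original snippet only supplied a signature crypto and had a malformed
      attribute (value="<your_keystore_pwd>/> is not well-formed XML). The fault
      text is about decryption, which needs its own crypto plus a callback handler
      that can unlock the private key.
      NOTE(review): property names are those of Spring-WS's Wss4jSecurityInterceptor
      and KeyStoreCallbackHandler; verify them against the Spring-WS version in use,
      whether your WSS4J version requires validationActions in message order, and
      which password-validation handler UsernameToken needs. ${...} placeholders
      assume a property placeholder configurer so no password lives in the XML.
    -->
    <bean class="org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor">
        <!-- Every action present in the incoming Security header must be listed, or WSS4J rejects the message. -->
        <property name="validationActions" value="Timestamp Encrypt UsernameToken Signature"/>
        <!-- Trust material used to verify the signature. -->
        <property name="validationSignatureCrypto">
            <bean class="org.springframework.ws.soap.security.wss4j.support.CryptoFactoryBean">
                <property name="keyStorePassword" value="${keystore.password}"/>
                <property name="keyStoreLocation" value="${keystore.location}"/>
            </bean>
        </property>
        <!-- Private key the client's EncryptedKey was wrapped for; this is what the fault says is missing. -->
        <property name="validationDecryptionCrypto">
            <bean class="org.springframework.ws.soap.security.wss4j.support.CryptoFactoryBean">
                <property name="keyStorePassword" value="${keystore.password}"/>
                <property name="keyStoreLocation" value="${keystore.location}"/>
            </bean>
        </property>
        <!-- Supplies the private-key password for decryption. -->
        <property name="validationCallbackHandler">
            <bean class="org.springframework.ws.soap.security.wss4j.callback.KeyStoreCallbackHandler">
                <property name="privateKeyPassword" value="${private.key.password}"/>
            </bean>
        </property>
    </bean>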
    

    如果您使用的是纯java,那么这些方法非常相似