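I need to access a secured web service; every request must carry a token in the header.
I know the web service's endpoint, and I also know how to create the token.
But I cannot see the web service's WSDL.
Is there a way in C# to create a SOAP client without a WSDL file?

I am using WSIT/Metro to create a simple web service. When a client tries to connect using a simple username/password authentication scheme, I get the following error on the server: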
2010.03.31. 19:10:33 com.sun.xml.ws.protocol.soap.MUTube getMisUnderstoodHeaders
INFO: Element not understood={http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security
I don't know how to make WSIT understand the security block.
The request I get from the client:
<?xml version="1.0" encoding="http://www.w3.org/2003/05/soap-envelope" standalone="no"?>
<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
<soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
soapenv:mustUnderstand="true">
<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="UsernameToken-1">
<wsse:Username>admin</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">admin</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
<wsa:To>http://localhost:11122/services/TopJtapiRemoteMethods</wsa:To>
<wsa:MessageID>urn:uuid:D5C576F83D74F761311270055433217</wsa:MessageID>
<wsa:Action>urn:hasCallPolling</wsa:Action>
</soapenv:Header>
<soapenv:Body />
</soapenv:Envelope>
The server's WSDL:
<?xml version="1.0" encoding="UTF-8"?>
<wsdl:definitions
targetNamespace="http://soapserver.topjtapi.cti.topdesk.com"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:ns="http://soapserver.topjtapi.cti.topdesk.com"
xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:wsoap12="http://schemas.xmlsoap.org/wsdl/soap12/">
<wsp:Policy wsu:Id="PasswordAuthPolicy">
<wsp:All>
<sp:SupportingTokens>
<wsp:Policy>
<sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssUsernameToken10 />
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:SupportingTokens>
</wsp:All>
</wsp:Policy>
<wsdl:types>
<!-- ... -->
</wsdl:types>
<wsdl:message name="incomingCallRequest">
<!-- ... -->
</wsdl:message>
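<wsdl:portType …

So I have been struggling with WS-Security for a while and am slowly making progress. First, let me briefly describe my setup. I have a Java application running in Tomcat that provides a web service endpoint (using Spring). I want incoming messages to be signed. I am testing with SoapUI. After a long struggle I got the server to check the signature of incoming messages, and I also got SoapUI to sign outgoing messages. However, the server keeps rejecting the certificate, and I am not sure where I am going wrong, i.e. whether I am sending the wrong certificate information with my test request, or whether I have not maintained the certificate correctly in the truststore. Here is an example of the request: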
<soapenv:Envelope xmlns="http://movilitas.com/movilizer/v7" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsu:Timestamp wsu:Id="Timestamp-7" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsu:Created>2011-06-30T12:51:33.407Z</wsu:Created>
<wsu:Expires>2011-06-30T12:53:13.407Z</wsu:Expires>
</wsu:Timestamp>
<ds:Signature Id="Signature-6" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-2">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>OiRQ2oXbajnnrSGsbOALT2i6brs=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
fmtFMSccFcwEfL1M8qgQ...
</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-C3B38A939F7D63D51F13094382933988">
<wsse:SecurityTokenReference wsu:Id="STRId-C3B38A939F7D63D51F13094382933989" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3SubjectKeyIdentifier">
MIICbzCCAdgCAQEwDQ...
</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soapenv:Header>
<soapenv:Body wsu:Id="id-2" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
[...]
</soapenv:Body>
</soapenv:Envelope>
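Now, when I export the certificate from my truststore (the base64-encoded version of the certificate), what I get is the same as what I have here. The error I receive when I send the request is as follows: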
Jul 5, 2011 4:42:23 PM com.sun.xml.wss.impl.dsig.KeySelectorImpl resolve
SEVERE: WSS1353: Error occurred while resolving key information
com.sun.xml.wss.XWSSecurityException: No Matching public key for MIICbzCCAdgCAQEwDQ... subject …

I am trying to develop a web service that supports WS-Security using Apache CXF. The tutorial I am following is here. Unfortunately, I keep getting the following frustrating error. I am using Spring framework 3.0.5, CXF 2.3.3 and WSS4J 1.6.1. This may be a silly question, but I am almost tired of searching for a solution. Please help....
org.springframework.web.util.NestedServletException: Handler processing failed; nested exception is java.lang.NoSuchMethodError: org.apache.ws.security.util.WSSecurityUtil.decodeAction(Ljava/lang/String;Ljava/util/Vector;Lorg/apache/ws/security/WSSConfig;)I
org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:839)
org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:719)
org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:644)
org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:549)
javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
root cause
java.lang.NoSuchMethodError: org.apache.ws.security.util.WSSecurityUtil.decodeAction(Ljava/lang/String;Ljava/util/Vector;Lorg/apache/ws/security/WSSConfig;)I
org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:192)
org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:134)
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:255)
org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:516)
org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:313)
org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:265)
org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:124)
$Proxy800.getEmployee(Unknown Source)
org.samith.web.controller.FrontController.frontRequestHandler(FrontController.java:35)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
java.lang.reflect.Method.invoke(Method.java:597)
org.springframework.web.bind.annotation.support.HandlerMethodInvoker.invokeHandlerMethod(HandlerMethodInvoker.java:176)
org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.invokeHandlerMethod(AnnotationMethodHandlerAdapter.java:426)
org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.handle(AnnotationMethodHandlerAdapter.java:414)
org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:790)
org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:719)
org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:644)
org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:549)
javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
This is what my client code looks like.
ClassPathXmlApplicationContext context = new ClassPathXmlApplicationContext(
        new String[]{"SpringCXFClient-servlet.xml"});
AuthService client = (AuthService) context.getBean("client");
Employee employee = client.getEmployee("0223938");
model.addAttribute("lastname", employee.getLastName());
model.addAttribute("firstname", employee.getFirstName());
And my clientCXF.xml file,
<bean id="proxyFactory" class="org.apache.cxf.jaxws.JaxWsProxyFactoryBean">
<property name="serviceClass" …

I am using Apache CXF to build a web service. It uses Apache WSS4J to provide WS-Security functionality. I need to make a SOAP request, and it must be signed.
This is the content of the properties file I pass to WSS4J:
org.apache.ws.security.crypto.provider = org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type = PKCS12
org.apache.ws.security.crypto.merlin.keystore.provider = BC
org.apache.ws.security.crypto.merlin.keystore.password = 12345678
org.apache.ws.security.crypto.merlin.keystore.alias = my-alias
org.apache.ws.security.crypto.merlin.keystore.file = my_certificate.p12
I want to get rid of the line where my password is written in plain text. I removed that line and provided a password callback handler to my WSS4JOutInterceptor, as in this code:
public SoapInterceptor newSignerInterceptor() {
    Map<String, Object> outProps = new HashMap<String, Object>();
    outProps.put(WSHandlerConstants.ACTION, "Signature");
    outProps.put(WSHandlerConstants.USER, config.getKeyAlias());
    outProps.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
    outProps.put(WSHandlerConstants.USE_REQ_SIG_CERT, WSHandlerConstants.SIGNATURE_USER);
    outProps.put(WSHandlerConstants.USE_SINGLE_CERTIFICATE, "false");
    outProps.put(WSHandlerConstants.PW_CALLBACK_CLASS, this.getClass().getName());
    outProps.put(WSHandlerConstants.SIG_PROP_FILE, config.getPropertiesFileName());
    return new WSS4JOutInterceptor(outProps);
}

@Override
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
    for (int i = 0; i < callbacks.length; i++) {
        if (callbacks[i] instanceof WSPasswordCallback) {
            ((WSPasswordCallback) callbacks[i]).setPassword(password);
        }
    } …

I need to consume a web service that uses WS-Security based on X.509 certificates from an ASP.NET 4.5 application. So far I have created the web reference, but I don't know how to implement WS-Security. I have no problem obtaining the certificate, but I don't know how to use it in this case, and I need advice on how to proceed.
My code so far is very basic; I need to add WS-Security:
var tere = new serviciotereSoapClient();
tere.ClientCredentials.ClientCertificate.Certificate = myCert;
var response = tere.agregarGuia( guia );
Service configuration:
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="serviciotereSoapBinding" >
<security mode="Transport">
<transport clientCredentialType="None" proxyCredentialType="None"
realm="" />
<message clientCredentialType="Certificate" algorithmSuite="Default" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint address="https://secure.aduana.gov.py/test/tere/serviciotere"
binding="basicHttpBinding" bindingConfiguration="serviciotereSoapBinding"
contract="TEREReference.serviciotereSoap" name="serviciotereSoap" />
</client>
</system.serviceModel>
Edit 1
Based on @TrevorBrooks's answer, I came up with the following implementation:
web.config now looks like this:
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_TereService" >
<security mode="Transport">
<transport clientCredentialType="None" proxyCredentialType="None"
realm="" />
<message clientCredentialType="Certificate" algorithmSuite="Default" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
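<endpoint address="https://secure.aduana.gov.py/test/tere/serviciotere" …

I am using Apache CXF to call a WCF service from a Java client. The service is secured by an STS at another address. I have configured the service client to request a security token before calling the main service, and that works (it tries to call the STS), but the STS expects some additional data to be provided in the RequestSecurityToken element. The STS's policy specifies that the RequestSecurityToken be encrypted and signed before it is sent, and that is what is causing my problem. Encryption and signing are working, but I can't seem to modify the SOAP message before it is encrypted.
I looked at this question: How to modify the raw XML message of an outbound CXF request? While it helped a lot, the part of the XML I need to change is inside a part of the SOAP message that is encrypted and signed.
I made an Interceptor and tried it in all the different phases I could find, but none of them seems to be called between the creation of the RequestSecurityToken and its encryption and signing.
Is there one? Or is there already a facility for adding extra elements to the RequestSecurityToken?
Edited for clarity:
This is what my RST looks like now: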
<wst:RequestSecurityToken xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
<wsp:AppliesTo xmlns:wsp="http://www.w3.org/ns/ws-policy">
<wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Address>http://localhost:9085/MyService</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</wst:TokenType>
<wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</wst:KeyType>
<wst:KeySize>192</wst:KeySize>
<wst:Entropy>
<wst:BinarySecret Type="http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce">OlbfbuCUf3N2lNf9mhD03gfeMk0TfPI2nLWx8edlL5w=</wst:BinarySecret>
</wst:Entropy>
<wst:ComputedKeyAlgorithm>http://docs.oasis-open.org/ws-sx/ws-trust/200512/CK/PSHA1</wst:ComputedKeyAlgorithm>
<wst:Renewing/>
</wst:RequestSecurityToken>
Here is roughly what the service provider's documentation says (note the Credentials element near the end):
<t:RequestSecurityToken xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
<t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
<Address>http://localhost:9085/MyService</Address>
</EndpointReference>
</wsp:AppliesTo>
<t:Entropy>
<t:BinarySecret u:Id="uuid-e2d08122-45ab-45cd-80d1-46de2306836b-1" Type="http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce" …

I am trying to call a web service and want to manually add a WS-Security header to the request, because .NET Core 2.2 does not currently support WS-Security.
I have created my custom security header class:
public class SoapSecurityHeader : MessageHeader
{
    private readonly string _password, _username;

    public SoapSecurityHeader(string id, string username, string password)
    {
        _password = password;
        _username = username;
    }

    public override bool MustUnderstand => true;

    public override string Name
    {
        get { return "Security"; }
    }

    public override string Namespace
    {
        get { return "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"; }
    }

    protected override void OnWriteStartHeader(XmlDictionaryWriter writer, MessageVersion messageVersion)
    {
        writer.WriteStartElement("wsse", Name, Namespace);
        writer.WriteAttributeString("s", "mustUnderstand", "http://schemas.xmlsoap.org/soap/envelope/", "1"); …

Help with signing a SOAP call.
In the old .NET Framework implementation, it worked like this (Microsoft.Web.Services3):
var svc = new QueryNumberPortingService.QueryNumberPortingService
{
    Url = "someServiceUrl"
};
var cert = new X509Certificate2("certFilePath", "certPassword", X509KeyStorageFlags.MachineKeySet);
svc.wsMessageHeader = new WsMessageHeaderType { ... };
var signatureToken = new X509SecurityToken(cert);
SoapContext requestContext = svc.RequestSoapContext;
requestContext.Security.Elements.Add(new MessageSignature(signatureToken));
return svc;
Output received:
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<soap:Header>
// Custom headers
// ...
<wsa:Action wsu:Id="Id-b6bb139a-38eb-4b01-8adc-dd8f7212dd65">...</wsa:Action>
<wsa:MessageID wsu:Id="Id-4601e0cd-aae2-4405-a7ec-8a6002563478">urn:uuid:6eaf15d8-9769-454f-9fc3-9757a7a8c924</wsa:MessageID>
<wsa:ReplyTo wsu:Id="Id-c6a68fcf-2b3d-4f02-afcf-e88fa760e7b8">
<wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
</wsa:ReplyTo>
<wsa:To wsu:Id="Id-1b0b6cf7-a96c-4a09-a57e-c96122fadb0c">https://...</wsa:To>
<wsse:Security soap:mustUnderstand="1"> …

Is there a way to add a wsse:Security UsernameToken header to a SOAP request in ZSI, Python? I searched the web but could not find an answer.