我在 GlassFish 3.0.1(Metro 堆栈)中托管 JAX-WS Web 服务。我想使用 UsernameTokens 在此 Web 服务上启用 WS-Security。我该怎么做呢?我还没有找到关于这个主题的非常好的文档 - 其中大部分是关于独立的 Metro 实现的,并且看起来非常复杂。相比之下,Apache CXF 只需要一个拦截器和一个密码回调。有人可以指导我一些简单的说明吗?
谢谢。纳雷什
我正在努力处理WCF绑定配置。我添加了第三方服务作为我的项目的参考。我得到了一些规格。
我需要使用,SOAP v1.2所以我想我需要WSHttpBinding它,https所以我需要SecurityMode.Transport
像这样的东西:
var binding = new WSHttpBinding();
binding.Security.Mode = SecurityMode.Transport;
var client = new MyClient(binding, addr);
var result = client.Method(new MyObject());
它会产生此请求正文。
var binding = new WSHttpBinding();
binding.Security.Mode = SecurityMode.Transport;
var client = new MyClient(binding, addr);
var result = client.Method(new MyObject());
根据我提供的规范,我需要在标头中包含和Security元素。正是我想要得到的和UsernameTokenTimestampBasicHttpBindingBasicHttpSecurityMode.TransportWithMessageCredential
当我尝试使用请求正文设置TransportWithMessageCredential模式时WSHttpBinding,请求正文会发生巨大变化。
binding.Security.Mode = SecurityMode.TransportWithMessageCredential;
binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
var client = new MyClient(binding, addr);
client.ClientCredentials.UserName.UserName = "username";
client.ClientCredentials.UserName.Password …我正在尝试请求这项内部服务,负责它的团队表示它需要用户名+密码并使用证书加密。
我想到使用这个模块node-soap,并在文档中找到了这个:
1- https://github.com/vpulim/node-soap#wssecurity
2- https://github.com/vpulim/node-soap#wssecuritycert
它解释了如何实现 WSSecurity,但一个规则会覆盖另一个规则。所以这段代码将不起作用:
var wsSecurity = new soap.WSSecurity('username', 'password', options)
client.setSecurity(wsSecurity);
var wsSecurity = new soap.WSSecurityCert(privateKey, publicKey, password);
client.setSecurity(wsSecurity);
使用这两种策略的正确方法是什么?
我是 SOAP 的新手,任何帮助将不胜感激
我正在尝试将 WS-Security 添加到我现有的服务中,其中所述服务是通过 TLS 访问的,并且我基本上成功地使用 SoapUI 对其进行了测试。
但是我对返回的响应有疑问;尽管响应看起来很完整,SoapUI 仍报告:
ERROR:org.apache.ws.security.WSSecurityException: An invalid security token was provided (Bad TokenType "")
org.apache.ws.security.WSSecurityException: An invalid security token was provided (Bad TokenType "")
at org.apache.ws.security.str.BSPEnforcer.checkEncryptedKeyBSPCompliance(BSPEnforcer.java:113)
at org.apache.ws.security.str.SecurityTokenRefSTRParser.processPreviousResult(SecurityTokenRefSTRParser.java:313)
at org.apache.ws.security.str.SecurityTokenRefSTRParser.parseSecurityTokenReference(SecurityTokenRefSTRParser.java:101)
at org.apache.ws.security.processor.ReferenceListProcessor.decryptDataRefEmbedded(ReferenceListProcessor.java:169)
at org.apache.ws.security.processor.ReferenceListProcessor.handleReferenceList(ReferenceListProcessor.java:104)
at org.apache.ws.security.processor.ReferenceListProcessor.handleToken(ReferenceListProcessor.java:64)
at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:402)
根据我所读到的内容,这是由于回复中的 SecurityTokenReference 元素缺少 TokenType 属性,这是遵守基本安全配置文件的条件。
问题是 - 如何在 WCF 中填充此属性?我没有找到任何关于这方面的明确信息。
来自 WCF 服务的 SOAP 响应中的加密密钥部分如下所示:
<e:EncryptedKey Id="_0" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns="http://www.w3.org/2000/09/xmldsig#"/>
</e:EncryptionMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference>
<o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">K6Ag94AG3hQuQ+rqQcBvb88Vl+Y=</o:KeyIdentifier>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>FQ58hAfisez2D8J9A49xFRQjfTSFhrWP9wJDnWq0MctAyLhoAynzu3/Z0jYK91uE4DVCgkFo9QGH6O/kR1icQxkpv/xb5gcB1mJTbIpbCOzw6ZtMEfbY0r9ML2fDcChGFPM/nh70Daqi4P9IO8dIZ5EAUcERvDMFvj4fhwwVycSNFUX40/8ywQALQksPb+1j2B3pzHntcyb6CJ0qD10xjbyyQoT0BgR/HeDQEJDQNvx41eqoDSy2/ImkNNfFCXQ47/k1sN48tWur6GEzDuwUBbiAJxVrCgzc6a7F9CrhWiE6DAublBzM8/EBKP5UD5p2WTcjDQxI4cBhqRwIGYcfhQ==</e:CipherValue>
</e:CipherData> …我正在尝试使用 Node 使用 SOAP WS-Security 服务,并且请求必须具有如下摘要结构:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:v1="http://ws.hc2.dc.com/v1">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-F9932E49C67837D88415342820380929"><!--DATA--></wsse:BinarySecurityToken>
<ds:Signature Id="SIG-F9932E49C67837D884153428203810212" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
</ds:Signature>
<wsse:UsernameToken wsu:Id="UsernameToken-F9932E49C67837D88415342820380868">
<wsse:Username><!--DATA--></wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"><!--DATA--></wsse:Password>
<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"><!--DATA--></wsse:Nonce>
<wsu:Created>2018-08-14T21:27:18.086Z</wsu:Created>
</wsse:UsernameToken>
<wsu:Timestamp wsu:Id="TS-F9932E49C67837D88415342820380867">
<wsu:Created>2018-08-14T21:27:18.086Z</wsu:Created>
<wsu:Expires>2018-08-14T21:28:18.086Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</soapenv:Header>
<soapenv:Body wsu:Id="id-E40CE4DF6628FFDAE615320042127276" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<!--BODY-->
</soapenv:Body>
</soapenv:Envelope>
请注意,标题仅包含security包含 4 个元素的标签:
BinarySecurityTokenSignatureUsernameTokenTimestamp使用 node soap模块,我只能生成一个标题:
UsernameToken 和 TimestampBinarySecurityToken, Signature, Timestamp(我不确定这些是否正确)但是我无法生成带有 4 个安全元素的标头。
那么,如何在 Node 中使用具有这四个限制的 SOAP WS-Security 服务?或者也许在 PHP 中?
我读过 Java 和 C# …
我有一些 Web 服务(用 Java 编写),我需要在 .NET 中为它创建客户端。WebService 具有 WS-Security 并且需要 PasswordDigest。首先,我已经在 SoapUI 中对其进行了测试,它适用于:
POST http://192.168.100.101:8181/services/ws/SomeService HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: application/soap+xml;charset=UTF-8;action="someMethod"
Content-Length: 971
Host: 192.168.100.101:8181
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
<soap:Envelope xmlns:not="http://existing-domain.com/op/integration/services" xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:UsernameToken wsu:Id="UsernameToken-2C1E2DE2B61EBB94E115572099598331">
<wsse:Username>SOME_LOGIN</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">rcSb6Hd8btcI9g6JvO7dGdiTBTI=</wsse:Password>
<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">PCoVwJm9oEXtusx6gkMb7w==</wsse:Nonce>
<wsu:Created>2019-05-07T06:19:19.824Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
</soap:Header>
<soap:Body>
<not:someMethod/>
</soap:Body>
</soap:Envelope>
在下一步中,我在 .NET 中准备了简单的客户端,并使用 Wireshark 检查它发送的内容:
POST /services/ws/SomeService HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: application/soap+xml;charset=UTF-8;action="someMethod"
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Host: 192.168.100.101:8181
Content-Length: 1124
Expect: 100-continue
Connection: Keep-Alive
<soap:Envelope xmlns:not="http://existing-domain.com/op/integration/services" xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Header> …好的,我们有一个目前在.NET 3.5中运行的传统ASMX Web服务,我们正在使用Visual Studio 2008.
问题是,我们需要添加身份验证,并希望利用WS-Security模型,而不会破坏任何不需要当前身份验证的现有内部客户端.
我们已经考虑过添加自定义标头,但这不是WS-Security-ish.升级到WCF虽然是长期目标,但短期内不可行.
有没有办法间接访问VS2008 ASMX Web服务的soap标头中的UsernameToken(假设它是由客户端传递的)?
我使用CXF的wsdl2java从WSDL生成了一堆客户端类.在执行以下操作时,如何将WS-Security添加到标头:
URL url = new URL("http://fqdn:8080/service/MessageHandler");
MessageHandlerService service = new MessageHandlerService(url);
MessageHandler handler = service.getMessageHandler();
MyMessage message = new MyMessage();
message.setSender("User 1");
handler.sendMessage(message);
我认为handler是一个javax.xml.ws.Service例子.
我在尝试向服务器发送soap请求(soapCall)时收到错误.
Fatal error: Uncaught SoapFault exception: [ns1:InvalidSecurity] An error was discovered processing the <wsse:Security> header
我需要发送ws-security标头
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken wsu:Id="UsernameToken-1" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:Username>userID</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">passwd</wsse:Password>
<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">ZTQ3YmJjZmM1ZTU5ODg3YQ==</wsse:Nonce>
<wsu:Created>2013-07-05T19:55:36.458Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
经过大量的研究后,我认为我得到的问题是nonce没有达到要求.正如我正在编制肥皂标题看起来像我得到的例子.唯一未知的因素是计算这个随机数......
从我得到的示例nonce,它是一组24个数字+字母+特殊字符
像这样的东西
ZTQ3YmJjZmM1ZTU5ODg3YQ==
但是,我不太确定你如何从php计算wsse nonce ...有什么标准吗?
我的代码
$nonce = sha1(mt_rand());
结果
dabddf9dbd95b490ace429f7ad6b55c3418cdd58
这与示例完全不同......我相信这就是为什么这段代码无效的原因.
所以我正在做更多的研究,现在我正在使用它
$NASC = substr(md5(uniqid('the_password_i_am _using', true)), 0, 16);
$nonce = base64_encode($NASC);
结果
NzJlMDQ4OTAyZWIxYWU5ZA==
现在,它看起来类似于示例,但我仍然从头开始显示该错误.
有人可以帮我一把吗?
用soapUI进行一些进一步测试.
相同的userID和passwd,将passwordtype设置为passwordtext
它正在发挥作用.
有谁知道soapUI如何计算nonce?或者知道soapUI如何通过ws-security?
我正在使用WSDL,我需要在发出SOAP请求时使用我的客户端证书签署Timestamp和SOAP-body.
我的签名证书必须在消息中表示为BinarySecurityToken,并包含在SOAP头中,如下所示:
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="true">
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs
.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-15730854BE4465A46D14538884282111">MIIFO.......56Q==</wss
e:BinarySecurityToken>
<wsu:Timestamp wsu:Id="TS-1">
<wsu:Created>2016-03-16T09:53:48.201Z</wsu:Created>
<wsu:Expires>2016-03-16T09:58:48.201Z</wsu:Expires>
</wsu:Timestamp>
.......
我正在使用WSS4JOutInterceptor来自定义我的请求,但无法找到如何将签名证书包含在请求中的方法:
// for outgoing messages: Signature and Timestamp validation
outProps.put(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.TIMESTAMP);
outProps.put(WSHandlerConstants.USER, "sss");
outProps.put(WSHandlerConstants.PW_CALLBACK_CLASS, ClientKeystorePasswordCallbackHandler.class.getName());
outProps.put(WSHandlerConstants.SIG_PROP_FILE, "client_sec.properties");
outProps.put(WSHandlerConstants.SIG_KEY_ID, "X509KeyIdentifier");
outProps.put(WSHandlerConstants.SIGNATURE_PARTS, "{}{http://schemas.xmlsoap.org/soap/envelope/}Body;{}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp}");
谁能建议我怎么做?