我正在使用 WSS4J 来验证肥皂消息中的签名和时间戳。但是当我收到没有签名时间戳部分的消息时,wssj4 认为一切正常,我希望在这种情况下看到错误。
我的好消息是这样的:
<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="1">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-3">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<ds:Reference URI="#id-2">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList=""/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>u8CMT7Q7fJJ1Dv5dEmzGU1FO5Y0=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#TS-1">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse soap"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>m8XN2C3FUjK4WHAXhO9gLI82XeE=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>X9EntCBO7nmNrYsYuugpHxN13wSUNhTF4exkRRWj0tTrfEqbz8potg==</ds:SignatureValue>
<ds:KeyInfo Id="KI-B60AEEFF94DBA35E9413402583324452">
<wsse:SecurityTokenReference wsu:Id="STR-B60AEEFF94DBA35E9413402583324473">
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>CN=TEST,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown</ds:X509IssuerName>
<ds:X509SerialNumber>1332750124</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsu:Timestamp wsu:Id="TS-1">
<wsu:Created>2012-06-21T05:58:52.392Z</wsu:Created>
<wsu:Expires>2012-06-21T06:03:52.392Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</soap:Header>
<soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-2">
[...]
</soap:Body>
</soap:Envelope>
和坏消息(这个应该抛出类似“时间戳未签名”的异常):
<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="1">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-3">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<ds:Reference URI="#id-2">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList=""/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>u8CMT7Q7fJJ1Dv5dEmzGU1FO5Y0=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>U6TSJXJTCryEm5FhoMBbEoiUIL0jjFDvPxPJ3ihoOHsWCwk4t3++2w==</ds:SignatureValue>
<ds:KeyInfo Id="KI-9AEDF8EC92B112ADE113402583983992">
<wsse:SecurityTokenReference wsu:Id="STR-9AEDF8EC92B112ADE113402583984013">
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>CN=TEST,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown</ds:X509IssuerName>
<ds:X509SerialNumber>1332750124</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsu:Timestamp wsu:Id="TS-1">
<wsu:Created>2012-06-21T05:59:58.376Z</wsu:Created>
<wsu:Expires>2012-06-21T06:04:58.376Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</soap:Header>
<soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-2">
[...]
</soap:Body>
</soap:Envelope>
所以我的坏消息不包含:
<ds:Reference URI="#TS-1">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse soap"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>m8XN2C3FUjK4WHAXhO9gLI82XeE=</ds:DigestValue>
</ds:Reference>
目前我的拦截器配置如下:
// verifying incepteptor
final String actions = WSHandlerConstants.TIMESTAMP + " " + WSHandlerConstants.SIGNATURE;
Map<String, Object> inProps = new HashMap<String, Object>();
Map<QName, Validator> validatorMap = new HashMap<QName, Validator>();
validatorMap.put(WSSecurityEngine.SIGNATURE, new SignatureTrustValidator());
validatorMap.put(WSSecurityEngine.TIMESTAMP, new TimeStampValidator());
inProps.put(WSS4JInInterceptor.VALIDATOR_MAP, validatorMap);
inProps.put(WSHandlerConstants.ACTION, actions);
inProps.put(WSHandlerConstants.SIGNATURE_PARTS, "{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body;{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp");
inProps.put(WSHandlerConstants.SIG_PROP_FILE, SIG_PROPFILE);
WSS4JInInterceptor verifying = new WSS4JInInterceptor(inProps);
如何设置 wss4j 来实现这种行为?顺便说一句:CXF 版本:2.5.1 WSS4J 版本:1.6.2