我正在开发一个 JAX-WS Web 服务,它必须根据 XML 数字签名规范验证传入的 SOAP 消息。我注意到一个奇怪的行为,我可以验证第一条传入的消息,但随后的消息(签名和引用)验证失败。如果我重新启动应用程序服务器(Websphere 8.5),我可以验证第一条消息。似乎应用程序服务器在我解析传入的 SOAP 消息之前对其进行了修改。修改后的 SOAP 消息在逻辑上是等效的 XML 文档,但它们的物理表示不同,并且规范化并不能解决问题。
下面是从 SOAPMessageContext 检索 SOAPMessage 并打印信封的代码。
@Override
public boolean handleMessage(SOAPMessageContext messageContext) {
// get the message from the context
SOAPMessage message = messageContext.getMessage();
// is an outgoing message?
Boolean isOutgoing = (Boolean) messageContext.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY);
if(!isOutgoing){
// incoming message...
// Retrieve the SOAP part of the incoming message
SOAPPart soapPart = message.getSOAPPart();
try {
System.out.println(soapPart.getEnvelope().toString());
} catch (SOAPException e1) {
// TODO Auto-generated catch block
e1.printStackTrace();
}
//...omissis...
}
}
以下是第一条消息的输出:
<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soap:Body>
<CommandMessage xmlns="http://www.cryptomathic.com/ckms">
<Commands Count="1">
<PushServerPublicKeyCommand>
<SerialNumber>10</SerialNumber>
<Target>COPS</Target>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyValue>
<RSAKeyValue>
<Modulus>nnVA6qE9XnEtZPDLrtmWYfyh7nSC6R0543mwWoPFR+JtnRb6kQUXzf8fYaqyUFb3WD+57d1a9OxCzXLW4ilhe+QjrSy7zfqEQWTxkf+ajUuH3q3V/EpWqJvz4zwcxdTOkseap7skMh+zTacmViKAOm2oZAca3HQ2RwSiaYpiOTLAijnvPXieGGxBau8tlfyXZ8c+3TSRBevuiVT9Q5xBph+iT+Kk0Ay1762M3NoPJYAF3zUoaRZ95HqzmE0uuX/fJ4OAju87uvSD7V5uRW5L1LQ6vESIExZ3XmmCc6zOPSIiwBc3z+E6OZiIxoHw068qyNCdNk184X0rtw2ccl3nyQ==</Modulus>
<Exponent>AQAB</Exponent>
</RSAKeyValue>
</KeyValue>
</KeyInfo>
</PushServerPublicKeyCommand>
</Commands>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>XKl5mK5WVr1RU95Zui14kVz4Bpo=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>NFakMv6OTJIDJowl2SabGmxSii55OuxLUoJcEIURVZKf4aqoeC03aKSY42agOnUep/Ov7ijF5rLOfrxdDsqT5TCYGaSNEaviR4LnCxFjZ5DJKHCNFuCvRQGTEKgzQFqxh9T7RpvyzuN0dh3WJvhCLMYGGZTmFqSpCpcpEU0pCcKO0U+VlwVGVK8eFrKxKYj+uo/y2p1KLpOl+BfdM/caUZ93CIS7AHgwABhQg0uW5Bg/3nuYnmtpHpoGgco0Ds+LTlUFmvInaCn8TK4tVe3TZB8s4bMnBLY1ztut4xdLL4OPRUyryV+r67H2oFnsfGrQ/GMstdcnYaM8GHm9EycjCg==</SignatureValue>
<KeyInfo>
<KeyValue>
<RSAKeyValue>
<Modulus>nnVA6qE9XnEtZPDLrtmWYfyh7nSC6R0543mwWoPFR+JtnRb6kQUXzf8fYaqyUFb3WD+57d1a9OxCzXLW4ilhe+QjrSy7zfqEQWTxkf+ajUuH3q3V/EpWqJvz4zwcxdTOkseap7skMh+zTacmViKAOm2oZAca3HQ2RwSiaYpiOTLAijnvPXieGGxBau8tlfyXZ8c+3TSRBevuiVT9Q5xBph+iT+Kk0Ay1762M3NoPJYAF3zUoaRZ95HqzmE0uuX/fJ4OAju87uvSD7V5uRW5L1LQ6vESIExZ3XmmCc6zOPSIiwBc3z+E6OZiIxoHw068qyNCdNk184X0rtw2ccl3nyQ==</Modulus>
<Exponent>AQAB</Exponent>
</RSAKeyValue>
</KeyValue>
</KeyInfo>
</Signature>
</CommandMessage>
</soap:Body>
这是后续消息的输出:
<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soap:Body>
<CommandMessage xmlns="http://www.cryptomathic.com/ckms" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#">
<Commands Count="1">
<PushServerPublicKeyCommand>
<SerialNumber>10</SerialNumber>
<Target>COPS</Target>
<ns2:KeyInfo>
<ns2:KeyValue>
<ns2:RSAKeyValue>
<ns2:Modulus>nnVA6qE9XnEtZPDLrtmWYfyh7nSC6R0543mwWoPFR+JtnRb6kQUXzf8fYaqyUFb3WD+57d1a9OxCzXLW4ilhe+QjrSy7zfqEQWTxkf+ajUuH3q3V/EpWqJvz4zwcxdTOkseap7skMh+zTacmViKAOm2oZAca3HQ2RwSiaYpiOTLAijnvPXieGGxBau8tlfyXZ8c+3TSRBevuiVT9Q5xBph+iT+Kk0Ay1762M3NoPJYAF3zUoaRZ95HqzmE0uuX/fJ4OAju87uvSD7V5uRW5L1LQ6vESIExZ3XmmCc6zOPSIiwBc3z+E6OZiIxoHw068qyNCdNk184X0rtw2ccl3nyQ==</ns2:Modulus>
<ns2:Exponent>AQAB</ns2:Exponent>
</ns2:RSAKeyValue>
</ns2:KeyValue>
</ns2:KeyInfo>
</PushServerPublicKeyCommand>
</Commands>
<ns2:Signature>
<ns2:SignedInfo>
<ns2:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ns2:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ns2:Reference URI="">
<ns2:Transforms>
<ns2:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ns2:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ns2:Transforms>
<ns2:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ns2:DigestValue>XKl5mK5WVr1RU95Zui14kVz4Bpo=</ns2:DigestValue>
</ns2:Reference>
</ns2:SignedInfo>
<ns2:SignatureValue>NFakMv6OTJIDJowl2SabGmxSii55OuxLUoJcEIURVZKf4aqoeC03aKSY42agOnUep/Ov7ijF5rLOfrxdDsqT5TCYGaSNEaviR4LnCxFjZ5DJKHCNFuCvRQGTEKgzQFqxh9T7RpvyzuN0dh3WJvhCLMYGGZTmFqSpCpcpEU0pCcKO0U+VlwVGVK8eFrKxKYj+uo/y2p1KLpOl+BfdM/caUZ93CIS7AHgwABhQg0uW5Bg/3nuYnmtpHpoGgco0Ds+LTlUFmvInaCn8TK4tVe3TZB8s4bMnBLY1ztut4xdLL4OPRUyryV+r67H2oFnsfGrQ/GMstdcnYaM8GHm9EycjCg==</ns2:SignatureValue>
<ns2:KeyInfo>
<ns2:KeyValue>
<ns2:RSAKeyValue>
<ns2:Modulus>nnVA6qE9XnEtZPDLrtmWYfyh7nSC6R0543mwWoPFR+JtnRb6kQUXzf8fYaqyUFb3WD+57d1a9OxCzXLW4ilhe+QjrSy7zfqEQWTxkf+ajUuH3q3V/EpWqJvz4zwcxdTOkseap7skMh+zTacmViKAOm2oZAca3HQ2RwSiaYpiOTLAijnvPXieGGxBau8tlfyXZ8c+3TSRBevuiVT9Q5xBph+iT+Kk0Ay1762M3NoPJYAF3zUoaRZ95HqzmE0uuX/fJ4OAju87uvSD7V5uRW5L1LQ6vESIExZ3XmmCc6zOPSIiwBc3z+E6OZiIxoHw068qyNCdNk184X0rtw2ccl3nyQ==</ns2:Modulus>
<ns2:Exponent>AQAB</ns2:Exponent>
</ns2:RSAKeyValue>
</ns2:KeyValue>
</ns2:KeyInfo>
</ns2:Signature>
</CommandMessage>
</soap:Body>
我总是使用 SoapUI 发送相同的消息,但正如您所见,消息在逻辑上是等效的,但在物理上是不同的。我怎样才能避免这种行为?
问候,乔瓦尼