1

我必须调用客户提供的 Web 服务(出于这个原因,下面的一些信息被屏蔽了)。我已经获得了一个 java 密钥库,其中包含我需要用来生成签名以包含在我的请求的 WSSecurity 标头中的私钥。

此外,我收到了一个有效的 SoapUI 项目,该项目使用适当的安全配置实现了此服务。soapUI 中的传出安全配置将“密钥标识符类型”设置为“二进制安全令牌”

我正在尝试使用 Apache Rampart 在我的 Java 应用程序中设置此调用。我注意到 OutflowSecurity 配置中没有等效于“二进制安全令牌”的密钥标识符,所以我正在尝试以下操作。这是我的axis2.xml文件中的相关片段:

<module ref="rampart" />
<parameter name="OutflowSecurity">
    <action>
        <items>Signature</items>
        <user>*******</user>
        <passwordCallbackClass>*******.PWCBHandler</passwordCallbackClass>
        <signaturePropFile>crypto.properties</signaturePropFile>
        <signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>
    </action>
</parameter>

这是我的 crypto.properties 文件的内容:

org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.file=C:/rampart/*****.jks
org.apache.ws.security.crypto.merlin.keystore.alias=******
org.apache.ws.security.crypto.merlin.alias.password=**********
org.apache.ws.security.crypto.merlin.keystore.password=********* (same as above)

问题是,当我尝试使用此配置执行服务时,出现以下错误:

org.apache.axis2.AxisFault: Error during Signature: 
at org.apache.rampart.handler.WSDoAllSender.processMessage(WSDoAllSender.java:75)
at org.apache.rampart.handler.WSDoAllHandler.invoke(WSDoAllHandler.java:72)
at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:262)
at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:427)
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:406)
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:229)
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:165)
... (removed)
Caused by: org.apache.ws.security.WSSecurityException: Error during Signature: 
at org.apache.ws.security.action.SignatureAction.execute(SignatureAction.java:64)
at org.apache.ws.security.handler.WSHandler.doSenderAction(WSHandler.java:202)
at org.apache.rampart.handler.WSDoAllSender.processBasic(WSDoAllSender.java:212)
at org.apache.rampart.handler.WSDoAllSender.processMessage(WSDoAllSender.java:72)
... 13 more
Caused by: org.apache.ws.security.WSSecurityException: Signature creation failed
at org.apache.ws.security.message.WSSecSignature.computeSignature(WSSecSignature.java:558)
at org.apache.ws.security.message.WSSecSignature.computeSignature(WSSecSignature.java:478)
at org.apache.ws.security.message.WSSecSignature.build(WSSecSignature.java:384)
at org.apache.ws.security.action.SignatureAction.execute(SignatureAction.java:61)
... 16 more
Caused by: org.apache.ws.security.WSSecurityException: General security error (The private key for the supplied alias does not exist in the keystore)
at org.apache.ws.security.components.crypto.Merlin.getPrivateKey(Merlin.java:725)
at org.apache.ws.security.message.WSSecSignature.computeSignature(WSSecSignature.java:501)
... 19 more
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
at sun.security.provider.KeyProtector.recover(Unknown Source)
at sun.security.provider.JavaKeyStore.engineGetKey(Unknown Source)
at sun.security.provider.JavaKeyStore$JKS.engineGetKey(Unknown Source)
at java.security.KeyStore.getKey(Unknown Source)
at org.apache.ws.security.components.crypto.Merlin.getPrivateKey(Merlin.java:711)
... 20 more

我已经尝试了所有不同的 signatureKeyIdentifiers 选项,但没有任何运气。谁能帮我弄清楚从这里去哪里调试这个问题?

谢谢!

4

3 回答 3

2

我不确定您的整体配置,但明显的问题是您用于从密钥库加载密钥的别名无效。也许您使用一些公钥的别名而不是私钥?当未提供别名本身时, Rampart 将使用用户作为关键别名,因此我将确保服务配置中的用户和属性中的别名都设置为相同的值。

您可以通过使用 JDK 中的 keytool 列出密钥库内容来验证要使用哪一个:

JDK/bin/keytool -list -keystore path/to/keystore

它应该打印:

alias1, 13-May-2013, trustedCertEntry, (public key only, used to verify signature)
Certificate fingerprint (SHA1): *****
alias2, 13-May-2013, PrivateKeyEntry, (private/public key pair, used to sign messages)
Certificate fingerprint (SHA1): *****
于 2013-06-15T10:01:04.603 回答
1

问题: 1. 除策略文件外,我们是否需要进行任何其他配置。2. 如果是,我们需要在哪里添加它。3. 您能否查看策略文件是否适合使用二进制安全令牌的要求。

        <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
            <ramp:user>***</ramp:user>
            <ramp:passwordCallbackClass>com.sosnoski.ws.library.adb.PWCBHandler</ramp:passwordCallbackClass>

            <ramp:signatureCrypto>
                <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
                    <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
                    <ramp:property name="org.apache.ws.security.crypto.merlin.file">com/sosnoski/ws/library/adb/***.jks</ramp:property>
                    <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">******</ramp:property>
                </ramp:crypto>
            </ramp:signatureCrypto>
        </ramp:RampartConfig>
    </wsp:All>
</wsp:ExactlyOne>

于 2014-03-20T20:42:03.917 回答
0

固定的。我的密码回调处理程序中的用户名错误。无法找到用于访问密钥的密码。感谢您的帮助。抱歉回复晚了。我之前曾将其作为对原始问题的评论。

于 2017-04-11T06:46:55.690 回答