我使用 WSO2 对消息进行数字签名和加密:
Web 服务部署在 weblogic 上,需要 SAML 令牌、正文和标头,并进行签名和加密。
场景 1:使用沿轴 api (1.6.2 +) 的支架为 wsdl 生成一个 Web 服务客户端,其策略需要 SAML 令牌。该代码生成一个经过数字签名和加密的 SOAP 信封,到达端点并成功返回结果。
<ds:Reference URI="#c4243cf4c8b6b8d6bc6570af5c0573e6">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse wsu soapenv" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>lWQgTrlIVeFKWqT1ktPs0/kK3tQ=</ds:DigestValue>
</ds:Reference>
场景 2:在 WSO2 ESB 4.7 中使用场景 1 中的相同代码,上述客户端作为类中介并使用 WSO2 ESB jar。请求 SOAP 信封经过完美签名和加密,除了 XML 语法的更改。
<ds:Reference URI="#Id-2003921168">
<ds:Transforms>
<ds:Transform
Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
<wsse:TransformationParameters>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</wsse:TransformationParameters>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>mfNA+3ZPnCMzS2Y0TJ1GsYcdHNE=</ds:DigestValue>
</ds:Reference>
两种情况下生成的签名似乎有所不同。WSO2 ESB 的 XML 安全实现与独立的 apache XML 安全实现不同吗?
从场景生成的 SOAP 信封无法在 weblogic Web 服务器上针对此签名进行验证,并通过以下堆栈跟踪引发 SOAP 错误:
<?xml version="1.0" encoding="utf-8"?><env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><env:Body><env:Fault><faultcode>env:Server</faultcode><faultstring>Failed to validate signature.</faultstring><detail><bea_fault:stacktrace xmlns:bea_fault="http://www.bea.com/servers/wls70/webservice/fault/1.0.0">weblogic.xml.crypto.wss.WSSecurityException: Failed to validate signature.
at weblogic.xml.crypto.wss.SecurityImpl.unmarshalAndProcessSignature(SecurityImpl.java:740)
at weblogic.xml.crypto.wss.SecurityImpl.unmarshalAndProcessSignature(SecurityImpl.java:689)
at weblogic.xml.crypto.wss.SecurityImpl.unmarshalChildren(SecurityImpl.java:544)
at weblogic.xml.crypto.wss.SecurityImpl.unmarshalInternal(SecurityImpl.java:450)
Caused by: weblogic.xml.crypto.dsig.api.XMLSignatureException
at weblogic.xml.crypto.wss.STRTransform.transform(STRTransform.java:303)
at weblogic.xml.crypto.dsig.ReferenceUtils.applyTransforms(ReferenceUtils.java:49)
at weblogic.xml.crypto.dsig.ReferenceImpl.createDigest(ReferenceImpl.java:161)
Caused by: weblogic.xml.crypto.wss.WSSecurityException: No token handler found for null
at weblogic.xml.crypto.wss.WSSecurityContext.getRequiredTokenHandler(WSSecurityContext.java:410)
at weblogic.xml.crypto.wss.STRTransform.transform(STRTransform.java:193)
Caused by: weblogic.xml.crypto.dsig.api.XMLSignatureException
at weblogic.xml.crypto.wss.STRTransform.transform(STRTransform.java:303)
at weblogic.xml.crypto.dsig.ReferenceUtils.applyTransforms(ReferenceUtils.java:49)
at weblogic.xml.crypto.dsig.ReferenceImpl.createDigest(ReferenceImpl.java:161)
at weblogic.xml.crypto.dsig.ReferenceImpl.validate(ReferenceImpl.java:116)
at weblogic.xml.crypto.dsig.XMLSignatureImpl.validate(XMLSignatureImpl.java:256)
使用的 Web 服务策略文件是:
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsp:All>
<ns1:AsymmetricBinding
xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<ns1:InitiatorToken>
<wsp:Policy>
<ns1:X509Token
ns1:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<ns1:WssX509V3Token10 />
</wsp:Policy>
</ns1:X509Token>
</wsp:Policy>
</ns1:InitiatorToken>
<ns1:RecipientToken>
<wsp:Policy>
<ns1:X509Token
ns1:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
<wsp:Policy>
<ns1:WssX509V3Token10 />
</wsp:Policy>
</ns1:X509Token>
</wsp:Policy>
</ns1:RecipientToken>
<ns1:AlgorithmSuite>
<wsp:Policy>
<ns1:Basic256 />
</wsp:Policy>
</ns1:AlgorithmSuite>
<ns1:Layout>
<wsp:Policy>
<ns1:Lax />
</wsp:Policy>
</ns1:Layout>
<ns1:IncludeTimestamp />
<ns1:ProtectTokens />
<ns1:OnlySignEntireHeadersAndBody />
</wsp:Policy>
</ns1:AsymmetricBinding>
<ns2:SignedSupportingTokens
xmlns:ns2="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<ns2:IssuedToken
ns2:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<ns2:Issuer>
<Address xmlns="http://www.w3.org/2005/08/addressing">https://HYD-69ZRV01-L:6002/standalonests/SamlSTS
</Address>
</ns2:Issuer>
<ns2:RequestSecurityTokenTemplate>
<t:TokenType xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">urn:oasis:names:tc:SAML:1.0:assertion
</t:TokenType>
</ns2:RequestSecurityTokenTemplate>
<wsp:Policy>
<ns2:RequireInternalReference />
</wsp:Policy>
</ns2:IssuedToken>
</wsp:Policy>
<wsp:Policy>
<ns2:SamlToken
ns2:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<ns2:WssSamlV11Token10 />
</wsp:Policy>
</ns2:SamlToken>
</wsp:Policy>
</ns2:SignedSupportingTokens>
<!--
<ns2:SignedSupportingTokens
xmlns:ns2="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<ns2:SamlToken
ns2:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<ns2:WssSamlV11Token10 />
</wsp:Policy>
</ns2:SamlToken>
</wsp:Policy>
</ns2:SignedSupportingTokens>
-->
<ns3:Wss10 xmlns:ns3="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<ns3:MustSupportRefKeyIdentifier />
<ns3:MustSupportRefIssuerSerial />
</wsp:Policy>
</ns3:Wss10>
<ns4:EncryptedParts
xmlns:ns4="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<ns4:Body />
</ns4:EncryptedParts>
<ns5:SignedParts
xmlns:ns5="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<ns5:Body />
</ns5:SignedParts>
</wsp:All>
</wsp:Policy>
谢谢。