3

环境 :

  1. 阿帕奇 CXF 2.7.8
  2. Jboss EAP 6
  3. 用于测试客户端的 SoapUI

我尝试实现简单身份验证,即使用密码简单文本类型,它正在工作,但是当我尝试实现密码摘要类型时,给了我异常:

现在展开:org.apache.cxf.binding.soap.SoapFault:消息已过期 org.apache.ws.security.WSSecurityException:消息已过期

我在五分钟内为每个请求和时间提供新的随机数值

WSS4JInInterceptor Bean 类定义:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:jaxws="http://cxf.apache.org/jaxws"
    xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd">

    <import resource="classpath:META-INF/cxf/cxf.xml" /> 
    <import resource="classpath:META-INF/cxf/cxf-extension-soap.xml" />
    <import resource="classpath:META-INF/cxf/cxf-servlet.xml" /> 

    <jaxws:endpoint id="orderProcess" implementor="demo.order.OrderProcessImpl" address="/OrderProcess" >

      <jaxws:inInterceptors>
         <bean
            class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
            <constructor-arg>
                <map>
                  <entry key="action" value="UsernameToken"/>
                  <entry key="passwordType" value="PasswordDigest"/>
                  <entry key="passwordCallbackRef" value-ref="myPasswordCallback"/>
               </map> 
            </constructor-arg>
         </bean>
      </jaxws:inInterceptors>
      </jaxws:endpoint>
      <bean id="myPasswordCallback" class="service.ServerPasswordCallback" />  
</beans>

客户端xml请求代码:

  <soapenv:Envelope 
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" 
xmlns:ord="http://order.demo/" 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
 <soapenv:Header>
<wsse:Security>
           <wsse:UsernameToken>
                                <wsse:Username>joe</wsse:Username>
                                <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">PE7F51/oyWFVMsiZURuUwjoZVPY=</wsse:Password>
                         <!--<wsu:Created>2013-12-17T13:12:00.429Z</wsu:Created>-->
                           <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">efPSkfHXTM6NFDDD1CJHsw==</wsse:Nonce>
                              <wsu:Created>2013-12-23T12:17:15Z</wsu:Created>
               </wsse:UsernameToken>


</wsse:Security>
</soapenv:Header>
   <soapenv:Body>
      <ord:processOrder>
         <!--Optional:-->
         <arg0>
            <!--Optional:-->
            <customerID>234</customerID>
            <!--Optional:-->
            <itemID>0908923</itemID>
            <price>23423</price>
            <qty>1000</qty>
         </arg0>
      </ord:processOrder>
   </soapenv:Body>
</soapenv:Envelope>

当我尝试调用该服务时,我遇到了异常

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
   <soap:Body>
      <soap:Fault>
         <faultcode xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">ns1:MessageExpired</faultcode>
         <faultstring>The message has expired</faultstring>
      </soap:Fault>
   </soap:Body>
</soap:Envelope>

谁能告诉我我在哪里犯错?

4

1 回答 1

1

我怀疑这是 wss4j 早期版本中的错误。如果您使用 SimpleDateFormat 解析日期,您可能希望将时区设置为 UTC(祖鲁时间)。

sdf.setTimeZone("UTC");

然而,这已在 2.0-beta 中得到修复。

http://grepcode.com/file/repo1.maven.org/maven2/org.apache.wss4j/wss4j-ws-security-dom/2.0-beta/org/apache/wss4j/dom/message/token/UsernameToken。爪哇#226

编辑:这不是 wss4j 中的错误。规范规定时区必须是 UTC。

于 2014-04-30T12:12:39.077 回答