Fatal编程技术网
  • java/
  • Java 迁移到CXF 3.2.7->如何解决SOAP RQ处理过程中与密码相关的安全错误?

Java 迁移到CXF 3.2.7->如何解决SOAP RQ处理过程中与密码相关的安全错误?

java soap

Java 迁移到CXF 3.2.7->如何解决SOAP RQ处理过程中与密码相关的安全错误?,java,soap,cxf,ws-security,wss4j,Java,Soap,Cxf,Ws Security,Wss4j,上下文:我正在尝试将Web服务从CXF 2.2.2迁移到CXF 3.2.7 问题: 迁移后每当我试图通过SOAP UI之类的软件对我的Web服务发出以下基于HTTP-Post SOAP的请求时: <SOAP-ENV:Header> <wsse:Security SOAP-ENV:mustUnderstand="1"> <wsse:UsernameToken wsu:Id=""> <wsse:Username&g

上下文:我正在尝试将Web服务从CXF 2.2.2迁移到CXF 3.2.7

问题: 迁移后每当我试图通过SOAP UI之类的软件对我的Web服务发出以下基于HTTP-Post SOAP的请求时:

<SOAP-ENV:Header>
      <wsse:Security SOAP-ENV:mustUnderstand="1">
        <wsse:UsernameToken wsu:Id="">
        <wsse:Username>sampleUser</wsse:Username>
        <wsse:Password>12345</wsse:Password>
        <wsse:PartnerID>samplePartner</wsse:PartnerID>
</wsse:UsernameToken>
</wsse:Security>
    <wsa:To>http://localhost:8080/sampleWs</wsa:To>
    <wsa:Action>http://localhost:8080/sampleWs/sampleAction</wsa:Action>
      <wsa:From>
      <wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
</wsa:From>
</SOAP-ENV:Header>
我从CXF安全模块收到以下安全异常:

18:11:29,250 WARNING [org.apache.cxf.phase.PhaseInterceptorChain] (http-127.0.0.1:8080-1) Interceptor for {http://ws.sampleWs.varun/}SampleWebService has thrown exception, unwinding now: org.apache.cxf.binding.soap.SoapFault: A security error was encountered when verifying the message
        at org.apache.cxf.ws.security.wss4j.WSS4JUtils.createSoapFault(WSS4JUtils.java:234) [cxf-rt-ws-security-3.2.7.jar:3.2.7]
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:341) [cxf-rt-ws-security-3.2.7.jar:3.2.7]
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:176) [cxf-rt-ws-security-3.2.7.jar:3.2.7]
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:87) [cxf-rt-ws-security-3.2.7.jar:3.2.7]
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) [cxf-core-3.2.7.jar:3.2.7]
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) [cxf-core-3.2.7.jar:3.2.7]
        .
        .
        .
Caused by: org.apache.wss4j.common.ext.WSSecurityException: BSP:R4201: Any PASSWORD MUST specify a Type attribute
        at org.apache.wss4j.common.bsp.BSPEnforcer.handleBSPRule(BSPEnforcer.java:57) [wss4j-ws-security-common-2.2.2.jar:2.2.2]
        at org.apache.wss4j.dom.message.token.UsernameToken.checkBSPCompliance(UsernameToken.java:834) [wss4j-ws-security-dom-2.2.2.jar:2.2.2]
        at org.apache.wss4j.dom.message.token.UsernameToken.<init>(UsernameToken.java:143) [wss4j-ws-security-dom-2.2.2.jar:2.2.2]
        at org.apache.wss4j.dom.processor.UsernameTokenProcessor.handleUsernameToken(UsernameTokenProcessor.java:137) [wss4j-ws-security-dom-2.2.2.jar:2.2.2]
        at org.apache.wss4j.dom.processor.UsernameTokenProcessor.handleToken(UsernameTokenProcessor.java:62) [wss4j-ws-security-dom-2.2.2.jar:2.2.2]
        at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:340) [wss4j-ws-security-dom-2.2.2.jar:2.2.2]
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:285) [cxf-rt-ws-security-3.2.7.jar:3.2.7]
        ... 28 more
根本原因似乎是wsse:password标记中缺少一个属性

我检查了安全WS规范:

在那里,我找不到最新的CXF所期望的wsse:password的强制类型属性

注意:CXF 2.2.2版可以很好地处理相同的请求

问题: 是否有办法防止CXF放弃上述请求并允许其通过。 我到处找了很多,但找不到任何答案?有什么建议吗?
或者修改SOAP请求是唯一的解决方案?

上述请求被删除,因为正如@GPI前面所述,CXF试图强制执行基本安全规范中的R4201

为了防止CXF强制执行此操作,我们可以使用ws-security和wss4j提供的配置常量来指示CXF停止强制执行

解决方案1使用WSS4J拦截器

在spring配置文件中,您可以将isBspCompliant设置为false:

有关其他配置选项,您可以参考以下页面:

我也面临同样的问题,并发现soap请求中存在问题

我可以通过添加以下内容来解决此问题:

soap中的以下属性:信封xmlns:wsse=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd wsse中的以下属性:密码类型=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0PasswordText 我请求的标题如下所示

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tic="http://ticket.degroupage.atos.ma/"  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
   <soapenv:Header>
      <wsse:Security soapenv:mustUnderstand="1">
         <wsse:UsernameToken><wsse:Username>XXXX</wsse:Username>
         <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">XXXX</wsse:Password>
         </wsse:UsernameToken>
     </wsse:Security></soapenv:Header>
   <soapenv:Body>
...
没有为您的问题提供解决方案,但您提到的XSD确实要求使用类型属性wsse:Password是PasswordString类型,它扩展了AttributeString,后者具有强制类型。此外,XSD只是基本需求概要规则R4201的翻译谢谢!请原谅我的愚蠢,但您这么说是因为AttributedString中没有minOccurs=0?同样,如果是这样的话,我仍然会保留这个问题,以防有人有解决方案。一般来说,在XSD规范中,当没有指定基数时,默认值是强制性的,并且只有一个Occurs minOccurs=maxOccurs=1。看见但这甚至无关紧要,因为规范而不是XSD表明该属性是强制性的,所以即使XSD不是强制性的,WSS4J也会检查它。谢谢你提供的信息,你能给我提供规范链接吗?或者快速谷歌搜索的关键词?在我的第一条评论中有链接:- 
    <jaxws:endpoint id="sample" implementor="sample.ws.SampleWebService" address="/SampleWebService">
    <jaxws:properties> 
    <entry key="ws-security.is-bsp-compliant" value="false"/> 
    </jaxws:properties> 
</jaxws:endpoint>

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tic="http://ticket.degroupage.atos.ma/"  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
   <soapenv:Header>
      <wsse:Security soapenv:mustUnderstand="1">
         <wsse:UsernameToken><wsse:Username>XXXX</wsse:Username>
         <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">XXXX</wsse:Password>
         </wsse:UsernameToken>
     </wsse:Security></soapenv:Header>
   <soapenv:Body>
...