Java 迁移到CXF 3.2.7->如何解决SOAP RQ处理过程中与密码相关的安全错误?
上下文:我正在尝试将Web服务从CXF 2.2.2迁移到CXF 3.2.7 问题: 迁移后每当我试图通过SOAP UI之类的软件对我的Web服务发出以下基于HTTP-Post SOAP的请求时:Java 迁移到CXF 3.2.7->如何解决SOAP RQ处理过程中与密码相关的安全错误?,java,soap,cxf,ws-security,wss4j,Java,Soap,Cxf,Ws Security,Wss4j,上下文:我正在尝试将Web服务从CXF 2.2.2迁移到CXF 3.2.7 问题: 迁移后每当我试图通过SOAP UI之类的软件对我的Web服务发出以下基于HTTP-Post SOAP的请求时: <SOAP-ENV:Header> <wsse:Security SOAP-ENV:mustUnderstand="1"> <wsse:UsernameToken wsu:Id=""> <wsse:Username&g
<SOAP-ENV:Header>
<wsse:Security SOAP-ENV:mustUnderstand="1">
<wsse:UsernameToken wsu:Id="">
<wsse:Username>sampleUser</wsse:Username>
<wsse:Password>12345</wsse:Password>
<wsse:PartnerID>samplePartner</wsse:PartnerID>
</wsse:UsernameToken>
</wsse:Security>
<wsa:To>http://localhost:8080/sampleWs</wsa:To>
<wsa:Action>http://localhost:8080/sampleWs/sampleAction</wsa:Action>
<wsa:From>
<wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
</wsa:From>
</SOAP-ENV:Header>
我从CXF安全模块收到以下安全异常:
18:11:29,250 WARNING [org.apache.cxf.phase.PhaseInterceptorChain] (http-127.0.0.1:8080-1) Interceptor for {http://ws.sampleWs.varun/}SampleWebService has thrown exception, unwinding now: org.apache.cxf.binding.soap.SoapFault: A security error was encountered when verifying the message
at org.apache.cxf.ws.security.wss4j.WSS4JUtils.createSoapFault(WSS4JUtils.java:234) [cxf-rt-ws-security-3.2.7.jar:3.2.7]
at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:341) [cxf-rt-ws-security-3.2.7.jar:3.2.7]
at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:176) [cxf-rt-ws-security-3.2.7.jar:3.2.7]
at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:87) [cxf-rt-ws-security-3.2.7.jar:3.2.7]
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) [cxf-core-3.2.7.jar:3.2.7]
at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) [cxf-core-3.2.7.jar:3.2.7]
.
.
.
Caused by: org.apache.wss4j.common.ext.WSSecurityException: BSP:R4201: Any PASSWORD MUST specify a Type attribute
at org.apache.wss4j.common.bsp.BSPEnforcer.handleBSPRule(BSPEnforcer.java:57) [wss4j-ws-security-common-2.2.2.jar:2.2.2]
at org.apache.wss4j.dom.message.token.UsernameToken.checkBSPCompliance(UsernameToken.java:834) [wss4j-ws-security-dom-2.2.2.jar:2.2.2]
at org.apache.wss4j.dom.message.token.UsernameToken.<init>(UsernameToken.java:143) [wss4j-ws-security-dom-2.2.2.jar:2.2.2]
at org.apache.wss4j.dom.processor.UsernameTokenProcessor.handleUsernameToken(UsernameTokenProcessor.java:137) [wss4j-ws-security-dom-2.2.2.jar:2.2.2]
at org.apache.wss4j.dom.processor.UsernameTokenProcessor.handleToken(UsernameTokenProcessor.java:62) [wss4j-ws-security-dom-2.2.2.jar:2.2.2]
at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:340) [wss4j-ws-security-dom-2.2.2.jar:2.2.2]
at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:285) [cxf-rt-ws-security-3.2.7.jar:3.2.7]
... 28 more
根本原因似乎是wsse:password标记中缺少一个属性
我检查了安全WS规范:
在那里,我找不到最新的CXF所期望的wsse:password的强制类型属性
注意:CXF 2.2.2版可以很好地处理相同的请求
问题:
是否有办法防止CXF放弃上述请求并允许其通过。
我到处找了很多,但找不到任何答案?有什么建议吗?
或者修改SOAP请求是唯一的解决方案?上述请求被删除,因为正如@GPI前面所述,CXF试图强制执行基本安全规范中的R4201 为了防止CXF强制执行此操作,我们可以使用ws-security和wss4j提供的配置常量来指示CXF停止强制执行 解决方案1使用WSS4J拦截器 在spring配置文件中,您可以将isBspCompliant设置为false: 有关其他配置选项,您可以参考以下页面:
我也面临同样的问题,并发现soap请求中存在问题 我可以通过添加以下内容来解决此问题: soap中的以下属性:信封xmlns:wsse=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd wsse中的以下属性:密码类型=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0PasswordText 我请求的标题如下所示
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tic="http://ticket.degroupage.atos.ma/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<soapenv:Header>
<wsse:Security soapenv:mustUnderstand="1">
<wsse:UsernameToken><wsse:Username>XXXX</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">XXXX</wsse:Password>
</wsse:UsernameToken>
</wsse:Security></soapenv:Header>
<soapenv:Body>
...
没有为您的问题提供解决方案,但您提到的XSD确实要求使用类型属性wsse:Password是PasswordString类型,它扩展了AttributeString,后者具有强制类型。此外,XSD只是基本需求概要规则R4201的翻译谢谢!请原谅我的愚蠢,但您这么说是因为AttributedString中没有minOccurs=0?同样,如果是这样的话,我仍然会保留这个问题,以防有人有解决方案。一般来说,在XSD规范中,当没有指定基数时,默认值是强制性的,并且只有一个Occurs minOccurs=maxOccurs=1。看见但这甚至无关紧要,因为规范而不是XSD表明该属性是强制性的,所以即使XSD不是强制性的,WSS4J也会检查它。谢谢你提供的信息,你能给我提供规范链接吗?或者快速谷歌搜索的关键词?在我的第一条评论中有链接:-
<jaxws:endpoint id="sample" implementor="sample.ws.SampleWebService" address="/SampleWebService">
<jaxws:properties>
<entry key="ws-security.is-bsp-compliant" value="false"/>
</jaxws:properties>
</jaxws:endpoint>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tic="http://ticket.degroupage.atos.ma/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<soapenv:Header>
<wsse:Security soapenv:mustUnderstand="1">
<wsse:UsernameToken><wsse:Username>XXXX</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">XXXX</wsse:Password>
</wsse:UsernameToken>
</wsse:Security></soapenv:Header>
<soapenv:Body>
...