Java 验证SOAP响应xml时间戳和签名X509 spring ws-security
我是spring ws-security的新手,已经阅读了几乎所有关于google和stacktrace的文章,但无法使其正常工作。Java 验证SOAP响应xml时间戳和签名X509 spring ws-security,java,web-services,soap,x509,spring-ws,Java,Web Services,Soap,X509,Spring Ws,我是spring ws-security的新手,已经阅读了几乎所有关于google和stacktrace的文章,但无法使其正常工作。 我需要验证响应XML签名、时间戳,然后检索数据。当我跳过验证时,没有问题,但当我添加验证代码时,我收到错误: 警告:无法验证请求:签名或解密无效;嵌套异常为org.apache.ws.security.WSSecurityException:签名或解密无效 @Configuration public class SoapClientConfig { final
我需要验证响应XML签名、时间戳,然后检索数据。当我跳过验证时,没有问题,但当我添加验证代码时,我收到错误: 警告:无法验证请求:签名或解密无效;嵌套异常为org.apache.ws.security.WSSecurityException:签名或解密无效
@Configuration
public class SoapClientConfig {
final String generatedResource = "packageName";
@Bean
public KeyStoreCallbackHandler securityCallbackHandler() {
KeyStoreCallbackHandler callbackHandler = new KeyStoreCallbackHandler();
callbackHandler.setPrivateKeyPassword("serverkeystorepassword");
return callbackHandler;
}
@Bean
public Wss4jSecurityInterceptor securityInterceptor() throws Exception {
Wss4jSecurityInterceptor securityInterceptor = new Wss4jSecurityInterceptor();
// set security actions
securityInterceptor.setSecurementActions("Timestamp Signature");
securityInterceptor.setSecurementUsername("clientkeystoreusername");
securityInterceptor.setSecurementPassword("clientkeystorepassword");
//sign both body and timestamp - default body will be signed
securityInterceptor.setSecurementSignatureParts("{}{http://schemas.xmlsoap.org/soap/envelope/}Body;{}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp");
//This will generate binarySecurityToken in header
securityInterceptor.setSecurementSignatureKeyIdentifier("DirectReference");
securityInterceptor.setSecurementSignatureCrypto(getRequestCryptoBean().getObject());
//This is validation code, which is not validating response.
securityInterceptor.setValidationActions("Timestamp Signature");
securityInterceptor.setValidationSignatureCrypto(getResponseCryptoBean().getObject());
securityInterceptor.setValidationCallbackHandler(securityCallbackHandler());
return securityInterceptor;
}
@Bean
public CryptoFactoryBean getRequestCryptoBean() throws IOException, URISyntaxException {
CryptoFactoryBean cryptoFactoryBean = new CryptoFactoryBean();
cryptoFactoryBean.setKeyStorePassword("clientkeystorepassword");
cryptoFactoryBean.setKeyStoreLocation("client.jks");
return cryptoFactoryBean;
}
@Bean
public CryptoFactoryBean getResponseCryptoBean() throws Exception {
CryptoFactoryBean cryptoFactoryBean = new CryptoFactoryBean();
cryptoFactoryBean.setDefaultX509Alias("1");
cryptoFactoryBean.setKeyStorePassword("serverkeystorepassword");
cryptoFactoryBean.setKeyStoreLocation("server.jks");
cryptoFactoryBean.afterPropertiesSet();
return cryptoFactoryBean;
}
@Bean
public Jaxb2Marshaller getMarshaller() {
Jaxb2Marshaller marshaller = new Jaxb2Marshaller();
marshaller.setContextPath(generatedResource);
return marshaller;
}
@Bean
public Card getAvailableCardsClient() throws Exception {
Card memberCard = new Card();
memberCard.setMarshaller(getMarshaller());
memberCard.setUnmarshaller(getMarshaller());
//Set timeout for soap service
HttpComponentsMessageSender sender = new HttpComponentsMessageSender();
sender.setConnectionTimeout(2000);
sender.setReadTimeout(2000);
memberCard.setMessageSender(sender);
//end timeout
memberCard.setDefaultUri("url");
//add interceptor for adding and validating signature
ClientInterceptor[] interceptors = new ClientInterceptor[]{securityInterceptor()};
memberCard.setInterceptors(interceptors);
return memberCard;
}
}
**server.jks包含服务器的公钥。而且这个身份验证是X509证书。
请帮助我找出如何验证响应。我找到了我的解决方案,并为其他同舟共济的人发布了帖子。
在我的场景中,因为我必须使用两个不同的证书(server.jks、client.jks)进行请求和响应验证;我不能使用相同的拦截器。我最终创建了两个不同的拦截器,一个用于请求,一个用于响应 以下是工作代码副本:
@Configuration
public class SoapClientConfig {
@Bean
public KeyStoreCallbackHandler securityCallbackHandler() throws Exception {
KeyStoreCallbackHandler callbackHandler = new KeyStoreCallbackHandler();
callbackHandler.setSymmetricKeyPassword("serverPassword");
return callbackHandler;
}
@Bean
public Wss4jSecurityInterceptor securityInterceptor() throws IOException, Exception {
Wss4jSecurityInterceptor securityInterceptor = new Wss4jSecurityInterceptor();
// set security actions
securityInterceptor.setSecurementActions("Timestamp Signature");
securityInterceptor.setSecurementUsername("clientAias");
securityInterceptor.setSecurementPassword("clientPassword");
//sign both body and timestamp - default body will be signed
securityInterceptor.setSecurementSignatureParts("{}{http://schemas.xmlsoap.org/soap/envelope/}Body;{}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp");
//This will generate binarySecurityToken in header
securityInterceptor.setSecurementSignatureKeyIdentifier("DirectReference");
securityInterceptor.setSecurementSignatureCrypto(getRequestCryptoBean().getObject());
return securityInterceptor;
}
@Bean
public CryptoFactoryBean getRequestCryptoBean() throws IOException {
CryptoFactoryBean cryptoFactoryBean = new CryptoFactoryBean();
cryptoFactoryBean.setKeyStorePassword("clientPassword");
cryptoFactoryBean.setKeyStoreLocation("clientCertLoc");
return cryptoFactoryBean;
}
@Bean
public Wss4jSecurityInterceptor responseSecurityInterceptor() throws IOException, Exception {
Wss4jSecurityInterceptor securityInterceptor = new Wss4jSecurityInterceptor();
securityInterceptor.setValidationActions("Timestamp Signature");
securityInterceptor.setValidationSignatureCrypto(getResponseCryptoBean().getObject());
securityInterceptor.setValidationCallbackHandler(securityCallbackHandler());
return securityInterceptor;
}
@Bean
public CryptoFactoryBean getResponseCryptoBean() throws Exception {
CryptoFactoryBean cryptoFactoryBean = new CryptoFactoryBean();
cryptoFactoryBean.setKeyStoreLocation("serverCertLoc");
cryptoFactoryBean.setDefaultX509Alias("serverAlias");
cryptoFactoryBean.setKeyStorePassword("serverPassword");
cryptoFactoryBean.afterPropertiesSet();
return cryptoFactoryBean;
}
@Bean
public Jaxb2Marshaller getMarshaller() {
Jaxb2Marshaller marshaller = new Jaxb2Marshaller();
marshaller.setContextPath(generatedResource);
return marshaller;
}
@Bean
public WebServiceClass getPojoClassMethod() throws ConnectException, Exception {
WebServiceClass pClass= new WebServiceClass();
pClass.setMarshaller(getMarshaller());
pClass.setUnmarshaller(getMarshaller());
//Set timeout for soap service
HttpComponentsMessageSender sender = new HttpComponentsMessageSender();
int timeout;
if (null == stringFromEnvironmentOrIllegalStateException(env, timeoutInMs)) {
timeout = 10000;
} else {
timeout = Integer.parseInt(stringFromEnvironmentOrIllegalStateException(env, timeoutInMs));
}
sender.setConnectionTimeout(timeout);
sender.setReadTimeout(timeout);
pClass.setMessageSender(sender);
//end timeout config
pClass.setDefaultUri("actionURL");
ClientInterceptor[] interceptors = new ClientInterceptor[]{securityInterceptor(), responseSecurityInterceptor()};
pClass.setInterceptors(interceptors);
return pClass;
}
}
感谢您的帮助,我正在寻找一种解决方案,使用您调用soap Web服务的方法在X509Data下设置X509Certificate标记。