WCF server and WS-Security to a Java client (SoapUI)
I am trying to add WS-Security to an existing service, where said service is accessed over TLS, and I have successfully tested it using SoapUI. However, I have a problem with the response coming back; although the response looks complete, SoapUI reports:
ERROR:org.apache.ws.security.WSSecurityException: An invalid security token was provided (Bad TokenType "")
org.apache.ws.security.WSSecurityException: An invalid security token was provided (Bad TokenType "")
at org.apache.ws.security.str.BSPEnforcer.checkEncryptedKeyBSPCompliance(BSPEnforcer.java:113)
at org.apache.ws.security.str.SecurityTokenRefSTRParser.processPreviousResult(SecurityTokenRefSTRParser.java:313)
at org.apache.ws.security.str.SecurityTokenRefSTRParser.parseSecurityTokenReference(SecurityTokenRefSTRParser.java:101)
at org.apache.ws.security.processor.ReferenceListProcessor.decryptDataRefEmbedded(ReferenceListProcessor.java:169)
at org.apache.ws.security.processor.ReferenceListProcessor.handleReferenceList(ReferenceListProcessor.java:104)
at org.apache.ws.security.processor.ReferenceListProcessor.handleToken(ReferenceListProcessor.java:64)
at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:402)
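Based on this, the cause is that the SecurityTokenReference element in the reply lacks the TokenType attribute, which is a condition of complying with the Basic Security Profile.
The question is: how do I populate this attribute in WCF? I have not found any clear information on this.
The encrypted key section of the SOAP response from the WCF service looks like this: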
<e:EncryptedKey Id="_0" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
  <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns="http://www.w3.org/2000/09/xmldsig#"/>
  </e:EncryptionMethod>
  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <o:SecurityTokenReference>
      <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">K6Ag94AG3hQuQ+rqQcBvb88Vl+Y=</o:KeyIdentifier>
    </o:SecurityTokenReference>
  </KeyInfo>
  <e:CipherData>
    <e:CipherValue>FQ58hAfisez2D8J9A49xFRQjfTSFhrWP9wJDnWq0MctAyLhoAynzu3/Z0jYK91uE4DVCgkFo9QGH6O/kR1icQxkpv/xb5gcB1mJTbIpbCOzw6ZtMEfbY0r9ML2fDcChGFPM/nh70Daqi4P9IO8dIZ5EAUcERvDMFvj4fhwwVycSNFUX40/8ywQALQksPb+1j2B3pzHntcyb6CJ0qD10xjbyyQoT0BgR/HeDQEJDQNvx41eqoDSy2/ImkNNfFCXQ47/k1sN48tWur6GEzDuwUBbiAJxVrCgzc6a7F9CrhWiE6DAublBzM8/EBKP5UD5p2WTcjDQxI4cBhqRwIGYcfhQ==</e:CipherValue>
  </e:CipherData>
</e:EncryptedKey>
My WCF binding looks like this:
<customBinding>
  <binding name="NewBinding0">
    <security
        authenticationMode="MutualCertificate"
        allowSerializedSigningTokenOnReply="true"
        messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
        securityHeaderLayout="Lax"
        requireSignatureConfirmation="false"
        messageProtectionOrder="EncryptBeforeSign"
        includeTimestamp="false"
    >
      <localServiceSettings detectReplays="false" />
    </security>
    <textMessageEncoding messageVersion="Soap11" />
    <httpsTransport />
  </binding>
</customBinding>
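As an afterthought, is BSP strictly required for a "good" message? I can't see any way to turn off BSP checking in SoapUI, but given that WCF isn't applying it, I assume this is acceptable? Ultimately, the consumers of this service might be Java, might be .NET, might be something else, so if BSP can be disabled I am happy to drop BSP support in the name of broader compatibility. If that does seem to be an acceptable path, then, rather than having .NET try to comply with BSP, how do I turn off BSP processing in SoapUI for testing? (That said, if BSP can be enabled directly in .NET by adjusting the binding, I would be happy to do that.)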
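To locate which references in a captured response lack the TokenType attribute the error refers to, the following added example (not part of the original post) lists every SecurityTokenReference whose wsse11:TokenType is missing or empty. It assumes the `o:` prefix is bound to the standard OASIS secext 1.0 namespace; the sample message, its `k:` prefix, the `urn:example:` values and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Standard OASIS / W3C namespace URIs. Assumption: the "o:" prefix in the
# captured response is bound to WSSE (secext 1.0), as WCF normally emits.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSSE11 = "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
XENC = "http://www.w3.org/2001/04/xmlenc#"

# Constructed sample, not the asker's message: placeholder values throughout.
SAMPLE = f"""<o:Security xmlns:o="{WSSE}" xmlns:k="{WSSE11}" xmlns:e="{XENC}"
    xmlns="http://www.w3.org/2000/09/xmldsig#">
  <e:EncryptedKey Id="_0">
    <KeyInfo><o:SecurityTokenReference>
      <o:KeyIdentifier ValueType="urn:example:ski">PLACEHOLDER</o:KeyIdentifier>
    </o:SecurityTokenReference></KeyInfo>
  </e:EncryptedKey>
  <e:EncryptedData Id="_1">
    <KeyInfo><o:SecurityTokenReference>
      <o:Reference URI="#_0"/>
    </o:SecurityTokenReference></KeyInfo>
  </e:EncryptedData>
  <e:EncryptedData Id="_2">
    <KeyInfo><o:SecurityTokenReference k:TokenType="urn:example:token-type">
      <o:Reference URI="#_0"/>
    </o:SecurityTokenReference></KeyInfo>
  </e:EncryptedData>
</o:Security>"""

def strs_missing_token_type(xml_text):
    """Return one record per SecurityTokenReference without a usable TokenType."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for ref in root.iter(f"{{{WSSE}}}SecurityTokenReference"):
        if ref.get(f"{{{WSSE11}}}TokenType"):  # present and non-empty
            continue
        # Climb to the enclosing xenc element so the finding can be located.
        owner = parent_of.get(ref)
        while owner is not None and not owner.tag.startswith(f"{{{XENC}}}"):
            owner = parent_of.get(owner)
        child = ref[0] if len(ref) else None
        findings.append({
            "owner": owner.tag.split("}")[1] if owner is not None else None,
            "owner_id": owner.get("Id") if owner is not None else None,
            "kind": child.tag.split("}")[1] if child is not None else None,
            "target": (child.get("URI") or child.get("ValueType")) if child is not None else None,
        })
    return findings

if __name__ == "__main__":
    for finding in strs_missing_token_type(SAMPLE):
        print(finding)
```

Run against the full SOAP response rather than one fragment, so that references inside EncryptedData elements are checked as well as the one inside EncryptedKey.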