SAML token digital signature issue (WSO2 version vs. standalone JAR for XML signature)


I am using WSO2 to digitally sign and encrypt messages:

The web service is deployed on WebLogic and requires a SAML token, body and headers, plus signing and encryption.

Scenario 1: A web service client is generated for the WSDL using the standalone Axis API (1.6.2+); the client's policy requires a SAML token. This code produces a digitally signed and encrypted SOAP envelope, hits the endpoint and returns the result successfully.

<ds:Reference URI="#c4243cf4c8b6b8d6bc6570af5c0573e6">
    <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse wsu soapenv" />
        </ds:Transform>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
    <ds:DigestValue>lWQgTrlIVeFKWqT1ktPs0/kK3tQ=</ds:DigestValue>
</ds:Reference>

Scenario 2: The same code as in scenario 1 is run inside WSO2 ESB 4.7, with the client above acting as a class mediator and using the WSO2 ESB JARs. The request SOAP envelope is signed and encrypted perfectly, but the XML syntax has changed:

<ds:Reference URI="#Id-2003921168">
    <ds:Transforms>
        <ds:Transform
            Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
            <wsse:TransformationParameters>
                <ds:CanonicalizationMethod
                    Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </wsse:TransformationParameters>
        </ds:Transform>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
    <ds:DigestValue>mfNA+3ZPnCMzS2Y0TJ1GsYcdHNE=</ds:DigestValue>
</ds:Reference>

The signatures generated in the two cases appear to differ. Is the WSO2 ESB implementation of XML security different from the standalone Apache XML Security implementation?

The SOAP envelope generated from the scenario fails signature validation on the WebLogic web server and raises a SOAP fault with the following stack trace:

<?xml version="1.0" encoding="utf-8"?><env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><env:Body><env:Fault><faultcode>env:Server</faultcode><faultstring>Failed to validate signature.</faultstring><detail><bea_fault:stacktrace xmlns:bea_fault="http://www.bea.com/servers/wls70/webservice/fault/1.0.0">weblogic.xml.crypto.wss.WSSecurityException: Failed to validate signature.
    at weblogic.xml.crypto.wss.SecurityImpl.unmarshalAndProcessSignature(SecurityImpl.java:740)
    at weblogic.xml.crypto.wss.SecurityImpl.unmarshalAndProcessSignature(SecurityImpl.java:689)
    at weblogic.xml.crypto.wss.SecurityImpl.unmarshalChildren(SecurityImpl.java:544)
    at weblogic.xml.crypto.wss.SecurityImpl.unmarshalInternal(SecurityImpl.java:450)

Caused by: weblogic.xml.crypto.dsig.api.XMLSignatureException
    at weblogic.xml.crypto.wss.STRTransform.transform(STRTransform.java:303)
    at weblogic.xml.crypto.dsig.ReferenceUtils.applyTransforms(ReferenceUtils.java:49)
    at weblogic.xml.crypto.dsig.ReferenceImpl.createDigest(ReferenceImpl.java:161)

Caused by: weblogic.xml.crypto.wss.WSSecurityException: No token handler found for null
    at weblogic.xml.crypto.wss.WSSecurityContext.getRequiredTokenHandler(WSSecurityContext.java:410)
    at weblogic.xml.crypto.wss.STRTransform.transform(STRTransform.java:193)

Caused by: weblogic.xml.crypto.dsig.api.XMLSignatureException
    at weblogic.xml.crypto.wss.STRTransform.transform(STRTransform.java:303)
    at weblogic.xml.crypto.dsig.ReferenceUtils.applyTransforms(ReferenceUtils.java:49)
    at weblogic.xml.crypto.dsig.ReferenceImpl.createDigest(ReferenceImpl.java:161)
    at weblogic.xml.crypto.dsig.ReferenceImpl.validate(ReferenceImpl.java:116)
    at weblogic.xml.crypto.dsig.XMLSignatureImpl.validate(XMLSignatureImpl.java:256)
The web service policy file used is:

<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsp:All>
        <ns1:AsymmetricBinding
            xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
            <wsp:Policy>
                <ns1:InitiatorToken>
                    <wsp:Policy>
                        <ns1:X509Token
                            ns1:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                            <wsp:Policy>
                                <ns1:WssX509V3Token10 />
                            </wsp:Policy>
                        </ns1:X509Token>
                    </wsp:Policy>
                </ns1:InitiatorToken>
                <ns1:RecipientToken>
                    <wsp:Policy>
                        <ns1:X509Token
                            ns1:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                            <wsp:Policy>
                                <ns1:WssX509V3Token10 />
                            </wsp:Policy>
                        </ns1:X509Token>
                    </wsp:Policy>
                </ns1:RecipientToken>
                <ns1:AlgorithmSuite>
                    <wsp:Policy>
                        <ns1:Basic256 />
                    </wsp:Policy>
                </ns1:AlgorithmSuite>
                <ns1:Layout>
                    <wsp:Policy>
                        <ns1:Lax />
                    </wsp:Policy>
                </ns1:Layout>
                <ns1:IncludeTimestamp />
                <ns1:ProtectTokens />
                <ns1:OnlySignEntireHeadersAndBody />
            </wsp:Policy>
        </ns1:AsymmetricBinding>

        <ns2:SignedSupportingTokens
            xmlns:ns2="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
            <wsp:Policy>
                <ns2:IssuedToken
                    ns2:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                    <ns2:Issuer>
                        <Address xmlns="http://www.w3.org/2005/08/addressing">https://HYD-69ZRV01-L:6002/standalonests/SamlSTS
                        </Address>
                    </ns2:Issuer>

                    <ns2:RequestSecurityTokenTemplate>
                        <t:TokenType xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">urn:oasis:names:tc:SAML:1.0:assertion
                        </t:TokenType>
                    </ns2:RequestSecurityTokenTemplate>

                    <wsp:Policy>
                        <ns2:RequireInternalReference />
                    </wsp:Policy>
                </ns2:IssuedToken>
            </wsp:Policy>
            <wsp:Policy>
                <ns2:SamlToken
                    ns2:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                    <wsp:Policy>
                        <ns2:WssSamlV11Token10 />
                    </wsp:Policy>
                </ns2:SamlToken>
            </wsp:Policy>
        </ns2:SignedSupportingTokens>

        <!-- 
        <ns2:SignedSupportingTokens
            xmlns:ns2="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
            <wsp:Policy>
                <ns2:SamlToken
                    ns2:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                    <wsp:Policy>
                        <ns2:WssSamlV11Token10 />
                    </wsp:Policy>
                </ns2:SamlToken>
            </wsp:Policy>
        </ns2:SignedSupportingTokens>
         -->

        <ns3:Wss10 xmlns:ns3="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
            <wsp:Policy>
                <ns3:MustSupportRefKeyIdentifier />
                <ns3:MustSupportRefIssuerSerial />
            </wsp:Policy>
        </ns3:Wss10>


        <ns4:EncryptedParts
            xmlns:ns4="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
            <ns4:Body />
        </ns4:EncryptedParts>

        <ns5:SignedParts
            xmlns:ns5="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
            <ns5:Body />
        </ns5:SignedParts>

    </wsp:All>
</wsp:Policy>


Thanks.

The transform algorithms used in the two cases are different. That must be the cause of the problem.

Pushpalanka, I can see that from the difference. Is there a way to specify the transform algorithm used for the digital signature when using Apache Rampart?
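As an added example (not code from the question, the answer, WSO2 or Rampart), a small Python diagnostic that lists each ds:Reference in a WS-Security envelope with its transform algorithms, so the exc-c14n versus STR-Transform difference pointed out in the answer can be spotted before a message is sent; for STR-Transform references it also checks that the URI resolves to a wsse:SecurityTokenReference whose KeyIdentifier carries a ValueType. That the null in the trace's token-handler lookup is such a missing ValueType is an assumption, and the sample envelope is constructed.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
STR_TRANSFORM = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#STR-Transform")

def _index_ids(root):
    """Map every wsu:Id or plain Id value to its element so '#...' URIs can be resolved."""
    ids = {}
    for el in root.iter():
        for attr in ("{%s}Id" % WSU, "Id"):
            if el.get(attr):
                ids[el.get(attr)] = el
    return ids

def inspect_references(envelope_xml):
    """One dict per ds:Reference: URI, transform algorithms, whether the URI resolves,
    and for STR-Transform references the ValueType of the target STR's KeyIdentifier
    (None when the target is not an STR or has no ValueType; assumed to be what a
    verifier's token-handler lookup such as the one in the trace needs)."""
    root = ET.fromstring(envelope_xml)
    ids = _index_ids(root)
    report = []
    for ref in root.iter("{%s}Reference" % DS):
        uri = ref.get("URI", "")
        target = ids.get(uri[1:]) if uri.startswith("#") else None
        entry = {"uri": uri,
                 "transforms": [t.get("Algorithm") for t in ref.iter("{%s}Transform" % DS)],
                 "resolves": target is not None}
        if STR_TRANSFORM in entry["transforms"]:
            is_str = target is not None and target.tag == "{%s}SecurityTokenReference" % WSSE
            ki = target.find("{%s}KeyIdentifier" % WSSE) if is_str else None
            entry["str_value_type"] = ki.get("ValueType") if ki is not None else None
        report.append(entry)
    return report

# Constructed sample: body signed with exc-c14n (scenario 1 style), an STR-Transform
# reference (scenario 2 style) whose KeyIdentifier lacks a ValueType, and a dangling URI.
SAMPLE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:ds="%s" xmlns:wsse="%s" xmlns:wsu="%s"><soapenv:Header><wsse:Security>
 <wsse:SecurityTokenReference wsu:Id="STR-1"><wsse:KeyIdentifier>abc</wsse:KeyIdentifier>
 </wsse:SecurityTokenReference><ds:Signature><ds:SignedInfo>
 <ds:Reference URI="#Body-1"><ds:Transforms><ds:Transform Algorithm="%s"/></ds:Transforms></ds:Reference>
 <ds:Reference URI="#STR-1"><ds:Transforms><ds:Transform Algorithm="%s"/></ds:Transforms></ds:Reference>
 <ds:Reference URI="#Missing"><ds:Transforms><ds:Transform Algorithm="%s"/></ds:Transforms></ds:Reference>
 </ds:SignedInfo></ds:Signature></wsse:Security></soapenv:Header>
 <soapenv:Body wsu:Id="Body-1"><x/></soapenv:Body></soapenv:Envelope>""" % (
    DS, WSSE, WSU, EXC_C14N, STR_TRANSFORM, EXC_C14N)

if __name__ == "__main__":
    for entry in inspect_references(SAMPLE):
        print(entry)
```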