
WSO2 security UsernameToken ESB and DSS

I'm trying to build a web service using ESB from WSO2. My service uses a dataservice to get data from a database, so I need to connect ESB with DSS. When the proxy and dataservice aren't secured they work OK, but when they are secured I get the following error:

  <soapenv:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
     <faultcode>wsse:InvalidSecurity</faultcode>
     <faultstring>Nonce value : 8/BKMsFNs2gTJ58FXyV43Q==, already seen before for user name : UsuarioPrueba1. Possibly this could be a replay attack.</faultstring>
     <detail/>
  </soapenv:Fault>

Securing the dataservice but not the proxy works OK. I send the UsernameToken and password created in Users and Roles from ESB and DSS.

One possible scenario where we could get this error is if we are using the header mediator to send a custom SOAP security header.

For example, I created a proxy as in [1], and you may notice that I have put the following element in the SOAP message security header.

<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">95euUDNp5wT7nT3BadS9Tw==</wsse:Nonce> 

Since I'm sending the same nonce every time to the backend, it is detected as a possible replay attack by the backend.

To get rid of this error, I removed the above 'Nonce' element. Then the backend stopped giving the error

"Nonce value : 95euUDNp5wT7nT3BadS9Tw==, already seen before for user name : admin. Possibly this could be a replay attack."

anymore.

Only if we send the 'Nonce' element in the SOAP security header will the backend check for possible replay attacks. So removing that element is one way of getting rid of the error.

This also means that this is a solution only if you don't want the backend to evaluate the Nonce value for detecting replay attacks.

I know this question is one year old, but I thought I'd add an answer as a reference.

[1]

<?xml version="1.0" encoding="UTF-8"?>
<proxy xmlns="http://ws.apache.org/ns/synapse"
       name="InsuranceServiceProxy2"
       transports="https,http"
       statistics="disable"
       trace="disable"
       startOnLoad="true">
   <target>
      <inSequence>
         <header scope="default">
            <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                           xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                           xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                           soapenv:mustUnderstand="1">
               <wsu:Timestamp wsu:Id="TS-23">
                  <wsu:Created>2015-06-13T03:07:55Z</wsu:Created>
               </wsu:Timestamp>
               <wsse:UsernameToken wsu:Id="UsernameToken-22">
                  <wsse:Username>admin</wsse:Username>
                  <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">admin</wsse:Password>
                  <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">95euUDNp5wT7nT3BadS9Tw==</wsse:Nonce>
                  <wsu:Created>2015-06-13T03:07:55.091Z</wsu:Created>
               </wsse:UsernameToken>
            </wsse:Security>
         </header>
         <property name="Authorization"
                   value="Basic YWRtaW46YWRtaW4="
                   scope="transport"
                   type="STRING"/>
      </inSequence>
      <outSequence>
         <send/>
      </outSequence>
      <endpoint>
         <address uri="https://localhost:8243/services/InsuranceServiceBEProxy2"/>
      </endpoint>
   </target>
   <description/>
</proxy>
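The two sides of the behaviour described in this answer, as an added Python example that is not code from the post or from WSO2: a client helper that builds a UsernameToken with a fresh random nonce per message (so the header mediator's fixed literal is not needed), and a toy backend nonce cache that rejects a (user, nonce) pair seen again within its window and reports it with the same fault text shown above. The 5-minute window and the cache itself are assumptions, not WSO2's implementation.

```python
import base64
import os
from datetime import datetime, timedelta, timezone
from xml.etree import ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
PW_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"
ET.register_namespace("wsse", WSSE)
ET.register_namespace("wsu", WSU)


def username_token(user, password, now=None, nonce=None):
    """Build a wsse:UsernameToken whose Nonce is generated per call (16 random
    bytes, base64) instead of being a fixed literal in the proxy config."""
    now = now or datetime.now(timezone.utc)
    nonce = nonce or os.urandom(16)
    tok = ET.Element(f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = user
    ET.SubElement(tok, f"{{{WSSE}}}Password", Type=PW_TEXT).text = password
    ET.SubElement(tok, f"{{{WSSE}}}Nonce", EncodingType=B64).text = base64.b64encode(nonce).decode()
    # wsu:Created with millisecond precision, as in the header shown on this page
    ET.SubElement(tok, f"{{{WSU}}}Created").text = now.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    return ET.tostring(tok, encoding="unicode")


class NonceCache:
    """Assumed backend-side replay check: remember (user, nonce) pairs for a
    time window; a repeat within the window, or a stale Created, is rejected."""

    def __init__(self, window_seconds=300):
        self.window = timedelta(seconds=window_seconds)
        self.seen = {}  # (user, nonce) -> time the pair was first accepted

    def check(self, token_xml, now=None):
        """Return None if the token is accepted, otherwise the fault string."""
        now = now or datetime.now(timezone.utc)
        tok = ET.fromstring(token_xml)
        user = tok.findtext(f"{{{WSSE}}}Username")
        nonce = tok.findtext(f"{{{WSSE}}}Nonce")
        created = datetime.strptime(tok.findtext(f"{{{WSU}}}Created"),
                                    "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
        # expire old entries so the cache is bounded by the window, not by traffic
        self.seen = {k: t for k, t in self.seen.items() if now - t < self.window}
        if abs(now - created) > self.window:
            return "Timestamp outside the accepted window"
        if (user, nonce) in self.seen:
            return (f"Nonce value : {nonce}, already seen before for user name : {user}. "
                    "Possibly this could be a replay attack.")
        self.seen[(user, nonce)] = now
        return None
```

A token rebuilt with a new nonce passes every time, while a header that carries the same nonce literal on each request (the mediator configuration above) is rejected from the second request onward, even though its Created value changes.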
