[英]WSO2 WS Security Password only without certificate possible?
we want to create a PHP WSO2 Webservice Client which uses WS Security, but without signature nor encryption. 我们想要创建一个使用WS安全性但没有签名或加密的PHP WSO2 Web服务客户端。 Instead we want to use a simple Password. 相反,我们想使用一个简单的密码。 Problem is: we always get an certificate error (see below). 问题是:我们总是会收到证书错误(请参阅下文)。 Do we really have to install a certificate, and if so: where ? 我们真的必须安装证书吗? Java Keystore ? Java Keystore?
Environment: PHP 5.3.10, WSO2 PHP 2.10, Apache 2.2.x 环境:PHP 5.3.10,WSO2 PHP 2.10,Apache 2.2.x
wfs_client_log: wfs_client_log:
[error] key_mgr.c(295) [rampart][rampart_signature] Public key certificate file is not specified. [错误] key_mgr.c(295)[rampart] [rampart_signature]未指定公共密钥证书文件。 [error] rampart_signature.c(856) [rampart][rampart_signature] Cannot get certificate [error] rampart_sec_header_builder.c(131) [rampart][shb] Signing failed. [错误] rampart_signature.c(856)[rampart] [rampart_signature]无法获取证书[错误] rampart_sec_header_builder.c(131)[rampart] [shb]签名失败。 ERROR [error] rampart_sec_header_builder.c(601) [rampart][shb] Asymmetric Binding failed [error] rampart_out_handler.c(130) [rampart]Security header building failed. 错误[错误] rampart_sec_header_builder.c(601)[rampart] [shb]不对称绑定失败[错误] rampart_out_handler.c(130)[rampart]安全标头构建失败。 [error] phase.c(224) Handler RampartOutHandler invoke failed within phase Security [error] engine.c(657) Invoking phase Security failed [错误] phase.c(224)处理程序RampartOutHandler调用在阶段安全性内失败[错误] engine.c(657)调用阶段安全性失败
PHP Code is: PHP代码是:
<?php
// Endpoint WebService
$endPoint = 'http://xxx.xxxx.xxx:7000/orabpel/selfservice/passwortAendernMBE/1.0';
// Security-Payload
$user = 'mustermann123';
$passwortAlt = 'foo';
$passwortNeu = 'bar';
// create Security-Token
$secToken = new WSSecurityToken(array(
"user" => $user,
"password" => $passwortAlt,
"passwordType" => "PlainText"));
// create SecurityPolicy
$policy = new WSPolicy(array(
"security" => array(
"useUsernameToken" => TRUE)));
// create WS-Client
$client = new WSClient( array(
"to" => $endPoint,
"useSOAP" => "1.1",
"action" => "process",
"policy" => $policy,
"securityToken" => $secToken));
// create SOAP-Payload
$soapPayload = '
<ns1:passwortAendern_processElement xmlns:ns1="http://xxxx.xxxx.xxxxxe/Integration/prozesse/xxxxxxSchema"
xmlns:ns2="http://xxxx.xxxx.xxx/types/xx.xxx.xxxx.selfService.prozesse.xxx.xxxxMessage">
<ns1:passwortAendernMessage>
<ns2:benutzerkennung>' . $user . '</ns2:benutzerkennung>
<ns2:passwortAlt>' . $passwortAlt . '</ns2:passwortAlt>
<ns2:passwortNeu>' . $passwortNeu . '</ns2:passwortNeu>
</ns1:passwortAendernMessage>
</ns1:passwortAendern_processElement>';
// Request
$soapResponse = null;
try {
// soap Request
$soapResponse = $client->request( $soapPayload );
// print out Response
echo '<pre>';
print_r(htmlspecialchars( str_replace('>','>'.PHP_EOL,$soapResponse->str ) ));
echo '</pre>';
} catch(Exception $e) {
echo '<h1>Error:</h1>' . PHP_EOL;
var_dump($e);
}
// dump Soap-Parameters
echo '<h1>Soap-Parameter</h1>' . PHP_EOL;
var_dump($soapPayload);
// dump Soap-Response
echo '<h1>Soap-Response</h1>' . PHP_EOL;
var_dump($soapResponse);
Finally successful! 终于成功了! Calling the Webservice (with above mentioned vector/intent) now works. 现在可以调用Web服务(具有上述向量/意图)。
Many attempts and another example by Nandika later we've found out that for us (Matthias and I) changing the creation of the WS-SecurityPolicy -object did the trick. 后来,Nandika进行了许多尝试和另一个示例,我们发现,对我们(Matthias和我)而言,更改WS-SecurityPolicy -object的创建确实成功了。
Instead of using above array as initialisation-parameter: 而不是使用上面的数组作为初始化参数:
// create SecurityPolicy
$policy = new WSPolicy(array(
"security" => array(
"useUsernameToken" => TRUE)));
...we now use a xml-policy-file like so: ...我们现在像这样使用xml-policy-file:
// load Policy (xml) file...
$policy_file = file_get_contents("policy.xml");
// ...and create SecurityPolicy
$policy = new WSPolicy($policy_file);
Content of "policy.xml": “ policy.xml”的内容:
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:ExactlyOne>
<wsp:All>
<sp:TransportBinding>
<wsp:Policy>
</wsp:Policy>
</sp:TransportBinding>
<sp:SignedSupportingTokens>
<wsp:Policy>
<sp:UsernameToken
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssUsernameToken10 />
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:SignedSupportingTokens>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
Beginning to use WSO2 with WS-Security WSF/PHP 2.1 feels rather touchy. 开始将WSO2与WS-Security WSF / PHP 2.1结合使用时,会感到有些棘手。 Therefore I'll try to list some thoughts that knowing (would have) helped me save time: 因此,我将尝试列出一些想法,这些想法可以帮助我节省时间:
most common error reflected to me by wsf/php is (an exception-object with the message): "Error , NO Response Received". wsf / php向我反映的最常见错误是(带有消息的异常对象):“错误,未收到响应”。 This now happens almost whenever anything goes wrong, for example: 现在几乎在任何出错的情况下都会发生这种情况,例如:
sometimes I do get a WS-Fault -ojbect (in a resopnse envelope) which I can check for my client-code [$e typeof WSFault] 有时我确实得到了一个WS-Fault -ojbect(位于reopnse信封中),可以检查我的客户端代码[$ e typeof WSFault]
always have a tool with proxy-capabilities nearby to route through + inspect your request and response. 总是有附近具有代理功能的工具可以通过+检查您的请求和响应。 At the moment I use Oracles JDeveloper 10 and 11 which both have a neat little "HTTP Analyzer" inside (but there sure are smaller and/or better tools out there for this purpose). 目前,我使用的Oracle JDeveloper 10和11都内置了一个小巧的“ HTTP分析器”(但是肯定有较小和/或较好的工具可用于此目的)。
Playing around with the settings in policy.xml a comrad and I found out that: 玩弄了policy.xml中的设置,我发现:
Thanks everyone (especially Nandika) for your help! 感谢大家(尤其是Nandika)的帮助!
The default generated policy is failing because, wsf/php 2.1.0 version is expecting signed messages for default generated policy for $policy = new WSPolicy(array( "security" => array("useUsernameToken" => TRUE))); 默认生成的策略失败,因为wsf / php 2.1.0版本期望$ policy = new WSPolicy(array(“ security” => array(“ useUsernameToken” => TRUE)))的默认生成策略的签名消息。
Try with the following policy file. 尝试使用以下策略文件。 https://svn.wso2.org/repos/wso2/trunk/wsf/php/samples/security/username_token/call_back/policy.xml https://svn.wso2.org/repos/wso2/trunk/wsf/php/samples/security/username_token/call_back/policy.xml
You can load the policy as $policy_file = file_get_contents("policy.xml"); 您可以将策略加载为$ policy_file = file_get_contents(“ policy.xml”);。 $policy = new WSPolicy($policy_file); $ policy =新的WSPolicy($ policy_file);
I've encountered the same issue once, but it was concerning WSServer, not WSClient. 我曾经遇到过相同的问题,但它涉及的是WSServer,而不是WSClient。 Since version 2.1 (or even earlier) WSF consideres WS-Policy signed by default, you need a WSPolicy file which declared signatureless behaviour. 由于版本2.1(或更早版本)的WSF缺省认为WS-Policy已签名,因此您需要一个WSPolicy文件,该文件声明了无签名行为。 I've posted an article on this topic, but it's in Russian. 我已经发布了有关该主题的文章,但是它是俄语的。 Use Google Translate. 用谷歌翻译。
http://habrahabr.ru/post/132353/ http://habrahabr.ru/post/132353/
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.