stackoom
  简体   繁体   中英

Apache WSS4J Failing to Initialize

 原文  2019-06-27 14:49:17       java/ apache/ spring-boot/ security/ wss4j

Question

I am trying to get the Apache WSS4J library working to validate a BinarySecurityToken in a Spring Boot webservice. We can start up the service just fine, but when we send in a SOAP request, we get the following error: 

No message with ID "invalidSAMLsecurity" found in resource bundle "org/apache/xml/security/resource/xmlsecurity"; nested exception is org.apache.wss4j.common.ext.WSSecurityException: No message with ID "invalidSAMLsecurity" found in resource bundle "org/apache/xml/security/resource/xmlsecurity"

Now, from my understanding, this occurs when you haven't called the WSSec.init() method. However, the only WSSec class in Apache WSS4J is in the org.apache.wss4j.stax package, and it appears that using Maven to download WSS4J 2.2.3 does not give you access to the stax package.

I'm fairly certain I'm just looking in the wrong places, but the current Apache WSS4J API is for 2.3.0-SNAPSHOT , so I'm not even sure if the version I'm using has access to those packages, and I can't seem to find the API for version 2.2.3.

I'm sure that it's just a matter of finding the right initializations, I'm just not sure where those initializations would be configured.

1 answers

solution1
 0  2019-06-28 10:52:00

To be able to validate a signed xml, using the binarySecurityToken which is present in the header - you'd need to ensure that the xml is signed using

"WSHandlerConstants.SIG_KEY_ID" = "DirectReference" 

 List<WSSecurityEngineResult> res = engine.processSecurityHeader(signedDoc, null, null, crypto);

signedDoc - the SOAP envelope as Document

Use this method, to validate the signature. Also, set up an instance of Crypto like below.

Crypto crypto = CryptoFactory.getInstance("validator.properties");

Try the below Maven dependencies (this is out of a working example that I have) 

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter</artifactId>
        <version>2.1.5.RELEASE</version>
    </dependency>

    <dependency>
        <groupId>org.apache.wss4j</groupId>
        <type>pom</type>
        <artifactId>wss4j</artifactId>
        <version>2.0.0</version>
    </dependency>
    <dependency>
        <groupId>org.apache.wss4j</groupId>
        <artifactId>wss4j-ws-security-dom</artifactId>
        <version>2.0.0</version>
        <type>jar</type>
    </dependency>
    <dependency>
        <groupId>commons-io</groupId>
        <artifactId>commons-io</artifactId>
        <version>2.4</version>
        <type>jar</type>
    </dependency>

    <dependency>
        <groupId>org.apache.axis</groupId>
        <artifactId>axis</artifactId>
        <version>1.4</version>
    </dependency>

    <dependency>
        <groupId>org.apache.ws.security</groupId>
        <artifactId>wss4j</artifactId>
        <version>1.6.19</version>
    </dependency>

    <dependency>
        <groupId>org.apache.wss4j</groupId>
        <artifactId>wss4j-ws-security-common</artifactId>
        <version>2.0.2</version>
    </dependency>

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Apache CXF / WSS4J Certificate Validation Apache CXF web service security issue with wss4j UsernameToken WS-Security with Apache CXF Annotations (WSS4J) How can I use Apache CXF 3.X and WSS4J 2.X as of my ear project and not CXF and WSS4J (older) that is installed in the modules of JBoss 6.3.0 EAP? Apache CXF - configure WSS4J to extract server's x.509 certificate from SOAP header Create Enveloped Signature with CXF and WSS4J Signing SOAP messages using WSS4J Configurable location of keystore in WSS4J WSS4J and PCKS11 keystore How to validate UsernameToken without password in wss4j 1.6?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM