[英]Apache CXF Policy Exception (WS Security)- Security configuration could not be detected
我已經將頭撞在磚牆上好幾天了,對此確實可以提供一些幫助。
我已經使用Apache CXF實現了一個非常簡單的JAX-WS服務,我試圖添加WS-SecurityPolicies來加密和簽名消息正文,但是客戶端卻收到以下異常:
org.apache.cxf.ws.policy.PolicyException: Security configuration could not be detected. Potential cause: Make sure jaxws:client element with name attribute value matching endpoint port is defined as well as a security.signature.properties element within it.
at org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractCommonBindingHandler.unassertPolicy(AbstractCommonBindingHandler.java:92)
at org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.getSignatureBuilder(AbstractBindingBuilder.java:1797)
at org.apache.cxf.ws.security.wss4j.policyhandlers.AsymmetricBindingHandler.doSignature(AsymmetricBindingHandler.java:693)
at org.apache.cxf.ws.security.wss4j.policyhandlers.AsymmetricBindingHandler.doSignBeforeEncrypt(AsymmetricBindingHandler.java:171)
at org.apache.cxf.ws.security.wss4j.policyhandlers.AsymmetricBindingHandler.handleBinding(AsymmetricBindingHandler.java:110)
at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessageInternal(PolicyBasedWSS4JOutInterceptor.java:190)
at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:109)
at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:96)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:514)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:423)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:324)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:277)
at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:139)
這是我的applicationContext.xml客戶端:
<bean id="passwordCallback"
class="com.example.payment.engine.soap.service.ClientPasswordCallback"></bean>
<jaxws:client
name="{http://service.soap.engine.payment.example.com/}HelloWorldImplService"
createdFromAPI="true" id="helloClient"
serviceClass="com.example.payment.engine.soap.service.HelloWorld"
address="http://localhost:8080/payment-engine/api/soap/hello">
<jaxws:properties>
<entry key="ws-security.callback-handler" value-ref="passwordCallback" />
<entry key="ws-security.encryption.properties" value="crypto.properties" />
<entry key="ws-security.signature.properties" value="crypto.properties" />
<entry key="ws-security.encryption.username" value="server" />
</jaxws:properties>
</jaxws:client>
這是客戶端crypto.properties
org.apache.ws.security.crypto.merlin.keystore.file=client-keystore.jks
org.apache.ws.security.crypto.merlin.keystore.password=client-pass
org.apache.ws.security.crypto.merlin.keystore.private.password=key-pass
org.apache.ws.security.crypto.merlin.keystore.alias=client
最后是WSDL:
<wsdl:definitions xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
xmlns:tns="http://service.soap.engine.payment.example.com/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
xmlns:ns1="http://schemas.xmlsoap.org/soap/http" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" name="HelloWorldImplService"
targetNamespace="http://service.soap.engine.payment.example.com/">
<wsdl:types>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:tns="http://service.soap.engine.payment.example.com/"
elementFormDefault="unqualified" targetNamespace="http://service.soap.engine.payment.example.com/" version="1.0">
<xs:element name="sayHello" type="tns:sayHello" />
<xs:element name="sayHelloResponse" type="tns:sayHelloResponse" />
<xs:complexType name="sayHello">
<xs:sequence />
</xs:complexType>
<xs:complexType name="sayHelloResponse">
<xs:sequence>
<xs:element minOccurs="0" name="return" type="xs:string" />
</xs:sequence>
</xs:complexType>
</xs:schema>
</wsdl:types>
<wsdl:message name="sayHelloResponse">
<wsdl:part element="tns:sayHelloResponse" name="parameters"></wsdl:part>
</wsdl:message>
<wsdl:message name="sayHello">
<wsdl:part element="tns:sayHello" name="parameters"></wsdl:part>
</wsdl:message>
<wsdl:portType name="HelloWorld">
<wsdl:operation name="sayHello">
<wsdl:input message="tns:sayHello" name="sayHello"></wsdl:input>
<wsdl:output message="tns:sayHelloResponse" name="sayHelloResponse"></wsdl:output>
</wsdl:operation>
</wsdl:portType>
<wsdl:binding name="HelloWorldImplServiceSoapBinding" type="tns:HelloWorld">
<wsp:PolicyReference URI="#HelloWorldBindingPolicy"/>
<soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http" />
<wsdl:operation name="sayHello">
<soap:operation soapAction="" style="document" />
<wsdl:input name="sayHello">
<wsp:PolicyReference URI="#HelloWorldInputBindingPolicy" />
<soap:body use="literal" />
</wsdl:input>
<wsdl:output name="sayHelloResponse">
<wsp:PolicyReference URI="#HelloWorldOutputBindingPolicy" />
<soap:body use="literal" />
</wsdl:output>
</wsdl:operation>
</wsdl:binding>
<wsdl:service name="HelloWorldImplService">
<wsdl:port binding="tns:HelloWorldImplServiceSoapBinding" name="HelloWorldImplPort">
<soap:address location="http://localhost:8080/payment-engine/api/soap/hello" />
</wsdl:port>
</wsdl:service>
<wsp:Policy wsu:Id="HelloWorldBindingPolicy">
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding>
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssX509V3Token11 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
<wsp:Policy>
<sp:WssX509V3Token11 />
<sp:RequireIssuerSerialReference />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:Layout>
<wsp:Policy>
<sp:Strict />
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp />
<sp:OnlySignEntireHeadersAndBody />
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic128 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:EncryptSignature />
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss11>
<wsp:Policy>
<sp:MustSupportRefIssuerSerial />
</wsp:Policy>
</sp:Wss11>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy wsu:Id="HelloWorldInputBindingPolicy">
<wsp:ExactlyOne>
<wsp:All>
<sp:EncryptedParts>
<sp:Body />
</sp:EncryptedParts>
<sp:SignedParts>
<sp:Body />
</sp:SignedParts>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy wsu:Id="HelloWorldOutputBindingPolicy">
<wsp:ExactlyOne>
<wsp:All>
<sp:EncryptedParts>
<sp:Body />
</sp:EncryptedParts>
<sp:SignedParts>
<sp:Body />
</sp:SignedParts>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
</wsdl:definitions>
任何幫助將非常感激!
我花了幾天的時間解決Apache CXF 3.1.4的這一問題和其他問題。 事實是,CXF中的錯誤消息很少能提供有關修復內容的真實線索。 危在旦夕的事情很典型:它講述了一個找不到的名字,但沒有提供要查找的實際值,其次,在我看來,這並不是問題所在。
我從一個基於XML / Spring的CXF總線/策略配置開始,從事了超過一年的測試和生產工作,例如:
SpringBusFactory bf = new SpringBusFactory();
URL busFile = MyClient.class.getResource("/wssec_policy.xml");
Bus bus = bf.createBus(busFile);
BusFactory.setDefaultBus(bus);
wssec_policy.xml包含jaxws:client定義,如下所示:
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:cxf="http://cxf.apache.org/core" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:jaxws="http://cxf.apache.org/jaxws" xsi:schemaLocation="...etc...">
<bean id="logOutbound" class="MyLoggingOutInterceptor"/>
<bean id="logInbound" class="MyLoggingInInterceptor"/>
<cxf:bus>
<cxf:outInterceptors><ref bean="logOutbound"/></cxf:outInterceptors>
<cxf:inInterceptors><ref bean="dumpMessageInterceptor"/><ref bean="logInbound"/></cxf:inInterceptors>
<cxf:features><cxf:logging/></cxf:features>
</cxf:bus>
<jaxws:client name="{http://some.domain/webservices}servicioSoap" createdFromAPI="true">
<jaxws:properties>
<entry key="security.encryption.properties" value="etc/Client_Encrypt.properties"/>
<entry key="security.signature.properties" value="etc/Client_Sign.properties"/>
</jaxws:properties>
</jaxws:client>
</beans>
以及加密和signature.properties包含WSS4J屬性的地方 。
我的挑戰只是要在JRE 8上與CXF 3.1.4,BouncyCastle 1.52,Spring 4.2.4一起工作。 並沒有,首先敲打您引用的錯誤。
我在POJO客戶端中匯編了代碼,並開始深入研究CXF源代碼以找到真正的原因,並發現上述默認總線設置(之前確實有效)不再向WSS4J層提供jaxws:client元數據。 沒有數據,因此出現錯誤。 Apache CXF提供了三種配置WS- *堆棧的方式(顯式攔截器,基於XML的策略和基於Java API的策略)。 為了解決您的問題,我通過java API切換到基於策略的配置,如下所示:
serviceGDS = new WSDL2Java_generated_Service();
portGDS = serviceGDS.getServiceGdsSoap();
Map<String, Object> ctx = ((javax.xml.ws.BindingProvider)portGDS).getRequestContext();
Properties encProps = new Properties();
encProps.load(new FileInputStream("etc/Client_Encrypt.properties"));
ctx.put("security.encryption.properties", encProps);
Properties signProps = new Properties();
signProps.load(new FileInputStream("etc/Client_Sign.properties"));
ctx.put("security.signature.properties", signProps);
// setting the props below once helped solving the error at stake
ctx.put("security.signature.username","test_keypair");
ctx.put("security.encryption.username","gds_test_cert");
最后兩個屬性曾經需要進行調試,以解決由於缺少密鑰別名而導致的錯誤的密鑰長度錯誤! 但最后,我指出如果沒有他們,它可以奏效! (它們實際上在Client_Encrypt和Client_Sign屬性中重復了密鑰庫別名)。
然后,我通過抑制Client_Encrypt和Client_Sign屬性中的“ org.apache.ws.security.crypto.merlin.keystore.provider = BC”解決了未發現的加密錯誤證書 (至今仍在過去的版本中工作)。
我通過將pkcs12密鑰庫類型切換為jks來解決了丟失的證書錯誤。 我發現keystore.load()不會獲取所有包含的證書...使用相同的p12密鑰庫,根據調用上下文的不同,我得到的結果也有所不同。
我通過觀察實時服務器(在我的情況下為JBoss EAP7)中的重新部署從未奏效,從而解決了不支持AsymmetricBinding的問題,但是當已部署的應用與服務器一起啟動時(因此在服務器重啟后),它可以正常工作。 我強烈懷疑類加載器問題。
讓我補充一下,我曾經切換回JRE 7(舊版運行正常),並且錯誤明顯不同(我懷疑JRE中的策略配置文件)。
另一個主要的困難是,所有錯誤(無論是處理請求乃至響應的客戶端異常,還是服務器端錯誤)都由CXF封裝為肥皂錯誤,並帶有簡潔的錯誤消息,這使得很難理解實際發生的情況。 讓我前進的唯一途徑是在POJO中組裝所需的客戶端代碼,並借助CXF和WSS4J源代碼庫對其進行調試(當您使用調試器並向下鑽取時,Eclipse / Maven會為您獲取源代碼。高效!)
通過使用以下內容設法使這一半工作
HelloWorldImplService service = new HelloWorldImplService();
HelloWorld port = service.getHelloWorldImplPort();
Map<String, Object> ctx = ((BindingProvider) port).getRequestContext();
ctx.put("ws-security.callback-handler", "com.example.payment.engine.soap.service.ClientPasswordCallback");
ctx.put("ws-security.encryption.properties", "config/crypto.properties");
ctx.put("ws-security.signature.properties", "config/crypto.properties");
ctx.put("ws-security.encryption.username", "server");
System.out.println(port.sayHello());
Apache CXF策略:無法檢測到安全配置(外部策略)
[英]Apache CXF Policy: Security configuration could not be detected (external policies)
使用Apache CXF注釋的UsernameToken WS-Security(WSS4J)
[英]UsernameToken WS-Security with Apache CXF Annotations (WSS4J)
“未找到用於解密的證書”(Apache CXF,WS-Security)
[英]“No certificates were found for decryption” (Apache CXF, WS-Security)
如何連接到托管在 Apache Tomcat 上的 Apache Cxf Web 服務(啟用 Ws 安全性)?
[英]How can i connect to Apache Cxf web service hosted on Apache Tomcat(Ws security enabled )?
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.