2017-07-27 257 views
1

I am developing a client against a web service that has the following policy:

<wsp:Policy xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702" wsu:Id="SecurityServiceSignThenEncryptPolicy">
<wsp:ExactlyOne>
    <wsp:All>
     <sp:AsymmetricBinding>
      <wsp:Policy>
       <sp:InitiatorToken>
        <wsp:Policy>
         <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
          <wsp:Policy>
           <sp:WssX509V3Token10/>
           <sp:WssX509V3Token11/>
          </wsp:Policy>
         </sp:X509Token>
        </wsp:Policy>
       </sp:InitiatorToken>
       <sp:RecipientToken>
        <wsp:Policy>
         <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Always">
          <wsp:Policy>
           <sp:WssX509V3Token10/>
           <sp:WssX509V3Token11/>
          </wsp:Policy>
         </sp:X509Token>
        </wsp:Policy>
       </sp:RecipientToken>
       <sp:AlgorithmSuite>
        <wsp:Policy>
         <sp:Basic128Rsa15/>
         <sp:Basic256Rsa15/>
         <sp:Basic128Sha256Rsa15/>
         <sp:Basic256Sha256Rsa15/>
        </wsp:Policy>
       </sp:AlgorithmSuite>
       <sp:Layout>
        <wsp:Policy>
         <sp:Lax/>
        </wsp:Policy>
       </sp:Layout>
       <sp:IncludeTimestamp/>
       <sp:ProtectTokens/>
       <sp:OnlySignEntireHeadersAndBody/>
      </wsp:Policy>
     </sp:AsymmetricBinding>
     <sp:Wss10>
      <wsp:Policy>
       <sp:MustSupportRefKeyIdentifier/>
       <sp:MustSupportRefIssuerSerial/>
       <sp:MustSupportRefThumbprint/>
       <sp:MustSupportRefEncryptedKey/>
      </wsp:Policy>
     </sp:Wss10>
     <sp:Wss11>
      <wsp:Policy>
       <sp:MustSupportRefKeyIdentifier/>
       <sp:MustSupportRefIssuerSerial/>
       <sp:MustSupportRefThumbprint/>
       <sp:MustSupportRefEncryptedKey/>
       <sp:RequireSignatureConfirmation/>
      </wsp:Policy>
     </sp:Wss11>
    </wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy wsu:Id="InputBindingPolicy">
    <wsp:ExactlyOne>
     <wsp:All>
      <sp:EncryptedParts>
       <sp:Body/>
      </sp:EncryptedParts>
      <sp:SignedParts>
       <sp:Body/>
      </sp:SignedParts>
     </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy wsu:Id="OutputBindingPolicy">
    <wsp:ExactlyOne>
     <wsp:All>
      <sp:EncryptedParts>
       <sp:Body/>
      </sp:EncryptedParts>
      <sp:SignedParts>
       <sp:Body/>
      </sp:SignedParts>
     </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>

If I send the request using SOAP UI, I get:

<faultstring>These policy alternatives can not be satisfied:
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding: Received Timestamp does not match the requirements 
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token: The received token does not match the token inclusion requirement 
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}InitiatorToken 
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}RecipientToken 
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IncludeTimestamp: Received Timestamp does not match the requirements 
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}EncryptedParts: 
{http://schemas.xmlsoap.org/soap/envelope/}Body not ENCRYPTED 
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignedParts: 
{http://schemas.xmlsoap.org/soap/envelope/}Body not SIGNED</faultstring> 
A WSDL web service client

So I started a CXF client; this is my code:

import java.net.MalformedURLException;
import java.net.URL;
import java.util.HashMap;
import java.util.Map;
import javax.xml.namespace.QName;
import javax.xml.ws.Service;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.endpoint.Endpoint;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.handler.WSHandlerConstants;

public static void main(String[] args) throws MalformedURLException {
    URL wsdlURL = new URL("http://localhost:8080/pathToWsdl?wsdl");
    QName SERVICE_NAME = new QName("http://webservices.provider.com/", "serviceClient");
    Service service = Service.create(wsdlURL, SERVICE_NAME);

    executeCall(service);
}

public static void executeCall(Service service) {
    // code to get clientInterface (the JAX-WS port generated from the WSDL);

    Client client = ClientProxy.getClient(clientInterface);
    Endpoint cxfEndpoint = client.getEndpoint();

    // Inbound interceptor with no properties: no WS-Security action is configured
    // for the response.
    Map<String, Object> inProps = new HashMap<String, Object>();
    WSS4JInInterceptor wssIn = new WSS4JInInterceptor(inProps);
    cxfEndpoint.getInInterceptors().add(wssIn);

    // Outbound interceptor: add a Timestamp, sign, then encrypt the request.
    Map<String, Object> outProps = new HashMap<String, Object>();
    outProps.put(WSHandlerConstants.ACTION,
      WSHandlerConstants.TIMESTAMP + " " + WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.ENCRYPT);

    // Alias of the client's private key and the callback that supplies its password.
    outProps.put(WSHandlerConstants.USER, "keycliente");
    outProps.put(WSHandlerConstants.PW_CALLBACK_CLASS, KeystorePasswordCallback.class.getName());

    // Merlin crypto properties (keystore location, type, password) used for both operations.
    outProps.put(WSHandlerConstants.SIG_PROP_FILE, "client-crypto.properties");
    outProps.put(WSHandlerConstants.ENC_PROP_FILE, "client-crypto.properties");
    // Include the signing certificate in a BinarySecurityToken and reference it directly.
    outProps.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
    // Alias of the recipient's certificate used to encrypt the symmetric key.
    outProps.put(WSHandlerConstants.ENCRYPTION_USER, "tobias");

    // Key transport algorithm required by the Basic*Rsa15 algorithm suites in the policy.
    outProps.put(WSHandlerConstants.ENC_KEY_TRANSPORT, WSConstants.KEYTRANSPORT_RSA15);

    WSS4JOutInterceptor wssOut = new WSS4JOutInterceptor(outProps);
    cxfEndpoint.getOutInterceptors().add(wssOut);

    ServiceRequest request = buildRequest();
    clientInterface.method(request);
}

After running this client I was able to get a step further; my current problem concerns the remaining policies that I cannot satisfy:

{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding: Received Timestamp does not match the requirements 
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}InitiatorToken 
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}RecipientToken 
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IncludeTimestamp: Received Timestamp does not match the requirements 

With these error changes I at least know that the signing and encryption parts work, but I do not know how to build the recipient token and the other things.

Answer

0

I got this working. The problem was related to how I wrote the client. When the policy is configured in the WSDL, the best approach is to load it and let CXF do the magic. If I add an interceptor, it seems to override the CXF steps, or CXF does not execute some of them. With this code I was able to make it work.

import java.io.File;
import java.net.MalformedURLException;
import java.net.URL;
import javax.xml.datatype.DatatypeConfigurationException;
import javax.xml.namespace.QName;
import javax.xml.ws.Service;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.ws.security.SecurityConstants;

public static void main(String[] args) throws MalformedURLException, DatatypeConfigurationException {

    // Load the WSDL that carries the WS-SecurityPolicy assertions, so CXF's
    // policy engine configures WS-Security itself instead of manual interceptors.
    URL wsdlURL = new File("ApiBancosClients.wsdl").toURI().toURL();
    QName SERVICE_NAME = new QName("http://webservices.apibancos.debin.com/", "ApiBancosClient");
    Service service = Service.create(wsdlURL, SERVICE_NAME);

    callApiBancosClientService(service);
}

public static void callApiBancosClientService(Service service) throws DatatypeConfigurationException {
    // ApiBancosClientInterface is the port interface generated from the WSDL.
    ApiBancosClientInterface apiBancosClientInterface = service.getPort(ApiBancosClientInterface.class);

    Client client = ClientProxy.getClient(apiBancosClientInterface);

    // Request side: crypto properties, password callback, the client's signing
    // key alias and the server certificate alias used to encrypt the request.
    client.getRequestContext().put(SecurityConstants.ENCRYPT_PROPERTIES, "client-crypto.properties");
    client.getRequestContext().put(SecurityConstants.SIGNATURE_PROPERTIES, "client-crypto.properties");
    client.getRequestContext().put(SecurityConstants.CALLBACK_HANDLER, "com.bp.KeystorePasswordCallback");
    client.getRequestContext().put(SecurityConstants.SIGNATURE_USERNAME, "keycliente");
    client.getRequestContext().put(SecurityConstants.ENCRYPT_USERNAME, "keyserver");

    // Response side: the same properties so the response signature can be
    // verified and the encrypted body decrypted with the client's key.
    client.getResponseContext().put(SecurityConstants.ENCRYPT_PROPERTIES, "client-crypto.properties");
    client.getResponseContext().put(SecurityConstants.SIGNATURE_PROPERTIES, "client-crypto.properties");
    client.getResponseContext().put(SecurityConstants.CALLBACK_HANDLER, "com.bp.KeystorePasswordCallback");

    AvisoNuevoDebinRequest avisoDeNuevoDebin = buildRequest();
    apiBancosClientInterface.avisoDeNuevoDebin(avisoDeNuevoDebin);
    System.out.println("FINISH");
}
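Both snippets reference a `KeystorePasswordCallback` class that is not shown in the post. The following is an added example of such a handler (not the asker's code): it answers WSS4J's password requests only for the client's own private key alias `keycliente` (from the configuration above), and assumes the password is supplied through an environment variable named `KEYCLIENTE_PASSWORD` (an assumption, not from the post).

```java
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.wss4j.common.ext.WSPasswordCallback;

// Added example of the KeystorePasswordCallback referenced in the post (not the
// asker's code). WSS4J invokes it when it needs the private-key password for
// the alias configured as SIGNATURE_USERNAME (signing the request) and again
// when it decrypts the response with the client's private key.
public class KeystorePasswordCallback implements CallbackHandler {

    // Assumption: the key password is read from an environment variable so it
    // does not sit in source code next to the keystore path.
    private static final String KEY_PASSWORD_ENV = "KEYCLIENTE_PASSWORD";
    private static final String KEY_ALIAS = "keycliente";

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (!(callback instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callback, "Only WSPasswordCallback is supported");
            }
            WSPasswordCallback pc = (WSPasswordCallback) callback;
            int usage = pc.getUsage();
            // Only the two usages that need our own private key are answered:
            // signing the outgoing message and decrypting the incoming one.
            boolean privateKeyUsage = usage == WSPasswordCallback.SIGNATURE
                    || usage == WSPasswordCallback.DECRYPT;
            if (privateKeyUsage && KEY_ALIAS.equals(pc.getIdentifier())) {
                String password = System.getenv(KEY_PASSWORD_ENV);
                if (password == null || password.isEmpty()) {
                    throw new IOException(KEY_PASSWORD_ENV + " is not set; cannot unlock key " + KEY_ALIAS);
                }
                pc.setPassword(password);
            }
            // Any other alias or usage is left unanswered, so WSS4J fails closed
            // rather than releasing a password for an unexpected key.
        }
    }
}
```

The class name must match the `CALLBACK_HANDLER` value (`com.bp.KeystorePasswordCallback` in the answer), so place it in that package.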