2011-01-21 206 views
1

AXIS Web svc., .NET client - WS-Security issue

I'm using a .NET 2.0 client to talk to an AXIS web service. The web service is not under my control, and I cannot request any modifications to it.

Right now I'm using WSE 3.0 to implement the security part, but I'm having a lot of trouble getting the two to talk to each other. My current problem appears to be this exception -

Security processing failed; nested exception is: 
    org.apache.ws.security.WSSecurityException: General security error (Unexpected number of X509Data: for decryption (KeyId)) 

I implemented a custom WSE policy on the client (created a custom SecurityPolicyAssertion, overrode CreateClientOutputFilter(FilterCreationContext context) and from it invoked a custom SendSecurityFilter). In the SendSecurityFilter I overrode the SecureMessage method and added the following -

public override void SecureMessage(SoapEnvelope envelope, Security security)
{
    clientToken = GetClientToken();
    serverToken = GetServerToken();

    // Sign the SOAP message with the client's security token.
    security.Tokens.Add(clientToken);
    security.Elements.Add(new MessageSignature(clientToken));

    // Encrypt the SOAP message with the server's security token
    // (the recipient's certificate), so only the server can decrypt it.
    security.Elements.Add(new Microsoft.Web.Services3.Security.EncryptedData(serverToken));

    // Store the client and server security tokens in the request state.
    RequestState state = new RequestState(clientToken, serverToken);

    // Store the request state in the proxy's operation state.
    // This makes these tokens accessible when SOAP responses are
    // verified to have sufficient security requirements.
    envelope.Context.OperationState.Set(state);
}

This produces the following XML output -

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:tns="http://b2bsys17-ssl.uhc.com/NASApp/phase2/services/SecureHIPAAService" xmlns:types="http://b2bsys17-ssl.uhc.com/NASApp/phase2/services/SecureHIPAAService/encodedTypes" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> 
    <soap:Header> 
     <wsa:Action> 
     </wsa:Action> 
     <wsa:MessageID>urn:uuid:e67780b6-dff4-4c41-8587-0a8980fa50ef</wsa:MessageID> 
     <wsa:ReplyTo> 
      <wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address> 
     </wsa:ReplyTo> 
     <wsa:To>https://www.uhgdirectconnect.uhc.com/NASApp/phase2/services/SecureHIPAAService</wsa:To> 
     <wsse:Security soap:mustUnderstand="1"> 
      <wsu:Timestamp wsu:Id="Timestamp-f6270878-1ad2-4635-9acc-6989f87f35e0"> 
       <wsu:Created>2011-01-21T20:56:44Z</wsu:Created> 
       <wsu:Expires>2011-01-21T21:01:44Z</wsu:Expires> 
      </wsu:Timestamp> 
      <wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-3f9b54ee-0048-440a-84ec-d1af150ba35f">...</wsse:BinarySecurityToken> 
      <xenc:EncryptedKey Id="SecurityToken-b29770db-3e56-46fe-8e73-030e1271568e" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"> 
       <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"> 
        <ds:DigestMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> 
       </xenc:EncryptionMethod> 
       <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"> 
        <wsse:SecurityTokenReference> 
         <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">YA3uSedFpwuFDpxOeGAudur3kJ0=</wsse:KeyIdentifier> 
        </wsse:SecurityTokenReference> 
       </KeyInfo> 
       <xenc:CipherData> 
        <xenc:CipherValue>bZUxKs60Nrp5VzGGors9R5WZharm4uwSzLsFP6YvKCyHzXen2N/eARM+MVqXnXktncVIlK8wBahZhX6i1Vq6FkaOrOj8bjkXN4gdLrmFsXYD/v2sEFizMfEzhDo1tIItochTAr7ainJ8Hp6Nd/57lgaDzXDqO6Zxk1zK7tmJhaI=</xenc:CipherValue> 
       </xenc:CipherData> 
       <xenc:ReferenceList> 
        <xenc:DataReference URI="#Enc-d07f984f-8a57-4bf5-80c2-ce5d18dfa509" /> 
        <xenc:DataReference URI="#Enc-07efb4f6-d5c4-4deb-b66e-f027b0f4cf00" /> 
       </xenc:ReferenceList> 
      </xenc:EncryptedKey> 
      <xenc:EncryptedData Id="Enc-d07f984f-8a57-4bf5-80c2-ce5d18dfa509" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"> 
       <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" /> 
       <xenc:CipherData> 
        <xenc:CipherValue>...</xenc:CipherValue> 
       </xenc:CipherData> 
      </xenc:EncryptedData> 
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> 
       <SignedInfo> 
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" /> 
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> 
        <Reference URI="#Sig-1f8972b5-c8ca-40cb-a3b9-73b77907a16f"> 
         <Transforms> 
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> 
         </Transforms> 
         <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> 
         <DigestValue>BqLTeIy97kFa+tO+gxVqVycpoNo=</DigestValue> 
        </Reference> 
       </SignedInfo> 
       <SignatureValue>xR4sJyQV0D05l4LAlDhV3BITnogNS1MwTv+Y6RBE4viKqYEywikx0fjhxOK+URZNXVRHkvzwSD8VhEHkG7SOqkF1ja5uixgRlyYQ/bMPOQGqTKrypdVhvJOvniNXV5Rk9Kw9QfGwUoIrj80CMgT/i1CMJcTzv4bknKV+/pyGLdo=</SignatureValue> 
       <KeyInfo> 
        <wsse:SecurityTokenReference> 
         <wsse:Reference URI="#SecurityToken-3f9b54ee-0048-440a-84ec-d1af150ba35f" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> 
        </wsse:SecurityTokenReference> 
       </KeyInfo> 
      </Signature> 
     </wsse:Security> 
    </soap:Header> 
    <soap:Body soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" wsu:Id="Id-ea44fad0-920a-4a3f-b4d0-39a7e7e510fa"> 
     <xenc:EncryptedData Id="Enc-07efb4f6-d5c4-4deb-b66e-f027b0f4cf00" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"> 
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" /> 
      <xenc:CipherData> 
       <xenc:CipherValue>...</xenc:CipherValue> 
      </xenc:CipherData> 
     </xenc:EncryptedData> 
    </soap:Body> 
</soap:Envelope> 

and AXIS returns the error message -

Security processing failed; nested exception is: 
    org.apache.ws.security.WSSecurityException: General security error (Unexpected number of X509Data: for decryption (KeyId)) 

The error message is particularly unhelpful; I don't even know what it means, so any help with this would be greatly appreciated!

Thanks,
Teja.

+0

Make sure your management knows that WSE is obsolete and essentially unsupported. WCF should be used for all new web service client development. – 2011-01-21 22:31:40

Answers

0

Answering my own question after a while. It turns out "Unexpected Number of X509 Data" does mean something - the server is receiving a part of the SOAP message it doesn't like. In my case it turned out to be the wsa: tags. I dynamically removed the various tags the server didn't like while working with the people who built the web service, but that didn't seem to help.

Wrote the client in Java.

1

I'm explaining the Java case here, but it's almost the same. From my personal experience, the error:

Could not secure response: WSHandler: Signature: error during message 
processingorg.apache.ws.security.WSSecurityException: 
General security error (Unexpected number of X509Data: for Signature); ... 

is thrown when using a P12 keystore but with the wrong alias:

<bean id="wssInterceptor" class="org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor"> 
    <property name="securementActions" value="Signature Timestamp"/>   
    <property name="securementUsername" value="HERE_THE_ALIAS"/> 
    <property name="securementPassword" value="XXXXX"/> 
    <property name="securementSignatureCrypto" ref="crypto"/> 
    <property name="securementSignatureKeyIdentifier" value="DirectReference"/> 
    <property name="securementSignatureParts"> 
     <value>{}{http://schemas.xmlsoap.org/soap/envelope/}Body;{}{http://soap.iarxiu/headers}Context;</value> 
    </property> 
</bean> 

To extract the actual alias from the P12:

keytool -list -v -keystore path\YOUR_KEY.p12 -storepass YOUR_P12_PASSWORD -storetype pkcs12

In my case the alias was nothing obvious, not in the typical "CN=LALALA, OU=LALALA, O=Yhrns" format. It was something like "{44d7967d-bb0c-4b59-98e1-d23cbadaf3a4}".

After changing this, it signed the SAML headers correctly.
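Both the question (EncryptedKey referenced by a ThumbprintSHA1 KeyIdentifier, "for decryption (KeyId)") and the second answer (Signature with the wrong P12 alias, "for Signature") come down to the same receiver-side step: for each key reference in the Security header, a WSS4J-based service has to map the reference to exactly one certificate, either the inline BinarySecurityToken a direct Reference points at or a certificate in its own keystore for a thumbprint KeyIdentifier, before it can decrypt or verify, and "Unexpected number of X509Data" is what it reports when that lookup does not yield exactly one. The following Python script is an added example, not code from the question, the answers, WSE or WSS4J: it parses a constructed envelope with the same reference shapes as the one posted above and runs the lookup against a constructed keystore, once with the server certificate present and once without it. The functions `audit`, `resolve`, `describe_str` and `build_envelope` and the sample certificate bytes are assumptions of this example; the thumbprint is SHA-1 over the certificate's DER bytes, as the ValueType URI names.

```python
"""Added diagnostic: resolve the key references in a WS-Security header the way a
WSS4J-style receiver must.  Each KeyInfo in <EncryptedKey> and <Signature> names a
certificate; the receiver has to map it to exactly one certificate before it can
decrypt or verify.  The keystore and the envelope below are constructed samples."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
THUMBPRINT_SHA1 = "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"

# Constructed stand-ins for DER-encoded certificates (arbitrary bytes, not real X.509).
SERVER_DER = b"constructed-server-certificate-bytes"
CLIENT_DER = b"constructed-client-certificate-bytes"


def thumbprint(der):
    """ThumbprintSHA1 as WS-Security carries it: SHA-1 over the DER bytes, base64."""
    return base64.b64encode(hashlib.sha1(der).digest()).decode()


def describe_str(str_el):
    """Classify a <wsse:SecurityTokenReference>: (kind, value, ValueType)."""
    ref = str_el.find("wsse:Reference", NS)
    if ref is not None:
        return "Reference", ref.get("URI", ""), ref.get("ValueType", "")
    kid = str_el.find("wsse:KeyIdentifier", NS)
    if kid is not None:
        return "KeyIdentifier", (kid.text or "").strip(), kid.get("ValueType", "")
    if str_el.find("ds:X509Data", NS) is not None:
        return "X509Data", "", ""
    return "unknown", "", ""


def resolve(kind, value, value_type, root, keystore):
    """Return the certificate aliases (or inline token ids) the reference maps to."""
    if kind == "Reference":
        # Direct reference: the token travels in the same header under that wsu:Id.
        target = value.lstrip("#")
        for bst in root.iterfind(".//wsse:BinarySecurityToken", NS):
            if bst.get(f"{{{NS['wsu']}}}Id") == target:
                return [f"inline:{target}"]
        return []
    if kind == "KeyIdentifier" and value_type == THUMBPRINT_SHA1:
        # Thumbprint: must hit a certificate in the receiver's own keystore.
        return [alias for alias, der in keystore.items() if thumbprint(der) == value]
    return []  # issuer/serial and other forms are out of scope for this check


def audit(envelope_xml, keystore):
    """Report, per key reference, what it is and whether exactly one cert matches."""
    root = ET.fromstring(envelope_xml)
    report = {}
    for label, path in (
        ("EncryptedKey", ".//xenc:EncryptedKey/ds:KeyInfo/wsse:SecurityTokenReference"),
        ("Signature", ".//ds:Signature/ds:KeyInfo/wsse:SecurityTokenReference"),
    ):
        str_el = root.find(path, NS)
        if str_el is None:
            report[label] = {"kind": "absent", "matches": [], "ok": False}
            continue
        kind, value, value_type = describe_str(str_el)
        matches = resolve(kind, value, value_type, root, keystore)
        report[label] = {"kind": kind, "matches": matches, "ok": len(matches) == 1}
    return report


def build_envelope(server_der, client_der):
    """Constructed envelope with the same reference shapes as the one in the question."""
    return f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}">
 <soap:Header><wsse:Security soap:mustUnderstand="1">
  <wsse:BinarySecurityToken ValueType="{X509V3}" wsu:Id="SecurityToken-client">{base64.b64encode(client_der).decode()}</wsse:BinarySecurityToken>
  <xenc:EncryptedKey Id="EK-1" xmlns:xenc="{NS['xenc']}">
   <KeyInfo xmlns="{NS['ds']}"><wsse:SecurityTokenReference>
    <wsse:KeyIdentifier ValueType="{THUMBPRINT_SHA1}">{thumbprint(server_der)}</wsse:KeyIdentifier>
   </wsse:SecurityTokenReference></KeyInfo>
   <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedKey>
  <Signature xmlns="{NS['ds']}">
   <SignatureValue>AAAA</SignatureValue>
   <KeyInfo><wsse:SecurityTokenReference>
    <wsse:Reference URI="#SecurityToken-client" ValueType="{X509V3}"/>
   </wsse:SecurityTokenReference></KeyInfo>
  </Signature>
 </wsse:Security></soap:Header>
 <soap:Body/>
</soap:Envelope>"""


if __name__ == "__main__":
    env = build_envelope(SERVER_DER, CLIENT_DER)
    # Receiver keystore that holds the server certificate: both references resolve.
    print(audit(env, {"server": SERVER_DER, "client": CLIENT_DER}))
    # Receiver keystore without it (missing cert / wrong alias): EncryptedKey fails.
    print(audit(env, {"client": CLIENT_DER}))
```

To use it on a real exchange, paste the envelope the client actually sent and replace the keystore dict with the DER bytes of the certificates the receiver holds (for a P12, the entries keytool lists in the second answer). An EncryptedKey entry whose matches list is empty is the "for decryption (KeyId)" situation from the question; a Signature entry that fails to resolve is the "for Signature" situation from the second answer. Because a thumbprint reference carries no certificate, it can only work when the receiver already has the exact certificate the sender encrypted to, which is why a stale or renewed server certificate on either side produces the same error.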