
저는 spring-ws-security를 처음 사용하고 있으며, google 및 stacktrace에서 거의 모든 글을 읽었지만 제대로 작동하지 않았습니다.
응답 XML의 서명과 타임스탬프를 확인한 다음 데이터를 가져와야 합니다. 유효성 검사를 건너뛰면 아무 문제가 없지만, 유효성 검사 코드를 추가하면 오류가 발생합니다.

SOAP 응답 xml 타임 스탬프 및 서명 확인 x509 spring-ws-security

경고: 요청의 유효성을 검사할 수 없습니다: 서명 또는 암호 해독이 잘못되었습니다; 중첩 예외는 org.apache.ws.security.WSSecurityException입니다: 서명 또는 암호 해독이 잘못되었습니다

@Configuration
public class SoapClientConfig {

    /** JAXB context path of the generated request/response classes. */
    final String generatedResource = "packageName";

    /**
     * Callback handler used by the validating side of the interceptor; it only
     * carries the private-key password of the validation keystore.
     */
    @Bean
    public KeyStoreCallbackHandler securityCallbackHandler() {
        final KeyStoreCallbackHandler handler = new KeyStoreCallbackHandler();
        // NOTE(review): key password is hard-coded in source; in a real deployment
        // load it from configuration or a secret store rather than committing it.
        handler.setPrivateKeyPassword("serverkeystorepassword");
        return handler;
    }

    /**
     * Single WS-Security interceptor that both signs outgoing requests and
     * validates incoming responses.
     *
     * @return the configured interceptor
     * @throws Exception if one of the crypto factory beans cannot be built
     */
    @Bean
    public Wss4jSecurityInterceptor securityInterceptor() throws Exception {
        final Wss4jSecurityInterceptor interceptor = new Wss4jSecurityInterceptor();

        // Outbound: add a Timestamp and a Signature to every request.
        interceptor.setSecurementActions("Timestamp Signature");
        // NOTE(review): signing alias and keystore password are hard-coded here.
        interceptor.setSecurementUsername("clientkeystoreusername");
        interceptor.setSecurementPassword("clientkeystorepassword");

        // Cover both the Body and the Timestamp with the signature (the Body
        // alone would be signed by default).
        interceptor.setSecurementSignatureParts(
                "{}{http://schemas.xmlsoap.org/soap/envelope/}Body;{}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp");

        // DirectReference embeds the signing certificate as a BinarySecurityToken
        // in the security header.
        interceptor.setSecurementSignatureKeyIdentifier("DirectReference");
        interceptor.setSecurementSignatureCrypto(getRequestCryptoBean().getObject());

        // Inbound: require a Timestamp and a Signature on the response and check
        // the signature against the keystore from getResponseCryptoBean().
        interceptor.setValidationActions("Timestamp Signature");
        interceptor.setValidationSignatureCrypto(getResponseCryptoBean().getObject());
        interceptor.setValidationCallbackHandler(securityCallbackHandler());

        return interceptor;
    }

    /**
     * Crypto backed by the client keystore that holds the request-signing key.
     *
     * @throws IOException        if the keystore cannot be read
     * @throws URISyntaxException if the keystore location is malformed
     */
    @Bean
    public CryptoFactoryBean getRequestCryptoBean() throws IOException, URISyntaxException {
        final CryptoFactoryBean requestCrypto = new CryptoFactoryBean();
        // NOTE(review): keystore password is hard-coded in source.
        requestCrypto.setKeyStorePassword("clientkeystorepassword");
        requestCrypto.setKeyStoreLocation("client.jks");
        return requestCrypto;
    }

    /**
     * Crypto backed by the server keystore used to verify response signatures.
     * The default X.509 alias selects the certificate to trust.
     *
     * @throws Exception if the factory bean fails to initialise
     */
    @Bean
    public CryptoFactoryBean getResponseCryptoBean() throws Exception {
        final CryptoFactoryBean responseCrypto = new CryptoFactoryBean();
        responseCrypto.setDefaultX509Alias("1");
        // NOTE(review): keystore password is hard-coded in source.
        responseCrypto.setKeyStorePassword("serverkeystorepassword");
        responseCrypto.setKeyStoreLocation("server.jks");
        // Initialised explicitly here; getRequestCryptoBean() does not do this —
        // presumably Spring initialises it as a FactoryBean. TODO confirm.
        responseCrypto.afterPropertiesSet();
        return responseCrypto;
    }

    /** JAXB marshaller for the generated classes under {@code generatedResource}. */
    @Bean
    public Jaxb2Marshaller getMarshaller() {
        final Jaxb2Marshaller jaxb = new Jaxb2Marshaller();
        jaxb.setContextPath(generatedResource);
        return jaxb;
    }

    /**
     * Web-service client for the card service, wired with the marshaller, a
     * message sender with fixed timeouts and the WS-Security interceptor.
     *
     * @throws Exception if the interceptor cannot be created
     */
    @Bean
    public Card getAvailableCardsClient() throws Exception {
        final Card client = new Card();
        client.setMarshaller(getMarshaller());
        client.setUnmarshaller(getMarshaller());
        client.setDefaultUri("url");

        // Bound both connect and read so a stalled endpoint cannot hang the caller.
        final HttpComponentsMessageSender messageSender = new HttpComponentsMessageSender();
        messageSender.setConnectionTimeout(2000);
        messageSender.setReadTimeout(2000);
        client.setMessageSender(messageSender);

        // The same interceptor signs requests and validates responses.
        client.setInterceptors(new ClientInterceptor[] {securityInterceptor()});

        return client;
    }

}

** server.jks에는 서버의 공개 키가 포함되어 있습니다. 또한 이 인증서는 X509 인증서입니다. 응답을 확인하는 방법을 알려주세요.

답변


같은 상황에 있는 다른 사용자를 위해 제가 찾은 해결책을 게시합니다.

제 시나리오에서는 요청과 응답의 유효성 검사에 서로 다른 두 개의 인증서(server.jks, client.jks)를 사용해야 했기 때문에 같은 인터셉터를 쓸 수 없었습니다. 그래서 요청용과 응답용으로 두 개의 인터셉터를 만들었습니다.

작동하는 코드는 다음과 같습니다:

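@Configuration
public class SoapClientConfig {

    // NOTE(review): this class references generatedResource, env and timeoutInMs
    // without declaring them; they must be provided elsewhere (not shown here).

    /**
     * Callback handler for the validating interceptor.
     * NOTE(review): this sets the symmetric-key password, whereas the request side
     * uses a private-key password — confirm which one the validation path needs.
     */
    @Bean
    public KeyStoreCallbackHandler securityCallbackHandler() throws Exception {
        final KeyStoreCallbackHandler handler = new KeyStoreCallbackHandler();
        // NOTE(review): password is hard-coded in source; load it from configuration
        // or a secret store instead of committing it.
        handler.setSymmetricKeyPassword("serverPassword");
        return handler;
    }

    /**
     * Request-side interceptor: adds a Timestamp and a Signature to outgoing
     * messages using the client keystore. It has no validation actions.
     *
     * @throws Exception if the request crypto bean cannot be built
     */
    @Bean
    public Wss4jSecurityInterceptor securityInterceptor() throws Exception {
        final Wss4jSecurityInterceptor requestInterceptor = new Wss4jSecurityInterceptor();

        // Outbound security actions.
        requestInterceptor.setSecurementActions("Timestamp Signature");
        // NOTE(review): signing alias and password are hard-coded in source.
        requestInterceptor.setSecurementUsername("clientAias");
        requestInterceptor.setSecurementPassword("clientPassword");

        // Sign both the Body and the Timestamp (only the Body is signed by default).
        requestInterceptor.setSecurementSignatureParts(
                "{}{http://schemas.xmlsoap.org/soap/envelope/}Body;{}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp");

        // DirectReference embeds the signing certificate as a BinarySecurityToken.
        requestInterceptor.setSecurementSignatureKeyIdentifier("DirectReference");
        requestInterceptor.setSecurementSignatureCrypto(getRequestCryptoBean().getObject());

        return requestInterceptor;
    }

    /**
     * Crypto backed by the client keystore holding the request-signing key.
     *
     * @throws IOException if the keystore cannot be read
     */
    @Bean
    public CryptoFactoryBean getRequestCryptoBean() throws IOException {
        final CryptoFactoryBean requestCrypto = new CryptoFactoryBean();
        // NOTE(review): keystore password is hard-coded in source.
        requestCrypto.setKeyStorePassword("clientPassword");
        requestCrypto.setKeyStoreLocation("clientCertLoc");
        return requestCrypto;
    }

    /**
     * Response-side interceptor: requires a Timestamp and a Signature on incoming
     * messages and verifies the signature against the server keystore.
     *
     * @throws Exception if the response crypto bean or callback handler cannot be built
     */
    @Bean
    public Wss4jSecurityInterceptor responseSecurityInterceptor() throws Exception {
        final Wss4jSecurityInterceptor responseInterceptor = new Wss4jSecurityInterceptor();
        responseInterceptor.setValidationActions("Timestamp Signature");
        responseInterceptor.setValidationSignatureCrypto(getResponseCryptoBean().getObject());
        responseInterceptor.setValidationCallbackHandler(securityCallbackHandler());
        return responseInterceptor;
    }

    /**
     * Crypto backed by the server keystore used to verify response signatures;
     * the default X.509 alias selects the trusted certificate.
     *
     * @throws Exception if the factory bean fails to initialise
     */
    @Bean
    public CryptoFactoryBean getResponseCryptoBean() throws Exception {
        final CryptoFactoryBean responseCrypto = new CryptoFactoryBean();
        responseCrypto.setKeyStoreLocation("serverCertLoc");
        responseCrypto.setDefaultX509Alias("serverAlias");
        // NOTE(review): keystore password is hard-coded in source.
        responseCrypto.setKeyStorePassword("serverPassword");
        // Initialised explicitly here but not in getRequestCryptoBean(); if Spring
        // initialises the FactoryBean itself this call is redundant, otherwise the
        // request bean needs it too — TODO confirm.
        responseCrypto.afterPropertiesSet();
        return responseCrypto;
    }

    /** JAXB marshaller for the generated classes under {@code generatedResource}. */
    @Bean
    public Jaxb2Marshaller getMarshaller() {
        final Jaxb2Marshaller jaxb = new Jaxb2Marshaller();
        jaxb.setContextPath(generatedResource);
        return jaxb;
    }

    /**
     * Web-service client wired with the marshaller, a message sender whose
     * connect/read timeouts come from the environment (default 10000 ms), and the
     * request-signing and response-validating interceptors.
     *
     * @throws Exception if an interceptor cannot be created or the timeout value is not an integer
     */
    @Bean
    public WebServiceClass getPojoClassMethod() throws Exception {
        final WebServiceClass client = new WebServiceClass();
        client.setMarshaller(getMarshaller());
        client.setUnmarshaller(getMarshaller());

        // Resolve the timeout once rather than querying the environment twice.
        final String configuredTimeout = stringFromEnvironmentOrIllegalStateException(env, timeoutInMs);
        // Integer.parseInt throws NumberFormatException on a malformed value, which
        // surfaces as a startup failure — preferable to silently running untimed.
        final int timeout = configuredTimeout == null ? 10000 : Integer.parseInt(configuredTimeout);

        // Bound both connect and read so a stalled endpoint cannot hang the caller.
        final HttpComponentsMessageSender messageSender = new HttpComponentsMessageSender();
        messageSender.setConnectionTimeout(timeout);
        messageSender.setReadTimeout(timeout);
        client.setMessageSender(messageSender);

        client.setDefaultUri("actionURL");

        // Separate interceptors: the first signs requests, the second validates responses.
        client.setInterceptors(new ClientInterceptor[] {securityInterceptor(), responseSecurityInterceptor()});

        return client;
    }

}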