
私はspring-ws-securityは初めてで、Googleやstacktraceでほとんどすべての記事を読みましたが、応答XMLの署名とタイムスタンプを検証してからデータを取得する必要があります。検証をスキップすれば問題はありませんが、検証コードを追加するとエラーが発生します。(SOAP応答のXMLタイムスタンプとX509署名の検証 spring-ws-security)

警告:署名または復号化が無効でした。ネストされた例外はorg.apache.ws.security.WSSecurityExceptionです:署名または復号が無効だった

@Configuration
public class SoapClientConfig {

    /** JAXB context path of the generated client classes. */
    final String generatedResource = "packageName";

    /**
     * Callback handler that hands WSS4J the private-key password it asks for
     * while validating the response.
     * NOTE(review): the password is a literal in source (and reused as the
     * keystore password below); sourcing it from the environment would keep
     * it out of version control.
     *
     * @return the configured callback handler
     */
    @Bean
    public KeyStoreCallbackHandler securityCallbackHandler() {
        KeyStoreCallbackHandler handler = new KeyStoreCallbackHandler();
        handler.setPrivateKeyPassword("serverkeystorepassword");
        return handler;
    }

    /**
     * Single interceptor that both signs the outgoing request (Timestamp +
     * Signature over Body and Timestamp, client key from client.jks) and
     * validates the incoming response against server.jks.
     *
     * @return the configured WS-Security interceptor
     * @throws Exception if either crypto factory cannot be built
     */
    @Bean
    public Wss4jSecurityInterceptor securityInterceptor() throws Exception {
        Wss4jSecurityInterceptor interceptor = new Wss4jSecurityInterceptor();

        // Outgoing side: add a Timestamp and sign with the client key.
        interceptor.setSecurementActions("Timestamp Signature");
        interceptor.setSecurementUsername("clientkeystoreusername");
        interceptor.setSecurementPassword("clientkeystorepassword");

        // Sign the Timestamp as well as the Body (Body alone is the default).
        interceptor.setSecurementSignatureParts("{}{http://schemas.xmlsoap.org/soap/envelope/}Body;{}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp");

        // DirectReference puts a BinarySecurityToken carrying the cert in the header.
        interceptor.setSecurementSignatureKeyIdentifier("DirectReference");
        interceptor.setSecurementSignatureCrypto(getRequestCryptoBean().getObject());

        // Incoming side: require and check Timestamp and Signature on the response.
        // NOTE(review): the check is only as strong as the contents of server.jks;
        // keep that store limited to the certificate(s) the client actually trusts.
        interceptor.setValidationActions("Timestamp Signature");
        interceptor.setValidationSignatureCrypto(getResponseCryptoBean().getObject());
        interceptor.setValidationCallbackHandler(securityCallbackHandler());

        return interceptor;
    }

    /**
     * Crypto backed by the client keystore, used to sign requests.
     *
     * @return the crypto factory for client.jks
     * @throws IOException if the keystore cannot be read
     * @throws URISyntaxException if the keystore location is malformed
     */
    @Bean
    public CryptoFactoryBean getRequestCryptoBean() throws IOException, URISyntaxException {
        CryptoFactoryBean clientCrypto = new CryptoFactoryBean();
        clientCrypto.setKeyStorePassword("clientkeystorepassword");
        clientCrypto.setKeyStoreLocation("client.jks");
        return clientCrypto;
    }

    /**
     * Crypto backed by the server keystore, used to validate response signatures.
     * {@code afterPropertiesSet()} is invoked here so the factory is usable
     * directly from {@link #securityInterceptor()}.
     *
     * @return the initialised crypto factory for server.jks
     * @throws Exception if initialisation fails
     */
    @Bean
    public CryptoFactoryBean getResponseCryptoBean() throws Exception {
        CryptoFactoryBean serverCrypto = new CryptoFactoryBean();
        serverCrypto.setDefaultX509Alias("1");
        serverCrypto.setKeyStorePassword("serverkeystorepassword");
        serverCrypto.setKeyStoreLocation("server.jks");
        serverCrypto.afterPropertiesSet();
        return serverCrypto;
    }

    /**
     * JAXB marshaller bound to the generated classes in {@link #generatedResource}.
     *
     * @return the marshaller
     */
    @Bean
    public Jaxb2Marshaller getMarshaller() {
        Jaxb2Marshaller jaxb = new Jaxb2Marshaller();
        jaxb.setContextPath(generatedResource);
        return jaxb;
    }

    /**
     * SOAP client for the card service: JAXB (un)marshalling, a 2 s connect/read
     * timeout, and the WS-Security interceptor for signing and validation.
     *
     * @return the configured client
     * @throws Exception if the security interceptor cannot be created
     */
    @Bean
    public Card getAvailableCardsClient() throws Exception {
        Card client = new Card();
        client.setMarshaller(getMarshaller());
        client.setUnmarshaller(getMarshaller());

        // Both connect and read timeouts are 2000 ms.
        HttpComponentsMessageSender messageSender = new HttpComponentsMessageSender();
        messageSender.setConnectionTimeout(2000);
        messageSender.setReadTimeout(2000);
        client.setMessageSender(messageSender);

        client.setDefaultUri("url");

        // Signing of requests and validation of responses.
        client.setInterceptors(new ClientInterceptor[]{securityInterceptor()});

        return client;
    }

}

** server.jksにはサーバの公開鍵が含まれています。また、この認証にはX509証明書を使用しています。応答を検証する方法を教えてください。

回答


解決策を見つけたので、同じ状況にいる他の人のために投稿します。

私のシナリオでは、要求と応答の検証に2つの異なる証明書(server.jks、client.jks)を使用しなければならなかったので、同じインターセプタを両方に使うことができませんでした。そこでリクエスト用とレスポンス用の2つのインターセプタを作成しました。以下が動作しているコードのコピーです:

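@Configuration
public class SoapClientConfig {

    /** Timeout used when no value is configured in the environment (10 s). */
    private static final int DEFAULT_TIMEOUT_MS = 10000;

    // NOTE(review): generatedResource, env, timeoutInMs and
    // stringFromEnvironmentOrIllegalStateException are referenced below but not
    // shown in this listing — presumably defined elsewhere in the class.

    /**
     * Callback handler that supplies WSS4J the key password it asks for while
     * validating the response.
     * NOTE(review): the password is a source literal; the timeout below already
     * comes from the environment, and the credentials could be sourced the same way.
     *
     * @return the configured callback handler
     * @throws Exception never thrown here; declared for Spring's benefit
     */
    @Bean
    public KeyStoreCallbackHandler securityCallbackHandler() throws Exception {
        KeyStoreCallbackHandler callbackHandler = new KeyStoreCallbackHandler();
        callbackHandler.setSymmetricKeyPassword("serverPassword");
        return callbackHandler;
    }

    /**
     * Request-side interceptor: adds a Timestamp and signs Body + Timestamp with
     * the client key. It performs no validation; see
     * {@link #responseSecurityInterceptor()}.
     *
     * @return the signing interceptor
     * @throws Exception if the client crypto cannot be built
     */
    @Bean
    public Wss4jSecurityInterceptor securityInterceptor() throws Exception {
        Wss4jSecurityInterceptor securityInterceptor = new Wss4jSecurityInterceptor();

        // set security actions
        securityInterceptor.setSecurementActions("Timestamp Signature");
        securityInterceptor.setSecurementUsername("clientAias");
        securityInterceptor.setSecurementPassword("clientPassword");

        // sign both body and timestamp - default body will be signed
        securityInterceptor.setSecurementSignatureParts("{}{http://schemas.xmlsoap.org/soap/envelope/}Body;{}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp");

        // DirectReference puts a BinarySecurityToken carrying the cert in the header
        securityInterceptor.setSecurementSignatureKeyIdentifier("DirectReference");
        securityInterceptor.setSecurementSignatureCrypto(getRequestCryptoBean().getObject());

        return securityInterceptor;
    }

    /**
     * Crypto backed by the client keystore, used for signing requests.
     *
     * @return the crypto factory for the client keystore
     * @throws IOException if the keystore cannot be read
     */
    @Bean
    public CryptoFactoryBean getRequestCryptoBean() throws IOException {
        CryptoFactoryBean cryptoFactoryBean = new CryptoFactoryBean();
        cryptoFactoryBean.setKeyStorePassword("clientPassword");
        cryptoFactoryBean.setKeyStoreLocation("clientCertLoc");
        return cryptoFactoryBean;
    }

    /**
     * Response-side interceptor: requires a Timestamp and a Signature on the
     * response and checks the signature against the server keystore.
     * NOTE(review): the check is only as strong as the contents of serverCertLoc;
     * keep that store limited to the certificate(s) the client actually trusts.
     *
     * @return the validating interceptor
     * @throws Exception if the server crypto cannot be built
     */
    @Bean
    public Wss4jSecurityInterceptor responseSecurityInterceptor() throws Exception {
        Wss4jSecurityInterceptor securityInterceptor = new Wss4jSecurityInterceptor();
        securityInterceptor.setValidationActions("Timestamp Signature");
        securityInterceptor.setValidationSignatureCrypto(getResponseCryptoBean().getObject());
        securityInterceptor.setValidationCallbackHandler(securityCallbackHandler());

        return securityInterceptor;
    }

    /**
     * Crypto backed by the server keystore, used to validate response signatures.
     * {@code afterPropertiesSet()} is called explicitly so the factory is ready
     * when {@link #responseSecurityInterceptor()} calls {@code getObject()}.
     *
     * @return the initialised crypto factory for the server keystore
     * @throws Exception if initialisation fails
     */
    @Bean
    public CryptoFactoryBean getResponseCryptoBean() throws Exception {
        CryptoFactoryBean cryptoFactoryBean = new CryptoFactoryBean();
        cryptoFactoryBean.setKeyStoreLocation("serverCertLoc");
        cryptoFactoryBean.setDefaultX509Alias("serverAlias");
        cryptoFactoryBean.setKeyStorePassword("serverPassword");
        cryptoFactoryBean.afterPropertiesSet();
        return cryptoFactoryBean;
    }

    /**
     * JAXB marshaller bound to the generated classes in {@code generatedResource}.
     *
     * @return the marshaller
     */
    @Bean
    public Jaxb2Marshaller getMarshaller() {
        Jaxb2Marshaller marshaller = new Jaxb2Marshaller();
        marshaller.setContextPath(generatedResource);
        return marshaller;
    }

    /**
     * SOAP client: JAXB (un)marshalling, environment-driven timeout, and the
     * two interceptors — signing on the way out, validation on the way in.
     *
     * @return the configured client
     * @throws Exception if either interceptor cannot be created
     */
    @Bean
    public WebServiceClass getPojoClassMethod() throws Exception {
        WebServiceClass pClass = new WebServiceClass();
        pClass.setMarshaller(getMarshaller());
        pClass.setUnmarshaller(getMarshaller());

        // Same value for connect and read timeout; resolved once, not per call.
        int timeout = resolveTimeoutMs();
        HttpComponentsMessageSender sender = new HttpComponentsMessageSender();
        sender.setConnectionTimeout(timeout);
        sender.setReadTimeout(timeout);
        pClass.setMessageSender(sender);

        pClass.setDefaultUri("actionURL");
        // Order matters: sign the request first, validate the response with the second.
        ClientInterceptor[] interceptors = new ClientInterceptor[]{securityInterceptor(), responseSecurityInterceptor()};
        pClass.setInterceptors(interceptors);

        return pClass;
    }

    /**
     * Reads the timeout (milliseconds) from the environment exactly once,
     * falling back to {@link #DEFAULT_TIMEOUT_MS} when the value is absent.
     * Surrounding whitespace is tolerated; a non-numeric value still fails
     * with a {@link NumberFormatException}.
     *
     * @return the timeout in milliseconds
     */
    private int resolveTimeoutMs() {
        String configured = stringFromEnvironmentOrIllegalStateException(env, timeoutInMs);
        if (configured == null) {
            return DEFAULT_TIMEOUT_MS;
        }
        return Integer.parseInt(configured.trim());
    }

}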