目前,我已经使用CXF(3.0.6)实现了一项Web服务,该服务允许通过WS-SecurityPolicy上传经过验证的XML数据;通过UsernameToken执行身份验证,并通过对称加密保护数据。 我有关于附件的问题,当我以base64编码启用上传图像时,服务器收到错误“签名或解密无效”,但是当我禁用base64时,一切都与其余数据相符。 这是我的cxf-servlet.xml:
<jaxws:endpoint id="CaricamentoAPE"
address="/CaricamentoAPE"
implementor="it.enea.siape.ws.soap.CaricamentoAPE_Impl">
<jaxws:features>
<wsa:addressing/>
</jaxws:features>
<jaxws:properties>
<entry key="mtom-enabled" value="true" />
<entry key="ws-security.store.bytes.in.attachment" value="true" />
<entry key="exceptionMessageCauseEnabled" value="false" />
<!-- Test X.509 + UsernameTokenValidator -->
<entry key="ws-security.ut.validator" value-ref="LDAPUsernameTokenValidator" />
<entry key="ws-security.callback-handler" value-ref="ServiceKeystorePasswordCallback"/>
<entry key="ws-security.signature.properties" value="serviceKeystore.properties"/>
<entry key="ws-security.encryption.properties" value="serviceKeystore.properties"/>
<entry key="ws-security.encryption.username" value="useReqSigCert"/>
</jaxws:properties>
</jaxws:endpoint>
我使用的安全策略是这样的(还有输入和输出绑定,如果需要,我可以在这里复制它们):
<?xml version='1.0' encoding='UTF-8' ?>
<!DOCTYPE xml>
<wsp:Policy wsu:Id="SiapeBindingPolicy" xmlns:wsp="http://www.w3.org/ns/ws-policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata">
<sp:SignedEncryptedSupportingTokens>
<wsp:Policy>
<sp:UsernameToken
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssUsernameToken10 />
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:SignedEncryptedSupportingTokens>
<sp:SymmetricBinding>
<wsp:Policy>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic128 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:IncludeTimestamp />
<sp:Layout>
<wsp:Policy>
<sp:Strict />
</wsp:Policy>
</sp:Layout>
<sp:OnlySignEntireHeadersAndBody />
<sp:ProtectionToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
<wsp:Policy>
<sp:RequireIssuerSerialReference />
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:ProtectionToken>
</wsp:Policy>
</sp:SymmetricBinding>
<sp:Wss11>
<wsp:Policy>
<sp:MustSupportRefEncryptedKey />
<sp:MustSupportRefIssuerSerial />
<sp:MustSupportRefThumbprint />
</wsp:Policy>
</sp:Wss11>
<ns1:OptimizedMimeSerialization
xmlns:ns1="http://schemas.xmlsoap.org/ws/2004/09/policy/optimizedmimeserialization" />
<wsam:Addressing />
通过DEBUG,我注意到了这一点:
25-05-2016 18:28:32 DEBUG dom.DOMReference: 391 - Expected digest: 1FXanAzDZgOhiAgrIp7+8BrGqG4=
25-05-2016 18:28:32 DEBUG dom.DOMReference: 392 - Actual digest: GZCpbCx1dywGJIjTYooD2vn5Wi4=
25-05-2016 18:28:32 DEBUG dom.DOMXMLSignature: 268 - Reference[#_74e28a15-9fbc-412b-b9db-669f52cf767f] is valid: false
25-05-2016 18:28:32 DEBUG dom.DOMXMLSignature: 274 - Couldn't validate the References
25-05-2016 18:28:32 DEBUG processor.SignatureProcessor: 428 - XML Signature verification has failed
25-05-2016 18:28:32 DEBUG processor.SignatureProcessor: 431 - Signature Validation check: true
25-05-2016 18:28:32 DEBUG processor.SignatureProcessor: 441 - Reference #TS-6c94d844-7455-4c4a-8397-3b064269c735 check: true
25-05-2016 18:28:32 DEBUG processor.SignatureProcessor: 441 - Reference #UsernameToken-b87ccaae-3888-44cf-a951-4f5f066e9556 check: true
25-05-2016 18:28:32 DEBUG processor.SignatureProcessor: 441 - Reference #_74e28a15-9fbc-412b-b9db-669f52cf767f check: false
通过使用“ws-security.store.bytes.in.attachment”现在我通过调试看到SOAP被正确解密但它被拆分为两行“DEBUG internal.DigesterOutputStream:88 - 预先消化的输入:” ,我认为记录是一个限制。
我读到了第二种方法,它暗示了WSS4J的“storeBytesInAttachment”属性,但我没有看到任何关于它的例子。
任何人都可以帮助我吗?