How to get WS-Security certificate to be accepted by Java application
Note: this page is a translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use or share it, you must follow the same license, cite the original address and author information, and attribute it to the original authors (not me): StackOverflow
Original address: http://stackoverflow.com/questions/6584569/
Asked by VHristov
So I've been struggling with WS-Security for some time now, slowly making progress. First let me briefly describe my setup. I have a Java application running in Tomcat, which offers a web service endpoint (using Spring). I want incoming messages to be signed. I am testing with SoapUI. So after a long struggle, I got the server as far as checking incoming messages for a signature, and I also got SoapUI to sign outgoing messages. However, the server keeps rejecting the certificate and I'm not sure where I'm doing something wrong, i.e. am I sending the wrong certificate information with my test requests, or have I not correctly maintained the certificate in the truststore? Following is an example of a request:
<soapenv:Envelope xmlns="http://movilitas.com/movilizer/v7" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsu:Timestamp wsu:Id="Timestamp-7" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsu:Created>2011-06-30T12:51:33.407Z</wsu:Created>
        <wsu:Expires>2011-06-30T12:53:13.407Z</wsu:Expires>
      </wsu:Timestamp>
      <ds:Signature Id="Signature-6" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#id-2">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>theitroadQ2oXbajnnrSGsbOALT2i6brs=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
          fmtFMSccFcwEfL1M8qgQ...
        </ds:SignatureValue>
        <ds:KeyInfo Id="KeyId-C3B38A939F7D63D51F13094382933988">
          <wsse:SecurityTokenReference wsu:Id="STRId-C3B38A939F7D63D51F13094382933989" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3SubjectKeyIdentifier">
              MIICbzCCAdgCAQEwDQ...
            </wsse:KeyIdentifier>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body wsu:Id="id-2" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    [...]
  </soapenv:Body>
</soapenv:Envelope>
Now the content I have in <wsse:KeyIdentifier> is the same as the one I get when I export the certificate from my truststore (the base64-encoded version of the certificate). The error I get when I send the request is the following:
Jul 5, 2011 4:42:23 PM com.sun.xml.wss.impl.dsig.KeySelectorImpl resolve
SEVERE: WSS1353: Error occurred while resolving key information
com.sun.xml.wss.XWSSecurityException: No Matching public key for MIICbzCCAdgCAQEwDQ... subject key identifier found
at com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl.getCertificate(DefaultSecurityEnvironmentImpl.java:617)
at com.sun.xml.wss.impl.dsig.KeySelectorImpl.resolve(KeySelectorImpl.java:385)
at com.sun.xml.wss.impl.dsig.KeySelectorImpl.select(KeySelectorImpl.java:232)
...
Am I missing something? Something big? Or small? Is this what I am actually supposed to send as KeyIdentifier? Any help will be greatly appreciated!
Answered by home
You do not send along the certificate itself, only the reference to the certificate - the Subject Key Identifier. You either have to store your partners' public certificates in a truststore (keystore) or you must include the binary security token inside your message. See http://www.oasis-open.org/committees/download.php/16785/wss-v1.1-spec-os-x509TokenProfile.pdf section 3.3.2 for details.
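The following is an added example illustrating the answer's point; it is not code from the question, the answer, or the Metro/XWSS stack named in the stack trace. It is written in Go rather than Java because the check is about what the token carries, and Go's standard library can mint a throwaway certificate without a truststore file. Everything in it is an assumption for illustration: the function names (NewPartnerCert, References, ClassifyKeyIdentifier, ResolveBySKI), the partner names, and the simplified server-side lookup, which only matches on the SubjectKeyIdentifier extension. The diagnosis it encodes comes from the page itself: the text inside <wsse:KeyIdentifier> and the value echoed in the "No Matching public key" error both begin with "MII", which is how the base64 of a DER certificate starts, whereas a bare 20-byte subject key identifier encodes to 28 base64 characters.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// NewPartnerCert builds a throwaway self-signed certificate standing in for a
// partner certificate kept in the server's truststore (constructed test data).
// Its SKI extension is set per RFC 5280 4.2.1.2 method 1: SHA-1 over the
// subjectPublicKey bits, which for RSA is the PKCS#1 RSAPublicKey encoding.
func NewPartnerCert(cn string) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	ski := sha1.Sum(x509.MarshalPKCS1PublicKey(&key.PublicKey))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		SubjectKeyId: ski[:],
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// References returns both forms the X.509 token profile allows for pointing at
// the signing certificate: the KeyIdentifier text (server looks the cert up by
// SKI in its truststore) and the BinarySecurityToken text (whole cert in the message).
func References(cert *x509.Certificate) (keyIdentifier, binarySecurityToken string, err error) {
	if len(cert.SubjectKeyId) == 0 {
		return "", "", errors.New("certificate has no SubjectKeyIdentifier extension")
	}
	return base64.StdEncoding.EncodeToString(cert.SubjectKeyId),
		base64.StdEncoding.EncodeToString(cert.Raw), nil
}

// ClassifyKeyIdentifier decodes the text of a <wsse:KeyIdentifier> element and
// reports what was sent: "ski" for a bare identifier, "certificate" when a
// whole DER certificate was pasted in (that belongs in a BinarySecurityToken).
func ClassifyKeyIdentifier(b64 string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if _, err := x509.ParseCertificate(raw); err == nil {
		return "certificate", nil
	}
	if len(raw) == sha1.Size {
		return "ski", nil
	}
	return "unknown", nil
}

// ResolveBySKI mimics what a server-side key selector does with an SKI
// reference: walk the truststore and return the certificate whose SKI matches.
func ResolveBySKI(truststore []*x509.Certificate, keyIdB64 string) (*x509.Certificate, error) {
	want, err := base64.StdEncoding.DecodeString(keyIdB64)
	if err != nil {
		return nil, err
	}
	for _, c := range truststore {
		if len(c.SubjectKeyId) > 0 && bytes.Equal(c.SubjectKeyId, want) {
			return c, nil
		}
	}
	return nil, errors.New("no matching public key for subject key identifier")
}

func main() {
	partner, _ := NewPartnerCert("partner-a")
	other, _ := NewPartnerCert("partner-b")
	keyId, bst, _ := References(partner)
	for _, v := range []string{keyId, bst} {
		kind, _ := ClassifyKeyIdentifier(v)
		_, err := ResolveBySKI([]*x509.Certificate{other, partner}, v)
		fmt.Printf("%-11s base64 len=%d resolves=%v\n", kind, len(v), err == nil)
	}
}
```

Running it shows the short KeyIdentifier value resolving against the truststore and the full certificate value failing with the same kind of "no matching public key" outcome as in the question. To compare against a real truststore entry from the Java side, keytool -list -v prints the SubjectKeyIdentifier extension of each entry, and X509Certificate.getExtensionValue("2.5.29.14") returns the same value (DER-wrapped as an OCTET STRING inside an OCTET STRING) for base64 encoding.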