When configuring CXF security, using UsernameToken or Timestamp both pass security processing fine.
But when using <entry key="action" value="Timestamp Signature Encrypt"/>, the following error appears:
org.apache.cxf.binding.soap.SoapFault: Security processing failed (actions mismatch)

According to information found online, this error is mainly because, in WSS4J, when the client validates the XML returned by the server, it requires that the order of validation match the server's settings exactly; for example, if our server sets Timestamp and Signature on the returned XML, then the actions configured in the client's InHandler must also be Timestamp and Signature, in the same order, otherwise validation fails. I changed all the related configuration files to <entry key="action" value="Timestamp Signature Encrypt"/>, but the same error still appears.
Debugging the source code shows that the problem is mainly here, at WSS4JInInterceptor.java:243:

if (wsResult.size() != actions.size() || !checkReceiverResults(wsResult, actions)) {
    LOG.warning("Security processing failed (actions mismatch)");
    throw new SoapFault(new Message("ACTION_MISMATCH", LOG), version.getSender());
}

That is, the condition wsResult.size() != actions.size() || !checkReceiverResults(wsResult, actions) is not being met.

So I added the following debugging code:

System.out.println(wsResult.size() + "=" + actions.size());
Enumeration en = wsResult.elements();
while (en.hasMoreElements()) {
    System.out.println("====" + en.nextElement() + "====");
}
Enumeration sn = actions.elements();
while (sn.hasMoreElements()) {
    System.out.println("====" + sn.nextElement() + "====");
}
System.out.println(checkReceiverResults(wsResult, actions));
if (wsResult.size() != actions.size() || !checkReceiverResults(wsResult, actions)) {
    LOG.warning("Security processing failed (actions mismatch)");
    throw new SoapFault(new Message("ACTION_MISMATCH", LOG), version.getSender());
}

The output was as follows:
4=3
===={action=32, timestamp=<wsu:Timestamp wsu:Id="Timestamp-31947169" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2008-07-16T08:17:27.484Z</wsu:Created><wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2008-07-16T08:22:27.484Z</wsu:Expires></wsu:Timestamp>}
====
===={action=2, signature-value=[B@14ff81a, x509-certificate=[
[
Version: V1
Subject: CN=alice, OU=NOT FOR PRODUCTION USE, O=apache.org
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: Sun RSA public key, 1024 bits
modulus: 1263484169177557671263224487187211777310763
23519034413809068168
64389683263383004736860842166508994299056230555639499
214377848416246054130349
86416715293869606997853074959278581977717962624861753
41685021377452978478602394482
8519023328864859046219530934003168257162451809942341
37221539597783517858899316957079193
public exponent: 65537
Validity: [From: Tue Jul 31 10:01:14 CST 2007,
To: Sat Dec 16 10:01:14 CST 2034]
Issuer: CN=alice, OU=NOT FOR PRODUCTION USE, O=apache.org
SerialNumber: [ 46ae97ea]]
Algorithm: [MD5withRSA]
Signature:
0000: 67 3B 0B 20 03 C8 B4 41 8F 20 E6 94 94 93 E8 B6 g;. ...A. ......
0010: 22 E0 4C 35 ED 40 41 6E 09 C0 23 D2 25 F9 77 76 ".L5.@An..#.%.wv
0020: CB 07 87 F1 23 15 BF 09 19 55 BA CA 8D 2C 11 0A ....#....U...,..
0030: B8 02 56 BF 08 78 D4 BC 74 06 26 73 49 AF C5 4F ..V..x..t.&sI..O
0040: 1F 3A 91 CB 0B A0 DD 5A 66 26 9F FD B7 14 8D 2C .:.....Zf&.....,
0050: 9B 23 22 23 96 6E BD 87 DC CC 65 F3 90 A3 1F 5B .#"#.n....e....[
0060: 09 9C 50 23 A2 15 D9 D0 CA B9 55 12 91 D2 C1 1B ..P#......U.....
0070: 84 02 CF CA F4 C0 DA 50 1E AC 4B 15 1D ED E3 B2 .......P..K.....], principal=CN=alice, OU=NOT FOR PRODUCTION USE,
O=apache.org, protected-elements=[],
signed-element-ids=[Timestamp-31947169, id-8041484]}
====
===={binary-security-token=<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v1" wsu:Id="CertId-93751" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
MIIB/jCCAWcCBEaul+owDQYJKoZIhvcNAQEEBQAwRjETMBEGA1UEChMKYXBhY2hlLm9yZzEfM
Jr8VPHzqRywug3VpmJp/9txSNLJsjIiOWbr2H3Mxl85CjH1sJnFAjohXZ0Mq5VRKR0sEbhALPyv
TA2lAerEsVHe3jsg==</wsse:BinarySecurityToken>, action=4096, x509-certificates=[Ljava.security.cert.X509Certificate;@1298826}
====
===={action=4, data-ref-uris=[org.apache.ws.security.WSDataRef@1a99836, org.apache.ws.security.WSDataRef@148083b], encrypted-key-id=EncKeyId-urn:uuid:F12D1E3C6CEA04CA4512161962491252, decrypted-key=[B@1497b1, encrypted-ephemeral-key-bytes=[B@1f31ad9}
====
====32====
====2====
====4====

From the above we can conclude: the security header results generated by the system contain one more entry than the configured <entry key="action" value="Timestamp Signature Encrypt"/>, namely {binary-security-token=<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org, which is what causes the actions not to match. Is this really what causes the problem?
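As an added illustration (not code from the post, nor from CXF or WSS4J), here is a Python model of the comparison the interceptor performs, using the action codes the debug output prints (32 = Timestamp, 2 = Signature, 4 = Encrypt, 4096 = BinarySecurityToken). The strict check reproduces the 4 vs 3 size failure seen in the post; the lenient variant, which sets aside the certificate-carrying BinarySecurityToken result before comparing the remaining actions in order, is my own model of what the printed data calls for, not the project's fix. The result dictionaries are constructed stand-ins for the four WSSecurityEngineResult entries in the output.

```python
# Added example: models how the receiver-side action check compares
# security-engine results with the configured "action" list.
TS, SIGN, ENCR, BST = 32, 2, 4, 4096          # codes as printed in the post
ACTION_NAMES = {"Timestamp": TS, "Signature": SIGN, "Encrypt": ENCR}
# Results that have no configured action of their own: the BST result only
# carries the signing certificate, so it should not count as a mismatch.
ANCILLARY = {BST}


def parse_actions(action_value):
    """Turn the <entry key="action" value="..."/> string into action codes."""
    codes = []
    for name in action_value.split():
        if name not in ACTION_NAMES:
            raise ValueError("unknown action: " + name)
        codes.append(ACTION_NAMES[name])
    return codes


def strict_match(results, actions):
    """Size check plus in-order comparison: the check the post hits at line 243."""
    if len(results) != len(actions):
        return False
    return [r["action"] for r in results] == actions


def lenient_match(results, actions):
    """Skip ancillary results (BST), then require the remaining actions in order."""
    seen = [r["action"] for r in results if r["action"] not in ANCILLARY]
    return seen == actions


# Constructed stand-ins for the four results printed in the post, same order.
WS_RESULT = [
    {"action": TS, "timestamp": "Timestamp-31947169"},
    {"action": SIGN, "signed-element-ids": ["Timestamp-31947169", "id-8041484"]},
    {"action": BST, "binary-security-token": "CertId-93751"},
    {"action": ENCR, "encrypted-key-id": "EncKeyId-urn:uuid:F12D1E3C6CEA04CA4512161962491252"},
]


def diagnose(results, action_value):
    """Report counts, both checks, and which result actions were never configured."""
    actions = parse_actions(action_value)
    extra = [r["action"] for r in results if r["action"] not in actions]
    return {"result_count": len(results), "action_count": len(actions),
            "strict": strict_match(results, actions),
            "lenient": lenient_match(results, actions), "unconfigured": extra}


if __name__ == "__main__":
    print(diagnose(WS_RESULT, "Timestamp Signature Encrypt"))
```

Running it reports result_count 4 against action_count 3, strict False, lenient True and 4096 as the only unconfigured action, which is exactly the extra BinarySecurityToken entry the post points at.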
Original poster [friskytony], historical summary as of 2008-07-16 16:48:35 (not including this post).