Validation of encrypted SOAP request throws the error fault

耗尽温柔 submitted on 2019-12-04 06:26:18

Question


This picture shows my simple WS-Security configuration in SoapUI:

And I apply this configuration to the SOAP request:

Then the <arg0> content of the SOAP request is encrypted. This is the encrypted SOAP message.

<soapenv:Envelope xmlns:soap="http://soap.aaa.com/" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="9C55238F5BB25B8A7214711332555022">...</wsse:BinarySecurityToken><xenc:EncryptedKey Id="EK-9C55238F5BB25B8A7214711332555001" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference><wsse:Reference URI="#9C55238F5BB25B8A7214711332555022" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>GudjGW52R0Iu+KnTZARE7nHFwPGvmXRZCuIQqnhz8it9WJs+2Jai7W0dAmhtkNxi2k0/g8IhL1v1EpA6JuJUEzkOnyuCoUttyR5ROLxpbHzD1DtEZT8AEgiOwFmmov7t6UsKDSn2jxL8ftraf44ISxrMCbJ10cuN6gJT9ghT9USdvvT/1vKhuBqm251bn9kgPkqNTDcYntQpwSkRCTZz+yf+pv77DVE5MPMk8FLHE4TeROsqLyNC8YzH8ncITGqOrDM4PY+1/H2XUkWaAeMz9ZcqqseD97Mr86ZpOgwP/V0Z6v9iRSrBYTpnDqPd8TIJ1wJs88sJ6+QIOMA6kySMtQ==</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference URI="#ED-9C55238F5BB25B8A7214711332555093"/></xenc:ReferenceList></xenc:EncryptedKey></wsse:Security></soapenv:Header>
   <soapenv:Body>
      <soap:sayHello>
         <!--Optional:-->
         <arg0><xenc:EncryptedData Id="ED-9C55238F5BB25B8A7214711332555093" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"><wsse:Reference URI="#EK-9C55238F5BB25B8A7214711332555001"/></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>CKtrCSg+Q1HqzLQulEi0YmGxGNlrjlANGsgbSirlbXE=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></arg0>
      </soap:sayHello>
   </soapenv:Body>
</soapenv:Envelope>

However, validating this encrypted SOAP message throws an error fault:

The fault message is

line 6:Element not allowed: EncryptedData@http://www.w3.org/2001/04/xmlenc# in element arg0

I can't find any reference at all.

UPDATE 1

SoapUI still throws the same exception. For simplicity I made a single JKS file with the keytool command's -genkeypair option.

keytool -genkeypair -keyalg RSA -alias servicekey -keypass password123 -storepass password123 -validity 365 -keystore serviceKeystore.jks -dname "cn=localhost"

And I modified the WS client and service a little, like below:

== index.jsp

<%@ page import="java.net.URL" %>
<%@ page import="javax.xml.namespace.QName" %>
<%@ page import="javax.xml.ws.Service" %>
<%@ page import="javax.xml.ws.BindingProvider" %>
<%@ page import="org.apache.cxf.ws.security.SecurityConstants" %>
<%-- IHelloWorld and KeystorePasswordCallback are the application's own classes;
     import them from the package they live in (not shown here). --%>
<body>
<%
String SERVICE_URL = "http://localhost:8080/SOAPEncryptWeb/HelloWorld";

try {
    QName serviceName = new QName("http://soap.aaa.com/", "HelloWorldService");

    // Build the client proxy dynamically from the deployed WSDL
    URL wsdlURL = new URL(SERVICE_URL + "?wsdl");
    Service service = Service.create(wsdlURL, serviceName);

    IHelloWorld port = service.getPort(IHelloWorld.class);
    BindingProvider bp = (BindingProvider) port;

    // Supplies the keystore/key password when CXF asks for it
    bp.getRequestContext().put(SecurityConstants.CALLBACK_HANDLER, new KeystorePasswordCallback());
    // Crypto properties (keystore type, location, password) used for encryption
    bp.getRequestContext().put(SecurityConstants.ENCRYPT_PROPERTIES,
            Thread.currentThread().getContextClassLoader().getResource("META-INF/client.properties"));
    // Alias of the service certificate the request is encrypted for
    bp.getRequestContext().put(SecurityConstants.ENCRYPT_USERNAME, "servicekey");
    // Return the real WS-Security error instead of a generic fault
    bp.getRequestContext().put(SecurityConstants.RETURN_SECURITY_ERROR, "true");

    out.println(port.sayHello("jina"));
} catch (Exception e) {
    // Print the full stack trace so WS-Security failures are visible in the server log
    e.printStackTrace();
}
%>
</body>

== server-side configuration

<jaxws-config xmlns="urn:jboss:jbossws-jaxws-config:4.0"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xmlns:javaee="http://java.sun.com/xml/ns/javaee"
              xsi:schemaLocation="urn:jboss:jbossws-jaxws-config:4.0 schema/jbossws-jaxws-config_4_0.xsd">

   <endpoint-config>
      <config-name>Custom WS-Security Endpoint</config-name>
      <property>
         <property-name>ws-security.encryption.properties</property-name>
         <property-value>META-INF/server.properties</property-value>
      </property>
      <property>
         <property-name>ws-security.encryption.username</property-name>
         <property-value>servicekey</property-value>
      </property>
      <property>
         <property-name>ws-security.return.security.error</property-name>
         <property-value>true</property-value>
      </property>
      <property>
         <property-name>ws-security.callback-handler</property-name>
         <property-value>com.aaa.soap.KeystorePasswordCallback</property-value>
      </property>
   </endpoint-config>
</jaxws-config>

However, this configuration throws an exception, but no exception in WildFly 10.0:

17:25:22,588 WARNING [org.apache.cxf.phase.PhaseInterceptorChain] (default task-12) Interceptor for {http://soap.aaa.com/}HelloWorldService has thrown exception, unwinding now: org.apache.cxf.binding.soap.SoapFault: An error was discovered processing the <wsse:Security> header
    at org.apache.cxf.ws.security.wss4j.WSS4JUtils.createSoapFault(WSS4JUtils.java:216)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:329)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:184)
    at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:79)
    at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:66)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
    at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
    at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:251)
    at org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:108)
    at org.jboss.wsf.stack.cxf.transport.ServletHelper.callRequestHandler(ServletHelper.java:134)
    at org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:88)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:293)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:212)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
    at org.jboss.wsf.stack.cxf.CXFServletExt.service(CXFServletExt.java:136)
    at org.jboss.wsf.spi.deployment.WSFServlet.service(WSFServlet.java:140)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.wss4j.common.ext.WSSecurityException: An error was discovered processing the <wsse:Security> header
    at org.apache.wss4j.common.crypto.AlgorithmSuiteValidator.checkSymmetricEncryptionAlgorithm(AlgorithmSuiteValidator.java:149)
    at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.decryptDataRef(EncryptedKeyProcessor.java:550)
    at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.decryptDataRefs(EncryptedKeyProcessor.java:481)
    at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:199)
    at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:76)
    at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:344)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:280)
    ... 42 more

Answer 1:


Don't hesitate about the Validate option in the testStep request.

This option validates the request against the XSD schema of your request, located in the WSDL which you used to load the project in SoapUI.

Probably your WSDL lacks the definition of the [ws security policy] which tells you the security requirements implemented in your WS.

For your case, your WSDL must have something like:

<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
                  xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
                  xmlns:wsp="http://www.w3.org/ns/ws-policy"
                  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                  xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802">
    ...
    <wsp:Policy>
        ...
        <sp:EncryptedParts>...</sp:EncryptedParts>
        ...
    </wsp:Policy>
</wsdl:definitions>

So since this is missing, the request doesn't validate against your WSDL.

Anyway, the thing is that the WSDL you load in SoapUI could be different from the WS implementation (since it's not up to date or something like that). So simply try to send the request (although it does not meet the WSDL validation) and see what your WS responds.

Hope this helps,




Answer 2:


You have the already-encrypted message in the XML tab of SoapUI and try to validate it against the XSD. That will never work, as the XSD doesn't know anything about "xenc:EncryptedData"!

The encrypted message will be shown in the "Raw" tab after you send the request, as SoapUI will do the encryption while sending. You should not "apply outgoing" by yourself!
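Both the message in the question and the explanation in Answer 2 can be checked mechanically. The following Python script is an added example, not code from the question, the answers, SoapUI or CXF. It parses a constructed copy of the posted envelope (certificate and cipher values replaced by placeholders; Ids and algorithm URIs as posted), verifies that the EncryptedKey in the header and the EncryptedData in the body reference each other, compares the algorithms used against the WS-SecurityPolicy Basic128 and Basic256 suites (the kind of comparison behind the AlgorithmSuiteValidator.checkSymmetricEncryptionAlgorithm frame in the server trace; which suite the poster's endpoint enforces is not shown in the question, so both are run), and reports what arg0 contains. The assumption that the service schema types arg0 as a plain string comes from the plaintext request carrying "jina"; under that assumption an element child inside arg0 is exactly the "Element not allowed" condition the SoapUI validator reports.

```python
"""Structural checks on a WS-Security encrypted SOAP envelope.
Added example using only the standard library; not code from the question or answers."""
import xml.etree.ElementTree as ET

XENC = "{http://www.w3.org/2001/04/xmlenc#}"
WSSE = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}"
APP = "{http://soap.aaa.com/}"

# WS-SecurityPolicy algorithm suites: (symmetric algorithm, key-transport algorithm)
SUITES = {
    "Basic128": ("http://www.w3.org/2001/04/xmlenc#aes128-cbc",
                 "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"),
    "Basic256": ("http://www.w3.org/2001/04/xmlenc#aes256-cbc",
                 "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"),
}

# Constructed copy of the envelope from the question; certificate and cipher
# values are placeholders, Ids and algorithm URIs are as posted.
ENCRYPTED = """<soapenv:Envelope xmlns:soap="http://soap.aaa.com/"
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsse:BinarySecurityToken wsu:Id="9C55238F5BB25B8A7214711332555022">CERT-PLACEHOLDER</wsse:BinarySecurityToken>
      <xenc:EncryptedKey Id="EK-9C55238F5BB25B8A7214711332555001" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <wsse:SecurityTokenReference><wsse:Reference URI="#9C55238F5BB25B8A7214711332555022"/></wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData><xenc:CipherValue>WRAPPED-KEY-PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
        <xenc:ReferenceList><xenc:DataReference URI="#ED-9C55238F5BB25B8A7214711332555093"/></xenc:ReferenceList>
      </xenc:EncryptedKey>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <soap:sayHello>
      <arg0><xenc:EncryptedData Id="ED-9C55238F5BB25B8A7214711332555093"
          Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <wsse:Reference URI="#EK-9C55238F5BB25B8A7214711332555001"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData><xenc:CipherValue>CIPHERTEXT-PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
      </xenc:EncryptedData></arg0>
    </soap:sayHello>
  </soapenv:Body>
</soapenv:Envelope>"""

# Constructed plaintext form of the same request, as it is before SoapUI encrypts it.
PLAINTEXT = """<soapenv:Envelope xmlns:soap="http://soap.aaa.com/"
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header/>
  <soapenv:Body><soap:sayHello><arg0>jina</arg0></soap:sayHello></soapenv:Body>
</soapenv:Envelope>"""


def check_references(envelope):
    """Return dangling-reference problems between EncryptedKey and EncryptedData
    elements; an empty list means every reference resolves in both directions."""
    root = ET.fromstring(envelope)
    keys = {ek.get("Id"): ek for ek in root.iter(XENC + "EncryptedKey")}
    data = {ed.get("Id"): ed for ed in root.iter(XENC + "EncryptedData")}
    problems = []
    # Each DataReference in the header must name an EncryptedData that exists.
    for ek_id, ek in keys.items():
        for ref in ek.iter(XENC + "DataReference"):
            target = ref.get("URI", "").lstrip("#")
            if target not in data:
                problems.append("EncryptedKey %s references missing EncryptedData %s" % (ek_id, target))
    # Each EncryptedData must point back at an EncryptedKey that exists.
    for ed_id, ed in data.items():
        back = [r.get("URI", "").lstrip("#") for r in ed.iter(WSSE + "Reference")]
        if not back or back[0] not in keys:
            problems.append("EncryptedData %s does not reference a known EncryptedKey" % ed_id)
    return problems


def check_algorithms(envelope, suite):
    """Compare the algorithms in the message with a WS-SecurityPolicy suite,
    the kind of check WSS4J's AlgorithmSuiteValidator performs on the server."""
    symmetric, key_transport = SUITES[suite]
    root = ET.fromstring(envelope)
    problems = []
    for ek in root.iter(XENC + "EncryptedKey"):
        alg = ek.find(XENC + "EncryptionMethod").get("Algorithm")
        if alg != key_transport:
            problems.append("key transport %s not allowed by %s" % (alg, suite))
    for ed in root.iter(XENC + "EncryptedData"):
        alg = ed.find(XENC + "EncryptionMethod").get("Algorithm")
        if alg != symmetric:
            problems.append("symmetric algorithm %s not allowed by %s" % (alg, suite))
    return problems


def arg0_content_kind(envelope):
    """Describe what sayHello/arg0 holds: "text" validates against a string
    type, "element:<tag>" is what a schema validator rejects."""
    root = ET.fromstring(envelope)
    children = list(root.find(".//" + APP + "sayHello/arg0"))
    return "element:" + children[0].tag if children else "text"


if __name__ == "__main__":
    print("references:", check_references(ENCRYPTED) or "consistent")
    for name in SUITES:
        print(name + ":", check_algorithms(ENCRYPTED, name) or "ok")
    print("plaintext arg0 holds", arg0_content_kind(PLAINTEXT))
    print("encrypted arg0 holds", arg0_content_kind(ENCRYPTED))
```

Run directly, the script reports consistent references, an algorithm match for Basic128 and a mismatch for Basic256, and shows that arg0 holds text before encryption and an xenc:EncryptedData element afterwards. On the receiving side, a request whose references do not resolve or whose algorithm falls outside the configured suite should be rejected before any decryption is attempted, which is what the WSS4J fault in the server trace is doing.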



Source: https://stackoverflow.com/questions/38938239/validation-of-encrypted-soap-request-throws-the-error-fault
