我正在将SOAP Web服务客户端升级到JDK 11和WSS4J 2.2.3(不带CXF / Spring)。 Java代码使用“独立”方法来处理加密,并且由于使用RSA15对其进行了加密,因此无法解密传入的响应。从2.0.0版开始,默认情况下禁用该算法,但是迁移指南建议可以通过将WSHandlerConstants.ALLOW_RSA15_KEY_TRANSPORT_ALGORITHM属性设置为“ true”来启用该算法。我怎样才能做到这一点??
我查看了WSS4J代码,可以看到RequestData对象是从WSS4J框架中的WSSecurityEngine类实例化的,并且看不到允许我将allowRSA15KeyTransportAlgorithm属性设置为'true'的钩子。我已经能够在eclipse上设置一个断点并更改其值,以确保它能够按预期的方式工作并且确实可以。我已经在网上搜索过,发现最接近的东西是一个类似的问题,在这里Allow the RSA v1.5 Key Transport Algorithm for WildFly / JBossWS / CXF / WSS4J stack没有明显的答案。我试图将WSS4J还原到1.6版,该版本允许使用该算法,但随后失败,并显示了不同的错误“ WRONG_DOCUMENT_ERR:在与创建它的节点不同的文档中使用了一个节点”。将WSS4J 1.6与任何版本的jaxws(JDK外部)一起使用时,似乎会发生这种情况。我认为可以解决此问题的唯一方法是侵入WSS4J 2.2.3依赖关系,并在RequestData类中将属性默认设置为“ true”,但我真的不想这样做。
private void inboundWSSConfig(SOAPMessageContext context, Crypto crypto) throws WSSecurityException{
log.info("Inbound Message...");
KeystoreCallbackHandler keystoreCallbackHandler = new KeystoreCallbackHandler();
keystoreCallbackHandler.addUsers((String)cryptoProperties.get("org.apache.ws.security.crypto.merlin.keystore.alias"), (String)cryptoProperties.get("org.apache.ws.security.crypto.merlin.keystore.password"));
WSSecurityEngine newEngine = new WSSecurityEngine();
WSSConfig config = WSSConfig.getNewInstance();
config.setValidator(WSConstants.SIGNATURE, new SignatureTrustValidator());
newEngine.setWssConfig(config);
newEngine.processSecurityHeader(context.getMessage().getSOAPPart(), null, keystoreCallbackHandler, crypto);
}
返回的错误消息是...
Jul 17, 2019 11:42:56 AM ensurebill.client.handler.HeaderHandler inboundWSSConfig
INFO: Inbound Message...
Jul 17, 2019 11:42:56 AM ensurebill.client.handler.HeaderHandler handleMessage
SEVERE: ERROR in handleMessage
org.apache.wss4j.common.ext.WSSecurityException: An error was discovered processing the <wsse:Security> header
at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:131)
at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:90)
at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:340)
at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:221)
at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:168)
at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:127)
at ensurebill.client.handler.HeaderHandler.inboundWSSConfig(HeaderHandler.java:160)
at ensurebill.client.handler.HeaderHandler.handleMessage(HeaderHandler.java:61)
at ensurebill.client.handler.HeaderHandler.handleMessage(HeaderHandler.java:1)
at com.sun.xml.ws.handler.HandlerProcessor.callHandleMessageReverse(HandlerProcessor.java:311)
at com.sun.xml.ws.handler.HandlerProcessor.callHandlersResponse(HandlerProcessor.java:184)
at com.sun.xml.ws.handler.ClientSOAPHandlerTube.callHandlersOnResponse(ClientSOAPHandlerTube.java:133)
at com.sun.xml.ws.handler.HandlerTube.processResponse(HandlerTube.java:144)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:1117)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:1020)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:989)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:847)
at com.sun.xml.ws.client.Stub.process(Stub.java:433)
at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:161)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:78)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:62)
at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:131)
at com.sun.proxy.$Proxy33.callNotificationInquiry(Unknown Source)
at ensurebill.client.swing.MenuItemListener.sendRequest(MenuItemListener.java:109)
at ensurebill.client.swing.MenuItemListener.actionPerformed(MenuItemListener.java:92)
at java.desktop/javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:1967)
at java.desktop/javax.swing.AbstractButton$Handler.actionPerformed(AbstractButton.java:2308)
at java.desktop/javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:405)
at java.desktop/javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:262)
at java.desktop/javax.swing.AbstractButton.doClick(AbstractButton.java:369)
at java.desktop/javax.swing.plaf.basic.BasicMenuItemUI.doClick(BasicMenuItemUI.java:1020)
at java.desktop/javax.swing.plaf.basic.BasicMenuItemUI$Handler.mouseReleased(BasicMenuItemUI.java:1064)
at java.desktop/java.awt.Component.processMouseEvent(Component.java:6632)
at java.desktop/javax.swing.JComponent.processMouseEvent(JComponent.java:3342)
at java.desktop/java.awt.Component.processEvent(Component.java:6397)
at java.desktop/java.awt.Container.processEvent(Container.java:2263)
at java.desktop/java.awt.Component.dispatchEventImpl(Component.java:5008)
at java.desktop/java.awt.Container.dispatchEventImpl(Container.java:2321)
at java.desktop/java.awt.Component.dispatchEvent(Component.java:4840)
at java.desktop/java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4918)
at java.desktop/java.awt.LightweightDispatcher.processMouseEvent(Container.java:4547)
at java.desktop/java.awt.LightweightDispatcher.dispatchEvent(Container.java:4488)
at java.desktop/java.awt.Container.dispatchEventImpl(Container.java:2307)
at java.desktop/java.awt.Window.dispatchEventImpl(Window.java:2772)
at java.desktop/java.awt.Component.dispatchEvent(Component.java:4840)
at java.desktop/java.awt.EventQueue.dispatchEventImpl(EventQueue.java:772)
at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:721)
at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:715)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:85)
at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:95)
at java.desktop/java.awt.EventQueue$5.run(EventQueue.java:745)
at java.desktop/java.awt.EventQueue$5.run(EventQueue.java:743)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:85)
at java.desktop/java.awt.EventQueue.dispatchEvent(EventQueue.java:742)
at java.desktop/java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:203)
at java.desktop/java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:124)
at java.desktop/java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:113)
at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:109)
at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
at java.desktop/java.awt.EventDispatchThread.run(EventDispatchThread.java:90)
最佳答案
经过大量的跟踪..我设法找到它。
这是通过向后浏览堆栈跟踪并查看源代码发现的:
从引发异常的地方开始at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:131)
public List<WSSecurityEngineResult> handleToken(Element elem, RequestData data, AlgorithmSuite algorithmSuite) {
// ...
if (WSConstants.KEYTRANSPORT_RSA15.equals(encryptedKeyTransportMethod)
&& !data.isAllowRSA15KeyTransportAlgorithm() // <=== because this is false, etc.
&& (algorithmSuite == null
|| !algorithmSuite.getKeyWrapAlgorithms().contains(WSConstants.KEYTRANSPORT_RSA15))) {
LOG.debug(
"The Key transport method does not match the requirement"
);
throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY); // <=== this is where you die
}
// ...
}
之所以死,是因为
requestData没有将allowRSA15KeyTransportAlgorithm设置为true。为什么
requestData没有将此设置为true,请求数据来自哪里。at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:90) at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:340) at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:221)全部都通过此方法中创建的
requestData传递:// line 208
public WSHandlerResult processSecurityHeader(
Element securityHeader,
String actor,
CallbackHandler cb,
Crypto sigVerCrypto,
Crypto decCrypto
) throws WSSecurityException {
RequestData data = new RequestData(); // creates RequestData but doesn't set `allowRSA15KeyTransportAlgorithm`
data.setActor(actor);
data.setWssConfig(getWssConfig());
data.setDecCrypto(decCrypto);
data.setSigVerCrypto(sigVerCrypto);
data.setCallbackHandler(cb);
return processSecurityHeader(securityHeader, data); // line 221
}
称为:
public WSHandlerResult processSecurityHeader(
Document doc,
String actor,
CallbackHandler cb,
Crypto crypto
) throws WSSecurityException {
return processSecurityHeader(doc, actor, cb, crypto, crypto);
}
您可以在
inboundWSSConfig方法中调用它。因此,因为您正在调用
processSecurityHeader(Document doc, String actor, CallbackHandler cb, Crypto crypto),所以它将初始化一个新的RequestData并在其上设置Crypto和CallbackHandler,但从不设置allowRSA15KeyTransportAlgorithm。相反,您应该自己创建
RequestData对象,如下所示:private void inboundWSSConfig(SOAPMessageContext context, Crypto crypto) throws WSSecurityException{
log.info("Inbound Message...");
KeystoreCallbackHandler keystoreCallbackHandler = new KeystoreCallbackHandler();
keystoreCallbackHandler.addUsers((String)cryptoProperties.get("org.apache.ws.security.crypto.merlin.keystore.alias"),
(String)cryptoProperties.get("org.apache.ws.security.crypto.merlin.keystore.password"));
WSSecurityEngine newEngine = new WSSecurityEngine();
WSSConfig config = WSSConfig.getNewInstance();
config.setValidator(WSConstants.SIGNATURE, new SignatureTrustValidator());
newEngine.setWssConfig(config);
RequestData data = new RequestData();
data.setWssConfig(config); // probably
data.setDecCrypto(crypto);
data.setSigVerCrypto(crypto);
data.setCallbackHandler(keystoreCallbackHandler);
data.setAllowRSA15KeyTransportAlgorithm(true);
newEngine.processSecurityHeader(context.getMessage().getSOAPPart(), data);
}