X509 WS-Security using spring-ws, XWS interceptor in WebSphere

Question

I am having a hard time with X509 certificate-based WS-Security in WebSphere v7.

Here's a little background: We are using spring-ws in our application, and we allow for UsernameToken profile security or X509 security. The two are implemented using the Xws Security interceptor, which runs off of the Xws Security Framework:

http://docs.oracle.com/cd/E17802_01/webservices/webservices/docs/1.6/tutorial/doc/XWS-SecurityIntro4.html

We implement the security on both the client-side & the server-side, both using the XWSS interceptor. There are two issues:

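  1. The javax.xml.crypto classes returned from WebSphere for "http://www.w3.org/2001/10/xml-exc-c14n#", or any CanonicalizationMethod, are incompatible with the XWSS interceptor. We see this error in the message logs on the server-side: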

12/5/11 17:26:41:098 EST 00000023 XwsSecurityIn W org.springframework.ws.soap.security.AbstractWsSecurityInterceptor handleValidationException Could not validate request: com.sun.xml.wss.XWSSecurityException: javax.xml.crypto.MarshalException: java.security.NoSuchAlgorithmException: class configured for TransformService: com.ibm.xml.crypto.dsig.dom.transform.ExcC14nTransformer not a TransformService; nested exception is com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.XWSSecurityException: javax.xml.crypto.MarshalException: java.security.NoSuchAlgorithmException: class configured for TransformService: com.ibm.xml.crypto.dsig.dom.transform.ExcC14nTransformer not a TransformService

I think the best thing to do here is override which implementation is used for decrypting these types. We do include the xmldsig-1.0.jar in our war file (which gets deployed with the classloader set to parent-last). Does anybody know of a way to overwrite this? I tried specifying "org.jcp.xml.dsig.internal.dom.XMLDSigRI" in the java.security in my runtime environment, but that did not work. We are including the xmldsig-1.0.jar in our application.

This seems like a compatibility issue between IBM's JRE & Sun's JRE. The XWSS interceptor was written by Sun, so they may have taken some things for granted.

  2. We are getting a NullPointerException on the client-side trying to insert the header elements needed to sign the request. We are using xerces for our DOM implementation, but this seems to be along the lines of the SOAPFactory. I tried setting the property "javax.xml.soap.SOAPFactory" to "com.sun.xml.messaging.saaj.soap.ver1_1.SOAPFactory1_1Impl", but that did not seem to fix the issue. Here is the stack trace:

[12/3/11 13:39:52:560 EST] 00000027 XwsSecurityIn E org.springframework.ws.soap.security.AbstractWsSecurityInterceptor handleSecurementException Could not secure response: java.lang.NullPointerException; nested exception is com.sun.xml.wss.XWSSecurityException: java.lang.NullPointerException
org.springframework.ws.soap.security.xwss.XwsSecuritySecurementException: java.lang.NullPointerException; nested exception is com.sun.xml.wss.XWSSecurityException: java.lang.NullPointerException

...

Caused by: com.sun.xml.wss.XWSSecurityException: java.lang.NullPointerException
    at com.sun.xml.wss.impl.misc.XWSSProcessor2_0Impl.secureOutboundMessage(XWSSProcessor2_0Impl.java:98)
    at org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor.secureMessage(XwsSecurityInterceptor.java:135)
    ... 86 more
Caused by: java.lang.NullPointerException
    at com.sun.xml.wss.core.Timestamp.getAsSoapElement(Timestamp.java:265)
    at com.sun.xml.wss.core.SecurityHeader.insertHeaderBlock(SecurityHeader.java:90)
    at com.sun.xml.wss.impl.filter.TimestampFilter.process(TimestampFilter.java:149)
    at com.sun.xml.wss.impl.HarnessUtil.processWSSPolicy(HarnessUtil.java:87)
    at com.sun.xml.wss.impl.HarnessUtil.processDeep(HarnessUtil.java:237)
    at com.sun.xml.wss.impl.SecurityAnnotator.processMessagePolicy(SecurityAnnotator.java:162)
    at com.sun.xml.wss.impl.SecurityAnnotator.secureMessage(SecurityAnnotator.java:137)
    at com.sun.xml.wss.impl.misc.XWSSProcessor2_0Impl.secureOutboundMessage(XWSSProcessor2_0Impl.java:96)
    ... 87 more

I've tried setting my policy configuration to disable the timestamp, but then I get an NPE on a different element. I don't believe the configuration is to blame, but here it is anyway:

<?xml version="1.0" encoding="UTF-8"?>
<SecurityConfiguration xmlns="http://java.sun.com/xml/ns/xwss/config" dumpMessages="true">
    <Sign includeTimestamp="false">
        <X509Token certificateAlias="1"/>
    </Sign>
</SecurityConfiguration>

I have tested this on JBoss & Jetty, and both worked as expected. Any assistance would be greatly appreciated...
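
A diagnostic for the first error above, added here as an example and not part of the original question: it lists every security provider that registers a TransformService for the exclusive-c14n URI from the log, and shows which class loader supplied both the implementation and the `javax.xml.crypto.dsig.TransformService` API class. The class name `TransformServiceCheck` is hypothetical; call `report()` from inside the deployed application so it runs under the same class loaders as the interceptor.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.TransformService;

// Hypothetical helper class (not from the post); uses only JDK APIs.
public class TransformServiceCheck {
    static String loaderOf(Class<?> c) {
        ClassLoader cl = c.getClassLoader();
        return cl == null ? "bootstrap (JRE)" : cl.toString();
    }

    public static String report() {
        String uri = CanonicalizationMethod.EXCLUSIVE; // the URI from the log
        StringBuilder out = new StringBuilder();
        // Which copy of the XML-DSig API is in use: the JRE's or a jar in the WAR.
        out.append("TransformService API loaded by: ")
           .append(loaderOf(TransformService.class)).append('\n');
        // Every provider registration for this algorithm, in preference order.
        ClassLoader ctx = Thread.currentThread().getContextClassLoader();
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if (!"TransformService".equals(s.getType()) || !uri.equals(s.getAlgorithm())) {
                    continue;
                }
                out.append(p.getName()).append(" -> ").append(s.getClassName()).append('\n');
                try {
                    Class<?> impl = Class.forName(s.getClassName(), false, ctx);
                    out.append("  loaded by: ").append(loaderOf(impl)).append('\n');
                    out.append("  subclass of the API class above: ")
                       .append(TransformService.class.isAssignableFrom(impl)).append('\n');
                } catch (ClassNotFoundException e) {
                    out.append("  not visible to this class loader\n");
                } catch (LinkageError e) {
                    out.append("  failed to link: ").append(e).append('\n');
                }
            }
        }
        // The same lookup the signature code performs.
        try {
            TransformService ts = TransformService.getInstance(uri, "DOM");
            out.append("Resolved: ").append(ts.getClass().getName())
               .append(" from provider ").append(ts.getProvider().getName()).append('\n');
        } catch (NoSuchAlgorithmException e) {
            out.append("Lookup failed: ").append(e.getMessage()).append('\n');
        }
        return out.toString();
    }
    public static void main(String[] args) { System.out.print(report()); }
}
```

A registration that prints `false` for the subclass check is one the running code cannot use as a TransformService.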

Recommended answer

After much research, I've found that the XWS Security Interceptor is incompatible with IBM's JRE. I was able to get it to work with UsernameToken profile security, but it will not work with certificate-based security. I have decided to re-write this using the WSS4J interceptor.

For more information, please look at chapter 7.2:

http://static.springsource.org/spring-ws/site/reference/pdf/spring-ws-reference.pdf
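
A sketch of what the switch described in this answer can look like, added here as an example and not the answerer's own code: a spring-ws `Wss4jSecurityInterceptor` that signs with the key under alias "1" and sends no timestamp, mirroring the XWSS policy in the question. The class name, keystore file name and passwords are placeholders, and the code assumes a spring-ws release in which `CryptoFactoryBean` is a typed `FactoryBean<Crypto>`.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor;
import org.springframework.ws.soap.security.wss4j.support.CryptoFactoryBean;

// Hypothetical configuration class; all names and secrets below are placeholders.
@Configuration
public class Wss4jSigningConfig {

    // Keystore holding the signing key and the certificates trusted for validation.
    @Bean
    public CryptoFactoryBean signatureCrypto() throws Exception {
        CryptoFactoryBean crypto = new CryptoFactoryBean();
        crypto.setKeyStoreLocation(new ClassPathResource("keystore.jks")); // placeholder path
        crypto.setKeyStorePassword("KEYSTORE_PASSWORD");                   // placeholder
        return crypto;
    }

    @Bean
    public Wss4jSecurityInterceptor wsSecurityInterceptor() throws Exception {
        Wss4jSecurityInterceptor interceptor = new Wss4jSecurityInterceptor();

        // Outbound: sign only. No "Timestamp" action, matching includeTimestamp="false".
        interceptor.setSecurementActions("Signature");
        interceptor.setSecurementUsername("1");             // key alias, as certificateAlias="1"
        interceptor.setSecurementPassword("KEY_PASSWORD");  // placeholder private-key password
        interceptor.setSecurementSignatureCrypto(signatureCrypto().getObject());
        // Send the certificate in the message as a BinarySecurityToken (X.509 token profile).
        interceptor.setSecurementSignatureKeyIdentifier("DirectReference");

        // Inbound: require a signature and verify it against the same keystore.
        interceptor.setValidationActions("Signature");
        interceptor.setValidationSignatureCrypto(signatureCrypto().getObject());
        return interceptor;
    }
}
```

In a real deployment, load the passwords from protected configuration and keep the validation truststore separate from the signing keystore.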
