Implementing password digest for ws-security UsernameToken in Java


Problem description

I am trying to make a call to a ws-security secured webservice from a server which unfortunately does not support this natively. The approach I have taken is to implement a .jsp which acts as reverse proxy to the actual end point URL, in the process adding the element with ws-security elements.

This seems to be working quite well and I am confident I've constructed the XML correctly with the correct namespaces etc. I've verified this by comparing the XML with XML produced by SOAP-UI.

The problem is in implementing the password digest generator. I don't get the same result as what SOAP-UI does using the same inputs for NOnce, xsd:dateTime and password, and the following code.

StringBuffer passwordDigestStr_ = new StringBuffer();

// First append the NOnce from the SOAP header
passwordDigestStr_.append(Base64.decode("PzlbwtWRpmFWjG0JRIRn7A=="));

// Then append the xsd:dateTime in UTC timezone
passwordDigestStr_.append("2012-06-09T18:41:03.640Z");

// Finally append the password/secret
passwordDigestStr_.append("password");

System.out.println("Generated password digest: " + new String(com.bea.xbean.util.Base64.encode(org.apache.commons.codec.digest.DigestUtils.sha(passwordDigestStr_.toString())), "UTF-8"));

I think the problem is with implementing the hashing of the first two elements as explained by http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0.pdf


Note that the nonce is hashed using the octet sequence of its decoded value while the timestamp is hashed using the octet sequence of its UTF8 encoding as specified in the contents of the element.

If anyone could help me solve this problem that would be great because it's beginning to drive me crazy! It would be ideal if you could provide source code.

Recommended answer

I'll take a crack at it without SOAP-UI. The input to the hash function is supposed to be bytes, not a string. DigestUtils.sha() will allow you to use a string, but that string must be properly encoded. When you wrote the nonce, you were calling StringBuffer.append(Object) which ends up calling byte[].toString(). That gives you something like [B@3e25a5, definitely not what you want. By using bytes everywhere, you should avoid this problem. Note that the example below uses org.apache.commons.codec.binary.Base64, not the Base64 class you were using. It doesn't matter, that's just the one I had handy.

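import java.nio.ByteBuffer;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.codec.digest.DigestUtils;

// Collect the raw bytes to hash: decoded nonce + created + password
ByteBuffer buf = ByteBuffer.allocate(1000);
buf.put(Base64.decodeBase64("PzlbwtWRpmFWjG0JRIRn7A=="));  // nonce as Base64-decoded octets
buf.put("2012-06-09T18:41:03.640Z".getBytes("UTF-8"));     // xsd:dateTime as UTF-8 bytes
buf.put("password".getBytes("UTF-8"));                     // password as UTF-8 bytes
// Copy out only the bytes that were actually written
byte[] toHash = new byte[buf.position()];
buf.rewind();
buf.get(toHash);
// SHA-1 over the bytes, then Base64-encode the digest
byte[] hash = DigestUtils.sha(toHash);
System.out.println("Generated password digest: " + Base64.encodeBase64String(hash));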
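
Added example, not part of the original answer: the same digest computed with JDK classes only (Java 8+), plus a receiver-side check that recomputes the digest and compares it in constant time, which goes one step beyond what the answer shows. The class and method names and the 16-byte nonce length are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;

public class UsernameTokenDigest {
    // SHA-1(decoded nonce octets + Created as UTF-8 + password as UTF-8)
    static byte[] digestBytes(String nonceB64, String created, String password) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(Base64.getDecoder().decode(nonceB64)); // raw octets, not the Base64 text
        sha1.update(created.getBytes(StandardCharsets.UTF_8));
        sha1.update(password.getBytes(StandardCharsets.UTF_8));
        return sha1.digest();
    }

    // Sender side: the Base64 value that goes into the Password element
    static String passwordDigest(String nonceB64, String created, String password) throws Exception {
        return Base64.getEncoder().encodeToString(digestBytes(nonceB64, created, password));
    }

    // Receiver side: recompute from the stored password and compare in constant time
    static boolean verify(String nonceB64, String created, String receivedB64, String password) {
        try {
            byte[] received = Base64.getDecoder().decode(receivedB64);
            return MessageDigest.isEqual(digestBytes(nonceB64, created, password), received);
        } catch (Exception e) {
            return false; // malformed Base64 or missing algorithm: reject the token
        }
    }

    public static void main(String[] args) throws Exception {
        // Inputs taken from the question
        String nonce = "PzlbwtWRpmFWjG0JRIRn7A==", created = "2012-06-09T18:41:03.640Z";
        String digest = passwordDigest(nonce, created, "password");
        System.out.println("Password digest: " + digest);
        System.out.println("verify, right password: " + verify(nonce, created, digest, "password"));
        System.out.println("verify, wrong password: " + verify(nonce, created, digest, "hunter2"));

        // Fresh values for a new token: 16 random bytes and the current UTC time
        byte[] raw = new byte[16];
        new SecureRandom().nextBytes(raw);
        String freshNonce = Base64.getEncoder().encodeToString(raw);
        String freshCreated = Instant.now().toString(); // ISO-8601 UTC, ends in "Z"
        System.out.println("Fresh digest: " + passwordDigest(freshNonce, freshCreated, "password"));
    }
}
```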
