What does "wsse:InvalidSecurity" mean?


Question

An error was discovered processing the <wsse:Security> header

This is a WS-Security question btw...

I can't see anything wrong with my WS endpoint (apart from the fact that it's running in a TIBCO BW engine!). Does someone have any 'prior' with this kind of error? I realise that the WS-Security Header could be broken anywhere presumably to get this error but, there's GOT to be a 90% percentile on some kind of common error.

Here's the secured SOAP - the client is standalone java (WSS4J 1.5.0) performing signing only at this stage.

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header>
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-20237898">
                <ds:SignedInfo>
                    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                    <ds:Reference URI="#id-18414151">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                        <ds:DigestValue>DvjhvAtEVxwntL/RjMCNhId57cg=</ds:DigestValue>
                    </ds:Reference>
                </ds:SignedInfo>
                <ds:SignatureValue>
YbOB3FRduCr5rutpIvch9sDZfZToy3pjm+Kyl/Oqz6cAPqMVKqvKBb4P7ebnzP/3SVjm+PfLqlE5
BGgcT3Vz93apyg+eY1rAIYUs7K1Zt9F5ejMmij6HQpQTGpyM9BUXJi1x5bt9GuMtD0SK939bIIE2
ZUyZ0jPJp/wUhMonskw=
</ds:SignatureValue>
                <ds:KeyInfo Id="KeyId-15734641">
                    <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-3852606">
                        <ds:X509Data>
                            <ds:X509IssuerSerial>
                                <ds:X509IssuerName>CN=Mark Hesketh,OU=asdf,O=DVA,L=Canberra,ST=ACT,C=AU</ds:X509IssuerName>
                                <ds:X509SerialNumber>1231310305</ds:X509SerialNumber>
                            </ds:X509IssuerSerial>
                        </ds:X509Data>
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
            </ds:Signature>
        </wsse:Security>
    </soapenv:Header>
    <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-18414151">
        <message xmlns="http://www.tibco.com/schemas/CertificateWork/Resources/Schema.xsd" text="Sample msg with SHA1 signature"/>
    </soapenv:Body>
</soapenv:Envelope>

Answer

Wow... if you're still having this problem, you have more patience than I... but just in case, here's my thoughts:

  • http://schemas.xmlsoap.org/specs/ws-security/ws-security.htm#ws-security__toc6201567 - suggests that this is a problem reading the tag.
  • One thing that sticks out to me is that I don't see a reference connecting the signature to the key info. Certainly, I would assume that the KeyInfo element is describing the certificate that used a private key to make the SignatureValue, but I don't see a piece of the XML that is telling the software that. I don't think including the KeyInfo is enough, there may have to be a link to it.
  • If not that, I'd double check this against the schema, and maybe an independent schema verifying source. An error at the header level makes me think format rather than content.

That's my first guess at this one, and it's just a guess without getting hands on with your system and trying a bunch of different things. If that doesn't work, this is my general logical chain for this type of error:

1. Format - is the XML correct according to the schema?
2. Signature - the signature needs three things: data, a key, a set of algorithms for making it. Check all three - is the data correct, is the key correct, are the algorithms appropriate for the key and for how the message will be handled? Also, are the key and data items referenced properly and being found by your library?
3. External sources of info - in this case, your key info references a certificate that presumably is pulled from somewhere else - like an LDAP cert store. So.. can your code get to that external source, is the source of data running and network accessible from where you are running the code? etc.
4. If PKI -- Certificate Validation/Trust - what does the system have to do behind the scenes to trust the signer? OCSP checks? Lookup in LDAP? Chain to trusted root? etc. Is the trust algorithm working properly and does it have everything it needs - ie, access to OCSP responder, properly configured certificate store, etc.

    I reorder these steps based upon my guess on what the error means. The errors are not so intuitive -- so I often go through all these steps just in case my interpretation of the error is wrong. Besides, I may then prevent a problem later...
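The first two steps of that checklist (format, and whether the key and data items are referenced properly) can be run mechanically on the envelope before digging into WSS4J or TIBCO logs. The following script is an added example, not code from the question, the answer, or WSS4J: it parses the signed envelope from the question (embedded as `SAMPLE_ENVELOPE`, with indentation and the line breaks inside the base64 removed) and reports whether each `ds:Reference` URI resolves to an element carrying that `wsu:Id`, which canonicalization, signature and digest algorithms are declared, and how the `SecurityTokenReference` points at the signing certificate. It deliberately does not verify the signature cryptographically (that needs exclusive C14N and the signer's certificate); `check_security_header` and `_find_by_id` are hypothetical helper names, and the SHA-1 warning reflects current verifier policy rather than anything the original poster's endpoint was known to enforce.

```python
import xml.etree.ElementTree as ET

# Namespaces used by the envelope in the question.
NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
MUST_UNDERSTAND = "{%s}mustUnderstand" % NS["soapenv"]

# SHA-1 based algorithms: many current verifiers reject them outright.
WEAK_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#sha1",
}

# The signed envelope from the question (indentation and base64 line breaks removed).
SAMPLE_ENVELOPE = """<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-20237898">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-18414151">
<ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>DvjhvAtEVxwntL/RjMCNhId57cg=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>YbOB3FRduCr5rutpIvch9sDZfZToy3pjm+Kyl/Oqz6cAPqMVKqvKBb4P7ebnzP/3SVjm+PfLqlE5BGgcT3Vz93apyg+eY1rAIYUs7K1Zt9F5ejMmij6HQpQTGpyM9BUXJi1x5bt9GuMtD0SK939bIIE2ZUyZ0jPJp/wUhMonskw=</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-15734641">
<wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-3852606">
<ds:X509Data><ds:X509IssuerSerial>
<ds:X509IssuerName>CN=Mark Hesketh,OU=asdf,O=DVA,L=Canberra,ST=ACT,C=AU</ds:X509IssuerName>
<ds:X509SerialNumber>1231310305</ds:X509SerialNumber>
</ds:X509IssuerSerial></ds:X509Data>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soapenv:Header>
<soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-18414151">
<message xmlns="http://www.tibco.com/schemas/CertificateWork/Resources/Schema.xsd" text="Sample msg with SHA1 signature"/>
</soapenv:Body>
</soapenv:Envelope>"""


def _find_by_id(root, ident):
    """Return the element whose wsu:Id (or plain Id) equals ident, else None (hypothetical helper)."""
    for el in root.iter():
        if el.get(WSU_ID) == ident or el.get("Id") == ident:
            return el
    return None


def check_security_header(envelope_xml):
    """Structural checks a WS-Security verifier makes before it touches any crypto (hypothetical helper)."""
    root = ET.fromstring(envelope_xml)
    rep = {"algorithms": [], "references": [], "token_reference": None, "findings": [], "warnings": []}
    sec = root.find("soapenv:Header/wsse:Security", NS)
    if sec is None:
        rep["findings"].append("no wsse:Security header in soapenv:Header")
        rep["ok"] = False
        return rep
    if sec.get(MUST_UNDERSTAND) != "1":
        rep["warnings"].append("wsse:Security lacks soapenv:mustUnderstand=1")
    sig = sec.find("ds:Signature", NS)
    if sig is None:
        rep["findings"].append("no ds:Signature inside wsse:Security")
        rep["ok"] = False
        return rep
    for path in ("ds:SignedInfo/ds:CanonicalizationMethod", "ds:SignedInfo/ds:SignatureMethod"):
        el = sig.find(path, NS)
        rep["algorithms"].append(el.get("Algorithm") if el is not None else None)
        if el is None:
            rep["findings"].append("missing " + path)
    for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        dm = ref.find("ds:DigestMethod", NS)
        rep["algorithms"].append(dm.get("Algorithm") if dm is not None else None)
        # A same-document reference must resolve to an element carrying that wsu:Id,
        # otherwise the verifier has no data to digest (checklist step 2).
        target = _find_by_id(root, uri[1:]) if uri.startswith("#") else None
        rep["references"].append((uri, target.tag if target is not None else None))
        if target is None:
            rep["findings"].append("ds:Reference URI %r resolves to nothing in this envelope" % uri)
    ki = sig.find("ds:KeyInfo", NS)
    str_el = ki.find("wsse:SecurityTokenReference", NS) if ki is not None else None
    if str_el is None:
        rep["findings"].append("no ds:KeyInfo/wsse:SecurityTokenReference: verifier cannot locate the signer's certificate")
    else:
        # Record how the token is referenced, e.g. X509Data/X509IssuerSerial (checklist step 3).
        chain, node = [], str_el
        while len(node) and len(chain) < 2:
            node = node[0]
            chain.append(node.tag.split("}")[-1])
        rep["token_reference"] = "/".join(chain)
    for alg in rep["algorithms"]:
        if alg in WEAK_ALGORITHMS:
            rep["warnings"].append("SHA-1 based algorithm in use: " + alg)
    rep["ok"] = not rep["findings"]
    return rep


if __name__ == "__main__":
    for key, value in check_security_header(SAMPLE_ENVELOPE).items():
        print(key, value)
```

On the envelope from the question the structural checks pass: the single `ds:Reference` resolves to `soapenv:Body`, and the certificate is referenced by issuer and serial inside a `SecurityTokenReference`, which is the WSS-compliant way of doing it. The only things the script flags are the SHA-1 digest and RSA-SHA1 signature algorithms, which a receiver with a current algorithm allow-list would refuse; whether that was the cause here is not something the page settles. Run it against a captured request where the `wsu:Id` on the body has been altered or stripped and the reference check fails immediately, which is the fast way to tell a referencing problem apart from a trust or certificate-lookup problem further down the checklist.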
