“ *未找到证书*(来自客户端)”;调用需要签名的Web服务时
当调用一个期望使用WS-Security对消息进行签名的Web服务时,我遇到了一个特殊的问题。如果我使用客户端应用程序(使用Apache CXF)进行呼叫,则会收到HTTP 500错误消息:
I have a peculiar problem when calling a web service that expects the message to be signed using WS-Security. If I call using my client application (using Apache CXF) I get a HTTP 500 error message:
*未找到证书*(来自客户端) )
*Certificate not found* (from client)
而如果我使用SoapUI调用了相同的服务,并配置为使用相同的密钥和密钥存储进行签名,则它会按预期工作。
while if I call the same service using SoapUI, configured for signing with the same key and key-store, it works as expected.
我注意到CXF和SoapUI之间调用的< KeyInfo> 部分有所不同。使用CXF(如下所示)时,KeyInfo的详细信息包括< X509Data> 等,而SoapUI调用仅包含一个简单的< SecurityTokenReference> ; 。我怀疑这种差异可能是导致服务器无法识别用于签名的证书的原因。
I noticed that the <KeyInfo> part of the call differs between CXF and SoapUI. With CXF (as below) the KeyInfo is a lot more detailed with <X509Data> sections etc while the SoapUI call contains just a simple <SecurityTokenReference>. I suspect that this difference might be the cause of the server not being able to identify the certificate used for signing.
不幸的是,我无法控制服务器端我在那里不能做很多调查。知道这是否是一个已知问题以及是否有任何变通办法会很高兴?
Unfortunately I'm not in control of the server side thus I cannot do much investigation there. It would be nice to know if this is a known problem and if there are any workarounds?
问候,奥拉
CXF:
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="KeyId-1007572087">
<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-1355509614"><ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509IssuerSerial xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509IssuerName xmlns:ds="http://www.w3.org/2000/09/xmldsig#">C=SE,O=Company,CN=Company Test Corporate CA 01,SERIALNUMBER=516406-0120</ds:X509IssuerName>
<ds:X509SerialNumber xmlns:ds="http://www.w3.org/2000/09/xmldsig#">29382</ds:X509SerialNumber>
</ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference></ds:KeyInfo>
SoapUI:
<ds:KeyInfo Id="KeyId-850CCDA383426C4A1E129683271974138"><wsse:SecurityTokenReference wsu:Id="STRId-850CCDA383426C4A1E129683271974139" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsse:Reference URI="#CertId-850CCDA383426C4A1E129683271974137" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1"/></wsse:SecurityTokenReference></ds:KeyInfo>
显然,诀窍是配置 WSS4JOutInterceptor 的 DirectReference的signatureKeyIdentifier属性将创建一个类似于SoapUI的KeyInfo,即它已被服务器接受。
Apparently the trick is to configure the WSS4JOutInterceptor's signatureKeyIdentifier property to "DirectReference" which creates a KeyInfo similar to SoapUI, i.e. it's accepted by the server.
<spring:bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
<spring:constructor-arg>
<spring:map>
<spring:entry key="signatureKeyIdentifier" value="DirectReference"/>
</spring:map>