logo标签列表

当尝试向Web服务发送SOAP请求时,出现WS-security错误。

javaspringweb-servicesspring-security
4

以下是我使用 SoapUI 发送的 SOAP 请求。但是,我收到了一个错误,提示“消息不符合配置策略”。

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:csw="http://www.cargospot.com/crystal/cswebservice">
   <soapenv:Header>

     <xwss:SecurityConfiguration dumpMessages="false" xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
            <xwss:RequireUsernameToken passwordDigestRequired="true" nonceRequired="true"/>
        <xwss:UsernameToken name="somename" password="somepassword" useNonce="true" digestPassword="true"/>
    </xwss:SecurityConfiguration>   
   </soapenv:Header>
   <soapenv:Body>

      <csw:cargoImpMessageRequest>
         <csw:content>test</csw:content>
      </csw:cargoImpMessageRequest>
   </soapenv:Body>
</soapenv:Envelope>

我收到以下响应:
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
   <SOAP-ENV:Header/>
   <SOAP-ENV:Body>
      <SOAP-ENV:Fault>
         <faultcode>SOAP-ENV:Client</faultcode>
         <faultstring xml:lang="en">com.sun.xml.wss.XWSSecurityException: Message does not conform to configured policy [ AuthenticationTokenPolicy(S) ]:  No Security Header found; nested exception is com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.XWSSecurityException: Message does not conform to configured policy [ AuthenticationTokenPolicy(S) ]:  No Security Header found</faultstring>
      </SOAP-ENV:Fault>
   </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

以下是Web服务安全配置,
<!-- Web Service Security Configuration -->
    <bean id="xwssSecurityInterceptor" class="org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor">
        <description>
            This interceptor validates incoming messages according to the policy defined in 'securityPolicy.xml'.
            The policy defines that all incoming requests must have a UsernameToken with a password digest in it.
            The actual authentication is performed by the Acegi callback handler.
        </description>
        <property name="policyConfiguration" value="/WEB-INF/securityPolicy.xml"/>
        <property name="callbackHandler" ref="digestPasswordCallback" />
    </bean>

    <bean id="digestPasswordCallback" class="org.springframework.ws.soap.security.xwss.callback.acegi.AcegiDigestPasswordValidationCallbackHandler">
        <property name="userDetailsService" ref="userDetailsService"/>       
    </bean>

    <bean id="userDetailsService" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
        <property name="userProperties">
            <bean class="org.springframework.beans.factory.config.PropertiesFactoryBean">
                <property name="location" value="/WEB-INF/csws-users.properties" />
            </bean>
        </property>
    </bean>

以下是安全策略。
<xwss:SecurityConfiguration dumpMessages="false" xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
    <xwss:RequireUsernameToken passwordDigestRequired="true" nonceRequired="true"/>
    <xwss:UsernameToken name="somename" password="somepassword" useNonce="true" digestPassword="true"/>-->
</xwss:SecurityConfiguration>

我不确定我在SOAP请求中漏掉了什么,请帮助我找出SOAP请求的问题。
谢谢。
1个回答
6
尝试在您的SOAP请求中添加以下标头:
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" wsse:mustUnderstand="1">
  <wsse:UsernameToken>
     <wsse:Username>userName</wsse:Username>
     <wsse:Password>password</wsse:Password>
  </wsse:UsernameToken>
</wsse:Security>

1
这个可以运行,但感觉有些奇怪。我们不应该得到一个 401 权限被拒绝的错误吗?因为用户没有提供身份验证,所以出现了内部服务器错误。 - Gunslinger
网页内容由stack overflow 提供, 点击上面的
可以查看英文原文,
原文链接