java - 如何在 WSS4J 2.2.3 中启用 RSA15 传输算法?
问题描述
我正在将 SOAP Web 服务客户端升级到 JDK 11 和 WSS4J 2.2.3(不带 CXF/Spring)。Java 代码使用“独立”方法来处理加密,并且无法解密传入的响应,因为它是使用 RSA15 加密的。该算法在 2.0.0 版中默认禁用,但迁移指南建议可以通过将 WSHandlerConstants.ALLOW_RSA15_KEY_TRANSPORT_ALGORITHM 属性设置为“true”来启用该算法。我怎样才能做到这一点??
我查看了 WSS4J 代码,可以看到 RequestData 对象是从 WSS4J 框架中的 WSSecurityEngine 类实例化的,我没有看到允许我将 allowRSA15KeyTransportAlgorithm 属性设置为“true”的挂钩。我已经能够在 eclipse 中设置一个断点并更改值以确保它按预期工作并且确实如此。我在网上搜索过,我发现最接近的是一个类似的问题,这里没有明显的答案Allow the RSA v1.5 Key Transport Algorithm for WildFly / JBossWS / CXF / WSS4J stack. 我试图将 WSS4J 恢复到允许该算法的版本 1.6,但随后它失败并出现不同的错误“WRONG_DOCUMENT_ERR:一个节点用于与创建它的文档不同的文档中”。这似乎在将 WSS4J 1.6 与任何版本的 jaxws(JDK 外部)一起使用时发生。我能想到解决这个问题的唯一方法是侵入 WSS4J 2.2.3 依赖项并将 RequestData 类中的属性默认设置为“true”,但我真的不想这样做。
private void inboundWSSConfig(SOAPMessageContext context, Crypto crypto) throws WSSecurityException{
log.info("Inbound Message...");
KeystoreCallbackHandler keystoreCallbackHandler = new KeystoreCallbackHandler();
keystoreCallbackHandler.addUsers((String)cryptoProperties.get("org.apache.ws.security.crypto.merlin.keystore.alias"), (String)cryptoProperties.get("org.apache.ws.security.crypto.merlin.keystore.password"));
WSSecurityEngine newEngine = new WSSecurityEngine();
WSSConfig config = WSSConfig.getNewInstance();
config.setValidator(WSConstants.SIGNATURE, new SignatureTrustValidator());
newEngine.setWssConfig(config);
newEngine.processSecurityHeader(context.getMessage().getSOAPPart(), null, keystoreCallbackHandler, crypto);
}
返回的错误信息是...
Jul 17, 2019 11:42:56 AM ensurebill.client.handler.HeaderHandler inboundWSSConfig
INFO: Inbound Message...
Jul 17, 2019 11:42:56 AM ensurebill.client.handler.HeaderHandler handleMessage
SEVERE: ERROR in handleMessage
org.apache.wss4j.common.ext.WSSecurityException: An error was discovered processing the <wsse:Security> header
at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:131)
at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:90)
at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:340)
at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:221)
at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:168)
at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:127)
at ensurebill.client.handler.HeaderHandler.inboundWSSConfig(HeaderHandler.java:160)
at ensurebill.client.handler.HeaderHandler.handleMessage(HeaderHandler.java:61)
at ensurebill.client.handler.HeaderHandler.handleMessage(HeaderHandler.java:1)
at com.sun.xml.ws.handler.HandlerProcessor.callHandleMessageReverse(HandlerProcessor.java:311)
at com.sun.xml.ws.handler.HandlerProcessor.callHandlersResponse(HandlerProcessor.java:184)
at com.sun.xml.ws.handler.ClientSOAPHandlerTube.callHandlersOnResponse(ClientSOAPHandlerTube.java:133)
at com.sun.xml.ws.handler.HandlerTube.processResponse(HandlerTube.java:144)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:1117)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:1020)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:989)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:847)
at com.sun.xml.ws.client.Stub.process(Stub.java:433)
at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:161)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:78)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:62)
at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:131)
at com.sun.proxy.$Proxy33.callNotificationInquiry(Unknown Source)
at ensurebill.client.swing.MenuItemListener.sendRequest(MenuItemListener.java:109)
at ensurebill.client.swing.MenuItemListener.actionPerformed(MenuItemListener.java:92)
at java.desktop/javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:1967)
at java.desktop/javax.swing.AbstractButton$Handler.actionPerformed(AbstractButton.java:2308)
at java.desktop/javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:405)
at java.desktop/javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:262)
at java.desktop/javax.swing.AbstractButton.doClick(AbstractButton.java:369)
at java.desktop/javax.swing.plaf.basic.BasicMenuItemUI.doClick(BasicMenuItemUI.java:1020)
at java.desktop/javax.swing.plaf.basic.BasicMenuItemUI$Handler.mouseReleased(BasicMenuItemUI.java:1064)
at java.desktop/java.awt.Component.processMouseEvent(Component.java:6632)
at java.desktop/javax.swing.JComponent.processMouseEvent(JComponent.java:3342)
at java.desktop/java.awt.Component.processEvent(Component.java:6397)
at java.desktop/java.awt.Container.processEvent(Container.java:2263)
at java.desktop/java.awt.Component.dispatchEventImpl(Component.java:5008)
at java.desktop/java.awt.Container.dispatchEventImpl(Container.java:2321)
at java.desktop/java.awt.Component.dispatchEvent(Component.java:4840)
at java.desktop/java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4918)
at java.desktop/java.awt.LightweightDispatcher.processMouseEvent(Container.java:4547)
at java.desktop/java.awt.LightweightDispatcher.dispatchEvent(Container.java:4488)
at java.desktop/java.awt.Container.dispatchEventImpl(Container.java:2307)
at java.desktop/java.awt.Window.dispatchEventImpl(Window.java:2772)
at java.desktop/java.awt.Component.dispatchEvent(Component.java:4840)
at java.desktop/java.awt.EventQueue.dispatchEventImpl(EventQueue.java:772)
at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:721)
at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:715)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:85)
at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:95)
at java.desktop/java.awt.EventQueue$5.run(EventQueue.java:745)
at java.desktop/java.awt.EventQueue$5.run(EventQueue.java:743)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:85)
at java.desktop/java.awt.EventQueue.dispatchEvent(EventQueue.java:742)
at java.desktop/java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:203)
at java.desktop/java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:124)
at java.desktop/java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:113)
at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:109)
at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
at java.desktop/java.awt.EventDispatchThread.run(EventDispatchThread.java:90)
解决方案
经过一番追踪之后..我设法为你找到了它。
这是我通过堆栈跟踪向后工作并查看源代码发现的:
从引发异常的地方开始at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:131)
public List<WSSecurityEngineResult> handleToken(Element elem, RequestData data, AlgorithmSuite algorithmSuite) {
// ...
if (WSConstants.KEYTRANSPORT_RSA15.equals(encryptedKeyTransportMethod)
&& !data.isAllowRSA15KeyTransportAlgorithm() // <=== because this is false, etc.
&& (algorithmSuite == null
|| !algorithmSuite.getKeyWrapAlgorithms().contains(WSConstants.KEYTRANSPORT_RSA15))) {
LOG.debug(
"The Key transport method does not match the requirement"
);
throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY); // <=== this is where you die
}
// ...
}
它死了,因为requestData
没有allowRSA15KeyTransportAlgorithm
设置为真。为什么不requestData
将此设置为true,请求数据来自哪里。
at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:90) at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:340) at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:221)
所有只是传递requestData
在这个方法中创建的:
// line 208
public WSHandlerResult processSecurityHeader(
Element securityHeader,
String actor,
CallbackHandler cb,
Crypto sigVerCrypto,
Crypto decCrypto
) throws WSSecurityException {
RequestData data = new RequestData(); // creates RequestData but doesn't set `allowRSA15KeyTransportAlgorithm`
data.setActor(actor);
data.setWssConfig(getWssConfig());
data.setDecCrypto(decCrypto);
data.setSigVerCrypto(sigVerCrypto);
data.setCallbackHandler(cb);
return processSecurityHeader(securityHeader, data); // line 221
}
由以下方式调用:
public WSHandlerResult processSecurityHeader(
Document doc,
String actor,
CallbackHandler cb,
Crypto crypto
) throws WSSecurityException {
return processSecurityHeader(doc, actor, cb, crypto, crypto);
}
你在你的inboundWSSConfig
方法中调用它。
因此,因为您正在调用 processSecurityHeader(Document doc, String actor, CallbackHandler cb, Crypto crypto)
它正在初始化一个 newRequestData
并在其上设置Crypto
andCallbackHandler
但从不设置allowRSA15KeyTransportAlgorithm
.
相反,您应该RequestData
为自己创建对象,如下所示:
private void inboundWSSConfig(SOAPMessageContext context, Crypto crypto) throws WSSecurityException{
log.info("Inbound Message...");
KeystoreCallbackHandler keystoreCallbackHandler = new KeystoreCallbackHandler();
keystoreCallbackHandler.addUsers((String)cryptoProperties.get("org.apache.ws.security.crypto.merlin.keystore.alias"),
(String)cryptoProperties.get("org.apache.ws.security.crypto.merlin.keystore.password"));
WSSecurityEngine newEngine = new WSSecurityEngine();
WSSConfig config = WSSConfig.getNewInstance();
config.setValidator(WSConstants.SIGNATURE, new SignatureTrustValidator());
newEngine.setWssConfig(config);
RequestData data = new RequestData();
data.setWssConfig(config); // probably
data.setDecCrypto(crypto);
data.setSigVerCrypto(crypto);
data.setCallbackHandler(keystoreCallbackHandler);
data.setAllowRSA15KeyTransportAlgorithm(true);
newEngine.processSecurityHeader(context.getMessage().getSOAPPart(), data);
}
推荐阅读
- astropy - Astropy“时间”对象没有属性“dtype”
- swift - Swift - 图像视图动画
- c++ - 如何构建模板的显式实例化以提高编译速度?
- node.js - TypeError:无法读取 Node.Js 上未定义的属性“标题”
- java - 封装冗余Setter
- java - 阻止执行发送方通道,直到从拆分器中生成的执行程序通道完成 Spring Integration 中的处理
- c++ - 如何知道用于实现标准代码的确切数据结构和算法,例如在 C++ STL 中?
- varnish - Varnish:如果图像在 varnish 缓存中仍然是最新的并且未在应用程序中更新,则从浏览器缓存中获取图像
- excel - 使用数组打破不均匀的值
- react-native - React Native - 对未安装的组件进行 React 状态更新