问题:
Rampart PostDispatchVerficationHandler: InvalidSecurity-找不到安全策略
鞠自明
编辑:
我稍微调整了一下城墙的配置,现在我被困在了另一个点上。
在Rampart的PostDispatchVerficationHandler中,抛出异常,因为尚未处理安全标头。
// If a security header is there and Rampart is engaged, it has to be processed.
// If it is not processed, there must have been a problem in picking the policy
SOAPHeaderBlock secHeader = getSecurityHeader(msgContext);
if (secHeader != null && (secHeader.isProcessed() == false)) {
throw new AxisFault("InvalidSecurity - Security policy not found");
}
日志:
[DEBUG] [MessageContext: logID=a5012f2f13095af97123a192575c50a7f727850f3a9ecfc5] Invoking Handler 'HTTPLocationBasedDispatcher' in Phase 'Dispatch'
[DEBUG] [MessageContext: logID=a5012f2f13095af97123a192575c50a7f727850f3a9ecfc5] Invoking Handler 'Post dispatch security verification handler' in Phase 'Dispatch'
[ERROR] InvalidSecurity - Security policy not found
org.apache.axis2.AxisFault: InvalidSecurity - Security policy not found
at org.apache.rampart.handler.PostDispatchVerificationHandler.invoke(PostDispatchVerificationHandler.java:189)
at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:262)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:168)
at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:364)
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:421)
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:229)
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:165)
at webservices.chargepoint.com.dictionary.ChargepointservicesStub.getCPNInstances(ChargepointservicesStub.java:5361)
at webservices.chargepoint.com.dictionary.Chargepoint.<init>(Chargepoint.java:180)
at webservices.chargepoint.com.dictionary.Chargepoint.main(Chargepoint.java:81)
[DEBUG] [MessageContext: logID=a5012f2f13095af97123a192575c50a7f727850f3a9ecfc5] Invoking flowComplete() in Phase "Dispatch"
...
org.apache.axis2.AxisFault: InvalidSecurity - Security policy not found
at org.apache.rampart.handler.PostDispatchVerificationHandler.invoke(PostDispatchVerificationHandler.java:189)
at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:262)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:168)
at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:364)
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:421)
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:229)
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:165)
at webservices.chargepoint.com.dictionary.ChargepointservicesStub.getCPNInstances(ChargepointservicesStub.java:5361)
at webservices.chargepoint.com.dictionary.Chargepoint.<init>(Chargepoint.java:180)
at webservices.chargepoint.com.dictionary.Chargepoint.main(Chargepoint.java:81)
这是安全标头:
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" soapenv:mustUnderstand="1">
<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsu:Created>2013-12-16T23:07:03.868Z</wsu:Created>
<wsu:Expires>2013-12-16T23:12:03.868Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
这是Rampart的政策文件:
<wsp:Policy wsu:Id="UsernameToken" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsp:ExactlyOne>
<wsp:All>
<sp:SupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
</wsp:Policy>
</sp:SupportingTokens>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
用户凭据在Java代码中设置:
Options options = stubWeb._getServiceClient().getOptions();
try
{
options.setProperty(RampartMessageData.KEY_RAMPART_POLICY,
loadPolicy("policy.xml"));
}
catch (XMLStreamException e1)
{
// TODO Auto-generated catch block
e1.printStackTrace();
}
options.setUserName("xxx");
options.setPassword("yyy");
stubWeb._getServiceClient().setOptions(options);
stubWeb._getServiceClient().engageModule("rampart");
原职务:
我已经用谷歌搜索这个错误好几天了,但我没有主意了。
代码由Axis2为基于此WSDL的SOAP Web服务生成:https://webservices.chargepoint.com/cp_api_4.1.wsdl
使用soapUI,一切都运行良好,我还可以从本地Tomcat服务器获取一些代码模拟响应。当尝试使用我的Java客户端连接到Web服务时,我总是收到此错误:
组织。阿帕奇。axis2.AxisFault:必须理解标头的检查失败http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd:安全性
那是我的代码(用户名和密码隐藏):
public static void main(String[] args)
{
log4j.getRootLogger().setLevel(Level.DEBUG);
GetCPNInstancesResponse resp = new GetCPNInstancesResponse();
ChargepointservicesStub stubWeb = null;
try
{
ConfigurationContext ctx = ConfigurationContextFactory.createConfigurationContextFromFileSystem("/Users/jonas/projects/workspace_openHAB/axis2-1.6.2_clean/repository", null);
stubWeb = new ChargepointservicesStub(ctx);
GetCPNInstances cpn = new GetCPNInstances();
SOAPFactory sfac = OMAbstractFactory.getSOAP11Factory();
stubWeb._getServiceClient().engageModule("rampart");
OMFactory omFactory = OMAbstractFactory.getOMFactory();
OMNamespace wsseNamespace = omFactory.createOMNamespace("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", "wsse");
OMElement omSecurityElement = omFactory.createOMElement("Security", wsseNamespace);
// omSecurityElement.addAttribute("soapenv:mustUnderstand", "1", null);
// OMNamespace soapenv = omFactory.createOMNamespace("http://schemas.xmlsoap.org/soap/envelope/", "soapenv");
// omSecurityElement.addAttribute("mustUnderstand", "1", soapenv);
OMElement omusertoken = omFactory.createOMElement("UsernameToken", wsseNamespace);
OMElement omuserName = omFactory.createOMElement("Username", wsseNamespace);
omuserName.setText("yyy");
OMElement omPassword = omFactory.createOMElement("Password", wsseNamespace);
omPassword.setText("xxx");
omPassword.addAttribute("Type", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText", null);
omusertoken.addChild(omuserName);
omusertoken.addChild(omPassword);
omSecurityElement.addChild(omusertoken);
SOAPHeaderBlock block = ElementHelper.toSOAPHeaderBlock(omSecurityElement, sfac);
block.setMustUnderstand(true);
stubWeb._getServiceClient().addHeader(block);
resp = stubWeb.getCPNInstances(cpn);
} catch (Exception e)
{
// TODO Auto-generated catch block
e.printStackTrace();
}
}
生成此请求的:
[DEBUG] >> "<?xml version='1.0' encoding='UTF-8'?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
<wsse:UsernameToken>
<wsse:Username>yyy</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">xxx</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
<ns1:getCPNInstances xmlns:ns1="urn:dictionary:com.chargepoint.webservices" />
</soapenv:Body>
</soapenv:Envelope>"
同样的请求适用于soapUI。
我还收到服务器的正确响应,其中包含我的代码:
<?xml version='1.0' encoding='utf-8'?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1"><wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsu:Created>2013-10-25T16:54:30.767Z</wsu:Created>
<wsu:Expires>2013-10-25T16:59:30.767Z</wsu:Expires></wsu:Timestamp>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
<ns1:getCPNInstancesResponse xmlns:ns1="urn:dictionary:com.chargepoint.webservices">
<CPN>
<cpnID>1</cpnID>
<cpnName>USA</cpnName>
<cpnDescription>ChargePoint Operations</cpnDescription>
</CPN>
<CPN>
<cpnID>2</cpnID>
<cpnName>EU</cpnName>
<cpnDescription>ChargePoint Europe</cpnDescription>
</CPN>
<CPN>
<cpnID>3</cpnID>
<cpnName>AU</cpnName>
<cpnDescription>ChargePoint Australia</cpnDescription>
</CPN>
</ns1:getCPNInstancesResponse>
</soapenv:Body>
</soapenv:Envelope>
但是安全模块搞砸了一些事情。
这是调试日志的一部分:
[DEBUG] XMLStreamWriter is org.apache.axiom.util.stax.dialect.WoodstoxStreamWriterWrapper
[DEBUG] Calling MTOMXMLStreamWriter.flush
[DEBUG] forceExpand: expanding element {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security
[DEBUG] forceExpand stack java.lang.Exception: Debug Stack Trace
at org.apache.axiom.om.impl.llom.OMSourcedElementImpl.forceExpand(OMSourcedElementImpl.java:264)
at org.apache.axiom.om.impl.llom.OMSourcedElementImpl.getAttribute(OMSourcedElementImpl.java:416)
at org.apache.axiom.soap.impl.llom.SOAPHeaderBlockImpl.setAttribute(SOAPHeaderBlockImpl.java:91)
at org.apache.axiom.soap.impl.llom.soap11.SOAP11HeaderBlockImpl.setMustUnderstand(SOAP11HeaderBlockImpl.java:105)
at chargepoint.com.dictionary.Chargepoint.main(Chargepoint.java:74)
当我使用
omSecurityElement.add属性("soapenv:的理解","1", null);
而不是
块setMustUnderstand(true);
上面的异常消失了,我得到了这个错误:
[DEBUG] serialize OutputStream optimisation: false [DEBUG] getReader [DEBUG]
XMLStreamReader is org.apache.axiom.util.stax.dialect.WoodstoxStreamReaderWrapper
org.apache.axiom.om.OMException: com.ctc.wstx.exc.WstxParsingException: Undeclared namespace prefix "soapenv" (for attribute "mustUnderstand") at [row,col {unknown-source}]: [1,137]
at org.apache.axiom.om.impl.builder.StAXOMBuilder.next(StAXOMBuilder.java:296)
at org.apache.axiom.om.impl.llom.OMDocumentImpl.buildNext(OMDocumentImpl.java:153)
at org.apache.axiom.om.impl.llom.OMDocumentImpl.getFirstOMChild(OMDocumentImpl.java:242)
at org.apache.axiom.om.impl.llom.OMDocumentImpl.getChildren(OMDocumentImpl.java:204)
使用此代码,错误消失了,但问题仍然存在。
OMNamespace soapenv = omFactory.createOMNamespace("http://schemas.xmlsoap.org/soap/envelope/", "soapenv");
omSecurityElement.addAttribute("mustUnderstand", "1", soapenv);
以下是调试日志中最有趣的部分:
[DEBUG] [MessageContext: logID=ca3f0db9a4fb557a33edc579a48f31508ff1f2b457c617f6] Invoking phase "Security"
[DEBUG] [MessageContext: logID=ca3f0db9a4fb557a33edc579a48f31508ff1f2b457c617f6] Invoking Handler 'SecurityOutHandler' in Phase 'Security'
[DEBUG] WSDoAllReceiver: enter invoke()
[DEBUG] Signature crypto property file is not set. Property file key - signaturePropFile
[DEBUG] Signature crypto property file is not set. Property file key - signaturePropFile
[DEBUG] WSDoAllReceiver: exit invoke()
...
[DEBUG] [MessageContext: logID=ba3f0db9a4fb557a33edc579a48f31508ff1f2b457c617f6] Checking post-conditions for phase "OperationInPhase"
[DEBUG] MustUnderstand header not processed or registered as understood{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security
[DEBUG] org.apache.axis2.i18n.resource::handleGetObject(mustunderstandfailed)
[ERROR] Must Understand check failed for header http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd : Security
org.apache.axis2.AxisFault: Must Understand check failed for header http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd : Security
at org.apache.axis2.engine.AxisEngine.checkMustUnderstand(AxisEngine.java:105)
在这里您可以看到整个调试日志:https://drive.google.com/file/d/0B_iw7qzMyYhOSDNEMW5oOHgzY0k/edit?usp=sharing
如果你对如何解决这个问题有任何建议,我将不胜感激。
共有2个答案
苏淇
这可能不是一个解决方案。我遇到过同样的情况,我使用了wsdl2java工具生成的存根。我发送请求时没有包括安全标头。因此,我使用ServiceClient类创建了请求,然后导入策略。看起来是这样的
ConfigurationContext ctx = ConfigurationContextFactory.createConfigurationContextFromFileSystem("clientrepo", null);
ServiceClient sc = new ServiceClient(ctx, null);
sc.engageModule("rampart");
// create option object
Options opts = new Options();
// setting target EPR
opts.setTo(new EndpointReference(serviceUrl);
opts.setAction("urn:something");
try {
opts.setProperty(RampartMessageData.KEY_RAMPART_POLICY,
loadPolicy("policy.xml"));
} catch (Exception e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
sc.setOptions(opts);
OMElement res = sc.sendReceive(payload);
并加载保单
public Policy loadPolicy(String xmlPath) throws Exception {
StAXOMBuilder builder = new StAXOMBuilder(xmlPath);
Policy policy = PolicyEngine.getPolicy(builder.getDocumentElement());
RampartConfig rc = new RampartConfig();
rc.setUser(username);
rc.setPwCbClass(PWDCallBackHandler.class.getName());
CryptoConfig sigCryptoConfig = new CryptoConfig();
sigCryptoConfig.setProvider("org.apache.ws.security.components.crypto.Merlin");
Properties prop1 = new Properties();
prop1.put("org.apache.ws.security.crypto.merlin.keystore.type", "JKS");
prop1.put("org.apache.ws.security.crypto.merlin.file", AppConstants.KEYSTORE);
prop1.put("org.apache.ws.security.crypto.merlin.keystore.password",
password);
sigCryptoConfig.setProp(prop1);
rc.setSigCryptoConfig(sigCryptoConfig);
policy.addAssertion(rc);
return policy;
}
别子实
我承认我不熟悉这些技术,但我找到了用于SOAPHeaderBlock的Javadoc。setProcessed有趣:
“我们需要知道节点是否处理了所有mustUnderstand头。这将由执行链末端的特定验证处理程序完成。为此,处理特定头块的所有处理程序必须明确表示,他通过调用setProcessed()处理头。”
那么可能会发生这样的事情?
SOAPHeaderBlock block = ElementHelper.toSOAPHeaderBlock(omSecurityElement, sfac);
block.setProcessed();
在这里可以找到另一种可能性,海报更改Rampart配置文件META-INF/module的内容。通过添加以下内容:
<InFaultFlow>
<handler name="PolicyBasedSecurityInHandler" class="org.apache.rampart.handler.RampartReceiver">
<order phase="Security" phaseFirst="true"/>
</handler>
<handler name="SecurityInHandler" class="org.apache.rampart.handler.WSDoAllReceiver">
<order phase="Security"/>
</handler>
<handler name="PostDispatchVerificationHandler" class="org.apache.rampart.handler.PostDispatchVerificationHandler">
<order phase="Dispatch" phaseLast="true"/>
</handler>
</InFaultFlow>
我发现这不太可能是问题所在,但你的问题似乎很令人沮丧,我想我会把它扔出去。
祝你好运。
类似资料:
-
主要内容:命令配置密码,手动配置密码,指令安全,端口安全,SSH代理Redis 提供了诸多安全策略,比如为了保证数据安全,提供了设置密码的功能。Redis 密码设置主要有两种方式:一种是使用 命令来设置密码;另外一种则是手动修改 Redis 的配置文件。虽然看似前者更为简单,其实两种方式各有特点。本节将对它们进行介绍。 命令配置密码 通过执行以下命令查看是否设置了密码验证: 在默认情况下 requirepass 参数值为空的,表示无需通过密码验证就可以连接到 Re
-
在这个世界上没有绝对的安全,我们说这台服务器安全并不是说它绝对不会有安全风险,不会受到损害。只能说明该台服务器的安全可信度高,不易受到侵害。相反,如果我们说这台服务器不安全,即可信度低,则这台服务器可能是一些服务的配置有安全漏洞或没有做数据冗余。每种环境、每种应用的可信度要求是有不同的,不能一概而论,如作为企业中心数据库服务器的可信度要求就比内部WEB服务器的可信度要求高。需投入更多的资金和时间对
-
PodSecurityPolicy 类型的对象能够控制,是否可以向 Pod 发送请求,该 Pod 能够影响被应用到 Pod 和容器的 SecurityContext。 查看 Pod 安全策略建议 获取更多信息。 什么是 Pod 安全策略? Pod 安全策略 是集群级别的资源,它能够控制 Pod 运行的行为,以及它具有访问什么的能力。 PodSecurityPolicy对象定义了一组条件,指示 Po
-
我正在通过https://www.influxdata.com/blog/getting-started-python-influxdb/留档来查询Python的InspxDB。 我能够创建数据库: 另外,我还在数据库中发送数据: 调用json主体为: 但是很快,我想从数据库中查询指标: 此查询导致错误: 文件ipython-inport-31-6e47204db16b,第1行,在模块client
-
问题内容: 我写了一个模块,我刚才将其发布到npm(https://npmjs.org/package/wisp) 因此,可以从命令行进行安装: 但是,当我从命令行运行它时,我不断收到未安装乐观主义者的错误消息: 但是,我在package.json中指定了依赖性: 有谁知道该怎么做才能使它运行?我知道它与bin部分有关,将可执行文件添加到bin中,该目录中的node_modules为空。不知道如何
-
我写了一个模块,不久前发布到npm(https://npmjs.org/package/wisp) 所以它可以从命令行安装: 但是,当我从命令行运行它时,我不断收到一个错误,即未安装optimist: 但是,我在package.json中指定了依赖项: 有人知道该怎么做才能让它运行吗?我知道这与bin部分将可执行文件添加到bin以及该目录中的node_模块为空有关。不知道如何解决这个问题。