Apache CXF (MTOM + WS-Security)에서 WCF 웹 서비스에 액세스

Question

저는이 문제에 대해 많은 어려움을 겪어 왔으며 어디서나 살펴 보았지만 아직 해결하지 못했습니다.

시나리오의 세부 사항 (코드 설정 및 기타 물건은 마지막에 게시됩니다) :

1. WCF 웹 서비스 (.NET 4), 두 개의 엔드 포인트 노출 : 메시지 보안 및 사용자 이름 인증을 사용하여 보안되지 않은 하나 확보를 (멤버쉽 인프라 사용) - 전송 보안 없음.
2. 두 끝점 모두 MTOM 인코딩을 사용합니다. WSDL에서 참조하는 모든 클래스는 MessageContract 특성으로 표시되고 MessageBodyMember 특성을 가진 멤버로 표시됩니다.
3. WCF 바인딩의 구성에는 'establishSecurityContext'및 'negotiateServiceCredential'이 false로 설정되어 있습니다.
4. 암호화 목적으로 자체 서명 된 인증서로 보호되는 WCF 서비스입니다.
5. Apache CXF를 사용하여 Java 클라이언트에서 액세스 시도 중 2.5.1. 나는 클래스 패스에서 접근 할 수있는 KeyStore에 인증서를 설정했다.

결과 :

1. 는 .NET 클라이언트에서 웹 서비스에 액세스하는 것은 아파치 CXF가와와 MTOM 인코딩없이 모두 잘 작동에서 보안되지 않은 엔드 포인트에 액세스
2. 잘 작동합니다.
3. Apache CXF에서 안전한 엔드 포인트 (MTOM없이)에 액세스하면 정상적으로 작동합니다. CXF 추적은 암호화/암호 해독 프로세스가 정상적으로 수행됨을 나타냅니다.
4. MTOM이 WCF에서 활성화되면 문제가 발생합니다. WCF 측에서는 메시지 수신, 처리 및 응답 생성/암호화가 정상적으로 이루어 졌음을 확인할 수있었습니다.
5. CXF에서 메시지 수신 중 문제가 발생했습니다. CXF가 메시지의 암호를 해독하기 전에 MTOM 첨부 파일을 제대로 deserialize하지 않는 것으로 보입니다. 따라서 해독 로직은 메시지가 응답에서 해독 할 요소를 여전히 가지고 있지만 해독하고 실패 할 빈 요소를 찾았습니다. 첨부 파일을 초기화하기 위해 RECEIVE 위상 인터셉터를 추가하려고했습니다 (멀티 파트 응답에서 경계 표식을 찾는 데 실패했습니다).

   있는 Web.Config (명확성을 위해 단축) :

   <system.serviceModel> 
       <!-- Services --> 
       <services> 
        <service name="TestServices.Services.TestService" behaviorConfiguration="TestService.Basic"> 
        <!-- Plain (unsecured) endpoint --> 
        <endpoint address="" binding="wsHttpBinding" bindingConfiguration="TestService.Basic" name="TestService.Basic" 
           contract="TestServices.Interfaces.ITestService" bindingNamespace="http://searchtechnologies.com/cpa/wcfinterop"/> 
        <!-- Secure endpoint --> 
        <endpoint address="/secure" binding="wsHttpBinding" bindingConfiguration="TestService.Secure" name="TestService.Secure" 
           contract="TestServices.Interfaces.ITestService" bindingNamespace="http://searchtechnologies.com/cpa/wcfinterop"/> 
        </service> 
       </services> 
       <!-- Bindings --> 
       <bindings> 
        <wsHttpBinding> 
        <binding name="TestService.Basic" messageEncoding="Mtom"> 
         <security mode="None"> 
         <message clientCredentialType="None"/> 
         <transport clientCredentialType="None"/> 
         </security> 
        </binding> 
        <binding name="TestService.Secure" messageEncoding="Mtom"> 
         <security mode="Message"> 
         <message clientCredentialType="UserName" establishSecurityContext="false" negotiateServiceCredential="false"/> 
         <transport clientCredentialType="None"/> 
         </security> 
        </binding> 
        </wsHttpBinding> 
       </bindings> 
       <!-- Behaviors --> 
       <behaviors> 
        <serviceBehaviors> 
        <behavior name="TestService.Basic"> 
         <serviceMetadata httpGetEnabled="true"/> 
         <serviceDebug includeExceptionDetailInFaults="true"/> 
         <serviceCredentials> 
         <serviceCertificate storeName="My" storeLocation="LocalMachine" x509FindType="FindBySubjectName" findValue="equiros-PC2.search.local"/> 
         <userNameAuthentication userNamePasswordValidationMode="MembershipProvider" membershipProviderName="SqlProvider"/> 
         </serviceCredentials> 
        </behavior> 
        </serviceBehaviors> 
       </behaviors> 
   

   피들러 사용
6. , 우리는 첨부

CODE/CONFIG/STUFF를 지칭와 반응이 잘 형성 보이는 것으로

자바 클라이언트 코드 (명확하게 구분하기 위해 생략 된 부분) :

private static void secureTest() { 
    try { 
     logger.debug("Secure test starting. Instatiating service"); 
     // service instantiation 
     TestService service = new TestService(); 
     ITestService port = service.getTestServiceSecure(); 
     // request creation 
     BasicRequest request = objectFactory.createBasicRequest(); 
     request.setStringData("String data"); 
     request.setIntegerData("Integer data"); 
     // setup logging 
     setupInterceptors(port); 
     // setup security & binding 
     setupBinding(port); 
     // service call 
     logger.debug("Attempting service call"); 
     BasicResponse response = port.simpleOperation(request); 
     logger.debug("Call success!!!"); 
     logger.debug(String.format("Response data: str: %1$s; int: %2$s", 
      response.getStringData(), response.getIntegerData())); 
    } catch (Exception e) { 
     logger.error("Error during service invocation", e); 
    } 
    } 

    private static void setupInterceptors(ITestService port) { 
    Client proxy = JaxWsClientProxy.getClient(port); 
    proxy.getInInterceptors().add(new LoggingInInterceptor()); 
    proxy.getOutInterceptors().add(new LoggingOutInterceptor()); 
    } 

    private static void setupBinding(ITestService port) { 
    javax.xml.ws.BindingProvider bp = (javax.xml.ws.BindingProvider) port; 
    SOAPBinding binding = (SOAPBinding) bp.getBinding(); 
    binding.setMTOMEnabled(true); 
    Map<String, Object> context = bp.getRequestContext(); 
    context.put("ws-security.username", "systemadmin"); 
    context.put("ws-security.password", "Pass@word1"); 
    context.put("ws-security.encryption.properties", 
     "clientKeystore.properties"); 
    context.put("ws-security.encryption.username", "serviceKey"); 
    } 

오류 추적 (만 암호 해독 단계) : 당신이 볼 수 있듯이 CXF는 첨부 파일을 참조하는 요소를 디코딩 할 때, 비어 그 내용을 찾아 내고, 실패처럼

[main] DEBUG org.apache.ws.security.components.crypto.CryptoFactory - Using Crypto Engine [class org.apache.ws.security.components.crypto.Merlin] 
[main] DEBUG org.apache.ws.security.util.Loader - Trying to find [clientKeystore.jks] using sun.misc.Launcher$AppClassLoader@2a340e class loader. 
[main] DEBUG org.apache.ws.security.components.crypto.Merlin - The KeyStore clientKeystore.jks of type jks has been loaded 
[main] DEBUG org.apache.ws.security.processor.TimestampProcessor - Found Timestamp list element 
[main] DEBUG org.apache.ws.security.message.token.Timestamp - Current time: 2012-02-07T22:52:22.852Z 
[main] DEBUG org.apache.ws.security.message.token.Timestamp - Timestamp created: 2012-02-07T22:52:22.641Z 
[main] DEBUG org.apache.ws.security.message.token.Timestamp - Timestamp expires: 2012-02-07T22:57:22.641Z 
[main] DEBUG org.apache.ws.security.message.token.Timestamp - Validation of Timestamp: Everything is ok 
[main] DEBUG org.apache.ws.security.message.token.DerivedKeyToken - DerivedKeyToken: created : element constructor 
[main] DEBUG org.apache.ws.security.message.token.DerivedKeyToken - DerivedKeyToken: created : element constructor 
[main] DEBUG org.apache.ws.security.processor.ReferenceListProcessor - Found reference list element 
[main] DEBUG org.apache.ws.security.processor.ReferenceListProcessor - Found data reference: _3 
[main] DEBUG org.apache.ws.security.processor.X509Util - Sym Enc Algo: http://www.w3.org/2001/04/xmlenc#aes256-cbc 
[main] DEBUG org.apache.xml.security.encryption.XMLCipher - Getting XMLCipher with transformation 
[main] DEBUG org.apache.xml.security.encryption.XMLCipher - Constructing XMLCipher... 
[main] DEBUG org.apache.xml.security.algorithms.JCEMapper - Request for URI http://www.w3.org/2001/04/xmlenc#aes256-cbc 
[main] DEBUG org.apache.xml.security.encryption.XMLCipher - cipher._algorithm = AES/CBC/ISO10126Padding 
[main] DEBUG org.apache.xml.security.encryption.XMLCipher - Initializing XMLCipher... 
[main] DEBUG org.apache.xml.security.encryption.XMLCipher - opmode = DECRYPT_MODE 
[main] DEBUG org.apache.xml.security.encryption.XMLCipher - Processing source element... 
[main] DEBUG org.apache.xml.security.encryption.XMLCipher - Decrypting element... 
[main] DEBUG org.apache.xml.security.encryption.XMLCipher - Decrypting to ByteArray... 
[main] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("KeyInfo", "null") 
[main] DEBUG org.apache.xml.security.encryption.XMLCipher - Encrypted octets: 
x1eLqhngbuRTq2XJIkcTdzyu1UFb4eV0kwno04/w4yW0HiY6RyYa7OHqniV63aaxgZPxm0NOK2ZUgjggtkM0O9myJ6ZJOFxCLmqREjQMD+mFW+WuTSEZ5cgc3SFule3MmryqoStNLsmzM8t5yaT3drF1ctT7DJQnV6W858WwpD+Dw+WYmO0RaUlgsfbTnWiBvCZ8yyCzvgmZTMGr8y9LXnwaw+FsspReuMpcIOsqU9LE5u5uW5ZJglgn5cv/8XWikD3TwNzqL+7qAVN8R6WnXgUmb1DuX5lx4cyxlwcLnkfOQKbGrwGvKJUY47ohAgKH 
[main] DEBUG org.apache.xml.security.algorithms.JCEMapper - Request for URI http://www.w3.org/2001/04/xmlenc#aes256-cbc 
[main] DEBUG org.apache.xml.security.encryption.XMLCipher - JCE Algorithm = AES/CBC/ISO10126Padding 
[main] DEBUG org.apache.xml.security.encryption.XMLCipher - Decrypted octets: 
<BasicResponse xmlns="http://searchtechnologies.com/cpa/wcfinterop/data"><DateTimeData>0001-01-02T00:00:00</DateTimeData><IntegerData>Integer data</IntegerData><StringData>String data</StringData></BasicResponse> 
[main] DEBUG org.apache.ws.security.processor.ReferenceListProcessor - Found data reference: _6 
[main] DEBUG org.apache.ws.security.processor.X509Util - Sym Enc Algo: http://www.w3.org/2001/04/xmlenc#aes256-cbc 
[main] DEBUG org.apache.xml.security.encryption.XMLCipher - Getting XMLCipher with transformation 
[main] DEBUG org.apache.xml.security.encryption.XMLCipher - Constructing XMLCipher... 
[main] DEBUG org.apache.xml.security.algorithms.JCEMapper - Request for URI http://www.w3.org/2001/04/xmlenc#aes256-cbc 
[main] DEBUG org.apache.xml.security.encryption.XMLCipher - cipher._algorithm = AES/CBC/ISO10126Padding 
[main] DEBUG org.apache.xml.security.encryption.XMLCipher - Initializing XMLCipher... 
[main] DEBUG org.apache.xml.security.encryption.XMLCipher - opmode = DECRYPT_MODE 
[main] DEBUG org.apache.xml.security.encryption.XMLCipher - Processing source element... 
[main] DEBUG org.apache.xml.security.encryption.XMLCipher - Decrypting element... 
[main] DEBUG org.apache.xml.security.encryption.XMLCipher - Decrypting to ByteArray... 
[main] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("KeyInfo", "null") 
[main] DEBUG org.apache.xml.security.encryption.XMLCipher - Encrypted octets: 

[main] DEBUG org.apache.xml.security.algorithms.JCEMapper - Request for URI http://www.w3.org/2001/04/xmlenc#aes256-cbc 
[main] DEBUG org.apache.xml.security.encryption.XMLCipher - JCE Algorithm = AES/CBC/ISO10126Padding 
Feb 07, 2012 4:52:22 PM org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor handleMessage 
WARNING: 
org.apache.ws.security.WSSecurityException: The signature or decryption was invalid 
    at org.apache.ws.security.processor.ReferenceListProcessor.decryptEncryptedData(ReferenceListProcessor.java:298) 
    at org.apache.ws.security.processor.ReferenceListProcessor.decryptDataRefEmbedded(ReferenceListProcessor.java:159) 
    at org.apache.ws.security.processor.ReferenceListProcessor.handleReferenceList(ReferenceListProcessor.java:93) 
    at org.apache.ws.security.processor.ReferenceListProcessor.handleToken(ReferenceListProcessor.java:60) 
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396) 
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:249) 
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:85) 
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263) 
    at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:799) 
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1627) 
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1494) 
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1402) 
    at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:47) 
    at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:195) 
    at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56) 
    at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:649) 
    at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62) 
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263) 
    at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:533) 
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:463) 
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:366) 
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:319) 
    at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:88) 
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134) 
    at $Proxy33.simpleOperation(Unknown Source) 
    at com.searchtechnologies.wcfinterop.TestServiceClient.secureTest(TestServiceClient.java:74) 
    at com.searchtechnologies.wcfinterop.TestServiceClient.main(TestServiceClient.java:32) 
Caused by: java.lang.ArrayIndexOutOfBoundsException 
    at java.lang.System.arraycopy(Native Method) 
    at org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(Unknown Source) 
    at org.apache.xml.security.encryption.XMLCipher.decryptElement(Unknown Source) 
    at org.apache.xml.security.encryption.XMLCipher.doFinal(Unknown Source) 
    at org.apache.ws.security.processor.ReferenceListProcessor.decryptEncryptedData(ReferenceListProcessor.java:296) 
    ... 26 more 

Feb 07, 2012 4:52:22 PM org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging 
WARNING: Interceptor for {http://searchtechnologies.com/cpa/wcfinterop}TestService#{http://searchtechnologies.com/cpa/wcfinterop}SimpleOperation has thrown exception, unwinding now 
org.apache.cxf.binding.soap.SoapFault: The signature or decryption was invalid 
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:643) 
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:308) 
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:85) 
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263) 
    at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:799) 
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1627) 
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1494) 
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1402) 
    at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:47) 
    at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:195) 
    at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56) 
    at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:649) 
    at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62) 
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263) 
    at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:533) 
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:463) 
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:366) 
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:319) 
    at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:88) 
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134) 
    at $Proxy33.simpleOperation(Unknown Source) 
    at com.searchtechnologies.wcfinterop.TestServiceClient.secureTest(TestServiceClient.java:74) 
    at com.searchtechnologies.wcfinterop.TestServiceClient.main(TestServiceClient.java:32) 
Caused by: org.apache.ws.security.WSSecurityException: The signature or decryption was invalid 
    at org.apache.ws.security.processor.ReferenceListProcessor.decryptEncryptedData(ReferenceListProcessor.java:298) 
    at org.apache.ws.security.processor.ReferenceListProcessor.decryptDataRefEmbedded(ReferenceListProcessor.java:159) 
    at org.apache.ws.security.processor.ReferenceListProcessor.handleReferenceList(ReferenceListProcessor.java:93) 
    at org.apache.ws.security.processor.ReferenceListProcessor.handleToken(ReferenceListProcessor.java:60) 
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396) 
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:249) 
    ... 21 more 
Caused by: java.lang.ArrayIndexOutOfBoundsException 
    at java.lang.System.arraycopy(Native Method) 
    at org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(Unknown Source) 
    at org.apache.xml.security.encryption.XMLCipher.decryptElement(Unknown Source) 
    at org.apache.xml.security.encryption.XMLCipher.doFinal(Unknown Source) 
    at org.apache.ws.security.processor.ReferenceListProcessor.decryptEncryptedData(ReferenceListProcessor.java:296) 
    ... 26 more 

[main] ERROR com.searchtechnologies.wcfinterop.TestServiceClient - Error during service invocation 
java.lang.NullPointerException 
    at com.sun.xml.internal.messaging.saaj.soap.impl.ElementImpl.addTextNode(ElementImpl.java:439) 
    at com.sun.xml.internal.messaging.saaj.soap.ver1_2.Fault1_2Impl.setFaultRole(Fault1_2Impl.java:323) 
    at com.sun.xml.internal.messaging.saaj.soap.ver1_2.Fault1_2Impl.setFaultActor(Fault1_2Impl.java:559) 
    at org.apache.cxf.jaxws.JaxWsClientProxy.createSoapFault(JaxWsClientProxy.java:219) 
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:152) 
    at $Proxy33.simpleOperation(Unknown Source) 
    at com.searchtechnologies.wcfinterop.TestServiceClient.secureTest(TestServiceClient.java:74) 
    at com.searchtechnologies.wcfinterop.TestServiceClient.main(TestServiceClient.java:32) 

, 그것은 보인다.

어떤 도움 이라든지 깊이입니다.

크기 제한으로 인해 WSDL을 게시 할 수 없습니다. 필요한 경우 요청시 제공됩니다.

감사합니다,

에두아르도 Quiros-캄포스

Answer 1

서명이 활성화되면 지금까지 내가 알려진 바와 같이, CXF 완전히 MTOM 지원하지 않습니다이 서명하거나 첨부 파일을 암호화하지 않습니다. WCF는 첨부 파일을 서명하거나 암호화하므로 작동하지 않습니다. http://cxf.547215.n5.nabble.com/Signature-digest-mismatch-when-NET-supplies-MTOM-attachment-td3270961.html 및 https://issues.apache.org/jira/browse/CXF-3687을 참조하십시오.