【Question title】: WSO2 ESB consuming WCF Secured Method with certificate
【Posted】: 2018-05-28 23:04:22
【Question】:

I am new to WSO2 ESB. I have built a WCF service with wsHttpBinding secured by a self-signed certificate, and I can't find a way to integrate that service with the ESB. Any suggestions?

I created a self-signed certificate with the makecert command, but I can't configure Rampart to use the created certificate. How can I do this? I'm lost. My wsHttpBinding looks like this:

<wsHttpBinding>
    <binding name="BasicHttpAuthentication_Config">
        <security mode="Message">
            <message clientCredentialType="UserName" algorithmSuite="Basic256" establishSecurityContext="false"/>
        </security>
    </binding>
</wsHttpBinding>

The Rampart configuration looks like this:

<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
    <ramp:user>acc1</ramp:user>
    <ramp:userCertAlias>acc1</ramp:userCertAlias>
    <ramp:encryptionUser>acc1</ramp:encryptionUser>
    <ramp:passwordCallbackClass>org.wso2.samples.pwcb.PWCBHandler</ramp:passwordCallbackClass>
    <ramp:TimeToLive>360</ramp:TimeToLive>
    <ramp:signatureCrypto>
        <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">pkcs12</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.file">C:\ESB_HOME\repository\resources\security\cert1.pfx</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">123</ramp:property>
        </ramp:crypto>
    </ramp:signatureCrypto>
    <ramp:encryptionCypto>
        <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">pkcs12</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.file">C:\ESB_HOME\repository\resources\security\cert1.pfx</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">123</ramp:property>
        </ramp:crypto>
    </ramp:encryptionCypto>
</ramp:RampartConfig>

After creating the proxy service I get the following error:

org.apache.synapse.SynapseException: Unexpected error during sending message out
    at org.apache.synapse.core.axis2.Axis2Sender.handleException(Axis2Sender.java:257)
    at org.apache.synapse.core.axis2.Axis2Sender.sendOn(Axis2Sender.java:84)
    at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.send(Axis2SynapseEnvironment.java:548)
    at org.apache.synapse.endpoints.AbstractEndpoint.send(AbstractEndpoint.java:382)
    at org.apache.synapse.endpoints.AddressEndpoint.send(AddressEndpoint.java:65)
    at org.apache.synapse.core.axis2.ProxyServiceMessageReceiver.receive(ProxyServiceMessageReceiver.java:231)
    at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
    at org.apache.synapse.transport.passthru.ServerWorker.processEntityEnclosingRequest(ServerWorker.java:403)
    at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:151)
    at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: org.apache.axis2.AxisFault: Signature token missing
    at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:76)
    at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
    at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
    at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261)
    at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:426)
    at org.apache.synapse.core.axis2.DynamicAxisOperation$DynamicOperationClient.send(DynamicAxisOperation.java:185)
    at org.apache.synapse.core.axis2.DynamicAxisOperation$DynamicOperationClient.executeImpl(DynamicAxisOperation.java:167)
    at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
    at org.apache.synapse.core.axis2.Axis2FlexibleMEPClient.send(Axis2FlexibleMEPClient.java:581)
    at org.apache.synapse.core.axis2.Axis2Sender.sendOn(Axis2Sender.java:78)
    ... 11 more
Caused by: org.apache.rampart.RampartException: Signature token missing
    at org.apache.rampart.builder.SymmetricBindingBuilder.doSignBeforeEncrypt(SymmetricBindingBuilder.java:434)
    at org.apache.rampart.builder.SymmetricBindingBuilder.build(SymmetricBindingBuilder.java:86)
    at org.apache.rampart.MessageBuilder.build(MessageBuilder.java:144)
    at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:65)
    ... 20 more

What should I do to make it work? The whole policy file is below:

<wsp:Policy wsu:Id="WSHttpBinding_IBasicHttpService_policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl">
<wsp:ExactlyOne>
    <wsp:All>
        <sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <wsp:Policy>
                <sp:ProtectionToken>
                    <wsp:Policy>
                        <mssp:SslContextToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient" xmlns:mssp="http://schemas.microsoft.com/ws/2005/07/securitypolicy">
                            <wsp:Policy>
                                <sp:RequireDerivedKeys/>
                            </wsp:Policy>
                        </mssp:SslContextToken>
                    </wsp:Policy>
                </sp:ProtectionToken>
                <sp:AlgorithmSuite>
                    <wsp:Policy>
                        <sp:Basic256/>
                    </wsp:Policy>
                </sp:AlgorithmSuite>
                <sp:Layout>
                    <wsp:Policy>
                        <sp:Strict/>
                    </wsp:Policy>
                </sp:Layout>
                <sp:IncludeTimestamp/>
                <sp:EncryptSignature/>
                <sp:OnlySignEntireHeadersAndBody/>
            </wsp:Policy>
        </sp:SymmetricBinding>
        <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <wsp:Policy>
                <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                    <wsp:Policy>
                        <sp:WssUsernameToken10/>
                    </wsp:Policy>
                </sp:UsernameToken>
            </wsp:Policy>
        </sp:SignedSupportingTokens>
        <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <wsp:Policy/>
        </sp:Wss11>
        <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <wsp:Policy>
                <sp:MustSupportIssuedTokens/>
                <sp:RequireClientEntropy/>
                <sp:RequireServerEntropy/>
            </wsp:Policy>
        </sp:Trust10>
        <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <sp:Body />
            <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
            <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing" />
            <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing" />
            <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing" />
            <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing" />
            <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing" />
            <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" />
        </sp:SignedParts>
        <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <sp:Body />
        </sp:EncryptedParts>
        <wsaw:UsingAddressing/>
        <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
            <ramp:user>acc1</ramp:user>
            <ramp:userCertAlias>BasicHttpAuthentication</ramp:userCertAlias>
            <ramp:encryptionUser>acc1</ramp:encryptionUser>
            <ramp:passwordCallbackClass>org.wso2.samples.pwcb.PWCBHandler</ramp:passwordCallbackClass>
            <ramp:TimeToLive>360</ramp:TimeToLive>
            <ramp:signatureCrypto>
                <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
                    <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">pkcs12</ramp:property>
                    <ramp:property name="org.apache.ws.security.crypto.merlin.file">C:\ESB_HOME\repository\resources\security\cert1.pfx</ramp:property>
                    <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">123456</ramp:property>
                </ramp:crypto>
            </ramp:signatureCrypto>
            <ramp:encryptionCypto>
                <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
                    <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">pkcs12</ramp:property>
                    <ramp:property name="org.apache.ws.security.crypto.merlin.file">C:\ESB_HOME\repository\resources\security\cert1.pfx</ramp:property>
                    <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">123456</ramp:property>
                </ramp:crypto>
            </ramp:encryptionCypto>
        </ramp:RampartConfig>
    </wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>

【Comments】:

  • What have you tried so far? Give us some context, show us some code!
  • Actually I tried many scenarios, but each one failed at the end. What I need is a well-documented step-by-step guide for this scenario to solve the problem.
  • Is it a SOAP service? Do you have a JKS file to secure your wsHttpBinding?
  • I created a self-signed certificate with the makecert command, but I can't configure Rampart to use the created certificate. How can I do this? I'm lost. My wsHttpBinding looks like this: binding>

Tags: wcf security wso2 certificate esb


【Solution 1】:

I figured it out. It seems the problem was that using SSLContextToken causes an issue because Axis2 doesn't understand it, so I changed the wsHttpBinding like this:

<security mode="Message">
    <message clientCredentialType="None" 
         negotiateServiceCredential="false" 
         establishSecurityContext="false"/>
</security>

Then everything works. So now I have to find a new authentication method, but at least the messages are secured with our certificate.

【Comments】:

  • Is this the answer to your question? If not, please edit your original question and append it there.
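An added check for the failure in this thread (example code, not from the question, WSO2 or Rampart): it reads a WS-SecurityPolicy like the one posted, reports the binding's protection token and the supporting tokens, flags the negotiated Microsoft context tokens (SslContextToken, SpnegoContextToken) that the accepted fix removes by setting negotiateServiceCredential="false", and lists what the RampartConfig lacks. The sample policy is a constructed, trimmed copy of the asker's; the element names come from that policy and from Rampart's own configuration schema.

```python
import xml.etree.ElementTree as ET

SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
MSSP = "http://schemas.microsoft.com/ws/2005/07/securitypolicy"
RAMP = "http://ws.apache.org/rampart/policy"

# Microsoft tokens negotiated at runtime (TLS or SPNEGO carried inside SOAP). WCF
# emits them for negotiateServiceCredential="true"; Rampart has no builder for them.
NEGOTIATED = {f"{{{MSSP}}}SslContextToken", f"{{{MSSP}}}SpnegoContextToken"}

def local(tag):  # "{ns}Name" -> "Name"
    return tag.split("}")[-1]

def analyze_policy(xml_text):
    root = ET.fromstring(xml_text)
    rep = {"binding": None, "protection_token": None,
           "supporting_tokens": [], "problems": []}
    for name in ("SymmetricBinding", "AsymmetricBinding", "TransportBinding"):
        if root.find(f".//{{{SP}}}{name}") is not None:
            rep["binding"] = name
            break
    # In a SymmetricBinding the protection token is also the signature token.
    pt = root.find(f".//{{{SP}}}ProtectionToken/{{{WSP}}}Policy/*")
    if pt is not None:
        rep["protection_token"] = local(pt.tag)
        if pt.tag in NEGOTIATED:
            rep["problems"].append(f"{local(pt.tag)}: Rampart cannot build a "
                                   "signature token from a negotiated context "
                                   "token (the 'Signature token missing' fault)")
    for st in root.findall(f".//{{{SP}}}SignedSupportingTokens/{{{WSP}}}Policy/*"):
        rep["supporting_tokens"].append(local(st.tag))
    ramp = root.find(f".//{{{RAMP}}}RampartConfig")
    if ramp is None:
        rep["problems"].append("no RampartConfig: keystore and callback undefined")
    else:  # 'encryptionCypto' is Rampart's own (misspelled) element name
        for child in ("signatureCrypto", "encryptionCypto"):
            if ramp.find(f"{{{RAMP}}}{child}") is None:
                rep["problems"].append(f"RampartConfig lacks {child}")
    return rep

# Constructed, trimmed copy of the policy posted in the question.
SAMPLE_POLICY = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}" xmlns:mssp="{MSSP}"
    xmlns:ramp="{RAMP}"><wsp:ExactlyOne><wsp:All>
  <sp:SymmetricBinding><wsp:Policy><sp:ProtectionToken><wsp:Policy>
    <mssp:SslContextToken><wsp:Policy><sp:RequireDerivedKeys/></wsp:Policy></mssp:SslContextToken>
  </wsp:Policy></sp:ProtectionToken></wsp:Policy></sp:SymmetricBinding>
  <sp:SignedSupportingTokens><wsp:Policy><sp:UsernameToken/></wsp:Policy></sp:SignedSupportingTokens>
  <ramp:RampartConfig><ramp:signatureCrypto/></ramp:RampartConfig>
</wsp:All></wsp:ExactlyOne></wsp:Policy>"""
```

Run `analyze_policy(SAMPLE_POLICY)["problems"]` on the WSDL-exported policy before wiring it into the proxy; once WCF stops negotiating, the same function reports a plain X509Token as the protection token and no token problem. Bear in mind that clientCredentialType="None" in the accepted fix also drops client authentication, which the answer itself says still needs replacing.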