I need to make a SOAP call with WS-Security (timestamp, signature and encryption). Below is my interceptor configuration:
<bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor" id="wss4jOutSiaInterceptor">
    <constructor-arg>
        <map>
            <entry key="action" value="Timestamp Signature Encrypt"/>
            <entry key="user" value="${areaClienti.esg.secAcsMaintenance.aliasSignatureKeystore}"/>
            <entry key="signaturePropFile" value="siaSignatureKeystore.properties"/>
            <entry key="encryptionPropFile" value="siaEncryptionKeystore.properties"/>
            <entry key="signatureUser" value="${areaClienti.esg.secAcsMaintenance.aliasSignatureKeystore}"/>
            <entry key="encryptionUser" value="${areaClienti.esg.secAcsMaintenance.aliasEncryptionKeystore}"/>
            <entry key="passwordCallbackRef">
                <ref bean="secAcsMaintenancePasswordCallback"/>
            </entry>
            <entry key="signatureParts" value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
            <entry key="encryptionParts" value="{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
            <entry key="encryptionKeyTransportAlgorithm" value="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
            <entry key="encryptionSymAlgorithm" value="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
            <entry key="signatureAlgorithm" value="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <entry key="signatureDigestAlgorithm" value="http://www.w3.org/2001/04/xmlenc#sha256"/>
        </map>
    </constructor-arg>
</bean>
With this interceptor the SOAP request is built as shown below:
<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="1">
            <wsu:Timestamp wsu:Id="TS-C31BABEAC91B9AC09E158807958049827801">
                <wsu:Created>2020-04-28T13:13:00.498Z</wsu:Created>
                <wsu:Expires>2020-04-28T13:18:00.498Z</wsu:Expires>
            </wsu:Timestamp>
            <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EK-C31BABEAC91B9AC09E158807958051227807">
                <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" />
                <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <wsse:SecurityTokenReference>
                        <ds:X509Data>
                            <ds:X509IssuerSerial>
                                <ds:X509IssuerName>CN=Gestione Sicurezza CA,O=*****</ds:X509IssuerName>
                                <ds:X509SerialNumber>67560614003381103605415267709141557689</ds:X509SerialNumber>
                            </ds:X509IssuerSerial>
                        </ds:X509Data>
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
                <xenc:CipherData>
                    <xenc:CipherValue>2OR2eWkrXKGPDBlEBlXFxW+CrH3sNORwpT4SBJMwrnsKgpOD2k15IbtVgzX758D0NVYINhCyCOymKd7PysrXc70H72hsRwC2FKKlADzPK/N3g/Po+52DLS37dcL90496+NwAEvYN6QCQWxUdKjfWaSJc24noHn10w3IHg5rRcH+t3nNK/2KzJ14pDmCncHKFn8yVhuB4RYn3usryuE8UK7ampR6HW8+MC2gIx1TSXb+CD+EnVQHJ3XdD6xRjkKacLroMSrgVVHvgA49q6OCen8CJ0bbbF6nUO7RMvEVyBCZSL3+x3HE/IsqmJhiuG/uTwrVNxGup4dcM2XOO6XiptA==</xenc:CipherValue>
                </xenc:CipherData>
                <xenc:ReferenceList>
                    <xenc:DataReference URI="#ED-C31BABEAC91B9AC09E158807958051327808" />
                </xenc:ReferenceList>
            </xenc:EncryptedKey>
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-C31BABEAC91B9AC09E158807958049827806">
                <ds:SignedInfo>
                    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap" />
                    </ds:CanonicalizationMethod>
                    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                    <ds:Reference URI="#TS-C31BABEAC91B9AC09E158807958049827801">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse soap" />
                            </ds:Transform>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                        <ds:DigestValue>FAb4/VrY1fFTLmSJSD2O+t0rQEtG3EeQpeLovAZwKtw=</ds:DigestValue>
                    </ds:Reference>
                    <ds:Reference URI="#_C31BABEAC91B9AC09E158807958049827802">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="" />
                            </ds:Transform>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                        <ds:DigestValue>2UFNV0D7Yant04I/jof6SlEW3dK/ZWG7uHgj3RgxzuA=</ds:DigestValue>
                    </ds:Reference>
                </ds:SignedInfo>
                <ds:SignatureValue>J9dCxv/FobrAtgvIWeZgY2mftCpmvfTcj8yiQLvfFXoWKTVquLmoB4GnFwfaW7G8jnNkQPkzU3CVnXYfA1cuh7JeRM8fqKByHa+4VAz9b7LJrbj/4TSvzKeQeOU1Km6wWb8G1uZCx2klQjp9kL+ihB2+36ZpEmFhO9Ll/lUG7to/Sagge3Zwqh+C40Ziy0LjTlEry/fmLXhIy4TleDDBpQSSzOQQakA//k/3tojwzNq556olu2hIE74O+6eI73bGQ752b3+lrTChdk1UFmoSMzq6hw3pyRdkdV1QGXRLFKvv7T1wYRj94+K6EIdHAT9GpnYpPn+VQrzj8g4rgbArxg==</ds:SignatureValue>
                <ds:KeyInfo Id="KI-C31BABEAC91B9AC09E158807958049827804">
                    <wsse:SecurityTokenReference wsu:Id="STR-C31BABEAC91B9AC09E158807958049827805">
                        <ds:X509Data>
                            <ds:X509IssuerSerial>
                                <ds:X509IssuerName>CN=Gestione Sicurezza CA,O=******</ds:X509IssuerName>
                                <ds:X509SerialNumber>89188619645497795794812461714094482737</ds:X509SerialNumber>
                            </ds:X509IssuerSerial>
                        </ds:X509Data>
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
            </ds:Signature>
        </wsse:Security>
    </SOAP-ENV:Header>
    <soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="_C31BABEAC91B9AC09E158807958049827802">
        <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="ED-C31BABEAC91B9AC09E158807958051327808" Type="http://www.w3.org/2001/04/xmlenc#Content">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
                    <wsse:Reference URI="#EK-C31BABEAC91B9AC09E158807958051227807" />
                </wsse:SecurityTokenReference>
            </ds:KeyInfo>
            <xenc:CipherData>
                <xenc:CipherValue>k3Jce5fUhOUSy84RhxSgtSCUZz/vikqRshAMRphrT2VrbnVCPtya+GPUxq4mW289kGrZPyh0MP8ZAsOk3SO6YGOhuO3SizgqvVA2UQjIAcNTbuKOqF1+iWXcLlib8RPtcxnIG8OdNMC0hwdDGPw6iFHFGnDp6WYKxUQxvC5yMTwddUL83ASY0N4VpxNzJU8J1dRFDmBwhkD5mvQVlfkO67Y8YzrlNZCTqjDagUDSqRYDwXzdFkpvM142mK20QHiv+StSYFr6BTjlWvA6vsGhMrc8w8qX+li6JM6Qo9WIUr8CmXFVbkrWy0gZfQgcAmneK6IgAw8+8ggvvkhc5iK/bUSKaALr375rruZuSjUfJd65y5e3UOwnkrhzlKowwl0Rvld6O0vy+lLF4NmolC8eZKzkKdlTMvfKn6kNTdfvs0CdBUBAYDNStUckXXY0kFHV4/1Ht2MqzlrwFXWM3UW49A==</xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
    </soap:Body>
</soap:Envelope>
The problem is that ValueType is missing from KeyInfo -> SecurityTokenReference -> Reference: instead of
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
        <wsse:Reference URI="#EK-C31BABEAC91B9AC09E158807958051227807" />
    </wsse:SecurityTokenReference>
</ds:KeyInfo>
the Reference tag should have a ValueType attribute, for example:
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
        <wsse:Reference URI="#EK-C31BABEAC91B9AC09E158807958051227807" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
    </wsse:SecurityTokenReference>
</ds:KeyInfo>
How do I add this attribute?
Thanks
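One way to add the attribute after WSS4J has built the message is a second CXF out-interceptor that edits the DOM before it is serialised. The code below is an added example written for this page; it is not from the question's author and not part of CXF or WSS4J. The class name is hypothetical. It assumes CXF 3.x (javax.xml.soap; CXF 4 uses jakarta.xml.soap), that WSS4J does its signing and encryption in an internal ending interceptor in Phase.POST_PROTOCOL with the id string used in the constructor, and that SAAJOutEndingInterceptor runs in the same phase afterwards to write the DOM; check these against the CXF version in use. The ValueType value is the one the question asks for.

```java
import javax.xml.soap.SOAPMessage;

import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.interceptor.AbstractSoapInterceptor;
import org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.phase.Phase;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/**
 * Out-interceptor that adds ValueType to every wsse:Reference inside a
 * SecurityTokenReference pointing at an EncryptedKey (wsse11:TokenType).
 * Hypothetical class written for this example; not part of CXF or WSS4J.
 */
public class EncryptedKeyReferenceValueTypeInterceptor extends AbstractSoapInterceptor {

    static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSSE11_NS =
        "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd";
    static final String ENCRYPTED_KEY_TOKEN_TYPE =
        "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey";
    /** The value the question asks for; the receiving service dictates what it accepts. */
    static final String VALUE_TYPE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";

    public EncryptedKeyReferenceValueTypeInterceptor() {
        // ASSUMPTION about CXF's pipeline: WSS4J signs/encrypts in an internal ending
        // interceptor in POST_PROTOCOL, and SAAJOutEndingInterceptor then serialises the
        // DOM. This interceptor must sit between the two.
        super(Phase.POST_PROTOCOL);
        addAfter("org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal");
        addBefore(SAAJOutInterceptor.SAAJOutEndingInterceptor.class.getName());
    }

    @Override
    public void handleMessage(SoapMessage message) throws Fault {
        SOAPMessage saaj = message.getContent(SOAPMessage.class);
        if (saaj == null) {
            return; // no DOM to edit (WSS4J has not run); leave the message alone
        }
        addValueType(saaj.getSOAPPart()); // SOAPPart implements org.w3c.dom.Document
    }

    /** Adds the attribute where it is missing; returns how many references were changed. */
    public static int addValueType(Document doc) {
        int changed = 0;
        NodeList strs = doc.getElementsByTagNameNS(WSSE_NS, "SecurityTokenReference");
        for (int i = 0; i < strs.getLength(); i++) {
            Element str = (Element) strs.item(i);
            // Only STRs that point at an EncryptedKey are touched. The STRs in the
            // Signature and EncryptedKey KeyInfo use X509IssuerSerial and stay as they are.
            if (!ENCRYPTED_KEY_TOKEN_TYPE.equals(str.getAttributeNS(WSSE11_NS, "TokenType"))) {
                continue;
            }
            for (Node c = str.getFirstChild(); c != null; c = c.getNextSibling()) {
                if (c.getNodeType() == Node.ELEMENT_NODE
                        && WSSE_NS.equals(c.getNamespaceURI())
                        && "Reference".equals(c.getLocalName())) {
                    Element ref = (Element) c;
                    if (!ref.hasAttribute("ValueType")) {
                        ref.setAttribute("ValueType", VALUE_TYPE); // unprefixed, as in the question
                        changed++;
                    }
                }
            }
        }
        return changed;
    }
}
```

Register it as an out-interceptor on the same client as wss4jOutSiaInterceptor. Two points worth checking before relying on it. First, with the action order "Timestamp Signature Encrypt" WSS4J signs the Body before encrypting it, so the edited wsse:Reference lives inside the EncryptedData that replaces the signed plaintext; the receiver decrypts and then verifies the digest over the recovered content, and the added attribute does not disturb that. If the actions were reordered to encrypt first and sign afterwards, the EncryptedData would be inside the signed region and any edit made after signing would break the Body digest. Second, because the attribute is not covered by the signature, the receiving side should treat it as a hint for resolving the key reference, not as something authenticated.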