环境:
- Apache CXF 2.7.8
- Jboss EAP 6
- 用于测试客户端的SoapUI
我试图实现简单的身份验证,即使用密码简单文本类型,它正在工作,但当我尝试实现密码摘要类型时,给了我一个例外:
立即展开:org.apache.cxf.binding.soap.soap错误:消息已过期org.apache.ws.security.WSSecurityException:消息已过期
我为每个请求和五分钟内的时间提供新的nonce值差异
WSS4JIInInterceptor Bean类定义:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:jaxws="http://cxf.apache.org/jaxws"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd">
<import resource="classpath:META-INF/cxf/cxf.xml" />
<import resource="classpath:META-INF/cxf/cxf-extension-soap.xml" />
<import resource="classpath:META-INF/cxf/cxf-servlet.xml" />
<jaxws:endpoint id="orderProcess" implementor="demo.order.OrderProcessImpl" address="/OrderProcess" >
<jaxws:inInterceptors>
<bean
class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
<constructor-arg>
<map>
<entry key="action" value="UsernameToken"/>
<entry key="passwordType" value="PasswordDigest"/>
<entry key="passwordCallbackRef" value-ref="myPasswordCallback"/>
</map>
</constructor-arg>
</bean>
</jaxws:inInterceptors>
</jaxws:endpoint>
<bean id="myPasswordCallback" class="service.ServerPasswordCallback" />
</beans>
客户端xml请求代码:
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ord="http://order.demo/"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<soapenv:Header>
<wsse:Security>
<wsse:UsernameToken>
<wsse:Username>joe</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">PE7F51/oyWFVMsiZURuUwjoZVPY=</wsse:Password>
<!--<wsu:Created>2013-12-17T13:12:00.429Z</wsu:Created>-->
<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">efPSkfHXTM6NFDDD1CJHsw==</wsse:Nonce>
<wsu:Created>2013-12-23T12:17:15Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
<ord:processOrder>
<!--Optional:-->
<arg0>
<!--Optional:-->
<customerID>234</customerID>
<!--Optional:-->
<itemID>0908923</itemID>
<price>23423</price>
<qty>1000</qty>
</arg0>
</ord:processOrder>
</soapenv:Body>
</soapenv:Envelope>
当我试图呼叫该服务时,我得到了的异常
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<soap:Fault>
<faultcode xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">ns1:MessageExpired</faultcode>
<faultstring>The message has expired</faultstring>
</soap:Fault>
</soap:Body>
</soap:Envelope>
有人能告诉我哪里出错了吗?
我怀疑这是wss4j早期版本中的一个错误。如果使用SimpleDateFormat分析日期,则可能需要将时区设置为UTC(祖鲁时间)。
sdf.setTimeZone("UTC");
然而,这已经在2.0-贝塔中得到了修复。
http://grepcode.com/file/repo1.maven.org/maven2/org.apache.wss4j/wss4j-ws-security-dom/2.0-beta/org/apache/wss4j/dom/message/token/UsernameToken.java#226
编辑:这不是wss4j中的错误。规范规定时区必须以UTC为单位。