我有一些 Web 服务(用 Java 编写),我需要在 .NET 中为其创建客户端。 Web 服务具有 WS-Security 并且需要密码摘要。
首先,我在 SoapUI 中测试了它,它适用于:
POST http://192.168.100.101:8181/services/ws/SomeService HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: application/soap+xml;charset=UTF-8;action="someMethod"
Content-Length: 971
Host: 192.168.100.101:8181
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
<soap:Envelope xmlns:not="http://existing-domain.com/op/integration/services" xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:UsernameToken wsu:Id="UsernameToken-2C1E2DE2B61EBB94E115572099598331">
<wsse:Username>SOME_LOGIN</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">rcSb6Hd8btcI9g6JvO7dGdiTBTI=</wsse:Password>
<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">PCoVwJm9oEXtusx6gkMb7w==</wsse:Nonce>
<wsu:Created>2019-05-07T06:19:19.824Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
</soap:Header>
<soap:Body>
<not:someMethod/>
</soap:Body>
</soap:Envelope>
在下一步中,我在 .NET 中准备了简单的客户端,并使用 Wireshark 检查它发送的内容:
POST /services/ws/SomeService HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: application/soap+xml;charset=UTF-8;action="someMethod"
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Host: 192.168.100.101:8181
Content-Length: 1124
Expect: 100-continue
Connection: Keep-Alive
<soap:Envelope xmlns:not="http://existing-domain.com/op/integration/services" xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-85707168-b5c6-47dc-93e9-45afa466fa2a" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:Username>SOME_LOGIN</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">g112a9eHPR1hXD4UH+Lh3o8JV/o=</wsse:Password>
<wsse:Nonce>EiUbo2DbXMGhM26fT+ZkJQ==</wsse:Nonce>
<wsu:Created>2019-05-07T06:27:59Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
</soap:Header>
<soap:Body>
<not:someMethod />
</soap:Body>
</soap:Envelope>
不幸的是我总是收到 500 状态代码和响应:
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Body>
<soap:Fault>
<soap:Code>
<soap:Value>soap:Sender</soap:Value>
<soap:Subcode>
<soap:Value xmlns:ns1="http://ws.apache.org/wss4j">ns1:SecurityError</soap:Value>
</soap:Subcode>
</soap:Code>
<soap:Reason>
<soap:Text xml:lang="en">A security error was encountered when verifying the message</soap:Text>
</soap:Reason>
</soap:Fault>
</soap:Body>
</soap:Envelope>
我很确定它的出现是因为授权问题(如果提供了错误的凭据,我在 SoapUI 中也会收到相同的消息)。
我的客户端中的部分是使用以下命令创建的:
UsernameToken t = new UsernameToken("SOME_LOGIN", "SOME_PASSWORD", PasswordOption.SendHashed);
string usernameTokenSection = t.GetXml(new XmlDocument()).OuterXml.ToString();
有几篇文章如何创建密码数字(Base64( SHA1(密码 + 随机数 + 创建) )), 随机数 (Base64(随机字符串)) 或创建日期,但我找不到是什么wsu:Id="UsernameToken-2C1E2DE2B61EBB94E115572099598331"
以及如何创建它。上面的代码我从 UsernameToken 获取 xml 返回完整的部分,所以我决定使用它,但我注意到它附加了wsu:Id="SecurityToken-85707168-b5c6-47dc-93e9-45afa466fa2a"
(代替wsu:Id="UsernameToken-2C1E2DE2B61EBB94E115572099598331"
)。我可以更改名称并删除-
字符,但没有任何改变,我仍然收到 500 内部服务器错误消息“验证消息时遇到安全错误".
所以,我的问题是如何用正确的方式生成 UsernameToken 部分wsu:Id="UsernameToken-XXXXXXXXXXXXXXX"
数据?它是什么 - 只是随机字符串或基于用户名和密码创建的一些哈希值?