我有一个可用的 SOAP 连接,但我的证书即将终止。所以我只想更改证书。 对于我的 SOAP 连接,我使用使用 openssl 生成的 keystore 。
使用我的旧 keystore 可以正常工作。但通过我的新堆栈,我得到了这个堆栈跟踪:
Caused by: org.apache.ws.security.WSSecurityException: The security token could not be authenticated or authorized
at org.apache.ws.security.validate.SignatureTrustValidator.validate(SignatureTrustValidator.java:86)
at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:187)
at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:270)
at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:120)
at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:105)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:835)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1612)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1503)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1310)
at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:50)
at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:223)
at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:628)
at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:565)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:474)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:377)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:330)
at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:135)
所以我猜我的 keystore 生成有问题。 虽然我可以发送消息,但接收时出错。 这是代码,在最后一行我得到了上面的异常。
AanleverServiceV12_Service service = new AanleverServiceV12_Service();
log.trace("aanleverService created");
AanleverServiceV12 aanleverServicePort = service.getAanleverServicePortV12();
log.trace("aanleverServicePort created");
AanleverRequest aanleverRequest = createAanleverRequest(belastingFormulier);
log.trace("AanleverRequest: {}", aanleverRequest);
AanleverResponse response = aanleverServicePort.aanleveren(aanleverRequest);
这是我的配置文件:
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=pkcs12
org.apache.ws.security.crypto.merlin.keystore.password=****
org.apache.ws.security.crypto.merlin.keystore.file=keystore.p12
org.apache.ws.security.crypto.merlin.keystore.alias={csr_request_finished}
欢迎任何帮助!
我尝试重新创建有效的 keystore ,但出现相同的错误。所以我猜错误在于制作 keystore 。
我这样做:
openssl pkcs12 -export -out keystore.p12 -inkey server.key -in cert.pem -name "{csr_request_finished}"
我将我的一代更新为这一代,但出现了相同的错误(我将证书拆分为我自己的证书和支持证书:
openssl pkcs12 -export -out kdeb5.p12 -inkey key.pem -in cert.pem -name "{csr_request_finished}" -certfile certRest.pem
最佳答案
好的,找到了。似乎当没有友好名称时,这将是错误:
org.apache.ws.security.WSSecurityException: The security token could not be authenticated or authorized
因此,为了避免至少一个证书需要一个名称,它甚至可以是空的,如下所示:
openssl pkcs12 -export -out keystore.p12 -inkey key.pem -in cert.pem -name "{CSR_Request_Finished}" -certfile certRest.pem -caname ""
以上方法有效,但最好的做法是:
openssl pkcs12 -export -out keystore.p12 -inkey key.pem -in cert.pem -name "{CSR_Request_Finished}" -certfile certRest.pem -caname "cert one" -caname "cert intermediate" -caname "cert root" etc....
差异是没有名字的,因为你得到了这个:
Bag Attributes: <No Attributes>
使用空名称,您会得到以下结果:
Bag Attributes
friendlyName:
您可以使用以下命令查看此信息:
openssl pkcs12 -info -in keystore.p12
关于java - WSSecurityException : The security token could not be authenticated or authorized,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/35302174/