java - Authentication of type on Header had undefined attribute {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Id

Tags: java c# xml wcf soap

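I have been struggling for the last few days with this error: Authentication of type {http://service.soap.xcompany.com}AuthenticationHeader had undefined attribute {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Id, while invoking a service call from a C# WCF client (targeting the .Net 4.5 framework) to an externally hosted Java Soap service that uses end-to-end encryption (with both client and service certificates). When I tested the service using SoapUI with a JKS file, the request was processed successfully.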

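To understand the difference between the two requests, I did the following:

  1. Used Fiddler Inspector to capture the two requests, one from SoapUI, which succeeded, and one from C#, which failed with a 500 error.
  2. Used the VS2017 feature Edit/Paste Special/Paste Xml As Classes to extract the two Xml messages into two C# classes (named RequestByJava and RequestByDotNet respectively).
  3. Used XmlSerializer to deserialize the two requests into two objects of the types created in 2) and compared their properties.
  4. Considering the Soap error message, I narrowed down the difference between the two Authentication headers - interestingly, there is an extra attribute "Id" in the RequestByDotNet object, whereas the RequestByJava object has none. And the 500 Soap error message seems to indicate a schema validation error caused by the undefined element "Id".
  5. Also noticed that RequestByDotNet.Header.Security.BinarySecurityToken.ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3", but RequestByJava (SoapUI) has a different ValueType "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1".
  6. Another difference, which I am not sure about, is that the request from the .net code has a "mustunderstand" value set to true under Header.Security, while the one from Java does not.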

My questions are:

  1. Why the difference?
  2. How can this be resolved without having to write a Java client?

Some code using the binding and endpoint behavior:

private static CustomBinding BuildCustomBinding()
    {
        var binding = new CustomBinding();

        var textMessageEncoding = new TextMessageEncodingBindingElement()
        {
            MessageVersion = MessageVersion.Soap11

        };

        var securityBindingElement =
            SecurityBindingElement.CreateMutualCertificateBindingElement(
                MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10, true);


        binding.Elements.AddRange(textMessageEncoding, securityBindingElement, new HttpsTransportBindingElement());

        return binding;
    }


private static void CallAccountService()
    {
        //credential for test
        const string applId = "testuser"; 
        const string pwd = "password";


        //for client certificate, import client.pfx to LocalMachine's Trusted Root Certification Authorities and make sure the thumbprint matches 
        var client = new NOLWSAccountSvc.WSAccountv1Client(BuildCustomBinding(), GetAccountServiceEndpointAddress());
        client.ClientCredentials.ClientCertificate.SetCertificate(StoreLocation.LocalMachine,
            StoreName.Root, X509FindType.FindByThumbprint, "thumbprintvalue");

        //for service certificate, import service-provider.cer to same store location and store name and make sure the thumbprint matches 
        client.ClientCredentials.ServiceCertificate.SetDefaultCertificate(StoreLocation.LocalMachine, StoreName.Root,
            X509FindType.FindByThumbprint, "thumprintvalue");
        client.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.PeerOrChainTrust;

        client.Open();
        var header = new NOLWSAccountSvc.AuthenticationHeader()
        {
            application_id = applId,
            password = pwd
        };

        var getActiveAccountsFunc = new NOLWSAccountSvc.getActiveAccounts() { applRef = "softact-dev", resetRows = true };

        try
        {
            var response = client.getActiveAccounts(header, getActiveAccountsFunc);
            Console.WriteLine(response.moreData);
        }
        catch (Exception ex)
        {

            Console.WriteLine(ex.Message);
        }

        finally
        {
            client.Close();
        }
    }

Thank you for your time! Your help is much appreciated.

Best answer

@jdweng Yes, I did; here are the two request bodies, the first from .Net and the second from SoapUI:

.Net request:

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><s:Header><h:Authentication u:Id="_2" xmlns:h="http://service.soap.xcompany.com" xmlns="http://service.soap.xcompany.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><application_id>testuserid</application_id><password>testpassword</password></h:Authentication><ActivityId CorrelationId="d7085e6f-b757-46e8-b3eb-319a51d568a3" xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics">00000000-0000-0000-0000-000000000000</ActivityId><VsDebuggerCausalityData xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uIDPo8DAzaQVkApDpl1Tc1YTHQwAAAAAMbeMEvBLCUqoD7kEDPHDKYukgggNOf5FtHBB/Sa7ggkACQAA</VsDebuggerCausalityData><o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><o:BinarySecurityToken u:Id="uuid-eb310312-396a-4d00-8922-f77de97138cb-3" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">MIIDYzCCAkugAwIBAgIEaGKzJDANBgkqhkiG9w0BAQsFADBiMQswCQYDVQQGEwJ1czEPMA0GA1UEChMGU3ByaW50MREwDwYDVQQLEwhQcm9qZWN0czEMMAoGA1UECxMDQk1QMQwwCgYDVQQLEwNUUEExEzARBgNV</o:BinarySecurityToken><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><Reference URI="#_1"><Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>WCpRwVjx89ceVctR8lp9LNGKHeA=</DigestValue></Reference><Reference URI="#_2"><Transforms><Transform 
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>8/PErh8BL9To5zazpP9CbPFTAa8=</DigestValue></Reference></SignedInfo><SignatureValue>hOtpz7lXvZPPbBD6sV1hxyx3Hc39vj0q2GYKMd8oQbgTbbuKC7QKcZOjktqUxayrzc6h/V0j7Kx3APPONe4F3A2581nK4AQ72yYonsaeXQW0yzSxW/VTsN04uoqCP6IpKXqlAz40VeWGUPJOeGthCKy/9A+NSuqS</SignatureValue><KeyInfo><o:SecurityTokenReference><o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-eb310312-396a-4d00-8922-f77de97138cb-3"/></o:SecurityTokenReference></KeyInfo></Signature></o:Security></s:Header><s:Body u:Id="_1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><getActiveAccounts xmlns="http://service.soap.xcompany.com"><applRef>dev</applRef><resetRows>false</resetRows></getActiveAccounts></s:Body></s:Envelope>

SoapUI request:

(Somehow it won't let me paste the whole xml here..)
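
The comparison described in the question, as an added example that is not part of the original post: it reads a captured envelope and reports which elements carry a wsu:Id, which of them the signature's Reference URIs resolve to, the BinarySecurityToken ValueType and the mustUnderstand flag. The sample envelope is constructed from the shape of the .Net request above with placeholder values, and `inspect_envelope` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed sample: trimmed from the shape of the .Net request above,
# with the token and signature values replaced by placeholders.
SAMPLE = f"""<s:Envelope xmlns:s="{SOAP}" xmlns:u="{WSU}">
 <s:Header>
  <h:Authentication u:Id="_2" xmlns:h="http://service.soap.xcompany.com">
   <application_id>testuserid</application_id>
  </h:Authentication>
  <o:Security s:mustUnderstand="1" xmlns:o="{WSSE}">
   <o:BinarySecurityToken u:Id="tok-1" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">PLACEHOLDER</o:BinarySecurityToken>
   <Signature xmlns="{DS}"><SignedInfo>
    <Reference URI="#_1"/><Reference URI="#_2"/>
   </SignedInfo></Signature>
  </o:Security>
 </s:Header>
 <s:Body u:Id="_1"><getActiveAccounts xmlns="http://service.soap.xcompany.com"/></s:Body>
</s:Envelope>"""

def inspect_envelope(xml_text):
    """Summarise the WS-Security details the question compares by hand."""
    root = ET.fromstring(xml_text)
    id_attr = f"{{{WSU}}}Id"
    # Map every wsu:Id value to the qualified name of the element carrying it.
    by_id = {el.get(id_attr): el.tag for el in root.iter() if el.get(id_attr)}
    # Resolve each same-document signature reference (#id) to its target element.
    signed = {}
    for ref in root.iter(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        if uri.startswith("#"):
            signed[uri[1:]] = by_id.get(uri[1:])  # None means a dangling reference
    sec = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    tok = sec.find(f"{{{WSSE}}}BinarySecurityToken") if sec is not None else None
    value_type = tok.get("ValueType", "") if tok is not None else ""
    return {
        "ids": by_id,
        "signed": signed,
        "token_value_type": value_type.rsplit("#", 1)[-1] or None,
        "must_understand": sec.get(f"{{{SOAP}}}mustUnderstand") if sec is not None else None,
    }

if __name__ == "__main__":
    for key, value in inspect_envelope(SAMPLE).items():
        print(key, "=", value)
```

On the sample, `#_1` resolves to the Body and `#_2` to the Authentication header, matching the two Reference URIs in the .Net request above.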

Regarding java - Authentication of type on Header had undefined attribute {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Id, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/45899703/
