[Spring] Implementing WebService Security [WS-Security 1.0] Encrypt and Sign modes (XFire+WSS4J)
Software Technology

Posted by lhwork on 2006/8/8 10:13:22

Since many systems need to implement the WS-Security standard, we provide an XFire+WSS4J demo in SpringSide. This article describes the basic Spring+XFire+WSS4J configuration used in SpringSide.

[WebService server-side configuration]

Step 1: create a basic BookService.

```java
import java.util.List;

public interface BookService {

    /**
     * Fuzzy search for books by title.
     */
    List findBooksByName(String name);

    /**
     * Find all books in a category.
     *
     * @param categoryId if the category is null or "all", list all books.
     */
    List findBooksByCategory(String categoryId);

    /**
     * List all categories.
     *
     * @return List<Category>, or null.
     */
    List getAllCategorys();
}
```

Step 2: extend the interface, i.e. derive sub-interfaces from the basic BookService. In XFire, each WSS4J policy needs its own service class, otherwise the definitions inside <inHandlers> would overlap.

```java
public interface BookServiceWSS4JEnc extends BookService {
}

public interface BookServiceWSS4JSign extends BookService {
}
```

Step 3: configure the Spring ApplicationContext file. The `xfire` and `xfire.serviceFactory` beans referenced below are defined in XFire's own `org/codehaus/xfire/spring/xfire.xml`, which has to be imported into the context.

```xml
<beans>
    <!-- BookService base bean; the WSS4J exporters below inherit serviceFactory and xfire from it -->
    <bean id="baseWebService" class="org.codehaus.xfire.spring.remoting.XFireExporter" abstract="true">
        <property name="serviceFactory" ref="xfire.serviceFactory"/>
        <property name="xfire" ref="xfire"/>
    </bean>

    <bean class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
        <property name="mappings">
            <value>
                /BookService=bookService
                /BookServiceWSS4J=bookServiceWSS4J
                /BookServiceWSS4JEnc=bookServiceWSS4JEnc
                /BookServiceWSS4JSign=bookServiceWSS4JSign
            </value>
        </property>
    </bean>

    <!-- (1) BookWebService, no authentication required -->
    <bean id="bookService" class="org.codehaus.xfire.spring.remoting.XFireExporter">
        <property name="serviceFactory" ref="xfire.serviceFactory"/>
        <property name="xfire" ref="xfire"/>
        <property name="serviceBean" ref="bookManager"/>
        <property name="serviceClass" value="org.springside.bookstore.plugins.xfire.service.BookService"/>
    </bean>

    <!-- (3) BookWebService with WSS4J authentication (UsernameToken) -->
    <bean id="bookServiceWSS4J" class="org.codehaus.xfire.spring.remoting.XFireExporter" parent="baseWebService">
        <property name="serviceBean" ref="bookManager"/>
        <property name="serviceClass" value="org.springside.bookstore.plugins.xfire.service.BookServiceWSS4J"/>
        <property name="inHandlers">
            <list>
                <ref bean="domInHandler"/>
                <ref bean="wss4jInHandler"/>
                <ref bean="validateUserTokenHandler"/>
            </list>
        </property>
    </bean>

    <bean id="domInHandler" class="org.codehaus.xfire.util.dom.DOMInHandler"/>

    <bean id="wss4jInHandler" class="org.codehaus.xfire.security.wss4j.WSS4JInHandler">
        <property name="properties">
            <props>
                <prop key="action">UsernameToken</prop>
                <prop key="passwordCallbackClass">org.springside.bookstore.plugins.xfire.wss4j.PasswordHandler</prop>
            </props>
        </property>
    </bean>

    <bean id="validateUserTokenHandler" class="org.springside.bookstore.plugins.xfire.wss4j.WSS4JTokenHandler"/>

    <!-- (4) BookWebService with WSS4J authentication, Encrypt mode -->
    <bean id="bookServiceWSS4JEnc" class="org.codehaus.xfire.spring.remoting.XFireExporter" parent="baseWebService">
        <property name="serviceBean" ref="bookManager"/>
        <property name="serviceClass" value="org.springside.bookstore.plugins.xfire.service.BookServiceWSS4JEnc"/>
        <property name="inHandlers">
            <list>
                <ref bean="domInHandler"/>
                <ref bean="wss4jInHandlerEnc"/>
                <ref bean="validateUserTokenHandler"/>
            </list>
        </property>
    </bean>

    <bean id="wss4jInHandlerEnc" class="org.codehaus.xfire.security.wss4j.WSS4JInHandler">
        <property name="properties">
            <props>
                <prop key="action">Encrypt</prop>
                <prop key="decryptionPropFile">org/springside/bookstore/plugins/xfire/wss4j/insecurity_enc.properties</prop>
                <prop key="passwordCallbackClass">org.springside.bookstore.plugins.xfire.wss4j.PasswordHandler</prop>
            </props>
        </property>
    </bean>

    <!-- (5) BookWebService with WSS4J authentication, Signature mode -->
    <bean id="bookServiceWSS4JSign" class="org.codehaus.xfire.spring.remoting.XFireExporter" parent="baseWebService">
        <property name="serviceBean" ref="bookManager"/>
        <property name="serviceClass" value="org.springside.bookstore.plugins.xfire.service.BookServiceWSS4JSign"/>
        <property name="inHandlers">
            <list>
                <ref bean="domInHandler"/>
                <ref bean="wss4jInHandlerSign"/>
                <ref bean="validateUserTokenHandler"/>
            </list>
        </property>
    </bean>

    <bean id="wss4jInHandlerSign" class="org.codehaus.xfire.security.wss4j.WSS4JInHandler">
        <property name="properties">
            <props>
                <prop key="action">Signature</prop>
                <prop key="signaturePropFile">org/springside/bookstore/plugins/xfire/wss4j/insecurity_sign.properties</prop>
                <prop key="passwordCallbackClass">org.springside.bookstore.plugins.xfire.wss4j.PasswordHandler</prop>
            </props>
        </property>
    </bean>

</beans>
```

Step 4: configure the two keystore property files, insecurity_enc.properties and insecurity_sign.properties.

insecurity_enc.properties (server side, holds the private key used to decrypt):

```properties
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=SpringSide
org.apache.ws.security.crypto.merlin.alias.password=SpringSide
org.apache.ws.security.crypto.merlin.keystore.alias=david
org.apache.ws.security.crypto.merlin.file=org/springside/bookstore/plugins/xfire/wss4j/springside_private.jks
```

insecurity_sign.properties (server side, holds the trusted certificate used to verify the client's signature):

```properties
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=SpringSide
org.apache.ws.security.crypto.merlin.keystore.alias=david
org.apache.ws.security.crypto.merlin.file=org/springside/bookstore/plugins/xfire/wss4j/springside_public.jks
```

Step 5: generate the two keystore files with SecureX.

springside_private.jks (a KeyEntry, i.e. private key plus certificate):

```
别名名称: david
创建日期: 2006-8-6
输入类型: KeyEntry
认证链长度: 1
认证 [1]:
Owner: CN=david, OU=SpringSide, O=org, L=gz, ST=gd, C=cn
发照者: CN=david, OU=SpringSide, O=org, L=gz, ST=gd, C=cn
序号: 44d4cdcd
有效期间: Sun Aug 06 00:56:45 CST 2006 至: Mon Aug 06 00:56:45 CST 2007
认证指纹:
         MD5:  CF:97:13:0C:70:D0:4D:B6:B4:27:0F:1A:0B:CF:D9:F2
         SHA1: 8E:8E:E8:BC:64:39:C8:43:E4:F7:1B:3B:CE:48:1D:6B:A0:2B:58:B5
```

springside_public.jks (a trustedCertEntry, i.e. the certificate only):

```
别名名称: david
创建日期: 2006-8-6
输入类型: trustedCertEntry

Owner: CN=david, OU=SpringSide, O=org, L=gz, ST=gd, C=cn
发照者: CN=david, OU=SpringSide, O=org, L=gz, ST=gd, C=cn
序号: 44d4cdcd
有效期间: Sun Aug 06 00:56:45 CST 2006 至: Mon Aug 06 00:56:45 CST 2007
认证指纹:
         MD5:  CF:97:13:0C:70:D0:4D:B6:B4:27:0F:1A:0B:CF:D9:F2
         SHA1: 8E:8E:E8:BC:64:39:C8:43:E4:F7:1B:3B:CE:48:1D:6B:A0:2B:58:B5
```

Step 6: newer SpringSide versions need http://www.bouncycastle.org/download/bcprov-jdk15-133.jar and a matching entry in java.security. The JDK's unlimited-strength cryptography policy files are also required (see http://www.blogjava.net/openssl/archive/2006/03/08/34381.html). To use WSS4J you must register Bouncy Castle as a SecurityProvider, otherwise running XFire authentication in Enc mode throws:

```
org.apache.ws.security.WSSecurityException: An unsupported signature or encryption algorithm was used unsupported key
```

Configuring java.security is very simple: append BouncyCastleProvider at the end of the provider list.

```properties
security.provider.1=sun.security.provider.Sun
security.provider.2=com.sun.net.ssl.internal.ssl.Provider
security.provider.3=com.sun.rsajca.Provider
security.provider.4=com.sun.crypto.provider.SunJCE
security.provider.5=sun.security.jgss.SunProvider
security.provider.6=org.bouncycastle.jce.provider.BouncyCastleProvider
```

[WebService client-side configuration]

1. Encrypt mode. The client encrypts the usernameToken in the SOAP message with david's public key and sends it to the web service; the web service uses david's private key to decrypt and verify it. This mode requires the client to know the server's public key in advance. In Encrypt mode the client handlers are configured like this (getXFire() is the XFire instance supplied by the test base class):

```java
import java.lang.reflect.Proxy;
import java.util.List;
import java.util.Properties;

import org.codehaus.xfire.client.Client;
import org.codehaus.xfire.client.XFireProxy;
import org.codehaus.xfire.client.XFireProxyFactory;
import org.codehaus.xfire.security.wss4j.WSS4JOutHandler;
import org.codehaus.xfire.service.Service;
import org.codehaus.xfire.service.binding.ObjectServiceFactory;
import org.codehaus.xfire.util.dom.DOMOutHandler;

Service serviceModel = new ObjectServiceFactory().create(BookServiceWSS4JEnc.class);
XFireProxyFactory factory = new XFireProxyFactory(getXFire());

BookService service = (BookService) factory.create(serviceModel, "xfire.local://BookServiceWSS4JEnc");

Client client = ((XFireProxy) Proxy.getInvocationHandler(service)).getClient();
// attach the WSS4JOutHandler that provides the authentication
client.addOutHandler(new DOMOutHandler());
Properties properties = new Properties();
configureOutProperties(properties);
client.addOutHandler(new WSS4JOutHandler(properties));

List list = service.getAllCategorys();
```

configureOutProperties is responsible for telling the client which security policy to use. As expected, it uses outsecurity_enc.properties, the counterpart of the server-side insecurity_enc.properties.

```java
import java.util.Properties;

import org.apache.ws.security.handler.WSHandlerConstants;

protected void configureOutProperties(Properties config) {
    config.setProperty(WSHandlerConstants.ACTION, WSHandlerConstants.ENCRYPT);
    config.setProperty(WSHandlerConstants.USER, "david");
    //config.setProperty(WSHandlerConstants.PW_CALLBACK_CLASS, PasswordHandler.class.getName());
    // Configuration of the public key used to encrypt the message goes in the properties file.
    config.setProperty(WSHandlerConstants.ENC_PROP_FILE,
                       "org/springside/bookstore/plugins/xfire/outsecurity_enc.properties");
}
```

outsecurity_enc.properties (client side, holds the server's certificate used to encrypt):

```properties
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=SpringSide
org.apache.ws.security.crypto.merlin.keystore.alias=david
org.apache.ws.security.crypto.merlin.file=org/springside/bookstore/plugins/xfire/wss4j/springside_public.jks
```

2. Sign mode. The client for this mode is just as simple. Here the client signs the usernameToken with its own private key and the server verifies the signature with the client's public key, so the server must know the client's public key in advance. Corresponding to Encrypt mode, configureOutProperties is configured like this:

```java
import java.util.Properties;

import org.apache.ws.security.handler.WSHandlerConstants;

protected void configureOutProperties(Properties properties) {
    properties.setProperty(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE);
    // User in keystore
    properties.setProperty(WSHandlerConstants.USER, "david");
    // This callback supplies the keystore password for the given user
    properties.setProperty(WSHandlerConstants.PW_CALLBACK_CLASS, PasswordHandler.class.getName());
    // Configuration for accessing the private key in the keystore
    properties.setProperty(WSHandlerConstants.SIG_PROP_FILE,
                           "org/springside/bookstore/plugins/xfire/outsecurity_sign.properties");
    properties.setProperty(WSHandlerConstants.SIG_KEY_ID, "IssuerSerial");
}
```

outsecurity_sign.properties (client side, holds the private key used to sign):

```properties
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=SpringSide
org.apache.ws.security.crypto.merlin.alias.password=SpringSide
org.apache.ws.security.crypto.merlin.keystore.alias=david
org.apache.ws.security.crypto.merlin.file=org/springside/bookstore/plugins/xfire/wss4j/springside_private.jks
```
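Both the server handlers (passwordCallbackClass) and the Sign-mode client (PW_CALLBACK_CLASS) point at a PasswordHandler that the post never shows. The class below is an added example of what such a callback has to do, written by the editor and not SpringSide's own code; it is written against the WSS4J 1.5 WSPasswordCallback API as I recall it (usage constants DECRYPT, SIGNATURE, USERNAME_TOKEN, USERNAME_TOKEN_UNKNOWN), so check the method and constant names against the WSS4J jar you ship. The credential maps are constructed sample data.

```java
// Added example, not SpringSide's PasswordHandler. One callback serves three roles:
//  - server Encrypt mode: unlock david's private key so WSS4J can decrypt (usage DECRYPT)
//  - client Sign mode:    unlock david's private key so WSS4J can sign    (usage SIGNATURE)
//  - server UsernameToken: supply or verify the user's password           (usage USERNAME_TOKEN*)
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

public class PasswordHandler implements CallbackHandler {

    // Constructed sample credentials. In a real deployment these come from a secrets store
    // or a user database; the key password matches the alias.password in the .properties files.
    private static final Map KEY_PASSWORDS = new HashMap();   // keystore alias -> key password
    private static final Map USER_PASSWORDS = new HashMap();  // UsernameToken user -> password

    static {
        KEY_PASSWORDS.put("david", "SpringSide");
        USER_PASSWORDS.put("reader", "read-only-demo");
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (!(callbacks[i] instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callbacks[i], "only WSPasswordCallback is supported");
            }
            WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
            // the oldest WSS4J 1.5 releases spell this accessor getIdentifer()
            String id = pc.getIdentifier();

            switch (pc.getUsage()) {
                case WSPasswordCallback.DECRYPT:     // server side: private key needed to decrypt
                case WSPasswordCallback.SIGNATURE:   // client side: private key needed to sign
                    String keyPassword = (String) KEY_PASSWORDS.get(id);
                    if (keyPassword == null) {
                        throw new IOException("no key password configured for alias " + id);
                    }
                    pc.setPassword(keyPassword);
                    break;

                case WSPasswordCallback.USERNAME_TOKEN:
                    // digest password: hand WSS4J the expected clear text, it recomputes the digest
                    String userPassword = (String) USER_PASSWORDS.get(id);
                    if (userPassword == null) {
                        throw new IOException("unknown user " + id);
                    }
                    pc.setPassword(userPassword);
                    break;

                case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN:
                    // plain-text password: WSS4J passes it in, the callback must verify it itself
                    String expected = (String) USER_PASSWORDS.get(id);
                    if (expected == null || !expected.equals(pc.getPassword())) {
                        throw new IOException("authentication failed for user " + id);
                    }
                    break;

                default:
                    throw new UnsupportedCallbackException(pc, "unsupported usage " + pc.getUsage());
            }
        }
    }
}
```

Failing closed on an unknown alias or user (throwing rather than returning silently) matters here: WSS4J treats a callback that sets no password as an error anyway, but the explicit exception gives the log a reason instead of a generic WSSecurityException.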
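The validateUserTokenHandler bean (org.springside.bookstore.plugins.xfire.wss4j.WSS4JTokenHandler) sits after WSS4JInHandler in all three handler chains but is not shown either. The class below is an added example of such a post-processing handler, written by the editor and not SpringSide's code: it reads the WSHandlerConstants.RECV_RESULTS vector that WSS4JInHandler leaves in the XFire MessageContext, confirms the action the service requires (UsernameToken, Encrypt or Signature, set through a hypothetical `requiredAction` Spring property) was actually performed, and exposes the authenticated UsernameToken user to the service layer. It assumes the XFire 1.x AbstractHandler/XFireFault and WSS4J 1.5 WSHandlerResult/WSSecurityEngineResult APIs as I recall them.

```java
// Added example, not SpringSide's WSS4JTokenHandler. Configure it after wss4jInHandler, e.g.
//   <bean id="validateUserTokenHandler" class="...WSS4JTokenHandler">
//       <property name="requiredAction" value="Signature"/>
//   </bean>
import java.util.Iterator;
import java.util.Vector;

import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSUsernameTokenPrincipal;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;
import org.codehaus.xfire.MessageContext;
import org.codehaus.xfire.fault.XFireFault;
import org.codehaus.xfire.handler.AbstractHandler;

public class WSS4JTokenHandler extends AbstractHandler {

    /** Context property under which the authenticated user name is exposed (hypothetical key). */
    public static final String AUTHENTICATED_USER = "wss4j.authenticated.user";

    // Hypothetical Spring property: which WSS4J action this service insists on. Default UsernameToken.
    private int requiredAction = WSConstants.UT;

    public void setRequiredAction(String action) {
        if (WSHandlerConstants.USERNAME_TOKEN.equals(action)) {
            requiredAction = WSConstants.UT;
        } else if (WSHandlerConstants.ENCRYPT.equals(action)) {
            requiredAction = WSConstants.ENCR;
        } else if (WSHandlerConstants.SIGNATURE.equals(action)) {
            requiredAction = WSConstants.SIGN;
        } else {
            throw new IllegalArgumentException("unsupported requiredAction " + action);
        }
    }

    public void invoke(MessageContext context) throws Exception {
        Vector results = (Vector) context.getProperty(WSHandlerConstants.RECV_RESULTS);

        // Reject the request if WSS4J did not perform the action this service requires.
        if ((performedActions(results) & requiredAction) == 0) {
            throw new XFireFault("Request lacks the required WS-Security action", XFireFault.SENDER);
        }

        // For UsernameToken, make the verified user name available to the service bean.
        WSUsernameTokenPrincipal principal = findUsernameToken(results);
        if (principal != null) {
            context.setProperty(AUTHENTICATED_USER, principal.getName());
        }
    }

    /** OR together the WSConstants action bits WSS4J reports for this message (0 if none). */
    static int performedActions(Vector results) {
        int actions = 0;
        if (results == null) {
            return actions;
        }
        for (Iterator i = results.iterator(); i.hasNext();) {
            WSHandlerResult hr = (WSHandlerResult) i.next();
            for (Iterator j = hr.getResults().iterator(); j.hasNext();) {
                actions |= ((WSSecurityEngineResult) j.next()).getAction();
            }
        }
        return actions;
    }

    /** Return the principal of a processed UsernameToken, or null when the message had none. */
    static WSUsernameTokenPrincipal findUsernameToken(Vector results) {
        if (results == null) {
            return null;
        }
        for (Iterator i = results.iterator(); i.hasNext();) {
            WSHandlerResult hr = (WSHandlerResult) i.next();
            for (Iterator j = hr.getResults().iterator(); j.hasNext();) {
                WSSecurityEngineResult er = (WSSecurityEngineResult) j.next();
                if ((er.getAction() & WSConstants.UT) != 0
                        && er.getPrincipal() instanceof WSUsernameTokenPrincipal) {
                    return (WSUsernameTokenPrincipal) er.getPrincipal();
                }
            }
        }
        return null;
    }
}
```

The reason to check RECV_RESULTS explicitly rather than trusting that the handler chain ran is ordering: XFire invokes in-handlers in phase order, and if WSS4JInHandler is ever dropped from a chain (as easily happens when a new exporter bean copies an older one), a handler that only looks at the context property will see null and fail closed instead of letting an unauthenticated call through.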


 


Re: Implementing WebService Security [WS-Security 1.0] Encrypt and Sign modes (XFire+WSS4J)
Software Technology

noway (guest) commented on 2006/8/11 21:59:29

This article was written by david.turing, heh, why are you copying other people's work? http://www.blogjava.net/openssl/archive/2006/08/08/xfire_wss4j.html

