Rampart is the module Axis2 requires in order to implement WS-Security. It relies on WSS4J to carry out the security-related work.
Deployment: first, place Rampart's .mar package in Axis2's modules folder; then edit axis2.xml and add <module ref="rampart"/> so that Rampart is loaded while Axis2 starts up.
Security development: the security features are implemented mainly through two configuration files. On the server side, the relevant security parameters are added to services.xml; on the client side, they are added to the client's axis2.xml, and the configuration context must be specified when the client object is created so that the program can locate that axis2.xml. In addition, a security-related callback class has to be written for both the client and the server; usually these two classes are identical, that is, the client and server functionality is implemented in a single class. Apart from declaring the security context when the client object is created and adding that one new class, the existing program is essentially unchanged.
Example:
All of the security examples below are based on the following client and server code; only the configuration files differ.
Client code:
import org.apache.axiom.om.OMAbstractFactory;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.OMFactory;
import org.apache.axiom.om.OMNamespace;
import org.apache.axis2.addressing.EndpointReference;
import org.apache.axis2.client.Options;
import org.apache.axis2.client.ServiceClient;
import org.apache.axis2.context.ConfigurationContext;
import org.apache.axis2.context.ConfigurationContextFactory;

public class Client {
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.out.println("Usage: $java Client endpoint_address client_repo_path");
            return; // stop here instead of failing later with an index error
        }
        System.out.println("arg[0] is :" + args[0]);
        System.out.println("arg[1] is :" + args[1]);
        // The client repository holds the axis2.xml that carries the Rampart security settings
        ConfigurationContext ctx = ConfigurationContextFactory.createConfigurationContextFromFileSystem(args[1], args[1] + "/conf/axis2.xml");
        ServiceClient client = new ServiceClient(ctx, null);
        Options options = new Options();
        options.setAction("urn:echo");
        options.setTo(new EndpointReference(args[0]));
        client.setOptions(options);
        OMElement response = client.sendReceive(getPayload("Hello world"));
        System.out.println(response);
    }

    // Builds the <ns1:echo><param0>value</param0></ns1:echo> request payload
    private static OMElement getPayload(String value) {
        OMFactory factory = OMAbstractFactory.getOMFactory();
        OMNamespace ns = factory.createOMNamespace("http://sample01.samples.rampart.apache.org/xsd", "ns1");
        OMElement elem = factory.createOMElement("echo", ns);
        OMElement childElem = factory.createOMElement("param0", null);
        childElem.setText(value);
        elem.addChild(childElem);
        return elem;
    }
}
Server code:
public class SimpleService {
    // Echoes the argument back unchanged; the security work is done entirely by Rampart
    public String echo(String arg) {
        return arg;
    }
}
UsernameToken authentication
axis2.xml
<axisconfig name="AxisJava2.0">
    <module ref="rampart" />
    <parameter name="OutflowSecurity">
        <action>
            <items>UsernameToken Timestamp</items>
            <user>bob</user>
            <passwordCallbackClass>org.apache.rampart.samples.sample02.PWCBHandler</passwordCallbackClass>
        </action>
    </parameter>
.........................
services.xml
<service>
    <operation name="echo">
        <messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
    </operation>
    <parameter name="ServiceClass" locked="false">org.apache.rampart.samples.sample02.SimpleService</parameter>
    <module ref="rampart" />
    <parameter name="InflowSecurity">
        <action>
            <items>UsernameToken Timestamp</items>
            <passwordCallbackClass>org.apache.rampart.samples.sample02.PWCBHandler</passwordCallbackClass>
        </action>
    </parameter>
</service>
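A password callback class of the kind the overview above requires but the page never shows, added here as an example; it is not the Rampart sample's own PWCBHandler. It assumes the WSS4J 1.5 WSPasswordCallback API that Rampart 1.x builds on (hence the getIdentifer spelling), and the credentials for bob and for the client and service keystore aliases are constructed; one class serves both sides, for the UsernameToken configurations here and for the Signature/Encrypt configurations further down.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;
public class PWCBHandler implements CallbackHandler {
    // Constructed sample credentials, inlined only to keep the example self-contained.
    private static final Map<String, String> USER_PASSWORDS = new HashMap<String, String>();
    private static final Map<String, String> KEY_PASSWORDS = new HashMap<String, String>();
    static {
        USER_PASSWORDS.put("bob", "bobPW");           // the <user> of the UsernameToken configs
        KEY_PASSWORDS.put("client", "clientKeyPW");   // private-key passwords for the keystore
        KEY_PASSWORDS.put("service", "serviceKeyPW"); // aliases used by Signature and Encrypt
    }
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            WSPasswordCallback pwcb = (WSPasswordCallback) callbacks[i];
            String id = pwcb.getIdentifer(); // WSS4J 1.5 spells the accessor this way
            switch (pwcb.getUsage()) {
                case WSPasswordCallback.USERNAME_TOKEN:
                    // Client side, and server side for PasswordDigest: WSS4J derives or checks the digest.
                    pwcb.setPassword(require(USER_PASSWORDS.get(id), pwcb, "unknown user " + id));
                    break;
                case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN:
                    // Server side for PasswordText: the clear-text password arrives here; compare in constant time.
                    String expected = USER_PASSWORDS.get(id);
                    String given = pwcb.getPassword();
                    if (expected == null || given == null
                            || !MessageDigest.isEqual(expected.getBytes("UTF-8"), given.getBytes("UTF-8"))) {
                        throw new UnsupportedCallbackException(pwcb, "authentication failed for " + id);
                    }
                    break;
                case WSPasswordCallback.SIGNATURE:
                case WSPasswordCallback.DECRYPT:
                    // Password of the private key stored under the keystore alias.
                    pwcb.setPassword(require(KEY_PASSWORDS.get(id), pwcb, "unknown key alias " + id));
                    break;
                default:
                    throw new UnsupportedCallbackException(pwcb, "unsupported usage " + pwcb.getUsage());
            }
        }
    }
    private static String require(String value, Callback cb, String msg) throws UnsupportedCallbackException {
        if (value == null) throw new UnsupportedCallbackException(cb, msg);
        return value;
    }
}
```

Point passwordCallbackClass at this class on both sides; which branch runs is decided by the usage WSS4J sets on the callback, so the same handler answers digest, plaintext and key-password requests.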
UsernameToken authentication with a plain text password
axis2.xml
<axisconfig name="AxisJava2.0">
    <module ref="rampart" />
    <parameter name="OutflowSecurity">
        <action>
            <items>UsernameToken</items>
            <user>bob</user>
            <passwordCallbackClass>org.apache.rampart.samples.sample03.PWCBHandler</passwordCallbackClass>
            <passwordType>PasswordText</passwordType>
        </action>
    </parameter>
services.xml
<service>
    <operation name="echo">
        <messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
    </operation>
    <parameter name="ServiceClass" locked="false">org.apache.rampart.samples.sample03.SimpleService</parameter>
    <module ref="rampart" />
    <parameter name="InflowSecurity">
        <action>
            <items>UsernameToken</items>
            <passwordCallbackClass>org.apache.rampart.samples.sample03.PWCBHandler</passwordCallbackClass>
        </action>
    </parameter>
</service>
Encrypting messages
axis2.xml
<axisconfig name="AxisJava2.0">
    <module ref="rampart" />
    <parameter name="OutflowSecurity">
        <action>
            <items>Encrypt</items>
            <encryptionUser>service</encryptionUser>
            <encryptionPropFile>client.properties</encryptionPropFile>
        </action>
    </parameter>
    <parameter name="InflowSecurity">
        <action>
            <items>Encrypt</items>
            <passwordCallbackClass>org.apache.rampart.samples.sample05.PWCBHandler</passwordCallbackClass>
            <decryptionPropFile>client.properties</decryptionPropFile>
        </action>
    </parameter>
services.xml
<service>
    <operation name="echo">
        <messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
    </operation>
    <parameter name="ServiceClass" locked="false">org.apache.rampart.samples.sample05.SimpleService</parameter>
    <module ref="rampart" />
    <parameter name="InflowSecurity">
        <action>
            <items>Encrypt</items>
            <passwordCallbackClass>org.apache.rampart.samples.sample05.PWCBHandler</passwordCallbackClass>
            <decryptionPropFile>service.properties</decryptionPropFile>
        </action>
    </parameter>
    <parameter name="OutflowSecurity">
        <action>
            <items>Encrypt</items>
            <encryptionUser>client</encryptionUser>
            <encryptionPropFile>service.properties</encryptionPropFile>
        </action>
    </parameter>
</service>
Sign and encrypt messages
axis2.xml
<axisconfig name="AxisJava2.0">
    <!-- Signature and Encryption: using the request's certificate -->
    <module ref="rampart" />
    <parameter name="OutflowSecurity">
        <action>
            <items>Timestamp Signature Encrypt</items>
            <user>client</user>
            <passwordCallbackClass>org.apache.rampart.samples.sample06.PWCBHandler</passwordCallbackClass>
            <signaturePropFile>client.properties</signaturePropFile>
            <signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>
            <encryptionKeyIdentifier>SKIKeyIdentifier</encryptionKeyIdentifier>
            <encryptionUser>service</encryptionUser>
        </action>
    </parameter>
    <parameter name="InflowSecurity">
        <action>
            <items>Timestamp Signature Encrypt</items>
            <passwordCallbackClass>org.apache.rampart.samples.sample06.PWCBHandler</passwordCallbackClass>
            <signaturePropFile>client.properties</signaturePropFile>
        </action>
    </parameter>
services.xml
<service>
    <operation name="echo">
        <messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
    </operation>
    <parameter name="ServiceClass" locked="false">org.apache.rampart.samples.sample06.SimpleService</parameter>
    <module ref="rampart" />
    <parameter name="InflowSecurity">
        <action>
            <items>Timestamp Signature Encrypt</items>
            <passwordCallbackClass>org.apache.rampart.samples.sample06.PWCBHandler</passwordCallbackClass>
            <signaturePropFile>service.properties</signaturePropFile>
        </action>
    </parameter>
    <parameter name="OutflowSecurity">
        <action>
            <items>Timestamp Signature Encrypt</items>
            <user>service</user>
            <passwordCallbackClass>org.apache.rampart.samples.sample06.PWCBHandler</passwordCallbackClass>
            <signaturePropFile>service.properties</signaturePropFile>
            <signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>
            <encryptionKeyIdentifier>SKIKeyIdentifier</encryptionKeyIdentifier>
            <encryptionUser>useReqSigCert</encryptionUser>
        </action>
    </parameter>
</service>
Transporting SOAP messages securely with Rampart
Axis2 has a module, called Rampart, that provides WS-Security based on Apache WSS4J. This document gives information on running and configuring the Rampart module.
Introduction: once the Rampart module has inserted its handlers into the system-defined security phases, it takes effect globally. These handlers can be configured using WS-SecurityPolicy [2] and Rampart-specific policy assertions. Rampart 1.0 is configured through two Axis2 parameters, and this configuration method is still supported in 1.1. Rampart 1.1: http://www.apache.org/dyn/closer.cgi/ws/rampart/1_1 First, the following line must be inserted into the axis2.xml file: <module ref="rampart"/>
When Axis2 is deployed in a server such as Tomcat, the web administration interface can be used. On the server side, security can be provided per service; the configuration parameters are set in services.xml. On the client side, the configuration parameters are set in the axis2.xml of the client's Axis2 repository.
Rampart 1.1 configuration. Rampart-specific assertions: Rampart uses the standard WS-SecurityPolicy [2] assertions and can also define its own. The XSD for the Rampart-specific assertions: http://ws.apache.org/axis2/modules/rampart/1_1/sec-conf/rampart-config.xsd ramp:RampartConfig must be valid as a top-level assertion, as in http://ws.apache.org/axis2/modules/rampart/1_1/sec-conf/sample-policy.xml
Server-side configuration: the service is configured by adding a policy element to services.xml. A usable services.xml: http://ws.apache.org/axis2/modules/rampart/1_1/sec-conf/sample-services.xml Client-side configuration: on the client side, a Policy object must be created and loaded into Options. The Policy object can be created from a policy.xml file, as follows:
// Creating the object
StAXOMBuilder builder = new StAXOMBuilder(pathToPolicyfile);
Policy clientPolicy = PolicyEngine.getPolicy(builder.getDocumentElement());
// Setting the object
Options options = new Options();
options.setProperty(RampartMessageData.KEY_RAMPART_POLICY, clientPolicy);
Rampart 1.0 configuration. The Rampart module uses two parameters: OutflowSecurity and InflowSecurity. OutflowSecurity parameter: this parameter configures the outflow security handler. The outflow handler can be invoked several times within one outflow (one can provide configuration for each of these invocations); an 'action' describes one such configuration, so the OutflowSecurity parameter can contain multiple 'action' elements. The schema of the 'action' element: http://ws.apache.org/axis2/modules/rampart/1_1/sec-conf/out-action.xsd Adding a timestamp to the outflow configuration, http://ws.apache.org/axis2/modules/rampart/1_1/security-module.html#ex1 is an example of signing and encrypting a message, and http://ws.apache.org/axis2/modules/rampart/1_1/security-module.html#ex1 demonstrates how to sign a message twice by chaining the outflow handlers (using two 'action' elements). The elements that may be placed inside an 'action' element of the OutflowSecurity parameter are described below.
InflowSecurity parameter: this parameter configures the inflow security handler. The 'action' element is again used to wrap the configuration elements. http://ws.apache.org/axis2/modules/rampart/1_1/security-module.html#ex3 shows a configuration that verifies the signature and validates the timestamp.
Note that the '.properties' files referenced by properties such as outSignaturePropFile are the same property files used in the WSS4J project. The following shows how the properties are defined in such a file.
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=pkcs12
org.apache.ws.security.crypto.merlin.keystore.password=security
org.apache.ws.security.crypto.merlin.keystore.alias=16c73ab6-b892-458f-abf5-2f875f74882e
org.apache.ws.security.crypto.merlin.alias.password=security
org.apache.ws.security.crypto.merlin.file=keys/x509.PFX.MSFT
org.apache.ws.security.crypto.provider defines the implementation of the org.apache.ws.security.components.crypto.Crypto interface that provides the crypto information required by WSS4J. The other properties defined are the configuration properties used by the implementation class (org.apache.ws.security.components.crypto.Merlin).
This article is a repost; the original is at: http://www.blogjava.net/daniel-shen/