Rampart overview


Rampart is the module Axis2 needs in order to implement WS-Security. It relies on WSS4J to do the actual security work.

Deployment: first copy the Rampart .mar package into the Axis2 module folder; then edit axis2.xml and add <module ref="rampart"/>, so that Rampart is loaded while Axis2 starts up.

Security development: the security features are driven mainly by two configuration files. On the server side the security parameters go into services.xml; on the client side they go into the client's axis2.xml, and the configuration context must be given when the client object is created so that the program can find that axis2.xml. In addition, a security callback class has to be written for the client and for the server. Usually the same class is used on both sides, i.e. the client and server behaviour is implemented in one class. Apart from passing the security context when the client object is created and adding that one new class, the existing program does not change.

Example:

All of the security examples below are based on the following client and server code; only the configuration files differ.

Client code:

import org.apache.axiom.om.OMAbstractFactory;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.OMFactory;
import org.apache.axiom.om.OMNamespace;
import org.apache.axis2.addressing.EndpointReference;
import org.apache.axis2.client.Options;
import org.apache.axis2.client.ServiceClient;
import org.apache.axis2.context.ConfigurationContext;
import org.apache.axis2.context.ConfigurationContextFactory;

public class Client {

    public static void main(String[] args) throws Exception {

        if (args.length != 2) {
            System.out.println("Usage: $java Client endpoint_address client_repo_path");
            return; // without this, the args[1] access below would fail
        }

        System.out.println("arg[0] is :" + args[0]);
        System.out.println("arg[1] is :" + args[1]);

        // The client repository (args[1]) holds the axis2.xml that carries the
        // security configuration and the "modules" directory with rampart.mar.
        ConfigurationContext ctx = ConfigurationContextFactory.createConfigurationContextFromFileSystem(
                args[1], args[1] + "/conf/axis2.xml");

        ServiceClient client = new ServiceClient(ctx, null);
        Options options = new Options();
        options.setAction("urn:echo");
        options.setTo(new EndpointReference(args[0]));
        client.setOptions(options);

        OMElement response = client.sendReceive(getPayload("Hello world"));

        System.out.println(response);
    }

    // Builds <ns1:echo xmlns:ns1="..."><param0>value</param0></ns1:echo>
    private static OMElement getPayload(String value) {
        OMFactory factory = OMAbstractFactory.getOMFactory();
        OMNamespace ns = factory.createOMNamespace("http://sample01.samples.rampart.apache.org/xsd", "ns1");
        OMElement elem = factory.createOMElement("echo", ns);
        OMElement childElem = factory.createOMElement("param0", null);
        childElem.setText(value);
        elem.addChild(childElem);

        return elem;
    }

}

Server code:

public class SimpleService {

    public String echo(String arg) {
        return arg;
    }

}

UsernameToken authentication

axis2.xml

<axisconfig name="AxisJava2.0">

    <module ref="rampart" />

    <parameter name="OutflowSecurity">
        <action>
            <items>UsernameToken Timestamp</items>
            <user>bob</user>
            <passwordCallbackClass>org.apache.rampart.samples.sample02.PWCBHandler</passwordCallbackClass>
        </action>
    </parameter>

    .........................

services.xml

<service>
    <operation name="echo">
        <messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
    </operation>
    <parameter name="ServiceClass" locked="false">org.apache.rampart.samples.sample02.SimpleService</parameter>

    <module ref="rampart" />

    <parameter name="InflowSecurity">
        <action>
            <items>UsernameToken Timestamp</items>
            <passwordCallbackClass>org.apache.rampart.samples.sample02.PWCBHandler</passwordCallbackClass>
        </action>
    </parameter>
</service>

 

UsernameToken authentication with a plain text password

axis2.xml

<axisconfig name="AxisJava2.0">

    <module ref="rampart" />

    <parameter name="OutflowSecurity">
        <action>
            <items>UsernameToken</items>
            <user>bob</user>
            <passwordCallbackClass>org.apache.rampart.samples.sample03.PWCBHandler</passwordCallbackClass>
            <passwordType>PasswordText</passwordType>
        </action>
    </parameter>



services.xml

<service>
    <operation name="echo">
        <messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
    </operation>
    <parameter name="ServiceClass" locked="false">org.apache.rampart.samples.sample03.SimpleService</parameter>

    <module ref="rampart" />

    <parameter name="InflowSecurity">
        <action>
            <items>UsernameToken</items>
            <passwordCallbackClass>org.apache.rampart.samples.sample03.PWCBHandler</passwordCallbackClass>
        </action>
    </parameter>
</service>
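The password callback class that the overview above requires on both client and server, written as an added example; it is not code from this page or the PWCBHandler shipped with the Rampart samples. It assumes the WSS4J 1.5 WSPasswordCallback API used by Rampart 1.x (note the getIdentifer() spelling in that version), and the credentials in it are constructed: bob/bobPW for the UsernameToken, and "apache" as the private-key password of the client and service keystore aliases. The same class covers both UsernameToken variants shown above: with the default digest password type WSS4J asks the handler for the stored password and computes and compares the digest itself, whereas with <passwordType>PasswordText</passwordType> the server-side handler receives the clear-text password and must do the comparison.

```java
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

/**
 * One CallbackHandler shared by client and server. Rampart/WSS4J hands it a
 * WSPasswordCallback whose usage code says what is being asked for.
 */
public class PWCBHandler implements CallbackHandler {

    // Constructed sample credentials; a real deployment looks these up in a
    // user store and a secret store instead of hard-coding them.
    private static final String UT_USER = "bob";
    private static final String UT_PASSWORD = "bobPW";
    private static final String KEY_PASSWORD = "apache";

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (!(callbacks[i] instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) callbacks[i];
            String id = pwcb.getIdentifer(); // WSS4J 1.5 spelling; newer versions add getIdentifier()

            switch (pwcb.getUsage()) {
                case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN:
                    // Server side with <passwordType>PasswordText</passwordType>: the
                    // token carries the clear-text password, so we compare it here.
                    if (UT_USER.equals(id) && UT_PASSWORD.equals(pwcb.getPassword())) {
                        break;
                    }
                    throw new UnsupportedCallbackException(callbacks[i], "check failed");

                case WSPasswordCallback.USERNAME_TOKEN:
                    // Client side (building the token) and server side with the
                    // default digest type: WSS4J needs the stored password. On the
                    // server it recomputes the digest and rejects a mismatch itself.
                    if (UT_USER.equals(id)) {
                        pwcb.setPassword(UT_PASSWORD);
                    }
                    break;

                case WSPasswordCallback.SIGNATURE:
                case WSPasswordCallback.DECRYPT:
                    // Private-key password for the keystore alias named by <user>
                    // (signing) or selected by the encryption key identifier (decryption).
                    if ("client".equals(id) || "service".equals(id)) {
                        pwcb.setPassword(KEY_PASSWORD);
                    }
                    break;

                default:
                    // Leave the password unset; Rampart then fails the message.
                    break;
            }
        }
    }
}
```

Because the handler never sets a password for an unknown identifier, an unexpected user or alias in a message fails the security processing instead of silently succeeding; that is the behaviour to keep when replacing the constants with a real lookup.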

Encrypting messages

axis2.xml

<axisconfig name="AxisJava2.0">

    <module ref="rampart" />

    <parameter name="OutflowSecurity">
        <action>
            <items>Encrypt</items>
            <encryptionUser>service</encryptionUser>
            <encryptionPropFile>client.properties</encryptionPropFile>
        </action>
    </parameter>

    <parameter name="InflowSecurity">
        <action>
            <items>Encrypt</items>
            <passwordCallbackClass>org.apache.rampart.samples.sample05.PWCBHandler</passwordCallbackClass>
            <decryptionPropFile>client.properties</decryptionPropFile>
        </action>
    </parameter>

services.xml

<service>
    <operation name="echo">
        <messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
    </operation>
    <parameter name="ServiceClass" locked="false">org.apache.rampart.samples.sample05.SimpleService</parameter>

    <module ref="rampart" />

    <parameter name="InflowSecurity">
        <action>
            <items>Encrypt</items>
            <passwordCallbackClass>org.apache.rampart.samples.sample05.PWCBHandler</passwordCallbackClass>
            <decryptionPropFile>service.properties</decryptionPropFile>
        </action>
    </parameter>

    <parameter name="OutflowSecurity">
        <action>
            <items>Encrypt</items>
            <encryptionUser>client</encryptionUser>
            <encryptionPropFile>service.properties</encryptionPropFile>
        </action>
    </parameter>
</service>



Sign and encrypt messages

axis2.xml

<axisconfig name="AxisJava2.0">

    <!--Signature and Encryption : Using the request's certificate-->

    <module ref="rampart" />

    <parameter name="OutflowSecurity">
        <action>
            <items>Timestamp Signature Encrypt</items>
            <user>client</user>
            <passwordCallbackClass>org.apache.rampart.samples.sample06.PWCBHandler</passwordCallbackClass>
            <signaturePropFile>client.properties</signaturePropFile>
            <signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>
            <encryptionKeyIdentifier>SKIKeyIdentifier</encryptionKeyIdentifier>
            <encryptionUser>service</encryptionUser>
        </action>
    </parameter>

    <parameter name="InflowSecurity">
        <action>
            <items>Timestamp Signature Encrypt</items>
            <passwordCallbackClass>org.apache.rampart.samples.sample06.PWCBHandler</passwordCallbackClass>
            <signaturePropFile>client.properties</signaturePropFile>
        </action>
    </parameter>



services.xml

<service>
    <operation name="echo">
        <messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
    </operation>
    <parameter name="ServiceClass" locked="false">org.apache.rampart.samples.sample06.SimpleService</parameter>

    <module ref="rampart" />

    <parameter name="InflowSecurity">
        <action>
            <items>Timestamp Signature Encrypt</items>
            <passwordCallbackClass>org.apache.rampart.samples.sample06.PWCBHandler</passwordCallbackClass>
            <signaturePropFile>service.properties</signaturePropFile>
        </action>
    </parameter>

    <parameter name="OutflowSecurity">
        <action>
            <items>Timestamp Signature Encrypt</items>
            <user>service</user>
            <passwordCallbackClass>org.apache.rampart.samples.sample06.PWCBHandler</passwordCallbackClass>
            <signaturePropFile>service.properties</signaturePropFile>
            <signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>
            <encryptionKeyIdentifier>SKIKeyIdentifier</encryptionKeyIdentifier>
            <encryptionUser>useReqSigCert</encryptionUser>
        </action>
    </parameter>

</service>
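The same sign-and-encrypt client configuration, built in code rather than in axis2.xml, as an added example that is not code from this page or from the Rampart samples. It assumes the Rampart 1.x helper classes org.apache.rampart.handler.config.OutflowConfiguration and InflowConfiguration, whose getProperty() returns the same OutflowSecurity/InflowSecurity Axis2 parameter the XML above declares, and the constant names in org.apache.rampart.handler.WSSHandlerConstants; the endpoint and repository path come from the command line as in the page's Client. The repository's axis2.xml still needs <module ref="rampart"/> so the handlers are engaged; only the security parameters move into code.

```java
import org.apache.axiom.om.OMAbstractFactory;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.OMFactory;
import org.apache.axiom.om.OMNamespace;
import org.apache.axis2.addressing.EndpointReference;
import org.apache.axis2.client.Options;
import org.apache.axis2.client.ServiceClient;
import org.apache.axis2.context.ConfigurationContext;
import org.apache.axis2.context.ConfigurationContextFactory;
import org.apache.rampart.handler.WSSHandlerConstants;
import org.apache.rampart.handler.config.InflowConfiguration;
import org.apache.rampart.handler.config.OutflowConfiguration;

public class SignEncryptClient {

    /** Same content as the OutflowSecurity parameter in the client axis2.xml above. */
    static OutflowConfiguration outflow() {
        OutflowConfiguration ofc = new OutflowConfiguration();
        ofc.setActionItems("Timestamp Signature Encrypt");   // applied in this order on the way out
        ofc.setUser("client");                                // keystore alias of our signing key
        ofc.setPasswordCallbackClass("org.apache.rampart.samples.sample06.PWCBHandler");
        ofc.setSignaturePropFile("client.properties");
        ofc.setSignatureKeyIdentifier("DirectReference");     // ship our certificate in a BinarySecurityToken
        ofc.setEncryptionKeyIdentifier("SKIKeyIdentifier");   // refer to the service cert by SubjectKeyIdentifier
        ofc.setEncryptionUser("service");                     // alias of the service certificate in client.properties
        return ofc;
    }

    /** Same content as the InflowSecurity parameter in the client axis2.xml above. */
    static InflowConfiguration inflow() {
        InflowConfiguration ifc = new InflowConfiguration();
        ifc.setActionItems("Timestamp Signature Encrypt");    // response must carry all three, else it is rejected
        ifc.setPasswordCallbackClass("org.apache.rampart.samples.sample06.PWCBHandler");
        ifc.setSignaturePropFile("client.properties");
        ifc.setDecryptionPropFile("client.properties");
        return ifc;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.out.println("Usage: $java SignEncryptClient endpoint_address client_repo_path");
            return;
        }
        ConfigurationContext ctx = ConfigurationContextFactory.createConfigurationContextFromFileSystem(
                args[1], args[1] + "/conf/axis2.xml");
        ServiceClient client = new ServiceClient(ctx, null);

        Options options = new Options();
        options.setAction("urn:echo");
        options.setTo(new EndpointReference(args[0]));
        // Rampart's handlers read these two properties exactly as they would read
        // the <parameter> elements from axis2.xml.
        options.setProperty(WSSHandlerConstants.OUTFLOW_SECURITY, outflow().getProperty());
        options.setProperty(WSSHandlerConstants.INFLOW_SECURITY, inflow().getProperty());
        client.setOptions(options);

        OMElement response = client.sendReceive(echoPayload("Hello world"));
        System.out.println(response);
    }

    // Same payload shape as the page's Client.getPayload
    static OMElement echoPayload(String value) {
        OMFactory f = OMAbstractFactory.getOMFactory();
        OMNamespace ns = f.createOMNamespace("http://sample01.samples.rampart.apache.org/xsd", "ns1");
        OMElement echo = f.createOMElement("echo", ns);
        OMElement param = f.createOMElement("param0", null);
        param.setText(value);
        echo.addChild(param);
        return echo;
    }
}
```

Keeping the inflow items identical to the outflow items is the security-relevant detail: a response that arrives unencrypted, unsigned or without a Timestamp then fails inflow processing rather than being accepted.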

Transporting SOAP messages securely with Rampart

Axis2 has a module, based on Apache WSS4J, that provides WS-Security; it is called Rampart. This document describes how to run and configure the Rampart module.

Introduction:

Once the Rampart module is engaged, it inserts its handlers into the security phases defined by the system and acts globally. These handlers can be configured with WS-SecurityPolicy[2] assertions and with Rampart-specific assertions. Rampart 1.0 was configured through two Axis2 parameters, and that configuration method is still available in 1.1.

Rampart 1.1: http://www.apache.org/dyn/closer.cgi/ws/rampart/1_1

First, the following line must be added to the axis2.xml file:

<module ref="rampart"/>

When Axis2 is deployed in a server such as Tomcat, the web administration interface can be used for this.

On the server side, security can be configured per service. The configuration parameters are set in the service's services.xml file.

On the client side, the configuration parameters are set in the axis2.xml of the client's Axis2 repository.

Rampart 1.1 configuration

Rampart-specific assertions

Rampart uses the standard WS-SecurityPolicy[2] assertions and can also define its own.

XSD for the Rampart-specific assertions: http://ws.apache.org/axis2/modules/rampart/1_1/sec-conf/rampart-config.xsd

ramp:RampartConfig must appear as a top-level assertion; see for example http://ws.apache.org/axis2/modules/rampart/1_1/sec-conf/sample-policy.xml

Server-side configuration

The service is configured by adding a policy element to its services.xml. A usable services.xml:

http://ws.apache.org/axis2/modules/rampart/1_1/sec-conf/sample-services.xml

Client-side configuration

On the client side a Policy object must be created and loaded into the Options. The Policy object can be created from a policy.xml file as follows:

import org.apache.axiom.om.impl.builder.StAXOMBuilder;
import org.apache.axis2.client.Options;
import org.apache.neethi.Policy;
import org.apache.neethi.PolicyEngine;
import org.apache.rampart.RampartMessageData;

// Creating the object: parse policy.xml into an OM tree and build a Neethi Policy from it
StAXOMBuilder builder = new StAXOMBuilder(pathToPolicyfile);
Policy clientPolicy = PolicyEngine.getPolicy(builder.getDocumentElement());

// Setting the object: Rampart picks the policy up from this Options property
Options options = new Options();
options.setProperty(RampartMessageData.KEY_RAMPART_POLICY, clientPolicy);

 

Rampart 1.0 configuration

The Rampart module uses two parameters: OutflowSecurity and InflowSecurity.

OutflowSecurity parameter:

This parameter configures the outflow security handler. The outflow handler can be invoked several times within one outflow (one can provide configuration for each of these invocations). An 'action' describes one such configuration, so the OutflowSecurity parameter can contain several 'action' elements. Schema of the 'action' element: http://ws.apache.org/axis2/modules/rampart/1_1/sec-conf/out-action.xsd

http://ws.apache.org/axis2/modules/rampart/1_1/security-module.html#ex1 is an example that adds a Timestamp to the outflow configuration and signs and encrypts the message; http://ws.apache.org/axis2/modules/rampart/1_1/security-module.html#ex1 demonstrates how to sign a message twice by chaining outflow handlers (using two 'action' elements).

The elements that can be placed inside the 'action' element of the OutflowSecurity parameter are described below:

| Parameter | Description | Example |
| --- | --- | --- |
| items | Security actions for the outflow | Add a Timestamp, sign the SOAP body and encrypt the SOAP body: <items>Timestamp Signature Encrypt</items> |
| user | The user's name | Set the alias of the key to be used to sign: <user>bob</user> |
| passwordCallbackClass | Callback class used to provide the password required to create the UsernameToken or to sign the message | <passwordCallbackClass>org.apache.axis2.security.PWCallback</passwordCallbackClass> |
| signaturePropFile | Property file used to get the signature parameters such as crypto provider, keystore and its password | Set example.properties as the signature property file: <signaturePropFile>example.properties</signaturePropFile> |
| signatureKeyIdentifier | Key identifier used to refer to the key in the signature | Use the serial number of the certificate: <signatureKeyIdentifier>IssuerSerial</signatureKeyIdentifier> |
| encryptionKeyIdentifier | Key identifier used to refer to the key in encryption | Use the serial number of the certificate: <encryptionKeyIdentifier>IssuerSerial</encryptionKeyIdentifier> |
| encryptionUser | The user's name for encryption | <encryptionUser>alice</encryptionUser> |
| encryptionSymAlgorithm | Symmetric algorithm used for encryption | Use AES-128: <encryptionSymAlgorithm>http://www.w3.org/2001/04/xmlenc#aes128-cbc</encryptionSymAlgorithm> |
| encryptionKeyTransportAlgorithm | Key encryption (key transport) algorithm | Use RSA-OAEP: <encryptionKeyTransportAlgorithm>http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p</encryptionKeyTransportAlgorithm> |
| signatureParts | Sign multiple parts of the SOAP message | Sign the Foo and Bar elements qualified by "http://app.ns/ns": <signatureParts>{Element}{http://app.ns/ns}Foo;{Element}{http://app.ns/ns}Bar</signatureParts> |
| optimizeParts | MTOM-optimize the elements selected by the XPath query | Optimize the CipherValue: <optimizeParts>//xenc:EncryptedData/xenc:CipherData/xenc:CipherValue</optimizeParts> |

 

InflowSecurity parameter

This parameter configures the inflow security handler. The 'action' element is likewise used to wrap the configuration elements. http://ws.apache.org/axis2/modules/rampart/1_1/security-module.html#ex3 shows a configuration that verifies the signature and validates the timestamp.

| Parameter | Description | Example |
| --- | --- | --- |
| items | Security actions for the inflow | First the incoming message is decrypted, then the signature is verified, then the presence of the Timestamp is checked: <items>Timestamp Signature Encrypt</items> |
| passwordCallbackClass | Callback class used to obtain the password for decryption and UsernameToken verification | <passwordCallbackClass>org.apache.axis2.security.PWCallback</passwordCallbackClass> |
| signaturePropFile | Property file used for signature verification | <signaturePropFile>sig.properties</signaturePropFile> |
| decryptionPropFile | Property file used for decryption | <decryptionPropFile>dec.properties</decryptionPropFile> |

 

 

Note that the '.properties' files referenced by properties such as outSignaturePropFile are the same property files used in the WSS4J project. The following shows how the properties are defined in such a file:

org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=pkcs12
org.apache.ws.security.crypto.merlin.keystore.password=security
org.apache.ws.security.crypto.merlin.keystore.alias=16c73ab6-b892-458f-abf5-2f875f74882e
org.apache.ws.security.crypto.merlin.alias.password=security
org.apache.ws.security.crypto.merlin.file=keys/x509.PFX.MSFT

org.apache.ws.security.crypto.provider defines the implementation of the org.apache.ws.security.components.crypto.Crypto interface that provides the crypto information required by WSS4J. The other properties are the configuration properties used by that implementation class (org.apache.ws.security.components.crypto.Merlin).
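A pre-deployment check of a Merlin properties file like the one above, as an added example that is neither from this page nor from WSS4J. It reads the same org.apache.ws.security.crypto.merlin.* keys with plain JDK APIs and verifies what Merlin will need at runtime: the keystore file opens with the given type and store password, keystore.alias exists, its private key can be recovered, and its certificate is currently valid. Two things in it are assumptions rather than Merlin behaviour: the check uses the alias.password property (falling back to the keystore password) to unlock the key, whereas at runtime the private-key password is normally supplied by the password callback class, and the properties file path is a command-line placeholder.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Properties;

public class CryptoPropsCheck {

    private static final String PREFIX = "org.apache.ws.security.crypto.merlin.";

    /**
     * Returns null when the file describes a usable signing/decryption key,
     * otherwise a description of the first problem found.
     */
    public static String check(String propsFile) {
        try {
            Properties p = new Properties();
            try (InputStream in = new FileInputStream(propsFile)) {
                p.load(in);
            }

            String type = p.getProperty(PREFIX + "keystore.type", "jks");
            String storePw = p.getProperty(PREFIX + "keystore.password");
            String alias = p.getProperty(PREFIX + "keystore.alias");
            String file = p.getProperty(PREFIX + "file");
            // Assumption of this check only: fall back to the store password for the key
            String aliasPw = p.getProperty(PREFIX + "alias.password", storePw);
            if (file == null || storePw == null || alias == null) {
                return "keystore.password, keystore.alias and file must all be set";
            }

            // This is what Merlin does with keystore.type / keystore.password / file
            KeyStore ks = KeyStore.getInstance(type);
            try (InputStream ksIn = new FileInputStream(file)) {
                ks.load(ksIn, storePw.toCharArray());
            }

            if (!ks.containsAlias(alias)) {
                return "alias '" + alias + "' is not in " + file;
            }
            // Signing and decrypting need a private key, not just a trusted certificate
            if (!(ks.getKey(alias, aliasPw.toCharArray()) instanceof PrivateKey)) {
                return "alias '" + alias + "' has no private key";
            }
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            if (cert == null) {
                return "alias '" + alias + "' has no certificate";
            }
            cert.checkValidity(); // throws when expired or not yet valid
            return null;
        } catch (Exception e) {
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        if (args.length != 1) {
            System.out.println("Usage: $java CryptoPropsCheck path/to/client.properties");
            return;
        }
        String problem = check(args[0]);
        System.out.println(problem == null ? "OK" : "FAILED: " + problem);
    }
}
```

Running this against each properties file named in signaturePropFile, encryptionPropFile and decryptionPropFile catches the usual deployment mistakes (wrong relative path for file, an alias that only holds the peer's public certificate, an expired certificate) before they surface as opaque WSS4J faults at message time.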

This article is a repost; the original is at http://www.blogjava.net/daniel-shen/
