1. 鉴于很多系统需要实施WS-Security的标准,我们在SpringSide中提供了XFire+WSS4J的Demo,本文介绍SpringSide中Spring+XFire+WSS4J的基本配置
2.
3. [WebService Server端配置]
4. 第一,创建一个基本的BookService
5. public interface BookService {
6. /** *//**
7. * 按书名模糊查询图书
8. */
9. List findBooksByName(String name);
10.
11. /** *//**
12. * 查找目录下的所有图书
13. *
14. * @param categoryId 如果category为null或“all”, 列出所有图书。
15. */
16. List findBooksByCategory(String categoryId);
17.
18. /** *//**
19. * 列出所有分类.
20. *
21. * @return List<Category>,或是null。
22. */
23. List getAllCategorys();
24. }
25. 第二,接口扩展,即Extend基本的BookService,在XFire中,不同的WSS4J策略需要针对不同的ServiceClass,否则<inHandlers>里面的定义会Overlap。 public interface BookServiceWSS4JEnc extends BookService {
26.
27. }
28. public interface BookServiceWSS4JSign extends BookService {
29.
30. }
31. 第三,配置Spring的ApplicationContext文件
32. <!--BookService 基类-->
33. <bean id="baseWebService" class="org.codehaus.xfire.spring.remoting.XFireExporter" abstract="true">
34. <property name="serviceFactory" ref="xfire.serviceFactory"/>
35. <property name="xfire" ref="xfire"/>
36. </bean>
37.
38. <bean class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
39. <property name="mappings">
40. <value>
41. /BookService=bookService
42. /BookServiceWSS4J=bookServiceWSS4J
43. /BookServiceWSS4JEnc=bookServiceWSS4JEnc
44. /BookServiceWSS4JSign=bookServiceWSS4JSign
45. </value>
46. </property>
47. </bean>
48.
49. <!--(1)BookWebService 不需要认证-->
50. <bean id="bookService" class="org.codehaus.xfire.spring.remoting.XFireExporter">
51. <property name="serviceFactory" ref="xfire.serviceFactory"/>
52. <property name="xfire" ref="xfire"/>
53. <property name="serviceBean" ref="bookManager"/>
54. <property name="serviceClass" value="org.springside.bookstore.plugins.xfire.service.BookService"/>
55. </bean>
56.
57. <!-- (3)BookWebService 使用 WSS4J验证-->
58. <bean id="bookServiceWSS4J" class="org.codehaus.xfire.spring.remoting.XFireExporter">
59. <property name="serviceBean" ref="bookManager"/>
60. <property name="serviceClass" value="org.springside.bookstore.plugins.xfire.service.BookServiceWSS4J"/>
61. <property name="inHandlers">
62. <list>
63. <ref bean="domInHandler"/>
64. <ref bean="wss4jInHandler"/>
65. <ref bean="validateUserTokenHandler"/>
66. </list>
67. </property>
68. </bean>
69.
70. <bean id="domInHandler" class="org.codehaus.xfire.util.dom.DOMInHandler"/>
71.
72. <bean id="wss4jInHandler" class="org.codehaus.xfire.security.wss4j.WSS4JInHandler">
73. <property name="properties">
74. <props>
75. <prop key="action">UsernameToken</prop>
76. <prop key="passwordCallbackClass">org.springside.bookstore.plugins.xfire.wss4j.PasswordHandler</prop>
77. </props>
78. </property>
79. </bean>
80.
81. <bean id="validateUserTokenHandler" class="org.springside.bookstore.plugins.xfire.wss4j.WSS4JTokenHandler"/>
82.
83. <!-- (4)BookWebService 使用 WSS4J验证 Encrypt模式-->
84. <bean id="bookServiceWSS4JEnc" class="org.codehaus.xfire.spring.remoting.XFireExporter">
85. <property name="serviceBean" ref="bookManager"/>
86. <property name="serviceClass" value="org.springside.bookstore.plugins.xfire.service.BookServiceWSS4JEnc"/>
87. <property name="inHandlers">
88. <list>
89. <ref bean="domInHandler"/>
90. <ref bean="wss4jInHandlerEnc"/>
91. <ref bean="validateUserTokenHandler"/>
92. </list>
93. </property>
94. </bean>
95.
96. <bean id="wss4jInHandlerEnc" class="org.codehaus.xfire.security.wss4j.WSS4JInHandler">
97. <property name="properties">
98. <props>
99. <prop key="action">Encrypt</prop>
100. <prop key="decryptionPropFile">org/springside/bookstore/plugins/xfire/wss4j/insecurity_enc.properties</prop>
101. <prop key="passwordCallbackClass">org.springside.bookstore.plugins.xfire.wss4j.PasswordHandler</prop>
102. </props>
103. </property>
104. </bean>
105.
106. <!-- (5)BookWebService 使用 WSS4J验证 Signature模式-->
107. <bean id="bookServiceWSS4JSign" class="org.codehaus.xfire.spring.remoting.XFireExporter">
108. <property name="serviceBean" ref="bookManager"/>
109. <property name="serviceClass" value="org.springside.bookstore.plugins.xfire.service.BookServiceWSS4JSign"/>
110. <property name="inHandlers">
111. <list>
112. <ref bean="domInHandler"/>
113. <ref bean="wss4jInHandlerSign"/>
114. <ref bean="validateUserTokenHandler"/>
115. </list>
116. </property>
117. </bean>
118.
119. <bean id="wss4jInHandlerSign" class="org.codehaus.xfire.security.wss4j.WSS4JInHandler">
120. <property name="properties">
121. <props>
122. <prop key="action">Signature</prop>
123. <prop key="signaturePropFile">org/springside/bookstore/plugins/xfire/wss4j/insecurity_sign.properties</prop>
124. <prop key="passwordCallbackClass">org.springside.bookstore.plugins.xfire.wss4j.PasswordHandler</prop>
125. </props>
126. </property>
127. </bean>
128.
129. </beans>
130.
131. 第四,配置insecurity_enc.properties和insecurity_sign.properties两个密钥库配置文件
132. insecurity_enc.properties:
133. org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
134. org.apache.ws.security.crypto.merlin.keystore.type=jks
135. org.apache.ws.security.crypto.merlin.keystore.password=SpringSide
136. org.apache.ws.security.crypto.merlin.alias.password=SpringSide
137. org.apache.ws.security.crypto.merlin.keystore.alias=david
138. org.apache.ws.security.crypto.merlin.file=org/springside/bookstore/plugins/xfire/wss4j/springside_private.jks
139. outsecurity_sign.properties:
140. org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
141. org.apache.ws.security.crypto.merlin.keystore.type=jks
142. org.apache.ws.security.crypto.merlin.keystore.password=SpringSide
143. org.apache.ws.security.crypto.merlin.keystore.alias=david
144. org.apache.ws.security.crypto.merlin.file=org/springside/bookstore/plugins/xfire/wss4j/springside_public.jks
145. 第五,使用SecureX生成了两个keystore文件
146. springside_private.jks
147. 别名名称: david
148. 创建日期: 2006-8-6
149. 输入类型:KeyEntry
150. 认证链长度: 1
151. 认证 [1]:
152. Owner: CN=david, OU=SpringSide, O=org, L=gz, ST=gd, C=cn
153. 发照者: CN=david, OU=SpringSide, O=org, L=gz, ST=gd, C=cn
154. 序号: 44d4cdcd
155. 有效期间: Sun Aug 06 00:56:45 CST 2006 至: Mon Aug 06 00:56:45 CST 2007
156. 认证指纹:
157. MD5: CF:97:13:0C:70:D0:4D:B6:B4:27:0F:1A:0B:CF:D9:F2
158. SHA1: 8E:8E:E8:BC:64:39:C8:43:E4:F7:1B:3B:CE:48:1D:6B:A0:2B:58:B5
159. springside_public.jks
160. 别名名称: david
161. 创建日期: 2006-8-6
162. 输入类型: trustedCertEntry
163.
164. Owner: CN=david, OU=SpringSide, O=org, L=gz, ST=gd, C=cn
165. 发照者: CN=david, OU=SpringSide, O=org, L=gz, ST=gd, C=cn
166. 序号: 44d4cdcd
167. 有效期间: Sun Aug 06 00:56:45 CST 2006 至: Mon Aug 06 00:56:45 CST 2007
168. 认证指纹:
169. MD5: CF:97:13:0C:70:D0:4D:B6:B4:27:0F:1A:0B:CF:D9:F2
170. SHA1: 8E:8E:E8:BC:64:39:C8:43:E4:F7:1B:3B:CE:48:1D:6B:A0:2B:58:B5
171. 第五,新版本SpringSide需要
172. http://www.bouncycastle.org/download/bcprov-jdk15-133.jar
173. 并且要配置java.security
174. 另外,还要使用jdk加密增强策略
175. http://www.blogjava.net/openssl/archive/2006/03/08/34381.html
176.
177. 用户要使用WSS4J,需要配置Bouncycastle这个SecurityProvider,否则
178. 运行Enc模式的XFire认证的时候,会抛出异常:
179. org.apache.ws.security.WSSecurityException: An unsupported signature or encryption algorithm was used unsupported key
180. 配合java.security也是非常简单:
181. 在最后加入BouncycastleProvider。
182. security.provider.1=sun.security.provider.Sun
183. security.provider.2=com.sun.net.ssl.internal.ssl.Provider
184. security.provider.3=com.sun.rsajca.Provider
185. security.provider.4=com.sun.crypto.provider.SunJCE
186. security.provider.5=sun.security.jgss.SunProvider
187. security.provider.6=org.bouncycastle.jce.provider.BouncyCastleProvider
188.
189. [WebService Client端配置]
190. 1,Encrypt模式的Client是在客户端用david的公钥加密Soap里面的usernameToken,然后发送到Web服务,Web服务用david的私钥来验证。这种模式需要客户端预先知道服务器端的公钥。
191.
192. 在Encrypt模式中,需要这样配置ClientHandler:
193. Service serviceModel = new ObjectServiceFactory().create(BookServiceWSS4JEnc.class);
194. XFireProxyFactory factory = new XFireProxyFactory(getXFire());
195.
196. BookService service = (BookService) factory.create(serviceModel, "xfire.local://BookServiceWSS4JEnc");
197.
198. Client client = ((XFireProxy) Proxy.getInvocationHandler(service)).getClient();
199. //挂上WSS4JOutHandler,提供认证
200. client.addOutHandler(new DOMOutHandler());
201. Properties properties = new Properties();
202. configureOutProperties(properties);
203. client.addOutHandler(new WSS4JOutHandler(properties));
204.
205. List list = service.getAllCategorys(); configureOutProperties函数负责指定Client使用何种安全策略,没错,使用 outsecurity_enc.properties,这个properties是跟Server端的 insecurity_enc.properties一起使用的。
206. protected void configureOutProperties(Properties config) {
207. config.setProperty(WSHandlerConstants.ACTION, WSHandlerConstants.ENCRYPT);
208. config.setProperty(WSHandlerConstants.USER, "david");
209. //config.setProperty(WSHandlerConstants.PW_CALLBACK_CLASS, PasswordHandler.class.getName());
210. //Configuration of public key used to encrypt message goes to properties file.
211. config.setProperty(WSHandlerConstants.ENC_PROP_FILE,
212. "org/springside/bookstore/plugins/xfire/outsecurity_enc.properties");
213. }
214.
215. outsecurity_enc.properties:
216. org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
217. org.apache.ws.security.crypto.merlin.keystore.type=jks
218. org.apache.ws.security.crypto.merlin.keystore.password=SpringSide
219. org.apache.ws.security.crypto.merlin.keystore.alias=david
220. org.apache.ws.security.crypto.merlin.file=org/springside/bookstore/plugins/xfire/wss4j/springside_public.jks
221.
222. 2, Sign模式的Client同样也是很简单,这种模式是Client端用自己的私钥为usernameToken签名,服务器端用Client的公钥来验证签名,因此,服务器端需要预先知道客户端的公钥。
223. 对应于Encrypt模式,这里的configureOutProperties需要这样来配置:
224. protected void configureOutProperties(Properties properties) {
225. properties.setProperty(WSHandlerConstants.ACTION,WSHandlerConstants.SIGNATURE);
226. // User in keystore
227. properties.setProperty(WSHandlerConstants.USER, "david");
228. // This callback is used to specify password for given user for keystore
229. properties.setProperty(WSHandlerConstants.PW_CALLBACK_CLASS, PasswordHandler.class.getName());
230. // Configuration for accessing private key in keystore
231. properties.setProperty(WSHandlerConstants.SIG_PROP_FILE,"org/springside/bookstore/plugins/xfire/outsecurity_sign.properties");
232. properties.setProperty(WSHandlerConstants.SIG_KEY_ID,"IssuerSerial");
233. }
234.
235.
236. outsecurity_sign.properties:
237. org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
238. org.apache.ws.security.crypto.merlin.keystore.type=jks
239. org.apache.ws.security.crypto.merlin.keystore.password=SpringSide
240. org.apache.ws.security.crypto.merlin.alias.password=SpringSide
241. org.apache.ws.security.crypto.merlin.keystore.alias=david
242. org.apache.ws.security.crypto.merlin.file=org/springside/bookstore/plugins/xfire/wss4j/springside_private.jks
176
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
