How do I write WS-SecurityPolicy entries for security configured with WSSJInInterceptor?

Time: 2014-05-15 09:07:36

Tags: java spring web-services cxf

I have a secured web service for which I use the WSSJInInterceptor approach:

<jaxws:endpoint id="NAME_REMOVED"
    implementorClass="NAME_REMOVED"
    implementor="#NAME_REMOVED" address="/NAME_REMOVED">

    <jaxws:inInterceptors>
        <ref bean="logInBound" />
        <ref bean="wsAuthenticationInterceptor" />
    </jaxws:inInterceptors>
    <jaxws:outInterceptors>
        <ref bean="logOutBound" />
        <ref bean="outbound-security" />
    </jaxws:outInterceptors>

</jaxws:endpoint>


<!-- WSS4JInInterceptor for decrypting inbound SOAP -->
<bean id="wsAuthenticationInterceptor" class="NAME_REMOVED.WSAuthenticationInInterceptor">
    <constructor-arg index="0">
        <map key-type="java.lang.String" value-type="java.lang.Object">
            <entry key="action" value="Timestamp Signature Encrypt" />
            <entry key="signaturePropFile" value="server-crypto.properties" />
            <entry key="decryptionPropFile" value="server-crypto.properties" />
            <entry key="passwordCallbackClass" value="NAME_REMOVED.ServerPasswordCallback" />
        </map>
    </constructor-arg>
</bean>

<!-- WSS4JOutInterceptor for signing and encrypting outbound SOAP -->
<bean id="outbound-security" class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
    <constructor-arg>
        <map>
            <entry key="action" value="Timestamp Signature Encrypt" />
            <entry key="user" value="server" />
            <entry key="signaturePropFile" value="server-crypto.properties" />
            <entry key="encryptionPropFile" value="server-crypto.properties" />
            <entry key="encryptionUser" value="useReqSigCert" />
            <entry key="passwordCallbackClass" value="NAME_REMOVED.ServerPasswordCallback" />
            <entry key="signatureParts"
                value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body" />
            <entry key="encryptionParts"
                value="{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body" />
            <entry key="encryptionSymAlgorithm" value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
        </map>
    </constructor-arg>
</bean>

However, I only realised afterwards that this approach doesn't put any SecurityPolicy information into the WSDL. It is quite important that clients know which security measures are applied, so I want to add the @Policy annotation to the endpoint manually. Can someone point me in the right direction for writing a SecurityPolicy that corresponds to the configuration above?

Thanks!

Update: Since I haven't received an answer to this yet, I guess few people use this WSSJInterceptor approach. For those who don't, here is a sample SOAP request generated using this configuration:

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
    <wsse:Security
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    soap:mustUnderstand="1">
    <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
        Id="EK-B9E9615202664FEC1B14006659902977">
        <xenc:EncryptionMethod
            Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" />
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <wsse:SecurityTokenReference>
                <ds:X509Data>
                    <ds:X509IssuerSerial>
                        <ds:X509IssuerName>1.2.840.113549.1.9.1=#1611746573746361407465737463612e636f6d,CN=Test
                            CA,OU=Test CA,O=Test CA,L=Wien,ST=Wien,C=AT
                        </ds:X509IssuerName>
                        <ds:X509SerialNumber>10734339032782376985</ds:X509SerialNumber>
                    </ds:X509IssuerSerial>
                </ds:X509Data>
            </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData>
            <xenc:CipherValue>B5Aj663c9Sp+nkyi3BlVHbeeyj+dJLVBmhQhmyi2/HlbUbvI00kfs5Ce26dyE/dP0lJOcOt2LhqmU5ggeuh/YfJHwDSPwkiKdO5Eu8UgunLc/YIBXoj0w7/pQtNyzENbt5hlMgVrDri2abOOgv1iII1+9cMosov0+L7zk2tetCs=
            </xenc:CipherValue>
        </xenc:CipherData>
        <xenc:ReferenceList>
            <xenc:DataReference URI="#ED-B9E9615202664FEC1B14006659903108" />
            <xenc:DataReference URI="#ED-B9E9615202664FEC1B14006659903459" />
        </xenc:ReferenceList>
    </xenc:EncryptedKey>
    <wsse:BinarySecurityToken
        EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
        ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
        wsu:Id="X509-B9E9615202664FEC1B14006659901732">
        OMITTED
    </wsse:BinarySecurityToken>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
        Id="ED-B9E9615202664FEC1B14006659903108" Type="http://www.w3.org/2001/04/xmlenc#Element">
        <xenc:EncryptionMethod
            Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <wsse:SecurityTokenReference
                xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
                wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
                <wsse:Reference URI="#EK-B9E9615202664FEC1B14006659902977" />
            </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData>
            <xenc:CipherValue>syhXx1cPSGDAB43xWqpgwW9hPXVETwn8k6jC6kEf4al7zbQNOWfq2RMLP3DkRlhcZgC9SY933RCBZJh1P4BIgVTg63O2CUApcOzsYf8ZccSGyDcaRTy8mJai3T1dvbx9QhTkSdo57cJQeam4TaRHdsd4/Q8xMseS52EykcDdt5x+uJlprVH6ILrijTnu5Vt+JJEjMjE+N6P1q4MoEZDWVCTe5fQMCMU0B8/VBV6SMHC1riIrugeUpUVMzDq34yU3jwwCqVGGp8ZuLgMlWvaE3zSzOr40ZOaPHpR/X5IeN52NhKPVTXEoJ76ncFpjKy0iL+KB/Cf856khLONSqJiVTf7daxj22grHBIOtNFYqRL8MZm0c+R3DRcj/yKoU3WqCMHk0zqGgqCInFwHym4lg2LyXBqbJd6hFoVcu/SUjOWTxMDOoqBZ4YPYOO7TtckOvChHDWOCd0Jlqepg8Ofi6JaqqE4XybxvIkdLcJOjn3fS8EP3LB075GIVjWdO+svELjWRTbHbruUBs553wH47Pl7sj1S1MU9nf1tbs6tK4ZlNXwkcZjTw4yRjzZP5WCV/zbXBC12VdBuCMSM+wQjKujplxnjxi+ll63p3EOQVUi/hODA1P9I/JtV17YznKKanzCt3FC289szFCuhPnV39kCj3r8YAVuunMVAZDKFsji4r1TlXTDTczlrWRaPBouoZYHs8JKpa5vmzPbhXy3Hs890mvMGZcZYHAZd7L0XydCZcyBNHs3LHeAd9XLQD6Nn0kG1wKDfE12Ff1l98J5Yl5yNiey8y2iFVEDlXyvEvKQRjg3elmWTU/qEfy1seTszBs8eDbuoKJuAT6+zEYOy+XqcwqZaS0XvfD5ySJDfapCIj6g3CvlvuzYxejqgMZ84Ns2sR0oy/afJrJkeBJ+bfYBlHhW+Cp+yL0C+tmAgBgL2lQPYmmic0hrfdYwXVWGz2pp+t5GCJ1lVzMuU8HFdfugKd20W2jE7UjzhlQZTzaelJMWvg0WmcfmxjX2lHSncJ9DWU9NmEZQRxtOxpB//yAdIF8xTRdawXl2XlwiEDkH8D6b+kd1akOmKhDofaBOJxO6XGgotTosbNhoAVQYv1YrwQfWRI7GS0H/AbPF0ddQqwnvCANfsp9UQslkBE6cVQVaKIuTEouJTBhjIRXVhECBQ0pzkP+VI7JEBmZGTEvOdQyTtv/UgXlnX18pnVIQIRBGIAHXVTaMNyaI056D/Xw1JtUihqt3euzJSXUnW65U13ZnZylrgn5oElZVfNuqvyR38xoy1duQhicW8NAQX8qKLv2uIoTbwXXjxeLeWgfSWYqnWf7LsFnoHMiXl0vEeFLyJ8P2ho9s9w18B5T3Rb1rAs8HAGYah0kRK7VDujQioGUC5IvYSB7bNB6GYBPPwrdFeI38jVRbfzGAOHuPp7LjgvBg6gmciRKZwe6NobhyE1Dl2D+w1H8GH/UsNBtazJ1tYxFBPUTJIEiCLHBGD7T+4Z0iKNqF8t04awvKJleeClifF4EH0MI/d9bscL8yF0ODsEMmDCmwGlp2raH5Gr9g/mA9RmS2EgLCfR1U+X2eHq+HkXdh3ai2ig+K91n3WfbC8U+x16f1FykY92I21QzYAMA9ZSnfdliEZckHSVAkfH3HXIJ3Cxu+Dl2O59wG+FLsk4wMY3iRGAaxFOa3UYPAcHL5isMQpcZBfc1rduhYdGor2FfFbu0fTEr5EZdsMi7SqUZOp6UkSE10G7TyzSwgfe/jB4w6ZPeJChSGrGq93h7YBK5ZxdjX+8lyBtqquRWWlA9JDw+2CaMOFgrO5QpyI60s9s0l/F68zDnfs3aJEZnMU9SvjMpI0koCORf5T4hOjpxhxqxs2KGGVVNB4//VkL7H92X8mQWi+T/tNbIr7nnTMEfvaNrGHXsC2r+YlwocG80N/niu2Tdq1XFfpm9BQI+v9ruKm+uNb8yQ7T/UMRAyRQJVS
pDSX8Y0vR7aqgCROXXoHtaQr3iJA8qfMs1bi0+qxsPcsNyaDq8LlyBZuBLhc+beKt6rIbnU0fQKbFjypvl3BZjA0Lo8tT60gv84Qog0QL86P2cel1wOmWOwegOIDzCZahxjBSiJKU9acVDmJLKxn8rceJas2zlMDcS1GaHtR/xnm15Icb/i2OU7wS7QnqwqnvAXLxx2BQtOe566Yzrb+OguLLo0MzGT59yt4/3jw8bYH113G5PoXc1gccW01F5Y3suOqCd+qmGjOk9Cb6XyD4YAstuFhWb7Qx+6aKjFZrKSMxKhfH40p35/aPrmLHNWx6ZJk+/XGEU1RZi9fCxQKLNQVN132M9S13dOpR4R+vj6+tZaze2BIrnEFw6816ovijoPSGsPGJluQ1ujA0YYXaRSc4WH1GwlXIQFZH/l0+/LHN2KZz7D43a79gf7P0FCRkhz8ibEK5CToWP6iHu4Mh37v6KnnQ+cwHjLNHFuKdRjqx+6uvI/m47wRJXVhUweRRn+TZUDEEa6uulWj6T36rwDWq3MWnzIAny1Uvr3DuJTDaesSYqkEmZE0NYy96aM3lJGqGnTGzmaqwQD92PVARDSf5j6xqhqxWkL016KwikTzIzm7q4n017lKpJf1a3htWtWKrnU767nDyDq9Mvd3xBoiYBzFfFd4GuefpQ4Jm6IMrTrv1I+L8c06WhxL9cbnre5tWcH3gJkUZOWhn3swBWvTTneD6wO0h63y9OEDAcMOaR97c9y7ifXDR6E8ydDlksuDc4x2RxrPjtvREUDly2xZH/n+roPDakcnkjfFz7SpYYDdbsHdhiAu5Zt68xiNUosuLJcRW0KyUi
            </xenc:CipherValue>
        </xenc:CipherData>
    </xenc:EncryptedData>
    <wsu:Timestamp wsu:Id="TS-B9E9615202664FEC1B14006659901631">
        <wsu:Created>2014-05-21T09:53:10.162Z</wsu:Created>
        <wsu:Expires>2014-05-21T09:58:10.162Z</wsu:Expires>
    </wsu:Timestamp>
</wsse:Security>
</soap:Header>
<soap:Body
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    wsu:Id="id-B9E9615202664FEC1B14006659901845">
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
        Id="ED-B9E9615202664FEC1B14006659903459" Type="http://www.w3.org/2001/04/xmlenc#Content">
        <xenc:EncryptionMethod
            Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <wsse:SecurityTokenReference
                xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
                wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
                <wsse:Reference URI="#EK-B9E9615202664FEC1B14006659902977" />
            </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData>
            OMITTED
        </xenc:CipherData>
    </xenc:EncryptedData>
</soap:Body>
</soap:Envelope>

I would be very grateful if someone could write the SecurityPolicy for this configuration for me, or suggest good, comprehensive documentation on WS-Security and WS-SecurityPolicy that would help me write the file myself.

Thanks!

1 Answer:

Answer 0 (score: 3)

There are two approaches to developing web services, wsdl-first and java-first. For Java-based endpoint development, Apache CXF ships with the org.apache.cxf.annotations.Policy and org.apache.cxf.annotations.Policies annotations, which attach policy fragments to the WSDL generated at deployment time.

Here is an example of a code-first endpoint including the @Policy annotation:

import javax.jws.WebService;
import org.apache.cxf.annotations.Policy;

@WebService(portName = "MyServicePort",
            serviceName = "MyService",
            name = "MyServiceIface",
            targetNamespace = "http://www.test.com/example/foo")
@Policy(placement = Policy.Placement.BINDING, uri = "JavaFirstPolicy.xml")
public class MyServiceImpl {
   public String sayHello() {
      return "Hello World!";
   }
}

The referenced descriptor is added to the deployment and contains the policy to be attached; the attachment point in the contract is defined through the placement attribute. Here is an example descriptor:

<?xml version="1.0" encoding="UTF-8" ?>
<wsp:Policy wsu:Id="MyPolicy" xmlns:wsp="http://www.w3.org/ns/ws-policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:SupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                        <wsp:Policy>
                            <sp:WssUsernameToken10/>
                        </wsp:Policy>
                    </sp:UsernameToken>
                </wsp:Policy>
            </sp:SupportingTokens>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>

You can also refer to http://cxf.apache.org/docs/annotations.html for more information on the @Policy annotation.