Question

我编写了一个迄今为止运行良好的ws-security服务。我只有一个问题。我的服务只能是来自单个客户端的用户...这是因为我需要将service-config.xml命名为我希望加密的外发邮件的显式用户。我的服务bean看起来像这样

    <bean id="TimestampSignEncrypt_Request" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
        <constructor-arg>
            <map>
                <!-- Use this action order for local clients -->
                <entry key="action" value="Timestamp Signature Encrypt"/>
                <!-- Use this action spec for WCF clients
               <entry key="action" value="Signature Encrypt Timestamp"/>
               -->
                <entry key="signaturePropFile"
                      value="de/narz/apacheCXFTest/helloWorld/keyManagement/config/alice.properties"/>
                <entry key="decryptionPropFile"
                      value="de/narz/apacheCXFTest/helloWorld/keyManagement/config/bob.properties"/>
                <entry key="passwordCallbackClass"
                      value="de.narz.apacheCXFTest.helloWorld.passwordHandling.PasswordCallbackHandler"/>
            </map>
        </constructor-arg>
    </bean>
    <!--
        WSS4JOutInterceptor for encoding and signing the SOAP response.
        There are some attacks that exploit the "cbc" mode of a Symmetric Encryption Algorithm. WSS4J has support for
         "gcm" mode algorithms as well. This can be specified via WSHandlerConstants.ENC_SYM_ALGO
         ("encryptionSymAlgorithm"), for example to "http://www.w3.org/2009/xmlenc11#aes128-gcm".
   -->
    <bean id="TimestampSignEncrypt_Response" class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
        <constructor-arg>
            <map>
                <entry key="action" value="Timestamp Signature Encrypt"/>
                <entry key="user" value="bob"/>
                <entry key="signaturePropFile"
                      value="de/narz/apacheCXFTest/helloWorld/keyManagement/config/bob.properties"/>
                <entry key="encryptionPropFile"
                      value="de/narz/apacheCXFTest/helloWorld/keyManagement/config/alice.properties"/>
                <entry key="signatureKeyIdentifier" value="DirectReference"/>
                <entry key="encryptionUser" value="Alice"/>
                <entry key="passwordCallbackClass"
                      value="de.narz.apacheCXFTest.helloWorld.passwordHandling.PasswordCallbackHandler"/>
                <entry key="signatureParts"
                      value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
                <entry key="encryptionParts"
                      value="{Element}{http://www.w3.org/2000/09/xmldsig#}Signature;{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
                <entry key="encryptionSymAlgorithm"
                      value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
            </map>
        </constructor-arg>
    </bean>

我该怎么做才能强制服务自行确定客户端？像这样，我的alice-client是唯一能够与服务器通信的客户端。我想在我的密钥库中存储几个客户端密钥，服务应自行确定使用哪个密钥。

如果有人可以帮助我，那会很棒。 THX

Answer 1

而不是指定＆＃34; encryptionUser＆＃34; ＆＃34;爱丽丝＆＃34;在您的服务中，您可以改为指定＆＃34; encryptionUser＆＃34; ＆＃34; useReqSigCert＆＃34;。这是一个特殊值，告诉CXF / WSS4J使用客户端签名证书进行加密。

科尔姆。

apache cxf - 如何在密钥库中解析客户端证书

1 个答案: