Providing message-level web security for a JAX-WS web service

Date: 2015-02-13 17:22:32

Tags: web-services soap websphere jax-ws ws-security

I want to provide message-level security for a JAX-WS web service. We have already installed certificates, so transport-level security is already in place. Now we want to provide message-level security. We send the username and password in the SOAP header because the web service will be used by different users. Based on the username and password, we need to provide the relevant details for that user.

We are using IBM WebSphere and RAD for development. Can someone suggest the simplest way to provide message-level security with minimal configuration?

2 answers:

Answer 0 (score: 0)

So this is the post the reviewers thought would be better. Maybe it is, maybe it isn't:

Here are the correct steps to configure a UsernameToken for a JAX-WS application in WebSphere.

Since you are using RAD and applying the policies/bindings in the administrative console, make sure "use resources within the workspace" is not turned on in your RAD server configuration. If it is, turn it off and then reinstall (not just redeploy) your app.

http://www-01.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.base.doc/ae/twbs_stand_alone_security_token.html

Configuring a policy set and bindings for a standalone security token (UsernameToken or LTPA token)

You can secure web services by configuring a message-level WS-Security policy set and bindings for a standalone security token, which is either a Lightweight Third-Party Authentication (LTPA) token or a Username token.

Before you begin

This task assumes that the service provider and client you are configuring are in the JaxWSServicesSamples application. See the documentation about accessing the samples to learn how to obtain and install this application. Specify the following trace specification on the server so that any configuration problems that occur later can be debugged:

    *=info:com.ibm.wsspi.wssecurity.*=all:com.ibm.ws.webservices.wssecurity.*=all:com.ibm.ws.wssecurity.*=all:com.ibm.xml.soapsec.*=all:com.ibm.ws.webservices.trace.*=all:com.ibm.ws.websvcs.trace.*=all:com.ibm.ws.wssecurity.platform.audit.*=off

If you are using an LTPA token, you must enable application security on the application servers used for the client and the service.

About this task

This topic describes how to configure a WS-Security policy set and provider bindings for a Username token or an LTPA token. For simplicity, the procedure shows how to remove the timestamp, digital signature, and encryption attributes from the policy; however, you will probably want to include these attributes in your final configuration. For details, see the documentation about configuring policy sets and bindings for asymmetric XML digital signature or XML encryption with client and provider application-specific bindings.

In this task, the default provider general bindings are used for the provider application to consume the token. If a caller configuration is required, an application-specific binding is added for the provider.

Procedure

Create the custom policy set.
    In the administrative console, click Services > Policy sets > Application Policy sets.
    Click New.
    Specify Name = OneTokenPolicy.
    Click Apply.
    Under Policies, click Add > WS-Security.
Edit the custom policy set
    Remove digital signature, encryption, and timestamp.
        In the administrative console, click WS-Security > Main Policy.
        Deselect Message level protection.
        Click Apply.
    Add the UsernameToken or LTPA token.
        Under Policy details, click Request token policies.
        Select Add Token Type.
        If you want to use a UsernameToken, select UserName. If you want to use an LTPA token, select LTPA.

        Token name=myToken.
        Click OK.
Configure the client to use the OneTokenPolicy policy set.
    In the administrative console, click Applications > Application types > WebSphere enterprise applications > JaxWSServicesSamples > Service client policy sets and bindings.
    Select the web services client resource.
    Click Attach Policy Set.
    Select OneTokenPolicy.
Create a custom binding for the client.
    Select the web services resource again.
    Click Assign Binding.
    Click New Application Specific Binding to create an application-specific binding.
    Specify the bindings configuration name: oneTokenClientBinding
    Click Add > WS-Security.
    If the Main Message Security Policy Bindings panel does not display, select WS-Security.
Edit the custom binding for the client.
    Edit the identity token generator to send the identity username.
        Click request:myToken.
        Click Apply.
        Click Callback handler. User name=(yourUserid) Password=(yourPassword)
    Avoid trouble: This is a userid/password that is valid in the user registry on the provider's system. If you are using LTPA tokens, the userid/password must be valid in both the consumer and provider registries.
    (Optional) If configuring a UsernameToken, add the following WS-Security custom properties:

    * com.ibm.wsspi.wssecurity.token.username.addNonce=true
    * com.ibm.wsspi.wssecurity.token.username.addTimestamp=true

    These custom properties are added because they are specified on the UsernameToken consumer in the default general bindings. If you do not specify those properties here, you will either need to remove them from the default provider general bindings or create application-specific bindings for the provider that do not include those properties.
    Click OK.
    Click Save.
Configure the provider to use the OneTokenPolicy policy set.
    In the administrative console, click Applications > Application types > WebSphere enterprise applications > JaxWSServicesSamples > Service provider policy sets and bindings
    Select the web services provider resource (OneTokenPolicy)
    Click Attach Policy Set.
    Select OneTokenPolicy
    Note: Since no bindings are attached to the provider application, it will use the default provider general bindings for the token consumers.
(Optional) If you want to create a Caller configuration for the provider, create custom bindings for the provider.
    Select the web services provider resource again.
    Click Assign Binding
    Click New Application Specific Binding to create an application-specific binding.
    Specify the bindings configuration name: oneTokenProvBinding
    Click Add > WS-Security.
    If the Main Message Security Policy Bindings panel does not display, select WS-Security.
(Optional) If a Caller configuration will be created, edit the custom bindings for the provider.
    Click Caller > New. Name: myCaller.
        If using a UsernameToken, enter the following:
            Caller identity local name: [leave blank]
        If using an LTPA token, enter the following:
            Caller identity local name: LTPAv2
            Caller identity local URI: http://www.ibm.com/websphere/appserver/tokentype
    Click OK.
Click Save to save your configuration changes.
Restart the client and the provider.
    Stop the client and the provider
    Restart the client and the provider
Test the Service.
    Point your web browser at the JaxWSServicesSamples: http://localhost:9080/wssamplesei/demo
    Avoid trouble: Make sure you provide the correct hostname and port if your profile is not on the same machine or the port is not 9080.
    Select Message Type Synchronous Echo
    Make sure Use SOAP 1.2 is not selected
    Enter a message and click Send Message. The sample application should reply with JAXWS==>Message.

Results

The JaxWSServicesSamples web services application is configured to generate and consume a UsernameToken or LTPA token in the request message.

Answer 1 (score: -1)

Here are the correct steps to configure a UsernameToken for a JAX-WS application in WebSphere:

http://www-01.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.base.doc/ae/twbs_stand_alone_security_token.html

Since you are using RAD and applying the policies/bindings in the administrative console, make sure you do not have "use resources within the workspace" turned on in your RAD server configuration. If you do, turn it off and then reinstall (not just redeploy) your app.