Implementing a web service provider + STS

Time: 2016-02-10 09:28:54

Tags: java web-services cxf jax-ws

I have to integrate two systems:

  • An application written in DELPHI. This application acts as the web service client (WSC)
  • A second system that acts as the web service provider (WSP)

The whole communication must comply with the ws-policy assertions:

<wsp:Policy wsu:Id="WSHttpBinding_policy">
    <wsp:ExactlyOne>
        <wsp:All>
                <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                        <wsp:Policy>
                                <sp:TransportToken>
                                        <wsp:Policy>
                                                <sp:HttpsToken RequireClientCertificate="false"/>
                                        </wsp:Policy>
                                </sp:TransportToken>
                                <sp:AlgorithmSuite>
                                        <wsp:Policy>
                                                <sp:Basic256/>
                                        </wsp:Policy>
                                </sp:AlgorithmSuite>
                                <sp:Layout>
                                        <wsp:Policy>
                                                <sp:Strict/>
                                        </wsp:Policy>
                                </sp:Layout>
                                <sp:IncludeTimestamp/>
                        </wsp:Policy>
                </sp:TransportBinding>
                <sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                        <wsp:Policy>
                                <sp:SecureConversationToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                                        <wsp:Policy>
                                                <sp:BootstrapPolicy>
                                                        <wsp:Policy>
                                                                <sp:SignedParts>
                                                                        <sp:Body/>
                                                                        <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
                                                                        <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
                                                                        <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>
                                                                        <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>
                                                                        <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
                                                                        <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
                                                                        <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
                                                                </sp:SignedParts>
                                                                <sp:EncryptedParts>
                                                                        <sp:Body/>
                                                                </sp:EncryptedParts>
                                                                <sp:TransportBinding>
                                                                        <wsp:Policy>
                                                                                <sp:TransportToken>
                                                                                        <wsp:Policy>
                                                                                                <sp:HttpsToken RequireClientCertificate="false"/>
                                                                                        </wsp:Policy>
                                                                                </sp:TransportToken>
                                                                                <sp:AlgorithmSuite>
                                                                                        <wsp:Policy>
                                                                                                <sp:Basic256/>
                                                                                        </wsp:Policy>
                                                                                </sp:AlgorithmSuite>
                                                                                <sp:Layout>
                                                                                        <wsp:Policy>
                                                                                                <sp:Strict/>
                                                                                        </wsp:Policy>
                                                                                </sp:Layout>
                                                                                <sp:IncludeTimestamp/>
                                                                        </wsp:Policy>
                                                                </sp:TransportBinding>
                                                                <sp:SignedSupportingTokens>
                                                                        <wsp:Policy>
                                                                                <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                                                                                        <wsp:Policy>
                                                                                                <sp:WssUsernameToken10/>
                                                                                        </wsp:Policy>
                                                                                </sp:UsernameToken>
                                                                        </wsp:Policy>
                                                                </sp:SignedSupportingTokens>
                                                                <sp:Wss11>
                                                                        <wsp:Policy/>
                                                                </sp:Wss11>
                                                                <sp:Trust10>
                                                                        <wsp:Policy>
                                                                                <sp:MustSupportIssuedTokens/>
                                                                                <sp:RequireClientEntropy/>
                                                                                <sp:RequireServerEntropy/>
                                                                        </wsp:Policy>
                                                                </sp:Trust10>
                                                        </wsp:Policy>
                                                </sp:BootstrapPolicy>
                                        </wsp:Policy>
                                </sp:SecureConversationToken>
                        </wsp:Policy>
                </sp:EndorsingSupportingTokens>
                <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                        <wsp:Policy/>
                </sp:Wss11>
                <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                        <wsp:Policy>
                                <sp:MustSupportIssuedTokens/>
                                <sp:RequireClientEntropy/>
                                <sp:RequireServerEntropy/>
                        </wsp:Policy>
                </sp:Trust10>
                <wsaw:UsingAddressing/>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>

My task is to implement the WSP in Java (preferably with Apache CXF). Analysing the ws-policy:

  • communication should use a secure connection (HttpsToken)
  • some kind of "token" is required (possibly a Security Token Service (STS) token)

It seems I need to use the WS-TRUST specification, and besides the real WSP I also need to create an STS.

In the DELPHI application I can only specify one URL for the web service. How do I implement a web service that:

  • generates the STS token
  • runs the real WSP operations.

2 answers:

Answer 0 (score: 0)

I created the WSP project using Spring, CXF and a Jetty server:

<cxf:bus>
    <cxf:features>
        <cxf:logging/>
        <policy:policies />
    </cxf:features>
</cxf:bus>

<httpj:engine-factory id="tls-settings" bus="cxf">
    <httpj:engine port="8282">
        <httpj:tlsServerParameters>
            <sec:keyManagers keyPassword="s3cret">
                <sec:keyStore resource="keystore.jks" password="test" type="JKS"/>
            </sec:keyManagers>
            <sec:trustManagers>
                <sec:keyStore resource="keystore.jks" password="test" type="JKS"/>
            </sec:trustManagers>
            <sec:clientAuthentication want="false" required="false"/>
        </httpj:tlsServerParameters>
    </httpj:engine>
</httpj:engine-factory>

<bean id="serverCallbackHandler" class="pl.ws.ServerCallbackHandler"/>

<jaxws:endpoint id="serviceEndpoint"
                address="https://localhost:8282/ws/Service"
                implementor="pl.ws.IServiceImpl"
                wsdlLocation="WEB-INF/Service.wsdl"
                endpointName="s:WSHttpBinding_IService"
                serviceName="s:Service"
                xmlns:s="https://ws.pl/"
                depends-on="tls-settings">
    <jaxws:properties>
        <entry key="ws-security.signature.properties.sct" value="keystore.properties"/>
        <entry key="ws-security.signature.username.sct" value="test"/>
        <entry key="ws-security.encryption.username.sct" value="test"/>
        <entry key="ws-security.callback-handler.sct" value-ref="serverCallbackHandler"/>
    </jaxws:properties>
    <jaxws:binding>
        <soap:soapBinding version="1.2" mtomEnabled="true" />
    </jaxws:binding>
    <jaxws:features>
        <wsa:addressing />
    </jaxws:features>
</jaxws:endpoint>

When I call the WSP from the client application written in DELPHI, it sends the following request:

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://www.w3.org/2003/05/soap-envelope"
                    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                    xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                    xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc"
                    xmlns:d="http://www.w3.org/2000/09/xmldsig#"
                    xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
    <SOAP-ENV:Header>
        <a:MessageID>urn:uuid:413cf8e3-22eb-4ffe-aeff-1425cf08a597</a:MessageID>
        <a:ReplyTo>
            <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
        </a:ReplyTo>
        <a:To SOAP-ENV:mustUnderstand="1">https://localhost:8282/ws/Service?wsdl</a:To>
        <a:Action SOAP-ENV:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT</a:Action>
        <o:Security SOAP-ENV:mustUnderstand="1">
            <u:Timestamp u:Id="_0">
                <u:Created>2016-02-10T14:11:00.090Z</u:Created>
                <u:Expires>2016-02-11T14:11:00.090Z</u:Expires>
            </u:Timestamp>
            <o:UsernameToken u:Id="uuid-739d91bf-7f86-40f1-a581-8a67a8dcfcda-1">
                <o:Username>test</o:Username>
                <o:Password
                        Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">
                    s3cret
                </o:Password>
            </o:UsernameToken>
        </o:Security>
    </SOAP-ENV:Header>
    <SOAP-ENV:Body>
        <t:RequestSecurityToken>
            <t:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct</t:TokenType>
            <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
            <t:Entropy>
                <t:BinarySecret u:Id="uuid-4c1bb6cc-a1bb-456c-8c8e-bfe3cc185c44-1"
                                Type="http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce">
                    rkUVjF6Wz2P9K15+KVGIo+kI8CACD9/bNAhcBH5Dm4F=
                </t:BinarySecret>
            </t:Entropy>
            <t:KeySize>256</t:KeySize>
        </t:RequestSecurityToken>
    </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

My WSP application replies:

09:25:07.399 [qtp748720198-33] ERROR o.a.c.w.p.PolicyVerificationInInterceptor - Inbound policy verification failed: These policy alternatives can not be satisfied: 
{http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}HttpsToken

Can you help me understand what is wrong?

Answer 1 (score: 0)

You don't actually need an STS for this web service - there is no IssuedToken policy in the WSDL, just a UsernameToken for the SecureConversation bootstrap. The error looks like the one you get when a message is received over plain http rather than https. Try switching the logging to DEBUG/FINE and look for the error message there.
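As an added example (not code from the question or either answer), a small Python check that extracts what a WS-SecurityPolicy demands of the provider, so the "do I need an STS" analysis in the question and the "no IssuedToken policy" observation in answer 1 can be answered mechanically. The policy is a constructed, condensed copy of the one in the question, and the wsp namespace URI is an assumption because the page's snippet does not declare it.

```python
import xml.etree.ElementTree as ET

SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
# The page's policy omits the wsp declaration; the WS-Policy 2004/09 namespace is assumed here.
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"

# Constructed, condensed copy of the policy in the question (one alternative, same assertions).
POLICY_XML = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
 <wsp:ExactlyOne><wsp:All>
  <sp:TransportBinding><wsp:Policy>
   <sp:TransportToken><wsp:Policy><sp:HttpsToken RequireClientCertificate="false"/></wsp:Policy></sp:TransportToken>
   <sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>
   <sp:IncludeTimestamp/>
  </wsp:Policy></sp:TransportBinding>
  <sp:EndorsingSupportingTokens><wsp:Policy>
   <sp:SecureConversationToken><wsp:Policy><sp:BootstrapPolicy><wsp:Policy>
    <sp:SignedSupportingTokens><wsp:Policy>
     <sp:UsernameToken><wsp:Policy><sp:WssUsernameToken10/></wsp:Policy></sp:UsernameToken>
    </wsp:Policy></sp:SignedSupportingTokens>
   </wsp:Policy></sp:BootstrapPolicy></wsp:Policy></sp:SecureConversationToken>
  </wsp:Policy></sp:EndorsingSupportingTokens>
 </wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""

def analyze_policy(xml_text):
    """Return what the policy demands of a provider: transport, client cert, STS, bootstrap tokens."""
    root = ET.fromstring(xml_text)
    def sp(local):  # Clark-notation tag name in the securitypolicy namespace
        return f"{{{SP}}}{local}"
    https = root.find(f".//{sp('HttpsToken')}")
    # An external STS is only implied by an IssuedToken assertion; a SecureConversationToken is
    # bootstrapped by the provider itself from the tokens listed inside BootstrapPolicy.
    result = {
        "transport": "https" if https is not None else "unspecified",
        "client_cert_required": https is not None and https.get("RequireClientCertificate") == "true",
        "needs_sts": root.find(f".//{sp('IssuedToken')}") is not None,
        "secure_conversation": root.find(f".//{sp('SecureConversationToken')}") is not None,
        "bootstrap_tokens": [],
    }
    boot = root.find(f".//{sp('BootstrapPolicy')}")
    if boot is not None:
        result["bootstrap_tokens"] = sorted(
            {el.tag.split("}")[1] for el in boot.iter()
             if el.tag.startswith("{" + SP + "}") and el.tag.endswith("Token")})
    return result

if __name__ == "__main__":
    for key, value in analyze_policy(POLICY_XML).items():
        print(f"{key}: {value}")
```

Run against the full policy from the question (with the namespace declarations added), the same function reports the transport-level HttpsToken and the bootstrap UsernameToken and no IssuedToken, which is the basis for the "no STS needed" conclusion.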