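I am new to WSO2 ESB 5.0.0, but I have been working with WSO2 ESB 4.7.0 for the past few years. Does anyone know how to secure an Axis2 web service on WSO2 ESB 5.0.0?
In the documentation (https://docs.wso2.com/display/ESB500/WSO2+Enterprise+Service+Bus+Documentation) I found only a description of how to secure proxy services, and it works for proxies.
The problem is that in the web console of WSO2 ESB 5.0.0 there is no option for securing services. When I deploy a CAR archive with an Axis2 web service, or deploy an AAR archive on WSO2 ESB 5.0.0, the Axis2 service is deployed as unsecured.
In version 4.7.0 I could secure an Axis2 web service from the web console; in 5.0.0 I cannot do that.
For proxy services in 5.0.0, securing them is very simple:
- create a policy in the registry
- add two lines to the proxy definition, like: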
List
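For an Axis2 web service, how would this work by adding such lines to the services.xml descriptor of the Axis2 service? Any suggestions?
Thanks, Jakub

Answer 0 (score: 1)
As you have noticed, ESB 5.0.0 does not support applying service security through the management console. However, you can enable security on an Axis2 service by following the steps below.
1. Add the configuration inside the <service> tag. (You can use WSO2 Developer Studio to generate the policy configuration. Follow the steps in doc [1], then go to the source view to get the policy configuration.)
2. Add the rampart configuration inside the <service> tag.
<module ref="rampart"/>
I have attached a sample services.xml for your reference.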
<?xml version="1.0" encoding="UTF-8"?>
<!--
  ~ Copyright 2005-2011 WSO2, Inc. (http://wso2.com)
  ~
  ~ Licensed under the Apache License, Version 2.0 (the "License");
  ~ you may not use this file except in compliance with the License.
  ~ You may obtain a copy of the License at
  ~
  ~ http://www.apache.org/licenses/LICENSE-2.0
  ~
  ~ Unless required by applicable law or agreed to in writing, software
  ~ distributed under the License is distributed on an "AS IS" BASIS,
  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  ~ See the License for the specific language governing permissions and
  ~ limitations under the License.
  -->
<service name="echo">
    <schema elementFormDefaultQualified="false" />
    <description>This service echos the input provided to it.</description>
    <transports>
        <transport>https</transport>
        <transport>http</transport>
    </transports>
    <parameter name="ServiceClass" locked="true">org.wso2.carbon.core.services.echo.Echo</parameter>
    <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UTOverTransport">
        <wsp:ExactlyOne>
            <wsp:All>
                <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                    <wsp:Policy>
                        <sp:TransportToken>
                            <wsp:Policy>
                                <sp:HttpsToken RequireClientCertificate="false" />
                            </wsp:Policy>
                        </sp:TransportToken>
                        <sp:AlgorithmSuite>
                            <wsp:Policy>
                                <sp:Basic256 />
                            </wsp:Policy>
                        </sp:AlgorithmSuite>
                        <sp:Layout>
                            <wsp:Policy>
                                <sp:Lax />
                            </wsp:Policy>
                        </sp:Layout>
                        <sp:IncludeTimestamp />
                    </wsp:Policy>
                </sp:TransportBinding>
                <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                    <wsp:Policy>
                        <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient" />
                    </wsp:Policy>
                </sp:SignedSupportingTokens>
            </wsp:All>
        </wsp:ExactlyOne>
        <rampart:RampartConfig xmlns:rampart="http://ws.apache.org/rampart/policy">
            <rampart:user>wso2carbon</rampart:user>
            <rampart:encryptionUser>useReqSigCert</rampart:encryptionUser>
            <rampart:timestampPrecisionInMilliseconds>true</rampart:timestampPrecisionInMilliseconds>
            <rampart:timestampTTL>300</rampart:timestampTTL>
            <rampart:timestampMaxSkew>300</rampart:timestampMaxSkew>
            <rampart:timestampStrict>false</rampart:timestampStrict>
            <rampart:tokenStoreClass>org.wso2.carbon.security.util.SecurityTokenStore</rampart:tokenStoreClass>
            <rampart:nonceLifeTime>300</rampart:nonceLifeTime>
        </rampart:RampartConfig>
        <sec:CarbonSecConfig xmlns:sec="http://www.wso2.org/products/carbon/security">
            <sec:Authorization>
                <sec:property name="org.wso2.carbon.security.allowedroles">admin</sec:property>
            </sec:Authorization>
        </sec:CarbonSecConfig>
    </wsp:Policy>
    <module ref="rampart"/>
</service>
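
A pre-deployment check for the two steps in the answer above, as an added example that is not part of the original answer or of WSO2's tooling: it parses a services.xml and reports, for each service, whether the policy and the rampart module are present inside the service element, which transports are exposed and which roles the policy allows. The function name audit, the sample XML and the comma-separated role list are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

WSP = "{http://schemas.xmlsoap.org/ws/2004/09/policy}"
SP = "{http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}"
SEC = "{http://www.wso2.org/products/carbon/security}"
ROLES = "org.wso2.carbon.security.allowedroles"

# Constructed sample (not from the answer): one bare service, one secured.
SAMPLE = """<serviceGroup>
  <service name="bare">
    <transports><transport>http</transport></transports>
  </service>
  <service name="echo">
    <transports><transport>https</transport></transports>
    <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
                xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
                xmlns:sec="http://www.wso2.org/products/carbon/security">
      <sp:HttpsToken RequireClientCertificate="false"/>
      <sp:UsernameToken/>
      <sec:property name="org.wso2.carbon.security.allowedroles">admin</sec:property>
    </wsp:Policy>
    <module ref="rampart"/>
  </service>
</serviceGroup>"""

def audit(xml_text):
    """Return one report per <service> found in a services.xml document."""
    reports = []
    for svc in ET.fromstring(xml_text).iter("service"):
        policy = svc.find(WSP + "Policy")  # policy placed directly in <service>
        rampart = any(m.get("ref") == "rampart" for m in svc.findall("module"))
        roles = []
        for prop in (policy.iter(SEC + "property") if policy is not None else []):
            if prop.get("name") == ROLES:
                # Assumption: several roles are written as a comma-separated list.
                roles += [r.strip() for r in (prop.text or "").split(",") if r.strip()]
        reports.append({
            "service": svc.get("name"),
            "transports": [t.text.strip() for t in svc.findall("transports/transport") if t.text],
            "https_token": policy is not None and policy.find(".//" + SP + "HttpsToken") is not None,
            "username_token": policy is not None and policy.find(".//" + SP + "UsernameToken") is not None,
            "allowed_roles": roles,
            # The two items the answer says must sit inside <service>.
            "missing": [name for name, ok in (("wsp:Policy", policy is not None),
                                              ("rampart module", rampart)) if not ok],
        })
    return reports

if __name__ == "__main__":
    for report in audit(SAMPLE):
        print(report)
```

A service whose report has a non-empty missing list would be deployed without the security configuration the answer describes.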