我已经获得签名验证,可用于Spring WS和WSS4J的Spring Boot应用程序。根据准则,我们要限制(在接收方)允许的签名算法。默认情况下,WSS4J似乎允许任何算法。
我必须配置以下bean:
@Bean
public CryptoFactoryBean getCryptoFactoryBean() throws IOException {
CryptoFactoryBean cryptoFactoryBean = new CryptoFactoryBean();
cryptoFactoryBean.setKeyStorePassword(new String(keystorePassword));
cryptoFactoryBean.setKeyStoreLocation(new ClassPathResource(keystoreLocation));
// These properties don't seem to do anything to enforce the algoritm :s
Properties props = new Properties();
props.put(WSHandlerConstants.SIG_ALGO, "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
props.put(WSHandlerConstants.SIG_DIGEST_ALGO, "http://www.w3.org/2001/04/xmlenc#sha256");
cryptoFactoryBean.setConfiguration(props);
return cryptoFactoryBean;
}
拦截器:
@Bean
public Wss4jSecurityInterceptor securityInterceptor() throws Exception {
Wss4jSecurityInterceptor securityInterceptor = new Wss4jSecurityInterceptor();
securityInterceptor.setValidationActions("Signature");
securityInterceptor.setValidationSignatureCrypto(getCryptoFactoryBean().getObject());
return securityInterceptor;
}
我在做什么错? 我只允许列出的算法,并且签名验证应该在其他任何算法上都失败(例如sha1)。 我可以编写一个自定义验证,但我希望框架能够对此进行检查。