Axis2 + Rampart WebService签名和加密

时间:2011-06-15 10:58:08

标签: web-services axis2 ws-security policy

我在一个Web服务和他的客户端之间存在安全性问题。 我使用Axis2和Rampart构建自下而上的webservice,而不是从生成的wsdl创建客户端。 我告诉你我的代码和具体问题。

Client.java

package de.security.tutorial;

import java.io.InputStream;
import java.rmi.RemoteException;

import javax.xml.stream.XMLStreamException;
import org.apache.axiom.om.impl.builder.StAXOMBuilder;
import org.apache.axis2.client.Options;
import org.apache.axis2.client.ServiceClient;
import org.apache.axis2.context.ConfigurationContext;
import org.apache.axis2.context.ConfigurationContextFactory;
import org.apache.neethi.Policy;
import org.apache.neethi.PolicyEngine;
import org.apache.rampart.RampartMessageData;

import de.security.tutorial.ServerStub.GetWelcomeResponse;

public class Client {

    /**
     * Load policy file from classpath.
     */
    private static Policy loadPolicy(String name) throws XMLStreamException {
        ClassLoader loader = new ClassLoader() {};
        InputStream resource = loader.getResourceAsStream(name);
        StAXOMBuilder builder = new StAXOMBuilder(resource);
        return PolicyEngine.getPolicy(builder.getDocumentElement());
    }

    public static void main(String[] arg) throws RemoteException{
        String url = "http://localhost:8080/axis2/services/Server";
        try {
            // get Modulrepository
            ConfigurationContext ctx = ConfigurationContextFactory.createConfigurationContextFromFileSystem("WebContent/WEB-INF/", null);

            // create new Stub
            ServerStub stub = new ServerStub(ctx, url);

            // configure and engage Rampart
            ServiceClient client = stub._getServiceClient();
            Options options = client.getOptions();

            Policy policy = loadPolicy("policy.xml");
//          client.getAxisService().getPolicySubject().attachPolicy(policy);
            options.setProperty(RampartMessageData.KEY_RAMPART_POLICY, policy);
            options.setUserName("libuser");
            options.setPassword("books");

            client.setOptions( options );           
            client.engageModule( "addressing" );        
            client.engageModule( "rampart" );
            stub._setServiceClient( client );

            // send request
            GetWelcomeResponse response = stub.getWelcome();

            // print response to console
            if(response.local_returnTracker){
                String string = response.get_return();
                System.out.println(string);
            }

        } catch(Exception e) {
            System.out.println("Exception: " + e.getMessage());
        }

    }

}

PasswordCallbackHandler.java

package de.security.tutorial;

import org.apache.ws.security.WSPasswordCallback;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;

import java.io.IOException;

/**
 * Simple password callback handler. This just checks if the password for the private key
 * is being requested, and if so sets that value.
 */
public class PWCBHandler implements CallbackHandler
{
    public void handle(Callback[] callbacks) throws IOException {
        for (int i = 0; i < callbacks.length; i++) {
            WSPasswordCallback pwcb = (WSPasswordCallback)callbacks[i];
            String id = pwcb.getIdentifer();
            int usage = pwcb.getUsage();
            if (usage == WSPasswordCallback.DECRYPT || usage == WSPasswordCallback.SIGNATURE) {

                // used to retrieve password for private key
                if ("clientkey".equals(id)) {
                    pwcb.setPassword("clientpass");
                }

            }
        }
    }
}

的policy.xml

<?xml version="1.0" encoding="UTF-8"?>

<wsp:Policy wsu:Id="SigEncr"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:AsymmetricBinding
                xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:InitiatorToken>
                        <wsp:Policy>
                            <sp:X509Token
                                sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                                <wsp:Policy>
                                    <sp:RequireThumbprintReference />
                                    <sp:WssX509V1Token10 />
                                </wsp:Policy>
                            </sp:X509Token>
                        </wsp:Policy>
                    </sp:InitiatorToken>
                    <sp:RecipientToken>
                        <wsp:Policy>
                            <sp:X509Token
                                sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                                <wsp:Policy>
                                    <sp:RequireThumbprintReference />
                                    <sp:WssX509V3Token10 />
                                </wsp:Policy>
                            </sp:X509Token>
                        </wsp:Policy>
                    </sp:RecipientToken>
                    <sp:AlgorithmSuite>
                        <wsp:Policy>
                            <sp:TripleDesRsa15 />
                        </wsp:Policy>
                    </sp:AlgorithmSuite>
                    <sp:Layout>
                        <wsp:Policy>
                            <sp:Strict />
                        </wsp:Policy>
                    </sp:Layout>
                    <sp:IncludeTimestamp />
                    <sp:OnlySignEntireHeadersAndBody />
                </wsp:Policy>
            </sp:AsymmetricBinding>
            <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:MustSupportRefKeyIdentifier />
                    <sp:MustSupportRefIssuerSerial />
                </wsp:Policy>
            </sp:Wss10>
            <sp:SignedParts
                xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <sp:Body />
            </sp:SignedParts>
            <sp:EncryptedParts
                xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <sp:Body />
            </sp:EncryptedParts>
            <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
                <ramp:user>clientkey</ramp:user>
                <ramp:encryptionUser>serverkey</ramp:encryptionUser>
                <ramp:passwordCallbackClass>de.security.tutorial.PWCBHandler
                </ramp:passwordCallbackClass>
                <ramp:signatureCypto>
                    <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
                        <ramp:property
                            name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
                        <ramp:property name="org.apache.ws.security.crypto.merlin.file">D:/keystore/client.keystore
                        </ramp:property>
                        <ramp:property
                            name="org.apache.ws.security.crypto.merlin.keystore.password">nosecret</ramp:property>
                    </ramp:crypto>
                </ramp:signatureCypto>

                <ramp:encryptionCypto>
                    <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
                        <ramp:property
                            name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
                        <ramp:property name="org.apache.ws.security.crypto.merlin.file">D:/keystore/client.keystore
                        </ramp:property>
                        <ramp:property
                            name="org.apache.ws.security.crypto.merlin.keystore.password">nosecret</ramp:property>
                    </ramp:crypto>
                </ramp:encryptionCypto>

            </ramp:RampartConfig>

        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>

行。我有一个名为“Server”的WebService,其中一个函数“getWelcome”返回了一个简单的String。 Importent只是安全性。

问题: 如果我执行我的客户端,他返回一个NullPointerException并且他没有与该服务连接。这一行引发了异常:

GetWelcomeResponse response = stub.getWelcome();

但是如果我禁用了垒模块,那么我得到了与服务的连接,但是他错过了安全标头。问题是这一行:

client.engageModule( "rampart" );

有人能帮助我吗?

1 个答案:

答案 0 :(得分:0)

从下面的代码我会说你需要包括注释掉的行并注释掉下面的其他5行。

//      client.getAxisService().getPolicySubject().attachPolicy(policy);
        options.setProperty(RampartMessageData.KEY_RAMPART_POLICY, policy);
        options.setUserName("libuser");
        options.setPassword("books");

        client.setOptions( options );           
        client.engageModule( "addressing" );