xfire的webservice保险机制之加密(一)
xfire的webservice安全机制之加密(一)
xfire的webservice安全机制
在原来使用xfire和spring集成的基础上,需要加入下面的这些包
在集成到jboss的时候还出了一个问题,wss4j-1.5.0.jar这个包还死活找不到,不知道是什么原因,后来找了半天
发现jboss4.2这娃在这个路径上有些安全相关的jar吧,拷贝到这里后,jboss运行正常了
D:\tool\jboss-4.2\server\default\deploy\jbossws.sar
其他的包,都仍到WEB-INF/lib下面就可以了
commons-discovery-0.2.jar
bcprov-jdk15-133.jar
wss4j-1.5.0.jar
xalan-2.7.0.jar
先说server端如何配置和加入程序:
1、server端提供出来的webservice先写个接口,可以直接继承自原来的WS接口UserServiceEnc.java:
package com.megaeyes.ipcamera.service.webservice.iface;
public interface UserServiceEnc extends UserService {
}
2、写一个passwordHandler来校验用户名,PasswordHandler.java:
package com.megaeyes.ipcamera.service.webservice.tools;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import org.apache.ws.security.WSPasswordCallback;
public class PasswordHandler implements CallbackHandler {
private final Map passwords = new HashMap();
@SuppressWarnings("unchecked")
public PasswordHandler() {
passwords.put("safedv", "safedv");
passwords.put("tianyi", "tianyi");
}
public void handle(Callback[] callbacks) {
WSPasswordCallback callback = (WSPasswordCallback) callbacks[0];
String id = callback.getIdentifer();
callback.setPassword((String) passwords.get(id));
}
}
3、写一个WSS4JTokenHandler对加密内容的操作的handler,WSS4JTokenHandler.java:
package com.megaeyes.ipcamera.service.webservice.tools;
import java.security.cert.X509Certificate;
import java.util.Vector;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSUsernameTokenPrincipal;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;
import org.codehaus.xfire.MessageContext;
import org.codehaus.xfire.handler.AbstractHandler;
import sun.security.x509.X500Name;
public class WSS4JTokenHandler extends AbstractHandler {
private static final Log log = LogFactory.getLog(WSS4JTokenHandler.class);
public void invoke(MessageContext context) throws Exception {
Vector result = (Vector) context.getProperty(WSHandlerConstants.RECV_RESULTS);
if (result == null) {
log.error("Client does not contain Security Header, need WSSJOutHandler");
return;
}
for (int i = 0; i < result.size(); i++) {
WSHandlerResult res = (WSHandlerResult) result.get(i);
for (int j = 0; j < res.getResults().size(); j++) {
WSSecurityEngineResult secRes = (WSSecurityEngineResult) res.getResults().get(j);
int action = secRes.getAction();
// USER TOKEN
if ((action & WSConstants.UT) > 0) {
WSUsernameTokenPrincipal principal = (WSUsernameTokenPrincipal) secRes
.getPrincipal();
// Set user property to user from UT to allow response encryption
context.setProperty(WSHandlerConstants.ENCRYPTION_USER, principal.getName());
log.info("Client's Username: " + principal.getName() + " Client's Password: "
+ principal.getPassword() + "\n");
}
// SIGNATURE
if ((action & WSConstants.SIGN) > 0) {
@SuppressWarnings("unused")
X509Certificate cert = secRes.getCertificate();
X500Name principal = (X500Name) secRes.getPrincipal();
// Do something whith cert
log.info("Signature for : " + principal.getCommonName());
}
}
}
log.info("WSS4JTokenHandler Done!");
}
}
4、applicationContext-webservice.xml服务端专门配置文件里面加入:
<bean name="userServiceEnc" parent="baseWebService">
<property name="serviceBean" ref="UserServiceImpl" />
<property name="serviceClass"
value="com.megaeyes.ipcamera.service.webservice.iface.UserServiceEnc" />
<property name="inHandlers">
<list>
<ref bean="domInHandler" />
<ref bean="wss4jInHandlerEnc" />
<ref bean="validateUserTokenHandler" />
</list>
</property>
</bean>
<bean id="domInHandler" class="org.codehaus.xfire.util.dom.DOMInHandler"/>
<bean id="wss4jInHandlerEnc" class="org.codehaus.xfire.security.wss4j.WSS4JInHandler">
<property name="properties">
<props>
<prop key="action">Encrypt</prop>
<prop key="decryptionPropFile">
insecurity_enc.properties
</prop>
<prop key="passwordCallbackClass">
com.megaeyes.ipcamera.service.webservice.tools.PasswordHandler
</prop>
</props>
</property>
</bean>
<bean id="validateUserTokenHandler"
class="com.megaeyes.ipcamera.service.webservice.tools.WSS4JTokenHandler"/>
4、在SRPING的配置文件里面的那个properties,放置到classpath下面就可以了insecurity_enc.properties:
#调用的类
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
#加密的密匙的打开密码
org.apache.ws.security.crypto.merlin.keystore.password=ipcamera
#私匙的名字
org.apache.ws.security.crypto.merlin.file=safedv_private.jks
5、在服务端的classpath里面要放置自己的私匙。关于这几个私匙的生成。后续会讲。以上5步服务端的配置就结束了。
xfire的webservice安全机制
在原来使用xfire和spring集成的基础上,需要加入下面的这些包
在集成到jboss的时候还出了一个问题,wss4j-1.5.0.jar这个包还死活找不到,不知道是什么原因,后来找了半天
发现jboss4.2这娃在这个路径上有些安全相关的jar吧,拷贝到这里后,jboss运行正常了
D:\tool\jboss-4.2\server\default\deploy\jbossws.sar
其他的包,都仍到WEB-INF/lib下面就可以了
commons-discovery-0.2.jar
bcprov-jdk15-133.jar
wss4j-1.5.0.jar
xalan-2.7.0.jar
先说server端如何配置和加入程序:
1、server端提供出来的webservice先写个接口,可以直接继承自原来的WS接口UserServiceEnc.java:
package com.megaeyes.ipcamera.service.webservice.iface;
public interface UserServiceEnc extends UserService {
}
2、写一个passwordHandler来校验用户名,PasswordHandler.java:
package com.megaeyes.ipcamera.service.webservice.tools;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import org.apache.ws.security.WSPasswordCallback;
public class PasswordHandler implements CallbackHandler {
private final Map passwords = new HashMap();
@SuppressWarnings("unchecked")
public PasswordHandler() {
passwords.put("safedv", "safedv");
passwords.put("tianyi", "tianyi");
}
public void handle(Callback[] callbacks) {
WSPasswordCallback callback = (WSPasswordCallback) callbacks[0];
String id = callback.getIdentifer();
callback.setPassword((String) passwords.get(id));
}
}
3、写一个WSS4JTokenHandler对加密内容的操作的handler,WSS4JTokenHandler.java:
package com.megaeyes.ipcamera.service.webservice.tools;
import java.security.cert.X509Certificate;
import java.util.Vector;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSUsernameTokenPrincipal;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;
import org.codehaus.xfire.MessageContext;
import org.codehaus.xfire.handler.AbstractHandler;
import sun.security.x509.X500Name;
public class WSS4JTokenHandler extends AbstractHandler {
private static final Log log = LogFactory.getLog(WSS4JTokenHandler.class);
public void invoke(MessageContext context) throws Exception {
Vector result = (Vector) context.getProperty(WSHandlerConstants.RECV_RESULTS);
if (result == null) {
log.error("Client does not contain Security Header, need WSSJOutHandler");
return;
}
for (int i = 0; i < result.size(); i++) {
WSHandlerResult res = (WSHandlerResult) result.get(i);
for (int j = 0; j < res.getResults().size(); j++) {
WSSecurityEngineResult secRes = (WSSecurityEngineResult) res.getResults().get(j);
int action = secRes.getAction();
// USER TOKEN
if ((action & WSConstants.UT) > 0) {
WSUsernameTokenPrincipal principal = (WSUsernameTokenPrincipal) secRes
.getPrincipal();
// Set user property to user from UT to allow response encryption
context.setProperty(WSHandlerConstants.ENCRYPTION_USER, principal.getName());
log.info("Client's Username: " + principal.getName() + " Client's Password: "
+ principal.getPassword() + "\n");
}
// SIGNATURE
if ((action & WSConstants.SIGN) > 0) {
@SuppressWarnings("unused")
X509Certificate cert = secRes.getCertificate();
X500Name principal = (X500Name) secRes.getPrincipal();
// Do something whith cert
log.info("Signature for : " + principal.getCommonName());
}
}
}
log.info("WSS4JTokenHandler Done!");
}
}
4、applicationContext-webservice.xml服务端专门配置文件里面加入:
<bean name="userServiceEnc" parent="baseWebService">
<property name="serviceBean" ref="UserServiceImpl" />
<property name="serviceClass"
value="com.megaeyes.ipcamera.service.webservice.iface.UserServiceEnc" />
<property name="inHandlers">
<list>
<ref bean="domInHandler" />
<ref bean="wss4jInHandlerEnc" />
<ref bean="validateUserTokenHandler" />
</list>
</property>
</bean>
<bean id="domInHandler" class="org.codehaus.xfire.util.dom.DOMInHandler"/>
<bean id="wss4jInHandlerEnc" class="org.codehaus.xfire.security.wss4j.WSS4JInHandler">
<property name="properties">
<props>
<prop key="action">Encrypt</prop>
<prop key="decryptionPropFile">
insecurity_enc.properties
</prop>
<prop key="passwordCallbackClass">
com.megaeyes.ipcamera.service.webservice.tools.PasswordHandler
</prop>
</props>
</property>
</bean>
<bean id="validateUserTokenHandler"
class="com.megaeyes.ipcamera.service.webservice.tools.WSS4JTokenHandler"/>
4、在SRPING的配置文件里面的那个properties,放置到classpath下面就可以了insecurity_enc.properties:
#调用的类
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
#加密的密匙的打开密码
org.apache.ws.security.crypto.merlin.keystore.password=ipcamera
#私匙的名字
org.apache.ws.security.crypto.merlin.file=safedv_private.jks
5、在服务端的classpath里面要放置自己的私匙。关于这几个私匙的生成。后续会讲。以上5步服务端的配置就结束了。