CXF使用X509证书的WS-Security进行验证

[size=large][b]一、相关概念[/b][/size]
提到x509,就不得不提到几个相关概念。
1、Private key
2、Public key
3、KeyStore
4、TrustStore
Private key和Public key很简单,字面意思就可以理解,就是常说的私钥和公钥。
KeyStore和TrustStore简单的说就是存储私钥和密钥的容器。二者从存储结构上面都是一样的,只不过对其概念上做个区分,KeyStore主要用来存储私钥(也可能是Chain),TrustStore是用来存储公钥的。
更详细的可以看另外一篇文章:http://lukejin.iteye.com/blog/605634
在CXF中,使用加密签名的方式作为安全策略,配置上还有些麻烦。
先来看个图:
[img]http://dl.iteye.com/upload/picture/pic/74848/bdd0914b-c4ac-3e1d-b0c4-004cb70453a2.jpg[/img]
简单解释一下
1、客户端发送soap到服务端
首先A(客户端)需要使用自己的私钥进行签名,使用B(服务端)的公钥进行加密,然后将soap传给B,B用私钥进行解密,用A的公钥进行验签。
2、服务端返回数据到客户端
首先B用自己的私钥进行签名,用A的公钥进行加密,然后将soap传回给A,A用私钥进行解密,用B的公钥进行验签。
只要搞清楚这个过程,再使用CXF就显得比较容易了。

[size=large][b]二、搭建环境[/b][/size]

下面我们就可以搭建CXF的环境了
首先用maven创建一个简单的java工程,可以先创建好包com.tongtech.ti.cxf.demo.security
然后上pom文件,将下面的pom文件覆盖你自己工程中的pom文件。

xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
4.0.0
ti-cxf
ti-cxf-security
0.0.1-SNAPSHOT
jar
Tongtech Demo for CXF Security with wss4j

2.4.0-SNAPSHOT



org.apache.cxf
cxf-rt-frontend-jaxws
${cxf.version}


org.apache.cxf
cxf-rt-transports-http
${cxf.version}


org.apache.cxf
cxf-rt-ws-security
${cxf.version}


org.apache.cxf
cxf-rt-transports-http-jetty
${cxf.version}






org.apache.maven.plugins
maven-compiler-plugin

1.6
1.6



org.apache.cxf
cxf-codegen-plugin
${cxf.version}


generate-sources-static
generate-sources

${basedir}/target/generate


${basedir}/src/main/java/com/tongtech/ti/cxf/demo/security/security.wsdl

-db
jaxb
-p
com.tongtech.ti.cxf.demo.security.service
-all





wsdl2java










然后在上WSDL:
Security.wsdl


targetNamespace="http://demo.ti.tongtech.com/security/" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
xmlns:tns="http://demo.ti.tongtech.com/security/" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/">

targetNamespace="http://demo.ti.tongtech.com/security/">





























transport="http://schemas.xmlsoap.org/soap/http" />

















wsdl文件放在com.tongtech.ti.cxf.demo.security包下面。

下面执行mvn eclipse:myeclipse/eclipse:eclipse/idea:idea,maven会自动根据wsdl创建相关代码。代码生成后拷贝到com.tongtech.ti.cxf.demo.security.service下面。
[size=large][b]三、编写代码[/b][/size]
[size=medium][b](一)生成证书[/b][/size]
生成证书还是比较麻烦的,要用到jdk的一个工具——keytool
首先,创建客户端KeyStore和公钥
在命令行运行:
1、创建私钥和KeyStore:
keytool -genkey -alias clientprivatekey -keypass keypass -keystore Client_KeyStore.jks -storepass storepass -dname "CN=tongtech.com,C=CN" -keyalg RSA

创建KeyStore,文件名字为Client_KeyStore.jks,里面有个名为clientprivatekey的私钥。
2、给私钥进行自签名:
keytool -selfcert -keystore Client_KeyStore.jks -storepass storepass -alias clientprivatekey -keypass keypass

签名成功,无任何提示。
3、导出私钥
作用是导出的证书将作为公钥保存到TrustStore中。
keytool -export -alias clientprivatekey -file Client_PublicCert.cer -keystore Client_KeyStore.jks -storepass storepass

如果成功,可以看到提示:
保存在文件中的认证
然后创建服务端KeyStore
1、创建私钥和KeyStore
keytool -genkey -alias serverprivatekey -keypass keypass -keystore Server_KeyStore.jks -storepass storepass -dname "CN=tongtech.com,C=CN" -keyalg RSA

2、给私钥进行自签名
keytool -selfcert -keystore Server_KeyStore.jks -storepass storepass -alias serverprivatekey -keypass keypass

3、导出私钥
keytool -export -alias serverprivatekey -file Server_PublicCert.cer -keystore Server_KeyStore.jks -storepass storepass

接下来,将客户端公钥导入到服务端TrustStore中,将服务端公钥导入到客户端TrustStore中。
在命令行中输入:
keytool -import -alias clientpublickey -file Client_PublicCert.cer -keystore Server_TrustStore.jks -storepass storepass

回车后会提示
[quote]所有者:CN=tongtech.com, C=CN
签发人:CN=tongtech.com, C=CN
序列号:4cc7e86c
有效期: Wed Oct 27 16:53:00 CST 2010 至Tue Jan 25 16:53:00 CST 2011
证书指纹:
MD5:FB:AB:71:9F:56:F3:CB:65:16:DC:52:E0:2D:27:FF:F6
SHA1:06:A8:B1:B4:E2:42:9D:B2:F7:99:E7:70:34:08:96:52:E1:CD:4A:76
签名算法名称:SHA1withRSA
版本: 3
信任这个认证? [否]: [/quote]
打y即可,然后提示
[quote]认证已添加至keystore中[/quote]
同理,将服务端公钥导入到客户端TrustStore中
keytool -import -alias serverpublickey -file Server_PublicCert.cer -keystore Client_TrustStore.jks -storepass storepass

同样会出现提示,打y回车,提示成功就可以了。
[b]到这里会有个疑问,为什么都叫keystore?在最上面已经提到,KeyStore和TrustStore是概念上的区分。[/b]

[size=medium][b](二)编写代码[/b][/size]
将上面生成好的maven工程导入到eclipse中,在src/main/java下建立新的包,起名叫cert,将刚刚生成好的KeyStore和TrustStore拷到cert包下。
1、创建配置文件
建立客户端加密/解密配置:[b]Client_Encrypt.properties[/b]
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=storepass
org.apache.ws.security.crypto.merlin.keystore.alias=serverpublickey
org.apache.ws.security.crypto.merlin.file=cert/Client_TrustStore.jks

建立客户端验签/签名配置:[b]Client_Sign.properties[/b]
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=storepass
org.apache.ws.security.crypto.merlin.keystore.alias=clientprivatekey
org.apache.ws.security.crypto.merlin.file=cert/Client_KeyStore.jks

建立服务端加密/解密配置:[b]Server_Decrypt.properties[/b]
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=storepass
org.apache.ws.security.crypto.merlin.keystore.alias=serverprivatekey
org.apache.ws.security.crypto.merlin.file=cert/Server_KeyStore.jks

建立服务端验签/签名配置:[b]Server_SignVerf.properties[/b]
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=storepass
org.apache.ws.security.crypto.merlin.keystore.alias=clientpublickey
org.apache.ws.security.crypto.merlin.file=cert/Server_TrustStore.jks

整理一下:
[quote]
可能说这里名字起的有些怪异,这些文件是我从cxf的example中拷贝过来,我想原意应该是客户端进行签名加密,服务器进行验签解密,并没有对返回数据进行签名加密的意图,所以名字起成这样,不过没关系,整理一下,思路会更清楚。
Client_Encrypt.properties————Client_TrustStore.jks————serverpublickey
Client_Sign.properties————Client_KeyStore.jks————clientprivatekey
Server_Decrypt.properties————Server_KeyStore.jks————serverprivatekey
Server_SignVerf.properties————Server_TrustStore.jks————clientpublickey
[/quote]
2、编写客户端、服务端以及各自的Callback
首先先将target/generate中将代码拷贝到com.tongtech.ti.cxf.demo.security.service中,然后在security目录下面建立X509.client和X509.server,分别把ISecuriyDemo_ISecuriyServicePort_Client.java和ISecuriyDemo_ISecuriyServicePort_Server.java改名成Client和Server并移动到X509.client和X509.server包下,然后在client包下建立UTPasswordClientCallBack.java类。
UTPasswordClientCallBack.java代码如下:
package com.tongtech.ti.cxf.demo.security.X509.client;

import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

public class UTPasswordClientCallBack implements CallbackHandler {

public void handle(Callback[] callbacks) throws IOException,
UnsupportedCallbackException {
WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
pc.setPassword("keypass");
System.out.println("Client Identifier=" + pc.getIdentifier());
System.out.println("Client Password=" + pc.getPassword());
}

}


在server包下建立UTPasswordServerCallBack.java
UTPasswordServerCallBack.java代码如下:
package com.tongtech.ti.cxf.demo.security.X509.server;

import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

public class UTPasswordServerCallBack implements CallbackHandler {

public void handle(Callback[] callbacks) throws IOException,
UnsupportedCallbackException {
WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
pc.setPassword("keypass");
System.out.println("Server Identifier=" + pc.getIdentifier());
System.out.println("Server Password=" + pc.getPassword());
}
}

这两个类中,pc.setPassword方法参数都是[b]keypass[/b],因为我们生成的所有密钥的密码均是keypass,如果密钥密码不同,在这里需要对密钥的Identifier(等同于alias)进行判断,从而设置不同的密码。

接下来将要编写客户端和服务端了。
首先打开Client.java类,将如下代码完整复制,覆盖进去
package com.tongtech.ti.cxf.demo.security.X509.client;

/**
* Please modify this class to meet your needs
* This class is not complete
*/

import java.net.URL;
import java.util.HashMap;
import java.util.Map;

import javax.xml.namespace.QName;

import org.apache.cxf.endpoint.Endpoint;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.ws.security.handler.WSHandlerConstants;

import com.tongtech.ti.cxf.demo.security.service.ISecuriyDemo;
import com.tongtech.ti.cxf.demo.security.service.ISecuriyService;

/**
* This class was generated by Apache CXF 2.4.0-SNAPSHOT Tue Oct 26 16:45:43 CST
* 2010 Generated source version: 2.4.0-SNAPSHOT
*
*/

public final class Client {

private static final QName SERVICE_NAME = new QName(
"http://demo.ti.tongtech.com/security/", "ISecuriyService");

private Client() {
}

public static void main(String args[]) throws Exception {
URL wsdlURL = ISecuriyService.WSDL_LOCATION;

ISecuriyService ss = new ISecuriyService(wsdlURL, SERVICE_NAME);
ISecuriyDemo port = ss.getISecuriyServicePort();
org.apache.cxf.endpoint.Client client = ClientProxy.getClient(port);
Endpoint cxfEp = client.getEndpoint();

// Clint Out
Map outProp = new HashMap();
outProp.put(WSHandlerConstants.ACTION, WSHandlerConstants.TIMESTAMP
+ " " + WSHandlerConstants.SIGNATURE + " "
+ WSHandlerConstants.ENCRYPT);
outProp.put(WSHandlerConstants.USER, "clientprivatekey");
outProp.put(WSHandlerConstants.ENCRYPTION_USER, "serverpublickey");
outProp.put(WSHandlerConstants.PW_CALLBACK_CLASS,
UTPasswordClientCallBack.class.getName());
outProp.put(WSHandlerConstants.SIG_PROP_FILE,
"cert/Client_Sign.properties");
outProp.put(WSHandlerConstants.ENC_PROP_FILE,
"cert/Client_Encrypt.properties");
cxfEp.getOutInterceptors().add(new WSS4JOutInterceptor(outProp));

// Client In(Return)
Map inProp = new HashMap();
inProp.put(WSHandlerConstants.ACTION, WSHandlerConstants.TIMESTAMP
+ " " + WSHandlerConstants.SIGNATURE + " "
+ WSHandlerConstants.ENCRYPT);
inProp.put(WSHandlerConstants.PW_CALLBACK_CLASS,
UTPasswordClientCallBack.class.getName());
inProp.put(WSHandlerConstants.DEC_PROP_FILE,
"cert/Client_Sign.properties");
inProp.put(WSHandlerConstants.SIG_PROP_FILE,
"cert/Client_Encrypt.properties");
cxfEp.getInInterceptors().add(new WSS4JInInterceptor(inProp));

{
System.out.println("Invoking input...");
java.lang.String _input_in = "Input Value!";
java.lang.String _input__return = port.input(_input_in);
System.out.println("input.result=" + _input__return);
}

System.exit(0);
}

}


打开Server.java,同理将下面代码完整复制并完整覆盖:
package com.tongtech.ti.cxf.demo.security.X509.server;

import java.util.HashMap;
import java.util.Map;

import javax.xml.ws.Endpoint;

import org.apache.cxf.jaxws.EndpointImpl;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.ws.security.handler.WSHandlerConstants;

import com.tongtech.ti.cxf.demo.security.service.ISecuriyDemoImpl;

/**
* This class was generated by Apache CXF 2.4.0-SNAPSHOT Tue Oct 26 16:45:43 CST
* 2010 Generated source version: 2.4.0-SNAPSHOT
*
*/

public class Server {

protected Server() throws Exception {
System.out.println("Starting Server");
Object implementor = new ISecuriyDemoImpl();
String address = "http://localhost:8080/sec";
EndpointImpl ep = (EndpointImpl) Endpoint.publish(address, implementor);
org.apache.cxf.endpoint.Endpoint cxfEp = ep.getServer().getEndpoint();

// ///

Map inProp = new HashMap();
inProp.put(WSHandlerConstants.ACTION, WSHandlerConstants.TIMESTAMP
+ " " + WSHandlerConstants.SIGNATURE + " "
+ WSHandlerConstants.ENCRYPT);
inProp.put(WSHandlerConstants.PW_CALLBACK_CLASS,
UTPasswordServerCallBack.class.getName());
inProp.put(WSHandlerConstants.SIG_PROP_FILE,
"cert/Server_SignVerf.properties");
inProp.put(WSHandlerConstants.DEC_PROP_FILE,
"cert/Server_Decrypt.properties");
cxfEp.getInInterceptors().add(new WSS4JInInterceptor(inProp));

// /

Map outProp = new HashMap();
outProp.put(WSHandlerConstants.ACTION, WSHandlerConstants.TIMESTAMP
+ " " + WSHandlerConstants.SIGNATURE + " "
+ WSHandlerConstants.ENCRYPT);
outProp.put(WSHandlerConstants.USER, "serverprivatekey");
outProp.put(WSHandlerConstants.PW_CALLBACK_CLASS,
UTPasswordServerCallBack.class.getName());
outProp.put(WSHandlerConstants.ENCRYPTION_USER, "clientpublickey");
outProp.put(WSHandlerConstants.SIG_PROP_FILE,
"cert/Server_Decrypt.properties");// 私钥
outProp.put(WSHandlerConstants.ENC_PROP_FILE,
"cert/Server_SignVerf.properties");// 公钥
cxfEp.getOutInterceptors().add(new WSS4JOutInterceptor(outProp));
}

public static void main(String args[]) throws Exception {
new Server();
System.out.println("Server ready...");

Thread.sleep(60 * 60 * 1000);
System.out.println("Server exiting");
System.exit(0);
}
}


复制完成后,运行服务端和客户端进行测试即可。没有出以外的话,客户端能够顺利收到返回信息。

如果要看soap内容,打开service包下的ISecuriyDemo.java,加入如下标注代码:

@WebService(targetNamespace = "http://demo.ti.tongtech.com/security/", name = "ISecuriyDemo")
@XmlSeeAlso({ObjectFactory.class})
//====加入如下代码====
@InInterceptors(interceptors = { "org.apache.cxf.interceptor.LoggingInInterceptor" })
@OutInterceptors(interceptors = { "org.apache.cxf.interceptor.LoggingOutInterceptor" })
//====加入代码结束====
public interface ISecuriyDemo {

@WebResult(name = "out", targetNamespace = "")
@RequestWrapper(localName = "input", targetNamespace = "http://demo.ti.tongtech.com/security/", className = "com.tongtech.ti.cxf.demo.security.service.Input")
@WebMethod(action = "http://demo.ti.tongtech.com/security/input")
@ResponseWrapper(localName = "inputResponse", targetNamespace = "http://demo.ti.tongtech.com/security/", className = "com.tongtech.ti.cxf.demo.security.service.InputResponse")
public java.lang.String input(
@WebParam(name = "in", targetNamespace = "")
java.lang.String in
);
}


最后以客户端为例,简单讲解一下出入站配置:
客户端包括:

org.apache.cxf.endpoint.Client client = ClientProxy.getClient(port);
Endpoint cxfEp = client.getEndpoint();

// Clint Out
Map outProp = new HashMap();
outProp.put(WSHandlerConstants.ACTION, WSHandlerConstants.TIMESTAMP
+ " " + WSHandlerConstants.SIGNATURE + " "
+ WSHandlerConstants.ENCRYPT);
outProp.put(WSHandlerConstants.USER, "clientprivatekey");
outProp.put(WSHandlerConstants.ENCRYPTION_USER, "serverpublickey");
outProp.put(WSHandlerConstants.PW_CALLBACK_CLASS,
UTPasswordClientCallBack.class.getName());
outProp.put(WSHandlerConstants.SIG_PROP_FILE,
"cert/Client_Sign.properties");
outProp.put(WSHandlerConstants.ENC_PROP_FILE,
"cert/Client_Encrypt.properties");
cxfEp.getOutInterceptors().add(new WSS4JOutInterceptor(outProp));

// Client In(Return)
Map inProp = new HashMap();
inProp.put(WSHandlerConstants.ACTION, WSHandlerConstants.TIMESTAMP
+ " " + WSHandlerConstants.SIGNATURE + " "
+ WSHandlerConstants.ENCRYPT);
inProp.put(WSHandlerConstants.PW_CALLBACK_CLASS,
UTPasswordClientCallBack.class.getName());
inProp.put(WSHandlerConstants.DEC_PROP_FILE,
"cert/Client_Sign.properties");
inProp.put(WSHandlerConstants.SIG_PROP_FILE,
"cert/Client_Encrypt.properties");
cxfEp.getInInterceptors().add(new WSS4JInInterceptor(inProp));

第一行,使用CXF的Client代理(ClientProxy)来获得Endpoint,然后将WSS4J的Intercepter加入到Endpoint中。
需要加入两个WSS4J的Intercepter,WSS4JOutInterceptor和WSS4JInInterceptor,outIntercepter是客户端向服务端请求时,作为客户端出站(OutBound)的Intercepter,需要配置WSS4J相关属性:
WSHandlerConstants.ACTION,WSHandlerConstants.USER,WSHandlerConstants.ENCRYPTION_USER,WSHandlerConstants.PW_CALLBACK_CLASS,WSHandlerConstants.SIG_PROP_FILE,WSHandlerConstants.ENC_PROP_FILE,将这些属性放入map中,传入WSS4JOutInterceptor中。
对于客户端出站来说,签名需要客户端私钥(Client_Sign.properties)进行签名,加密需要服务端公钥(Client_Encrypt.properties)进行加密,属性中WSHandlerConstants.SIG_PROP_FILE为签名配置文件,WSHandlerConstants.ENC_PROP_FILE为加密配置文件。
入站则相反,验签需要服务端公钥(Client_Encrypt.properties),解密需要客户端私钥(Client_Sign.properties)。
服务器端与客户端相反,意思和客户端相同。

你可能感兴趣的:(WS-Security)