[size=large][b]一、相关概念[/b][/size]
提到x509,就不得不提到几个相关概念。
1、Private key
2、Public key
3、KeyStore
4、TrustStore
Private key和Public key很简单,字面意思就可以理解,就是常说的私钥和公钥。
KeyStore和TrustStore简单的说就是存储私钥和密钥的容器。二者从存储结构上面都是一样的,只不过对其概念上做个区分,KeyStore主要用来存储私钥(也可能是Chain),TrustStore是用来存储公钥的。
更详细的可以看另外一篇文章:http://lukejin.iteye.com/blog/605634
在CXF中,使用加密签名的方式作为安全策略,配置上还有些麻烦。
先来看个图:
[img]http://dl.iteye.com/upload/picture/pic/74848/bdd0914b-c4ac-3e1d-b0c4-004cb70453a2.jpg[/img]
简单解释一下
1、客户端发送soap到服务端
首先A(客户端)需要使用自己的私钥进行签名,使用B(服务端)的公钥进行加密,然后将soap传给B,B用私钥进行解密,用A的公钥进行验签。
2、服务端返回数据到客户端
首先B用自己的私钥进行签名,用A的公钥进行加密,然后将soap传回给A,A用私钥进行解密,用B的公钥进行验签。
只要搞清楚这个过程,再使用CXF就显得比较容易了。
[size=large][b]二、搭建环境[/b][/size]
下面我们就可以搭建CXF的环境了
首先用maven创建一个简单的java工程,可以先创建好包com.tongtech.ti.cxf.demo.security
然后上pom文件,将下面的pom文件覆盖你自己工程中的pom文件。
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"> 4.0.0 ti-cxf ti-cxf-security 0.0.1-SNAPSHOT jar Tongtech Demo for CXF Security with wss4j 2.4.0-SNAPSHOT org.apache.cxf cxf-rt-frontend-jaxws ${cxf.version} org.apache.cxf cxf-rt-transports-http ${cxf.version} org.apache.cxf cxf-rt-ws-security ${cxf.version} org.apache.cxf cxf-rt-transports-http-jetty ${cxf.version} org.apache.maven.plugins maven-compiler-plugin 1.6 1.6 org.apache.cxf cxf-codegen-plugin ${cxf.version} generate-sources-static generate-sources ${basedir}/target/generate ${basedir}/src/main/java/com/tongtech/ti/cxf/demo/security/security.wsdl -db jaxb -p com.tongtech.ti.cxf.demo.security.service -all wsdl2java
然后在上WSDL:
Security.wsdl
targetNamespace="http://demo.ti.tongtech.com/security/" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:tns="http://demo.ti.tongtech.com/security/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"> targetNamespace="http://demo.ti.tongtech.com/security/"> transport="http://schemas.xmlsoap.org/soap/http" />
wsdl文件放在com.tongtech.ti.cxf.demo.security包下面。
下面执行mvn eclipse:myeclipse/eclipse:eclipse/idea:idea,maven会自动根据wsdl创建相关代码。代码生成后拷贝到com.tongtech.ti.cxf.demo.security.service下面。
[size=large][b]三、编写代码[/b][/size]
[size=medium][b](一)生成证书[/b][/size]
生成证书还是比较麻烦的,要用到jdk的一个工具——keytool
首先,创建客户端KeyStore和公钥
在命令行运行:
1、创建私钥和KeyStore:
keytool -genkey -alias clientprivatekey -keypass keypass -keystore Client_KeyStore.jks -storepass storepass -dname "CN=tongtech.com,C=CN" -keyalg RSA
创建KeyStore,文件名字为Client_KeyStore.jks,里面有个名为clientprivatekey的私钥。
2、给私钥进行自签名:
keytool -selfcert -keystore Client_KeyStore.jks -storepass storepass -alias clientprivatekey -keypass keypass
签名成功,无任何提示。
3、导出私钥
作用是导出的证书将作为公钥保存到TrustStore中。
keytool -export -alias clientprivatekey -file Client_PublicCert.cer -keystore Client_KeyStore.jks -storepass storepass
如果成功,可以看到提示:
保存在文件中的认证
然后创建服务端KeyStore
1、创建私钥和KeyStore
keytool -genkey -alias serverprivatekey -keypass keypass -keystore Server_KeyStore.jks -storepass storepass -dname "CN=tongtech.com,C=CN" -keyalg RSA
2、给私钥进行自签名
keytool -selfcert -keystore Server_KeyStore.jks -storepass storepass -alias serverprivatekey -keypass keypass
3、导出私钥
keytool -export -alias serverprivatekey -file Server_PublicCert.cer -keystore Server_KeyStore.jks -storepass storepass
接下来,将客户端公钥导入到服务端TrustStore中,将服务端公钥导入到客户端TrustStore中。
在命令行中输入:
keytool -import -alias clientpublickey -file Client_PublicCert.cer -keystore Server_TrustStore.jks -storepass storepass
回车后会提示
[quote]所有者:CN=tongtech.com, C=CN
签发人:CN=tongtech.com, C=CN
序列号:4cc7e86c
有效期: Wed Oct 27 16:53:00 CST 2010 至Tue Jan 25 16:53:00 CST 2011
证书指纹:
MD5:FB:AB:71:9F:56:F3:CB:65:16:DC:52:E0:2D:27:FF:F6
SHA1:06:A8:B1:B4:E2:42:9D:B2:F7:99:E7:70:34:08:96:52:E1:CD:4A:76
签名算法名称:SHA1withRSA
版本: 3
信任这个认证? [否]: [/quote]
打y即可,然后提示
[quote]认证已添加至keystore中[/quote]
同理,将服务端公钥导入到客户端TrustStore中
keytool -import -alias serverpublickey -file Server_PublicCert.cer -keystore Client_TrustStore.jks -storepass storepass
同样会出现提示,打y回车,提示成功就可以了。
[b]到这里会有个疑问,为什么都叫keystore?在最上面已经提到,KeyStore和TrustStore是概念上的区分。[/b]
[size=medium][b](二)编写代码[/b][/size]
将上面生成好的maven工程导入到eclipse中,在src/main/java下建立新的包,起名叫cert,将刚刚生成好的KeyStore和TrustStore拷到cert包下。
1、创建配置文件
建立客户端加密/解密配置:[b]Client_Encrypt.properties[/b]
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin org.apache.ws.security.crypto.merlin.keystore.type=jks org.apache.ws.security.crypto.merlin.keystore.password=storepass org.apache.ws.security.crypto.merlin.keystore.alias=serverpublickey org.apache.ws.security.crypto.merlin.file=cert/Client_TrustStore.jks
建立客户端验签/签名配置:[b]Client_Sign.properties[/b]
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin org.apache.ws.security.crypto.merlin.keystore.type=jks org.apache.ws.security.crypto.merlin.keystore.password=storepass org.apache.ws.security.crypto.merlin.keystore.alias=clientprivatekey org.apache.ws.security.crypto.merlin.file=cert/Client_KeyStore.jks
建立服务端加密/解密配置:[b]Server_Decrypt.properties[/b]
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin org.apache.ws.security.crypto.merlin.keystore.type=jks org.apache.ws.security.crypto.merlin.keystore.password=storepass org.apache.ws.security.crypto.merlin.keystore.alias=serverprivatekey org.apache.ws.security.crypto.merlin.file=cert/Server_KeyStore.jks
建立服务端验签/签名配置:[b]Server_SignVerf.properties[/b]
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin org.apache.ws.security.crypto.merlin.keystore.type=jks org.apache.ws.security.crypto.merlin.keystore.password=storepass org.apache.ws.security.crypto.merlin.keystore.alias=clientpublickey org.apache.ws.security.crypto.merlin.file=cert/Server_TrustStore.jks
整理一下:
[quote]
可能说这里名字起的有些怪异,这些文件是我从cxf的example中拷贝过来,我想原意应该是客户端进行签名加密,服务器进行验签解密,并没有对返回数据进行签名加密的意图,所以名字起成这样,不过没关系,整理一下,思路会更清楚。
Client_Encrypt.properties————Client_TrustStore.jks————serverpublickey
Client_Sign.properties————Client_KeyStore.jks————clientprivatekey
Server_Decrypt.properties————Server_KeyStore.jks————serverprivatekey
Server_SignVerf.properties————Server_TrustStore.jks————clientpublickey
[/quote]
2、编写客户端、服务端以及各自的Callback
首先先将target/generate中将代码拷贝到com.tongtech.ti.cxf.demo.security.service中,然后在security目录下面建立X509.client和X509.server,分别把ISecuriyDemo_ISecuriyServicePort_Client.java和ISecuriyDemo_ISecuriyServicePort_Server.java改名成Client和Server并移动到X509.client和X509.server包下,然后在client包下建立UTPasswordClientCallBack.java类。
UTPasswordClientCallBack.java代码如下:
package com.tongtech.ti.cxf.demo.security.X509.client; import java.io.IOException; import javax.security.auth.callback.Callback; import javax.security.auth.callback.CallbackHandler; import javax.security.auth.callback.UnsupportedCallbackException; import org.apache.ws.security.WSPasswordCallback; public class UTPasswordClientCallBack implements CallbackHandler { public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException { WSPasswordCallback pc = (WSPasswordCallback) callbacks[0]; pc.setPassword("keypass"); System.out.println("Client Identifier=" + pc.getIdentifier()); System.out.println("Client Password=" + pc.getPassword()); } }
在server包下建立UTPasswordServerCallBack.java
UTPasswordServerCallBack.java代码如下:
package com.tongtech.ti.cxf.demo.security.X509.server; import java.io.IOException; import javax.security.auth.callback.Callback; import javax.security.auth.callback.CallbackHandler; import javax.security.auth.callback.UnsupportedCallbackException; import org.apache.ws.security.WSPasswordCallback; public class UTPasswordServerCallBack implements CallbackHandler { public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException { WSPasswordCallback pc = (WSPasswordCallback) callbacks[0]; pc.setPassword("keypass"); System.out.println("Server Identifier=" + pc.getIdentifier()); System.out.println("Server Password=" + pc.getPassword()); } }
这两个类中,pc.setPassword方法参数都是[b]keypass[/b],因为我们生成的所有密钥的密码均是keypass,如果密钥密码不同,在这里需要对密钥的Identifier(等同于alias)进行判断,从而设置不同的密码。
接下来将要编写客户端和服务端了。
首先打开Client.java类,将如下代码完整复制,覆盖进去
package com.tongtech.ti.cxf.demo.security.X509.client; /** * Please modify this class to meet your needs * This class is not complete */ import java.net.URL; import java.util.HashMap; import java.util.Map; import javax.xml.namespace.QName; import org.apache.cxf.endpoint.Endpoint; import org.apache.cxf.frontend.ClientProxy; import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor; import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor; import org.apache.ws.security.handler.WSHandlerConstants; import com.tongtech.ti.cxf.demo.security.service.ISecuriyDemo; import com.tongtech.ti.cxf.demo.security.service.ISecuriyService; /** * This class was generated by Apache CXF 2.4.0-SNAPSHOT Tue Oct 26 16:45:43 CST * 2010 Generated source version: 2.4.0-SNAPSHOT * */ public final class Client { private static final QName SERVICE_NAME = new QName( "http://demo.ti.tongtech.com/security/", "ISecuriyService"); private Client() { } public static void main(String args[]) throws Exception { URL wsdlURL = ISecuriyService.WSDL_LOCATION; ISecuriyService ss = new ISecuriyService(wsdlURL, SERVICE_NAME); ISecuriyDemo port = ss.getISecuriyServicePort(); org.apache.cxf.endpoint.Client client = ClientProxy.getClient(port); Endpoint cxfEp = client.getEndpoint(); // Clint Out Map outProp = new HashMap(); outProp.put(WSHandlerConstants.ACTION, WSHandlerConstants.TIMESTAMP + " " + WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.ENCRYPT); outProp.put(WSHandlerConstants.USER, "clientprivatekey"); outProp.put(WSHandlerConstants.ENCRYPTION_USER, "serverpublickey"); outProp.put(WSHandlerConstants.PW_CALLBACK_CLASS, UTPasswordClientCallBack.class.getName()); outProp.put(WSHandlerConstants.SIG_PROP_FILE, "cert/Client_Sign.properties"); outProp.put(WSHandlerConstants.ENC_PROP_FILE, "cert/Client_Encrypt.properties"); cxfEp.getOutInterceptors().add(new WSS4JOutInterceptor(outProp)); // Client In(Return) Map inProp = new HashMap(); inProp.put(WSHandlerConstants.ACTION, WSHandlerConstants.TIMESTAMP + " " + WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.ENCRYPT); inProp.put(WSHandlerConstants.PW_CALLBACK_CLASS, UTPasswordClientCallBack.class.getName()); inProp.put(WSHandlerConstants.DEC_PROP_FILE, "cert/Client_Sign.properties"); inProp.put(WSHandlerConstants.SIG_PROP_FILE, "cert/Client_Encrypt.properties"); cxfEp.getInInterceptors().add(new WSS4JInInterceptor(inProp)); { System.out.println("Invoking input..."); java.lang.String _input_in = "Input Value!"; java.lang.String _input__return = port.input(_input_in); System.out.println("input.result=" + _input__return); } System.exit(0); } }
打开Server.java,同理将下面代码完整复制并完整覆盖:
package com.tongtech.ti.cxf.demo.security.X509.server; import java.util.HashMap; import java.util.Map; import javax.xml.ws.Endpoint; import org.apache.cxf.jaxws.EndpointImpl; import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor; import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor; import org.apache.ws.security.handler.WSHandlerConstants; import com.tongtech.ti.cxf.demo.security.service.ISecuriyDemoImpl; /** * This class was generated by Apache CXF 2.4.0-SNAPSHOT Tue Oct 26 16:45:43 CST * 2010 Generated source version: 2.4.0-SNAPSHOT * */ public class Server { protected Server() throws Exception { System.out.println("Starting Server"); Object implementor = new ISecuriyDemoImpl(); String address = "http://localhost:8080/sec"; EndpointImpl ep = (EndpointImpl) Endpoint.publish(address, implementor); org.apache.cxf.endpoint.Endpoint cxfEp = ep.getServer().getEndpoint(); // /// Map inProp = new HashMap(); inProp.put(WSHandlerConstants.ACTION, WSHandlerConstants.TIMESTAMP + " " + WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.ENCRYPT); inProp.put(WSHandlerConstants.PW_CALLBACK_CLASS, UTPasswordServerCallBack.class.getName()); inProp.put(WSHandlerConstants.SIG_PROP_FILE, "cert/Server_SignVerf.properties"); inProp.put(WSHandlerConstants.DEC_PROP_FILE, "cert/Server_Decrypt.properties"); cxfEp.getInInterceptors().add(new WSS4JInInterceptor(inProp)); // / Map outProp = new HashMap(); outProp.put(WSHandlerConstants.ACTION, WSHandlerConstants.TIMESTAMP + " " + WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.ENCRYPT); outProp.put(WSHandlerConstants.USER, "serverprivatekey"); outProp.put(WSHandlerConstants.PW_CALLBACK_CLASS, UTPasswordServerCallBack.class.getName()); outProp.put(WSHandlerConstants.ENCRYPTION_USER, "clientpublickey"); outProp.put(WSHandlerConstants.SIG_PROP_FILE, "cert/Server_Decrypt.properties");// 私钥 outProp.put(WSHandlerConstants.ENC_PROP_FILE, "cert/Server_SignVerf.properties");// 公钥 cxfEp.getOutInterceptors().add(new WSS4JOutInterceptor(outProp)); } public static void main(String args[]) throws Exception { new Server(); System.out.println("Server ready..."); Thread.sleep(60 * 60 * 1000); System.out.println("Server exiting"); System.exit(0); } }
复制完成后,运行服务端和客户端进行测试即可。没有出以外的话,客户端能够顺利收到返回信息。
如果要看soap内容,打开service包下的ISecuriyDemo.java,加入如下标注代码:
@WebService(targetNamespace = "http://demo.ti.tongtech.com/security/", name = "ISecuriyDemo") @XmlSeeAlso({ObjectFactory.class}) //====加入如下代码==== @InInterceptors(interceptors = { "org.apache.cxf.interceptor.LoggingInInterceptor" }) @OutInterceptors(interceptors = { "org.apache.cxf.interceptor.LoggingOutInterceptor" }) //====加入代码结束==== public interface ISecuriyDemo { @WebResult(name = "out", targetNamespace = "") @RequestWrapper(localName = "input", targetNamespace = "http://demo.ti.tongtech.com/security/", className = "com.tongtech.ti.cxf.demo.security.service.Input") @WebMethod(action = "http://demo.ti.tongtech.com/security/input") @ResponseWrapper(localName = "inputResponse", targetNamespace = "http://demo.ti.tongtech.com/security/", className = "com.tongtech.ti.cxf.demo.security.service.InputResponse") public java.lang.String input( @WebParam(name = "in", targetNamespace = "") java.lang.String in ); }
最后以客户端为例,简单讲解一下出入站配置:
客户端包括:
org.apache.cxf.endpoint.Client client = ClientProxy.getClient(port); Endpoint cxfEp = client.getEndpoint(); // Clint Out Map outProp = new HashMap(); outProp.put(WSHandlerConstants.ACTION, WSHandlerConstants.TIMESTAMP + " " + WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.ENCRYPT); outProp.put(WSHandlerConstants.USER, "clientprivatekey"); outProp.put(WSHandlerConstants.ENCRYPTION_USER, "serverpublickey"); outProp.put(WSHandlerConstants.PW_CALLBACK_CLASS, UTPasswordClientCallBack.class.getName()); outProp.put(WSHandlerConstants.SIG_PROP_FILE, "cert/Client_Sign.properties"); outProp.put(WSHandlerConstants.ENC_PROP_FILE, "cert/Client_Encrypt.properties"); cxfEp.getOutInterceptors().add(new WSS4JOutInterceptor(outProp)); // Client In(Return) Map inProp = new HashMap(); inProp.put(WSHandlerConstants.ACTION, WSHandlerConstants.TIMESTAMP + " " + WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.ENCRYPT); inProp.put(WSHandlerConstants.PW_CALLBACK_CLASS, UTPasswordClientCallBack.class.getName()); inProp.put(WSHandlerConstants.DEC_PROP_FILE, "cert/Client_Sign.properties"); inProp.put(WSHandlerConstants.SIG_PROP_FILE, "cert/Client_Encrypt.properties"); cxfEp.getInInterceptors().add(new WSS4JInInterceptor(inProp));
第一行,使用CXF的Client代理(ClientProxy)来获得Endpoint,然后将WSS4J的Intercepter加入到Endpoint中。
需要加入两个WSS4J的Intercepter,WSS4JOutInterceptor和WSS4JInInterceptor,outIntercepter是客户端向服务端请求时,作为客户端出站(OutBound)的Intercepter,需要配置WSS4J相关属性:
WSHandlerConstants.ACTION,WSHandlerConstants.USER,WSHandlerConstants.ENCRYPTION_USER,WSHandlerConstants.PW_CALLBACK_CLASS,WSHandlerConstants.SIG_PROP_FILE,WSHandlerConstants.ENC_PROP_FILE,将这些属性放入map中,传入WSS4JOutInterceptor中。
对于客户端出站来说,签名需要客户端私钥(Client_Sign.properties)进行签名,加密需要服务端公钥(Client_Encrypt.properties)进行加密,属性中WSHandlerConstants.SIG_PROP_FILE为签名配置文件,WSHandlerConstants.ENC_PROP_FILE为加密配置文件。
入站则相反,验签需要服务端公钥(Client_Encrypt.properties),解密需要客户端私钥(Client_Sign.properties)。
服务器端与客户端相反,意思和客户端相同。