Understanding WS Policy in SCA


Original link: http://gocom.primeton.com/modules/newbb/item57151_57151.htm
The SCA specification provides a security framework (SCA_Policy_Framework) that constrains how data is passed during a service invocation. Below, the WebService Policy part of that framework is explained in detail, drawing on my own practical experience with its implementation.

The Policy Framework splits a security definition into two parts: Intent and PolicySet. An Intent defines a policy abstractly: it only declares that such a constraint exists, without specifying its content. A PolicySet defines how the policy is actually implemented; combined with the Intent, it supplies the Intent's concrete policy definition.

How an Intent is specified:

<intent name="intent name" constrains="what it constrains"/>
e.g.:
<intent name="RequiredTransaction" constrains="sca:binding"/>
How a PolicySet is specified:

<policySet name="policySet name" provides="Intent it implements" appliesTo="constraint">
    concrete policy definition
</policySet>
e.g.:
<policySet name="RequiredTransactionPolicy" provides="RequiredTransaction" appliesTo="sca:binding.sca">
    <transactionPolicy action="REQUIRES_NEW" />
</policySet>
For WebService, the specification defines three fixed Intents: authentication, integrity and confidentiality.

authentication validates the transmitted data against the username and password supplied by the user; integrity validates the data using the transmitted certificate (X509V3); confidentiality encrypts the transmitted data and, on parsing, uses the data's hash value to determine whether it has been modified.

Each of the three is described below (using axis2 as the example; in axis2, rampart performs the security validation):

(Note: WS security touches on a lot of material, which readers should review on their own: axis2, rampart, ws policy, sca policy, the ws specs, and so on.)

1. authentication

On the Server side, the username and password carried in the incoming SOAP Header must be checked; this is done by specifying a corresponding CallbackHandler.

Policy definition:

<parameter name="InflowSecurity">
    <action>
        <items>UsernameToken</items>
        <passwordCallbackClass>helloworld.ServerPWCBHandler</passwordCallbackClass>
    </action>
</parameter>
CallbackHandler implementation; this is where the username and password are checked:

package helloworld;

import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

public class ServerPWCBHandler implements CallbackHandler {
    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            WSPasswordCallback pwcb = (WSPasswordCallback) callbacks[i];
            if (pwcb.getUsage() == WSPasswordCallback.USERNAME_TOKEN) {
                // Compare the credentials carried in the UsernameToken with the
                // expected ones; throwing from the handler rejects the request.
                if (pwcb.getIdentifer().equals("wangfeng") && pwcb.getPassword().equals("Passwd")) {
                    return;
                } else {
                    throw new UnsupportedCallbackException(pwcb,
                            "Authentication Failed : UserId - Password mismatch");
                }
            }
        }
    }
}
On the Client side, the username and password must be added to the outgoing data. The username is specified in the Policy definition file; the password is again set through a CallbackHandler.

Policy definition:

<parameter name="OutflowSecurity">
    <action>
        <items>UsernameToken</items>
        <user>wangfeng</user>
        <passwordCallbackClass>helloworld.ClientPWCBHandler</passwordCallbackClass>
        <passwordType>PasswordText</passwordType>
    </action>
</parameter>
Setting passwordType to PasswordText in the Policy means the password is transmitted in plaintext.
CallbackHandler implementation, which sets the calling user's password:

package helloworld;

import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

public class ClientPWCBHandler implements CallbackHandler {
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            WSPasswordCallback pwcb = (WSPasswordCallback) callbacks[i];
            // The user name comes from <user> in the policy; supply its password here.
            System.out.println("User Id = " + pwcb.getIdentifer());
            pwcb.setPassword("Passwd");
        }
    }
}
When the getGreetings method is invoked with the string World, the SOAP transmitted is as follows:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
soapenv:mustUnderstand="1">
   <wsse:UsernameToken
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="UsernameToken-13482579">
    <wsse:Username>wangfeng</wsse:Username>
    <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">Passwd</wsse:Password>
   </wsse:UsernameToken>
  </wsse:Security>
</soapenv:Header>
<soapenv:Body>
  <ns:getGreetings xmlns:ns="http://helloworld">
   <ns3:name xmlns:ns3="http://helloworld" xmlns:ns2="http://helloworld/" xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">World</ns3:name>
  </ns:getGreetings>
</soapenv:Body>
</soapenv:Envelope>
From the transmitted SOAP Header we can see that it carries the username and password for the Server side to validate.

2. integrity
On the Server side, the concrete WebService Policy corresponding to integrity must be specified: the certificate's algorithm, the alias in the certificate store, the store password, the certificate location and other certificate-related information. During transmission, certificate verification guarantees the correctness of the call.

<wsp:Policy wsu:Id="SignOnly"
   xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
   xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <wsp:ExactlyOne>
   <wsp:All>
    <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
     <wsp:Policy>
      <sp:InitiatorToken>
       <wsp:Policy>
        <sp:X509Token
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
         <wsp:Policy>
          <sp:WssX509V3Token10/>
         </wsp:Policy>
        </sp:X509Token>
       </wsp:Policy>
      </sp:InitiatorToken>
      <sp:RecipientToken>
       <wsp:Policy>
        <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
         <wsp:Policy>
          <sp:WssX509V3Token10/>
         </wsp:Policy>
        </sp:X509Token>
       </wsp:Policy>
      </sp:RecipientToken>
      <sp:AlgorithmSuite>
       <wsp:Policy>
        <sp:TripleDesRsa15/>   <!-- the certificate uses RSA -->
       </wsp:Policy>
      </sp:AlgorithmSuite>
      <sp:Layout>
       <wsp:Policy>
        <sp:Strict/>
       </wsp:Policy>
      </sp:Layout>
      <sp:IncludeTimestamp/>
      <sp:OnlySignEntireHeadersAndBody/>
     </wsp:Policy>
    </sp:AsymmetricBinding>
    <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
     <wsp:Policy>
      <sp:MustSupportRefKeyIdentifier/>
      <sp:MustSupportRefIssuerSerial/>
     </wsp:Policy>
    </sp:Wss10>
    <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
     <sp:Body/>
    </sp:SignedParts>

    <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
     <ramp:user>wangfeng</ramp:user>
     <ramp:encryptionUser>wangfeng</ramp:encryptionUser>
     <ramp:passwordCallbackClass>helloworld.ServerPWCBHandler</ramp:passwordCallbackClass>
    
     <ramp:signatureCrypto>
      <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
       <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
       <ramp:property name="org.apache.ws.security.crypto.merlin.file">key.jks</ramp:property>
       <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">passwd</ramp:property>
      </ramp:crypto>
     </ramp:signatureCrypto>
    </ramp:RampartConfig>

   </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
The last part of the Policy specifies the certificate information through the rampart configuration.

If the configuration above is unclear, refer to the WebService Policy specification and the documentation of the Rampart implementation.

The CallbackHandler must supply the corresponding username and password to complete the certificate check.

package helloworld;

import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

public class ServerPWCBHandler implements CallbackHandler {
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            WSPasswordCallback pwcb = (WSPasswordCallback) callbacks[i];
            // Rampart asks for the password of the signing key (alias <ramp:user>
            // in the keystore named in the policy); supply it here.
            if (pwcb.getUsage() == WSPasswordCallback.SIGNATURE) {
                pwcb.setPassword("Passwd");
            }
        }
    }
}
On the client side, a corresponding Policy and CallbackHandler must likewise be specified; here they can simply be kept identical to the Server side's.
Certificates can be generated with the Java keytool utility.
For the example above, the transmitted SOAP and the returned SOAP are as follows:
Sent SOAP:

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
  <wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
soapenv:mustUnderstand="1">
   <wsu:Timestamp
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Timestamp-9550256">
    <wsu:Created>2008-08-28T03:04:45.734Z</wsu:Created>
    <wsu:Expires>2008-08-28T03:09:45.734Z</wsu:Expires>
   </wsu:Timestamp>
   <wsse:BinarySecurityToken
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="CertId-1436578">MIICSjCCAbMCBEePj2cwDQYJKoZIhvcNAQEEBQAwbDEQMA4GA1UEBhMHVW5rbm93bjEQMA4GA1UECBMHVW
5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4GA1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjEQMA4GA1UEAxMHVW5rbm
93bjAeFw0wODAxMTcxNzI0NTVaFw0xODEyMzAxNzI0NTVaMGwxEDAOBgNVBAYTB1Vua25vd24xEDAOBgNVBAgTB1Vua25vd24xEDAOBgN
VBAcTB1Vua25vd24xEDAOBgNVBAoTB1Vua25vd24xEDAOBgNVBAsTB1Vua25vd24xEDAOBgNVBAMTB1Vua25vd24wgZ8wDQYJKoZIhvcN
AQEBBQADgY0AMIGJAoGBAIsUK0NiI6DnMP/3XBKeSUJ1F15uJ2IcmJVDq3BVd/EHDVU9IEq+g95mpX99mAXQVVwV98PDxEKdQ0C+KNa
ku9XndBCu9IURUYtQk7Rgl0vMN+hEHvzPvMJ2NT/61/y22cAiLZF9k4fQxcxF6IX8EMWk439RBQZ2og7ZV2UUHxrzAgMBAAEwDQYJKoZIh
vcNAQEEBQADgYEAe55/HZRUFG3QjpbiTCgwoWZKsYzfYJSnQrO8rewGdFKf4SwhOGbmf3s9iKO6xdLz+5hnrZ3ySv28g1GwsUt4GMUHYi/jn
7p+Vmot10h1/yL/p06IEiTzkj1Dluq4tJW2KPCagQZqoJ5SEcoimnvkjD5ZoFqGwyJ0DoDk3BP907c=</wsse:BinarySecurityToken>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-3790865">
    <ds:SignedInfo>
     <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
     <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
     <ds:Reference URI="#Id-10013687">
      <ds:Transforms>
       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>xf0YRx+TekKz/7e8pRVpQekBPVQ=</ds:DigestValue>
     </ds:Reference>
     <ds:Reference URI="#Timestamp-9550256">
      <ds:Transforms>
       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>mo2eoha6ygEvERYuxcxhhdadLD8=</ds:DigestValue>
     </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
cMyhvlnQAJ1RvlrdSTC6pic5JRr6nWX0D2DlPBQ+FVHMNrLwMfp35Rxj2NZiMF+HCo4g3LUvEeTk
hTAfIrTE48uVpvc7VyqgZPqxvX5f1Ks3XmAXqgGlNMVCZqOK4mSqdrLATOeuGWFzkuOzsajqkL//
/SXBiMuq6A96dshj0UU=
</ds:SignatureValue>
    <ds:KeyInfo Id="KeyId-9089012">
     <wsse:SecurityTokenReference
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="STRId-30729370">
      <wsse:Reference URI="#CertId-1436578"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
     </wsse:SecurityTokenReference>
    </ds:KeyInfo>
   </ds:Signature>
  </wsse:Security>
</soapenv:Header>
<soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Id-10013687">
  <_ns_:getGreetings xmlns:_ns_="http://helloworld">
   <ns3:name xmlns:ns3="http://helloworld"
xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns2="http://helloworld/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">World</ns3:name>
  </_ns_:getGreetings>
</soapenv:Body>
</soapenv:Envelope>
Returned SOAP:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
soapenv:mustUnderstand="1">
   <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Timestamp-12372212">
    <wsu:Created>2008-08-28T03:04:47.187Z</wsu:Created>
    <wsu:Expires>2008-08-28T03:09:47.187Z</wsu:Expires>
   </wsu:Timestamp>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-9805729">
    <ds:SignedInfo>
     <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
     <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
     <ds:Reference URI="#Id-2954177">
      <ds:Transforms>
       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>AvpChhWzYb6Hl8Xuc8WnZKsClpA=</ds:DigestValue>
     </ds:Reference>
     <ds:Reference URI="#Timestamp-12372212">
      <ds:Transforms>
       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>Qtj/n4wiHPzih8rcyvLwnek7TcE=</ds:DigestValue>
     </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
Omtf8ktomHmBzvYrnJy0thbyOE1exvjXIsHVDhcQtt4zXXKXCU4EmF4ipHDrSrjsIN5uwb0pWvvf
z7oebDx6k2IBin1/O5+Sj48VhUkIJXRr6ehrZlvhRAfv/KZrdf7dfpXUGl3caQ1i4gqV2KVc06QG
QHK/iCqJSiK2JMOXR1g=
</ds:SignatureValue>
    <ds:KeyInfo Id="KeyId-33486858">
     <wsse:SecurityTokenReference
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="STRId-5142872">
      <wsse:KeyIdentifier
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">7n1V7BAAn28161h3Jn7JZkY1HfA=</wsse:KeyIdentifier>
     </wsse:SecurityTokenReference>
    </ds:KeyInfo>
   </ds:Signature>
  </wsse:Security>
</soapenv:Header>
<soapenv:Body xmlns:wsu=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
wsu:Id="Id-2954177">
  <_ns_:getGreetingsResponse xmlns:_ns_="http://helloworld">
   <ns3:getGreetingsReturn xmlns:ns3="http://helloworld" xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:ns2="http://helloworld/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Hello World</ns3:getGreetingsReturn>
  </_ns_:getGreetingsResponse>
</soapenv:Body>
</soapenv:Envelope>
From the transmitted SOAP we can see that the SOAP Header content has been cryptographically processed using the transmitted certificate.

3. confidentiality
Incoming and outgoing data is encrypted and decrypted with the specified algorithm and validated against the certificate contents to determine its legitimacy.
The Server side specifies how incoming and outgoing data is protected: InflowSecurity specifies how incoming data is handled, OutflowSecurity how outgoing data is handled.

For example:

<parameter name="InflowSecurity">
    <action>
        <items>Timestamp Signature Encrypt</items>
        <passwordCallbackClass>helloworld.ServerPWCBHandler</passwordCallbackClass>
        <signaturePropFile>security.properties</signaturePropFile>
    </action>
</parameter>
<parameter name="OutflowSecurity">
    <action>
        <items>Timestamp Signature Encrypt</items>
        <user>wangfeng</user>
        <encryptionUser>wangfeng</encryptionUser>
        <passwordCallbackClass>helloworld.ServerPWCBHandler</passwordCallbackClass>
        <signaturePropFile>security.properties</signaturePropFile>
        <signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>
        <encryptionKeyIdentifier>SKIKeyIdentifier</encryptionKeyIdentifier>
        <!-- public-key certificate reference: SKIKeyIdentifier or IssuerSerial -->
    </action>
</parameter>
The encryptionKeyIdentifier attribute specifies how the certificate is referenced; there are two options, SKIKeyIdentifier or IssuerSerial, and SKIKeyIdentifier is the usual choice.

The certificate password is specified in the CallbackHandler.

package helloworld;

import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

public class ServerPWCBHandler implements CallbackHandler {

    public void handle(Callback[] callbacks) throws IOException,
            UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            WSPasswordCallback pwcb = (WSPasswordCallback) callbacks[i];
            // Same keystore entry is used for signing and decryption, so the
            // same password is returned whatever the callback usage is.
            pwcb.setPassword("Passwd");
        }
    }

}
The configuration file security.properties specifies the certificate and related information; this is where the rampart settings are given to axis.

org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=Passwd
org.apache.ws.security.crypto.merlin.file=key.jks
On the Client side, the handling must mirror the Server's: the Server's InflowSecurity corresponds to the Client's OutflowSecurity, and the Server's OutflowSecurity to the Client's InflowSecurity. The corresponding configuration is as follows:

<parameter name="InflowSecurity">
    <action>
        <items>Timestamp Signature Encrypt</items>
        <passwordCallbackClass>helloworld.ClientPWCBHandler</passwordCallbackClass>
        <signaturePropFile>security.properties</signaturePropFile>
    </action>
</parameter>
<parameter name="OutflowSecurity">
    <action>
        <items>Timestamp Signature Encrypt</items>
        <user>wangfeng</user>
        <encryptionUser>wangfeng</encryptionUser>
        <passwordCallbackClass>helloworld.ClientPWCBHandler</passwordCallbackClass>
        <signaturePropFile>security.properties</signaturePropFile>
        <signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>
        <encryptionKeyIdentifier>SKIKeyIdentifier</encryptionKeyIdentifier>
    </action>
</parameter>
The SOAP transmitted is as follows:
Sent SOAP

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<soapenv:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
soapenv:mustUnderstand="1">
   <xenc:EncryptedKey Id="EncKeyId-12890052">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
     <wsse:SecurityTokenReference>
      <wsse:KeyIdentifier
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">MDMfMNMO10+i/kdPBYb9rJop9Eg=</wsse:KeyIdentifier>
     </wsse:SecurityTokenReference>
    </ds:KeyInfo>
    <xenc:CipherData>
     <xenc:CipherValue>oeFjdDJeIpm55UretATfaiiXK+mbmNtracz4rIsSfboNXO04HYFRAH9u7jYLg4d49mqm4LZEHQS2pw
XYI/SJi4B2x1PNjIlMOv8iuRpHe3RXgFQiVoWNYxgyK9q/GAdzIKzah5VSOUy0ez2hqVpctAJqayZ1iNhJqNk9XBHNGpc=
</xenc:CipherValue>
    </xenc:CipherData>
    <xenc:ReferenceList>
     <xenc:DataReference URI="#EncDataId-15868406"/>
    </xenc:ReferenceList>
   </xenc:EncryptedKey>
   <wsse:BinarySecurityToken
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="CertId-2120440">MIICVjCCAb8CBEddgt8wDQYJKoZIhvcNAQEEBQAwcjEQMA4GA1UEBhMHVW5rbm93bjEQMA4GA
1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4GA1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjEWM
BQGA1UEAxMNVHVzY2FueVdzVXNlcjAeFw0wNzEyMTAxODE4MDdaFw0wOTAxMTMxODE4MDdaMHIxEDAOBgNVBAYTB1Vua25vd2
4xEDAOBgNVBAgTB1Vua25vd24xEDAOBgNVBAcTB1Vua25vd24xEDAOBgNVBAoTB1Vua25vd24xEDAOBgNVBAsTB1Vua25vd24x
FjAUBgNVBAMTDVR1c2NhbnlXc1VzZXIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMT6zc0gqdlNVXNfLBqc7TiegqDcLyvjT3M
mpU7dAIpsDB1+3oWDU+0tTHBKu/KYap9Zwp+/xrqtCVNNg4eDWqW88Z51lhJwq5Dn9zadnBfPEPB5c6gZVTd8ouZFd/ZCGpiktx4
54iA2TAnuLLJt306SFqC5XKD5SDUZvmtMpQeRAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAB72+v2ajRs1Oy7D6D4lDoXN90ZuMC3
CjZm6M871eu9Kk74AFc/dMfBoj5b5H4367DZrMz47/yFcU8N5QFq6inx+8RU0XDwuGYTIbXv7es9BcqG2/um86V10N30Ep2HfTm
6Ag3zkpfvk8/K/YUBZ8WJWLbGxbZDpRzzEEpxfOCY8=</wsse:BinarySecurityToken>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-32653965">
    <ds:SignedInfo>
     <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
     <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
     <ds:Reference URI="#id-15868406">
      <ds:Transforms>
       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>8IdqFtLVMouLQ8WijhNUPMH+xx4=</ds:DigestValue>
     </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
t6PSuLaynhSsuXRBlbO5dqKXScHKCgeheLvriD9aD9nIOeQM+grMIXJQh9sKvSdnDIVh+Fh7NpiQ
AY/TzLCxb01+W2lbZ8XzGAsIty8geHmz1I0YKr05mp9halywVR0ACsKLzcF/ToMpeO5dISFb6ZMx
b8XXFo33rCy6HxANuek=
</ds:SignatureValue>
    <ds:KeyInfo Id="KeyId-26533782">
     <wsse:SecurityTokenReference
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-602878">
      <wsse:Reference URI="#CertId-2120440"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
     </wsse:SecurityTokenReference>
    </ds:KeyInfo>
   </ds:Signature>
   <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Timestamp-4368107">
    <wsu:Created>2008-10-22T05:16:04.953Z</wsu:Created>
    <wsu:Expires>2008-10-22T05:21:04.953Z</wsu:Expires>
   </wsu:Timestamp>
  </wsse:Security>
</soapenv:Header>
<soapenv:Body xmlns:wsu=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
wsu:Id="id-15868406">
  <xenc:EncryptedData Id="EncDataId-15868406" Type="http://www.w3.org/2001/04/xmlenc#Content">
   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
   <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
     <wsse:Reference URI="#EncKeyId-12890052"/>
    </wsse:SecurityTokenReference>
   </ds:KeyInfo>
   <xenc:CipherData>
    <xenc:CipherValue>oslygTCQMQx1IcFIe62I8adMBM1n7AcU/J9h+lzJfIatelbzOFeqMi9KpNMglJQnIdmCtZRIxleq
pZ3ZYSH70zewqCcCw/PfiIFcXSF0WGYEynyEPC/5W8mNWAk7XSR7bZ+o1qUTh0JywQ8OE5agHVYC
4UXjHVzdritVTrv+1t0J+z3RSygcUVGJ5yblUwFXrCTTDIB90XZVhGJZuwa1wp/3/iJNCEZ1fJ6n
DvMPDzIMjAKBplwuaHlXkwlUJzsQGz1IpKFpXqOd+AVg9mjQoNaZjsxb/ceG93XdoQvNFkQzGzdF
XOqr4ThCg383ilaDjyytQQPc+d3ynZGqmYhaNP9RnP8H0SPX3NtZEiEVu/I8Sws8baN4BCuAEJrB
MeDF4Xmbg6+oywuRt0pwvmkKtj7KDlb9n6wzWoHSZevWKhuxNTBCmyBcy6joGIvW8A1CVMWonQ52
6GJCaLJb1Gvq9iUtACPCk2AYDp9jvmvNt60=</xenc:CipherValue>
   </xenc:CipherData>
  </xenc:EncryptedData>
</soapenv:Body>
</soapenv:Envelope>
Received SOAP

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<soapenv:Header>
  <wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
soapenv:mustUnderstand="1">
   <xenc:EncryptedKey Id="EncKeyId-26127350">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
     <wsse:SecurityTokenReference>
      <wsse:KeyIdentifier
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">MDMfMNMO10+i/kdPBYb9rJop9Eg=</wsse:KeyIdentifier>
     </wsse:SecurityTokenReference>
    </ds:KeyInfo>
    <xenc:CipherData>
     <xenc:CipherValue>W14JvuGArIZoJNQKmlnK+q9CjPUI64wAesye0zu6Vcxwqgbm3tpYUn02AbFrdr3C50GTydDyKp0TIhxxwVp+
18cOydXTH6pixUO5DKE+G3HEYr2Jn5Dc4Y6D/PTh61aH6LfF5BVbQTUviEiRkAve8MVAuBikukaJbkd41+fg4Fw=</xenc:CipherValue>
    </xenc:CipherData>
    <xenc:ReferenceList>
     <xenc:DataReference URI="#EncDataId-15736146"/>
    </xenc:ReferenceList>
   </xenc:EncryptedKey>
   <wsse:BinarySecurityToken
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="CertId-2120440">MIICVjCCAb8CBEddgt8wDQYJKoZIhvcNAQEEBQAwcjEQMA4GA1UEBhMHVW5rbm93bjEQMA4GA1UECBMH
VW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4GA1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjEWMBQGA1UEAxMNV
VzY2FueVdzVXNlcjAeFw0wNzEyMTAxODE4MDdaFw0wOTAxMTMxODE4MDdaMHIxEDAOBgNVBAYTB1Vua25vd24xEDAOBgNVBAgT
B1Vua25vd24xEDAOBgNVBAcTB1Vua25vd24xEDAOBgNVBAoTB1Vua25vd24xEDAOBgNVBAsTB1Vua25vd24xFjAUBgNVBAMTDVR
1c2NhbnlXc1VzZXIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMT6zc0gqdlNVXNfLBqc7TiegqDcLyvjT3MmpU7dAIpsDB1+3o
WDU+0tTHBKu/KYap9Zwp+/xrqtCVNNg4eDWqW88Z51lhJwq5Dn9zadnBfPEPB5c6gZVTd8ouZFd/ZCGpiktx454iA2TAnuLLJt306SF
qC5XKD5SDUZvmtMpQeRAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAB72+v2ajRs1Oy7D6D4lDoXN90ZuMC3CjZm6M871eu9Kk7
4AFc/dMfBoj5b5H4367DZrMz47/yFcU8N5QFq6inx+8RU0XDwuGYTIbXv7es9BcqG2/um86V10N30Ep2HfTm6Ag3zkpfvk8/K/YUB
Z8WJWLbGxbZDpRzzEEpxfOCY8=</wsse:BinarySecurityToken>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-9531264">
    <ds:SignedInfo>
     <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
     <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
     <ds:Reference URI="#id-15736146">
      <ds:Transforms>
       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>r3GJPoQlKifjL2t+/7yq9z4FdKA=</ds:DigestValue>
     </ds:Reference>
     <ds:Reference URI="#SigConf-26469">
      <ds:Transforms>
       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>gRWUodHEbu+3iQzPyX4/S3YiDvU=</ds:DigestValue>
     </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
eW11PF0/cMT0Nn2oR8huk6Dcvn3Rl+DA5y+VvPLm7VaA7AVnSeTh1O99aeTBv2gZlJ/6/+q0RIfC
fTDGCIWYELICdFanzvMphP9uJo94t+y/Y5+8ejFcmfHHTSDxGJNL5ruZbNa79uxs/sCGmfB9qiBb
D+2vKoP9/PeUOQYCy4E=
</ds:SignatureValue>
    <ds:KeyInfo Id="KeyId-2419450">
     <wsse:SecurityTokenReference
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-29292935">
      <wsse:Reference URI="#CertId-2120440"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
     </wsse:SecurityTokenReference>
    </ds:KeyInfo>
   </ds:Signature>
   <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Timestamp-6109888">
    <wsu:Created>2008-10-22T05:16:09.062Z</wsu:Created>
    <wsu:Expires>2008-10-22T05:21:09.062Z</wsu:Expires>
   </wsu:Timestamp>
   <wsse11:SignatureConfirmation xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
Value="t6PSuLaynhSsuXRBlbO5dqKXScHKCgeheLvriD9aD9nIOeQM+grMIXJQh9sKvSdnDIVh+Fh7NpiQAY/TzLCxb01+W2lbZ8XzGAsIty8geHmz1I0YKr05mp9halywVR0ACsKLzcF/ToMpeO5dISFb6ZMxb8XXFo33rCy6HxANuek=" wsu:Id="SigConf-26469"/>
  </wsse:Security>
</soapenv:Header>
<soapenv:Body xmlns:wsu=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
wsu:Id="id-15736146">
  <xenc:EncryptedData Id="EncDataId-15736146" Type="http://www.w3.org/2001/04/xmlenc#Content">
   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
   <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
     <wsse:Reference URI="#EncKeyId-26127350"/>
    </wsse:SecurityTokenReference>
   </ds:KeyInfo>
   <xenc:CipherData>
    <xenc:CipherValue>+SiSCzCdloFxPc3+Sb6HveZSLlkP6gGceTSNfaEKVR6YGb/mbkupz3I0exu+duxvVWApmNuWNzeB
vkEB/uMInp1+3SqC94tqizLx0vtiWuthF9S0hdYUqFWDYe4WadLhjcinjv5XcfK1XvQnD2KxB9Bn
jpg1qprFc8LSzB3NtoiLetSDcl7aRfv7GQ9kTfc+He8dY1cSteWoZ/0D5Ix6W4lK+exUbqpIEpWK
sUwzznKFMhgFPMhpUwJFyLPoJzt+zrjp0ERh4PBIuNQKwObdlJjfcWMoMbJ20fuK5m6+z1X6sL3N
tbB2ly6HYHzz/itfwoP7C0VLQGaY0SJbfBTrFLz3n2DNEZmEF0zRMPchxd//7kfD4MM0mdWWs0sE
9ecAWklC0xrb0PRFz5CbuNZvHi1CUs8EE1i0FAIY7XharUoXVW+AOIst4h90TBBRrryi</xenc:CipherValue>
   </xenc:CipherData>
  </xenc:EncryptedData>
</soapenv:Body>
</soapenv:Envelope>
From the transmitted data we can see that the Body data is likewise transmitted in encrypted form.
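The three captures above can be checked mechanically rather than by eye. The following is an added example (not code from the post, nor from Axis2/Rampart) that reads the wsse:Security header and reports which protections a message actually carries, then maps them onto the three intents; the sample envelopes are constructed for the example, shortened from the captures, with digest, signature and cipher values replaced by placeholders.

```python
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")
WSU_ID = "{%s}Id" % NS["wsu"]  # Clark notation for the namespaced wsu:Id attribute

# Constructed samples, shortened from the three captures in the post (placeholders
# stand in for digests, signatures and ciphertext).
# 1. authentication: a UsernameToken carrying a PasswordText password.
AUTH_MSG = """<soapenv:Envelope xmlns:soapenv="%(soapenv)s">
 <soapenv:Header><wsse:Security xmlns:wsse="%(wsse)s" soapenv:mustUnderstand="1">
  <wsse:UsernameToken><wsse:Username>wangfeng</wsse:Username>
   <wsse:Password Type="%(pwtype)s">Passwd</wsse:Password></wsse:UsernameToken>
 </wsse:Security></soapenv:Header>
 <soapenv:Body><ns:getGreetings xmlns:ns="http://helloworld"/></soapenv:Body>
</soapenv:Envelope>""" % dict(NS, pwtype=PASSWORD_TEXT)

# 2. integrity: the signature references both the Body and the Timestamp.
SIGNED_MSG = """<soapenv:Envelope xmlns:soapenv="%(soapenv)s" xmlns:wsu="%(wsu)s">
 <soapenv:Header><wsse:Security xmlns:wsse="%(wsse)s" soapenv:mustUnderstand="1">
  <wsu:Timestamp wsu:Id="Timestamp-9550256"><wsu:Created>2008-08-28T03:04:45.734Z</wsu:Created></wsu:Timestamp>
  <ds:Signature xmlns:ds="%(ds)s"><ds:SignedInfo>
   <ds:Reference URI="#Id-10013687"><ds:DigestValue>placeholder</ds:DigestValue></ds:Reference>
   <ds:Reference URI="#Timestamp-9550256"><ds:DigestValue>placeholder</ds:DigestValue></ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
 </wsse:Security></soapenv:Header>
 <soapenv:Body wsu:Id="Id-10013687"><ns:getGreetings xmlns:ns="http://helloworld"/></soapenv:Body>
</soapenv:Envelope>""" % NS

# 3. confidentiality: Body content replaced by xenc:EncryptedData. As in the
# capture, the signature references only the Body, not the Timestamp.
ENCRYPTED_MSG = """<soapenv:Envelope xmlns:soapenv="%(soapenv)s" xmlns:wsu="%(wsu)s" xmlns:xenc="%(xenc)s">
 <soapenv:Header><wsse:Security xmlns:wsse="%(wsse)s" soapenv:mustUnderstand="1">
  <ds:Signature xmlns:ds="%(ds)s"><ds:SignedInfo>
   <ds:Reference URI="#id-15868406"><ds:DigestValue>placeholder</ds:DigestValue></ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <wsu:Timestamp wsu:Id="Timestamp-4368107"><wsu:Created>2008-10-22T05:16:04.953Z</wsu:Created></wsu:Timestamp>
 </wsse:Security></soapenv:Header>
 <soapenv:Body wsu:Id="id-15868406"><xenc:EncryptedData Id="EncDataId-15868406" Type="%(xenc)sContent">
  <xenc:CipherData><xenc:CipherValue>placeholder</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soapenv:Body>
</soapenv:Envelope>""" % NS


def inspect_security(envelope_xml):
    """Report which WS-Security protections the envelope actually carries."""
    root = ET.fromstring(envelope_xml)
    body = root.find("soapenv:Body", NS)
    sec = root.find("soapenv:Header/wsse:Security", NS)
    report = {"username_token": False, "plaintext_password": False,
              "body_signed": False, "timestamp_signed": False,
              "body_encrypted": False}
    if sec is None or body is None:
        return report
    token = sec.find("wsse:UsernameToken", NS)
    if token is not None:
        report["username_token"] = True
        pw = token.find("wsse:Password", NS)
        report["plaintext_password"] = pw is not None and pw.get("Type") == PASSWORD_TEXT
    # A part counts as signed only if its own wsu:Id is referenced from SignedInfo;
    # a Timestamp that is present but unsigned gives no replay protection.
    signed_ids = {ref.get("URI", "").lstrip("#")
                  for ref in sec.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)}
    ts = sec.find("wsu:Timestamp", NS)
    report["body_signed"] = body.get(WSU_ID) in signed_ids
    report["timestamp_signed"] = ts is not None and ts.get(WSU_ID) in signed_ids
    report["body_encrypted"] = body.find("xenc:EncryptedData", NS) is not None
    return report


def satisfied_intents(envelope_xml):
    """Map the findings onto the three SCA intents discussed in the post."""
    r = inspect_security(envelope_xml)
    intents = []
    if r["username_token"]:
        intents.append("authentication")
    if r["body_signed"]:
        intents.append("integrity")
    if r["body_encrypted"]:
        intents.append("confidentiality")
    return intents
```

Run against the third sample it also surfaces what the last capture shows: with the Timestamp Signature Encrypt configuration the signature covers only the Body, so the wsu:Timestamp is not integrity-protected.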

In summary: authentication defines a simple check, integrity provides an integrity check on the transmission, and confidentiality defines the strictest protection of the data, including encryption of the data body.
