原文链接:
http://gocom.primeton.com/modules/newbb/item57151_57151.htm
在SCA规范中提供了关于安全的一套FrameWork(SCA_Policy_Framework),对服务调用过程中的数据传递进行了约束。下面针对其中的WebService Policy,结合自己的实践,对其实现方式进行详解。
在Policy FrameWork中,定义安全分为两部分:Intent和PolicySet。Intent以抽象的方式定义Policy,仅声明存在这样的约束,对于具体的内容而不指定。PolicySet定义的策略的详细实现方式,与Intent相结合,提供了Intent的详细策略定义。
Intent的指定方式:
<intent name="Intent名称" constrains="使用约束"/>
eg:
<intent name="RequiredTransaction" constrains="sca:binding"/>
PolicySet的指定方式:
<policySet name="Policyset名称" provides="实现的Intent" appliesTo="约束" >
Policy的具体定义
</policySet>
eg:
<policySet name="RequiredTransactionPolicy" provides="RequiredTransaction" appliesTo="sca:binding.sca">
<transactionPolicy action="REQUIRES_NEW" />
</policySet>
针对WebService,规范中定义了三个固定的Intent,分别为:authentication,integrity,confidentiality。
authentication根据用户提供的用户名和口令对传递的数据进行校验,integrity根据传递的证书(X509V3)来校验数据,confidentiality对传递的数据进行加密,解析并根据数据的散列值判断传递的数据是否被修改。
下面对三种分别说明(以axis2为例,在axis2中采用rampart来完成安全的验证):
(注:因WS 安全牵扯到的内容比较多,请大家自行复习,相关内容有:axis2,rampart,ws policy,sca policy,ws spec等)
1、authentication
对于Server端,需要根据传入的SOAP Header数据判断用户名和口令是否正确,这通过指定相应的CallbackHandler 来实现。
Policy定义:
parameter name="InflowSecurity">
<action>
<items>UsernameToken</items>
<passwordCallbackClass>helloworld.ServerPWCBHandler</passwordCallbackClass>
</action>
</parameter>
CallbackHandler 实现代码,在此判断用户名和口令的正确性:
public class ServerPWCBHandler implements CallbackHandler {
public void handle(Callback[] callbacks)
throws IOException,UnsupportedCallbackException {
for (int i = 0; i < callbacks.length; i++) {
WSPasswordCallback pwcb = (WSPasswordCallback)callbacks[i];
if ( pwcb.getUsage() == WSPasswordCallback.USERNAME_TOKEN ) {
if ( pwcb.getIdentifer().equals("wangfeng") && pwcb.getPassword().equals("Passwd") ){
return;
} else {
throw new UnsupportedCallbackException(pwcb,
"Authentication Failed : UserId - Password mismatch");
}
}
}
}
}
对于Client端,需要对输出的数据添加用户名和口令,用户名在Policy定义文件中指定,口令也是通过CallbackHandler 来进行设定的。
Policy定义:
<parameter name="OutflowSecurity">
<action>
<items>UsernameToken</items>
<user>wangfeng</user>
<passwordCallbackClass>helloworld.ClientPWCBHandler</passwordCallbackClass>" +
<passwordType>PasswordText</passwordType>
</action>
</parameter>
在Policy中定义了passwordType为PasswordText,则说明口令是以明文方式进行传递的。
CallbackHandler 实现代码,在其中设置调用用户的口令:
public class ClientPWCBHandler implements CallbackHandler {
public void handle(Callback[] callbacks)
throws IOException,UnsupportedCallbackException {
for (int i = 0; i < callbacks.length; i++) {
WSPasswordCallback pwcb = (WSPasswordCallback)callbacks[i];
System.out.println("User Id = " + pwcb.getIdentifer());
pwcb.setPassword("Passwd");
}
}
}
当执行方法getGreetings,并传递字符器World时,传递的SOAP如下:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsse:Security xmlns:wsse=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
soapenv:mustUnderstand="1">
<wsse:UsernameToken
xmlns:wsu=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
wsu:Id="UsernameToken-13482579">
<wsse:Username>wangfeng</wsse:Username>
<wsse:Password
Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">
Passwd</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
<ns:getGreetings xmlns:ns="http://helloworld">
<ns3:name xmlns:ns3="http://helloworld" xmlns:ns2="http://helloworld/" xmlns:xs=http://www.w3.org/2001/XMLSchema
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">World</ns3:name>
</ns:getGreetings>
</soapenv:Body>
</soapenv:Envelope>
从传递的SOAP Head可以看到,在Header中包含了传递的用户名和口令供Server端进行校验。
2、integrity
在Server端,需要指定integrity对应的具体的WebService Policy,需要指定证书的加密算法,证书中的别名以用证书的保存口令,证书位置等与证书有关的信息,在传递的过程中通过证书的验证来保证调用的正确性。
<wsp:Policy wsu:Id="SignOnly"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
<wsp:Policy>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:TripleDesRsa15/> <!-- 说明证书采用RSA加密 -->
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
<sp:OnlySignEntireHeadersAndBody/>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier/>
<sp:MustSupportRefIssuerSerial/>
</wsp:Policy>
</sp:Wss10>
<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body/>
</sp:SignedParts>
<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
<ramp:user>wangfeng</ramp:user>
<ramp:encryptionUser>wangfeng</ramp:encryptionUser>
<ramp:passwordCallbackClass>helloworld.ServerPWCBHandler</ramp:passwordCallbackClass>
<ramp:signatureCrypto>
<ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
<ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
<ramp:property name="org.apache.ws.security.crypto.merlin.file">key.jks</ramp:property>
<ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">passwd</ramp:property>
</ramp:crypto>
</ramp:signatureCrypto>
</ramp:RampartConfig>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
在Policy的后面部分,通过对rampart的配置来指定证书的信息。
对以上配置如不清楚,请参照WebService Policy的规范及Rampart实现的相关文档。
在CallbackHandler中需要指定相应的用户名口令,以完成对证书的校验。
public class ServerPWCBHandler implements CallbackHandler { public void handle(Callback[] callbacks)
throws IOException,UnsupportedCallbackException {
for (int i = 0; i < callbacks.length; i++) {
WSPasswordCallback pwcb = (WSPasswordCallback)callbacks[i];
if ( pwcb.getUsage() == WSPasswordCallback.SIGNATURE ) {
pwcb.setPassword("Passwd");
}
}
}
}
在client端,同样也要指定相应的Policy和CallbackHandler,在此可与Server端的指定保持一致就可以了。
证书可以用Java工具keytool来进行生成。
对于上述示例,传递的SOAP和返回的SOAP如下:
发送SOAP:
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsse:Security
xmlns:wsse=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
soapenv:mustUnderstand="1">
<wsu:Timestamp
xmlns:wsu=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
wsu:Id="Timestamp-9550256">
<wsu:Created>2008-08-28T03:04:45.734Z</wsu:Created>
<wsu:Expires>2008-08-28T03:09:45.734Z</wsu:Expires>
</wsu:Timestamp>
<wsse:BinarySecurityToken
xmlns:wsu=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
EncodingType=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
ValueType=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3
wsu:Id="CertId-1436578">MIICSjCCAbMCBEePj2cwDQYJKoZIhvcNAQEEBQAwbDEQMA4GA1UEBhMHVW5rbm93bjEQMA4GA1UECBMHVW
5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4GA1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjEQMA4GA1UEAxMHVW5rbm
93bjAeFw0wODAxMTcxNzI0NTVaFw0xODEyMzAxNzI0NTVaMGwxEDAOBgNVBAYTB1Vua25vd24xEDAOBgNVBAgTB1Vua25vd24xEDAOBgN
VBAcTB1Vua25vd24xEDAOBgNVBAoTB1Vua25vd24xEDAOBgNVBAsTB1Vua25vd24xEDAOBgNVBAMTB1Vua25vd24wgZ8wDQYJKoZIhvcN
AQEBBQADgY0AMIGJAoGBAIsUK0NiI6DnMP/3XBKeSUJ1F15uJ2IcmJVDq3BVd/EHDVU9IEq+g95mpX99mAXQVVwV98PDxEKdQ0C+KNa
ku9XndBCu9IURUYtQk7Rgl0vMN+hEHvzPvMJ2NT/61/y22cAiLZF9k4fQxcxF6IX8EMWk439RBQZ2og7ZV2UUHxrzAgMBAAEwDQYJKoZIh
vcNAQEEBQADgYEAe55/HZRUFG3QjpbiTCgwoWZKsYzfYJSnQrO8rewGdFKf4SwhOGbmf3s9iKO6xdLz+5hnrZ3ySv28g1GwsUt4GMUHYi/jn
7p+Vmot10h1/yL/p06IEiTzkj1Dluq4tJW2KPCagQZqoJ5SEcoimnvkjD5ZoFqGwyJ0DoDk3BP907c=</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-3790865">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#Id-10013687">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>xf0YRx+TekKz/7e8pRVpQekBPVQ=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#Timestamp-9550256">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>mo2eoha6ygEvERYuxcxhhdadLD8=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
cMyhvlnQAJ1RvlrdSTC6pic5JRr6nWX0D2DlPBQ+FVHMNrLwMfp35Rxj2NZiMF+HCo4g3LUvEeTk
hTAfIrTE48uVpvc7VyqgZPqxvX5f1Ks3XmAXqgGlNMVCZqOK4mSqdrLATOeuGWFzkuOzsajqkL//
/SXBiMuq6A96dshj0UU=
</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-9089012">
<wsse:SecurityTokenReference
xmlns:wsu=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
wsu:Id="STRId-30729370">
<wsse:Reference URI="#CertId-1436578"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soapenv:Header>
<soapenv:Body xmlns:wsu=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
wsu:Id="Id-10013687">
<_ns_:getGreetings xmlns:_ns_="http://helloworld">
<ns3:name xmlns:ns3=http://helloworld
xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns2=http://helloworld/
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">World</ns3:name>
</_ns_:getGreetings>
</soapenv:Body>
</soapenv:Envelope>
返回SOAP:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsse:Security xmlns:wsse=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
soapenv:mustUnderstand="1">
<wsu:Timestamp xmlns:wsu=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
wsu:Id="Timestamp-12372212">
<wsu:Created>2008-08-28T03:04:47.187Z</wsu:Created>
<wsu:Expires>2008-08-28T03:09:47.187Z</wsu:Expires>
</wsu:Timestamp>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-9805729">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#Id-2954177">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>AvpChhWzYb6Hl8Xuc8WnZKsClpA=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#Timestamp-12372212">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>Qtj/n4wiHPzih8rcyvLwnek7TcE=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
Omtf8ktomHmBzvYrnJy0thbyOE1exvjXIsHVDhcQtt4zXXKXCU4EmF4ipHDrSrjsIN5uwb0pWvvf
z7oebDx6k2IBin1/O5+Sj48VhUkIJXRr6ehrZlvhRAfv/KZrdf7dfpXUGl3caQ1i4gqV2KVc06QG
QHK/iCqJSiK2JMOXR1g=
</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-33486858">
<wsse:SecurityTokenReference
xmlns:wsu=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
wsu:Id="STRId-5142872">
<wsse:KeyIdentifier
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#
Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#
X509SubjectKeyIdentifier">7n1V7BAAn28161h3Jn7JZkY1HfA=</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soapenv:Header>
<soapenv:Body xmlns:wsu=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
wsu:Id="Id-2954177">
<_ns_:getGreetingsResponse xmlns:_ns_="http://helloworld">
<ns3:getGreetingsReturn xmlns:ns3="http://helloworld" xmlns:xs=http://www.w3.org/2001/XMLSchema
xmlns:ns2="http://helloworld/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
Hello World</ns3:getGreetingsReturn>
</_ns_:getGreetingsResponse>
</soapenv:Body>
</soapenv:Envelope>
从传递的SOAP我们可以看到SOAP Head的内容根据传递的证书进行了加密处理。
3、confidentiality
对于输入,输出数据根据指定的算法进行加密,解密处理,并根据证书的内容进行校验,完成合法性判断。
Server端指定输入输出数据的加密方式,通过InflowSecurity指定输入数据的处理方式,通过OutflowSecurity指定输出数据的处理方式。
如:
<parameter name="InflowSecurity">
<action>
<items>Timestamp Signature Encrypt</items>
<passwordCallbackClass>helloworld.ServerPWCBHandler</passwordCallbackClass>
<signaturePropFile>security.properties</signaturePropFile>
</action>
</parameter>
<parameter name="OutflowSecurity">
<action>
<items>Timestamp Signature Encrypt</items>
<user>wangfeng</user>
<encryptionUser>wangfeng</encryptionUser>
<passwordCallbackClass>helloworld.ServerPWCBHandler</passwordCallbackClass>
<signaturePropFile>security.properties</signaturePropFile>
<signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>
<encryptionKeyIdentifier>SKIKeyIdentifier</encryptionKeyIdentifier>
<!-- 公钥证书 SKIKeyIdentifier或者IssuerSerial -->
</action>
</parameter>
属性encryptionKeyIdentifier指定了证书的方式,有两种: SKIKeyIdentifier或者IssuerSerial ,通常的SKIKeyIdentifier。
在CallbackHandler 中指定证书的口令。
public class ServerPWCBHandler implements CallbackHandler {
public void handle(Callback[] callbacks) throws IOException,
UnsupportedCallbackException {
for (int i = 0; i < callbacks.length; i++) {
WSPasswordCallback pwcb = (WSPasswordCallback)callbacks[i];
pwcb.setPassword("Passwd");
}
}
}
在配置文件security.properties中指定相应的证书及相关的信息,在axis中指定rampart的相应信息。
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=Passwd
org.apache.ws.security.crypto.merlin.file=key.jks
在Client端,需要指定与Server相对应的处理方式,Server端的InflowSecurity对应Client的的OutflowSecurity,Server端的OutflowSecurity对应Client端的InflowSecurity,相应的配置如下:
<parameter name="InflowSecurity">
<action>
<items>Timestamp Signature Encrypt</items>
<passwordCallbackClass>helloworld.ClientPWCBHandler</passwordCallbackClass>
<signaturePropFile>security.properties</signaturePropFile>
</action>
</parameter>
<parameter name="OutflowSecurity">
<action>
<items>Timestamp Signature Encrypt</items>
<user>wangfeng</user>
<encryptionUser>wangfeng</encryptionUser>
<passwordCallbackClass>helloworld.ClientPWCBHandler</passwordCallbackClass>
<signaturePropFile>security.properties</signaturePropFile>
<signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>
<encryptionKeyIdentifier>SKIKeyIdentifier</encryptionKeyIdentifier>
</action>
</parameter>
传输的SOAP如下:
发送SOAP
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<soapenv:Header>
<wsse:Security xmlns:wsse=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
soapenv:mustUnderstand="1">
<xenc:EncryptedKey Id="EncKeyId-12890052">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference>
<wsse:KeyIdentifier
EncodingType=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#
X509SubjectKeyIdentifier">MDMfMNMO10+i/kdPBYb9rJop9Eg=</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>oeFjdDJeIpm55UretATfaiiXK+mbmNtracz4rIsSfboNXO04HYFRAH9u7jYLg4d49mqm4LZEHQS2pw
XYI/SJi4B2x1PNjIlMOv8iuRpHe3RXgFQiVoWNYxgyK9q/GAdzIKzah5VSOUy0ez2hqVpctAJqayZ1iNhJqNk9XBHNGpc=
</xenc:CipherValue>
</xenc:CipherData>
<xenc:ReferenceList>
<xenc:DataReference URI="#EncDataId-15868406"/>
</xenc:ReferenceList>
</xenc:EncryptedKey>
<wsse:BinarySecurityToken
xmlns:wsu=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
EncodingType=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
ValueType=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3
wsu:Id="CertId-2120440">MIICVjCCAb8CBEddgt8wDQYJKoZIhvcNAQEEBQAwcjEQMA4GA1UEBhMHVW5rbm93bjEQMA4GA
1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4GA1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjEWM
BQGA1UEAxMNVHVzY2FueVdzVXNlcjAeFw0wNzEyMTAxODE4MDdaFw0wOTAxMTMxODE4MDdaMHIxEDAOBgNVBAYTB1Vua25vd2
4xEDAOBgNVBAgTB1Vua25vd24xEDAOBgNVBAcTB1Vua25vd24xEDAOBgNVBAoTB1Vua25vd24xEDAOBgNVBAsTB1Vua25vd24x
FjAUBgNVBAMTDVR1c2NhbnlXc1VzZXIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMT6zc0gqdlNVXNfLBqc7TiegqDcLyvjT3M
mpU7dAIpsDB1+3oWDU+0tTHBKu/KYap9Zwp+/xrqtCVNNg4eDWqW88Z51lhJwq5Dn9zadnBfPEPB5c6gZVTd8ouZFd/ZCGpiktx4
54iA2TAnuLLJt306SFqC5XKD5SDUZvmtMpQeRAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAB72+v2ajRs1Oy7D6D4lDoXN90ZuMC3
CjZm6M871eu9Kk74AFc/dMfBoj5b5H4367DZrMz47/yFcU8N5QFq6inx+8RU0XDwuGYTIbXv7es9BcqG2/um86V10N30Ep2HfTm
6Ag3zkpfvk8/K/YUBZ8WJWLbGxbZDpRzzEEpxfOCY8=</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-32653965">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-15868406">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>8IdqFtLVMouLQ8WijhNUPMH+xx4=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
t6PSuLaynhSsuXRBlbO5dqKXScHKCgeheLvriD9aD9nIOeQM+grMIXJQh9sKvSdnDIVh+Fh7NpiQ
AY/TzLCxb01+W2lbZ8XzGAsIty8geHmz1I0YKr05mp9halywVR0ACsKLzcF/ToMpeO5dISFb6ZMx
b8XXFo33rCy6HxANuek=
</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-26533782">
<wsse:SecurityTokenReference
xmlns:wsu=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd wsu:Id="STRId-602878">
<wsse:Reference URI="#CertId-2120440"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsu:Timestamp xmlns:wsu=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
wsu:Id="Timestamp-4368107">
<wsu:Created>2008-10-22T05:16:04.953Z</wsu:Created>
<wsu:Expires>2008-10-22T05:21:04.953Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</soapenv:Header>
<soapenv:Body xmlns:wsu=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
wsu:Id="id-15868406">
<xenc:EncryptedData Id="EncDataId-15868406" Type="http://www.w3.org/2001/04/xmlenc#Content">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:Reference URI="#EncKeyId-12890052"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>oslygTCQMQx1IcFIe62I8adMBM1n7AcU/J9h+lzJfIatelbzOFeqMi9KpNMglJQnIdmCtZRIxleq
pZ3ZYSH70zewqCcCw/PfiIFcXSF0WGYEynyEPC/5W8mNWAk7XSR7bZ+o1qUTh0JywQ8OE5agHVYC
4UXjHVzdritVTrv+1t0J+z3RSygcUVGJ5yblUwFXrCTTDIB90XZVhGJZuwa1wp/3/iJNCEZ1fJ6n
DvMPDzIMjAKBplwuaHlXkwlUJzsQGz1IpKFpXqOd+AVg9mjQoNaZjsxb/ceG93XdoQvNFkQzGzdF
XOqr4ThCg383ilaDjyytQQPc+d3ynZGqmYhaNP9RnP8H0SPX3NtZEiEVu/I8Sws8baN4BCuAEJrB
MeDF4Xmbg6+oywuRt0pwvmkKtj7KDlb9n6wzWoHSZevWKhuxNTBCmyBcy6joGIvW8A1CVMWonQ52
6GJCaLJb1Gvq9iUtACPCk2AYDp9jvmvNt60=</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</soapenv:Body>
</soapenv:Envelope>
接收SOAP
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv=http://schemas.xmlsoap.org/soap/envelope/
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<soapenv:Header>
<wsse:Security
xmlns:wsse=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
soapenv:mustUnderstand="1">
<xenc:EncryptedKey Id="EncKeyId-26127350">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference>
<wsse:KeyIdentifier
EncodingType=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#
X509SubjectKeyIdentifier">MDMfMNMO10+i/kdPBYb9rJop9Eg=</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>W14JvuGArIZoJNQKmlnK+q9CjPUI64wAesye0zu6Vcxwqgbm3tpYUn02AbFrdr3C50GTydDyKp0TIhxxwVp+
18cOydXTH6pixUO5DKE+G3HEYr2Jn5Dc4Y6D/PTh61aH6LfF5BVbQTUviEiRkAve8MVAuBikukaJbkd41+fg4Fw=</xenc:CipherValue>
</xenc:CipherData>
<xenc:ReferenceList>
<xenc:DataReference URI="#EncDataId-15736146"/>
</xenc:ReferenceList>
</xenc:EncryptedKey>
<wsse:BinarySecurityToken
xmlns:wsu=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
EncodingType=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
ValueType=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3
wsu:Id="CertId-2120440">MIICVjCCAb8CBEddgt8wDQYJKoZIhvcNAQEEBQAwcjEQMA4GA1UEBhMHVW5rbm93bjEQMA4GA1UECBMH
VW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4GA1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjEWMBQGA1UEAxMNV
VzY2FueVdzVXNlcjAeFw0wNzEyMTAxODE4MDdaFw0wOTAxMTMxODE4MDdaMHIxEDAOBgNVBAYTB1Vua25vd24xEDAOBgNVBAgT
B1Vua25vd24xEDAOBgNVBAcTB1Vua25vd24xEDAOBgNVBAoTB1Vua25vd24xEDAOBgNVBAsTB1Vua25vd24xFjAUBgNVBAMTDVR
1c2NhbnlXc1VzZXIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMT6zc0gqdlNVXNfLBqc7TiegqDcLyvjT3MmpU7dAIpsDB1+3o
WDU+0tTHBKu/KYap9Zwp+/xrqtCVNNg4eDWqW88Z51lhJwq5Dn9zadnBfPEPB5c6gZVTd8ouZFd/ZCGpiktx454iA2TAnuLLJt306SF
qC5XKD5SDUZvmtMpQeRAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAB72+v2ajRs1Oy7D6D4lDoXN90ZuMC3CjZm6M871eu9Kk7
4AFc/dMfBoj5b5H4367DZrMz47/yFcU8N5QFq6inx+8RU0XDwuGYTIbXv7es9BcqG2/um86V10N30Ep2HfTm6Ag3zkpfvk8/K/YUB
Z8WJWLbGxbZDpRzzEEpxfOCY8=</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-9531264">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-15736146">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>r3GJPoQlKifjL2t+/7yq9z4FdKA=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#SigConf-26469">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>gRWUodHEbu+3iQzPyX4/S3YiDvU=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
eW11PF0/cMT0Nn2oR8huk6Dcvn3Rl+DA5y+VvPLm7VaA7AVnSeTh1O99aeTBv2gZlJ/6/+q0RIfC
fTDGCIWYELICdFanzvMphP9uJo94t+y/Y5+8ejFcmfHHTSDxGJNL5ruZbNa79uxs/sCGmfB9qiBb
D+2vKoP9/PeUOQYCy4E=
</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-2419450">
<wsse:SecurityTokenReference
xmlns:wsu=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd wsu:Id="STRId-29292935">
<wsse:Reference URI="#CertId-2120440"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsu:Timestamp xmlns:wsu=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
wsu:Id="Timestamp-6109888">
<wsu:Created>2008-10-22T05:16:09.062Z</wsu:Created>
<wsu:Expires>2008-10-22T05:21:09.062Z</wsu:Expires>
</wsu:Timestamp>
<wsse11:SignatureConfirmation xmlns:wsse11=http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" Value="t6PSuLaynhSsuXR
BlbO5dqKXScHKCgeheLvriD9aD9nIOeQM+grMIXJQh9sKvSdnDIVh+Fh7NpiQAY/TzLCxb01+W2lbZ8XzGAsIty8geHmz1I0YKr05
mp9halywVR0ACsKLzcF/ToMpeO5dISFb6ZMxb8XXFo33rCy6HxANuek=" wsu:Id="SigConf-26469"/>
</wsse:Security>
</soapenv:Header>
<soapenv:Body xmlns:wsu=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
wsu:Id="id-15736146">
<xenc:EncryptedData Id="EncDataId-15736146" Type="http://www.w3.org/2001/04/xmlenc#Content">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:Reference URI="#EncKeyId-26127350"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>+SiSCzCdloFxPc3+Sb6HveZSLlkP6gGceTSNfaEKVR6YGb/mbkupz3I0exu+duxvVWApmNuWNzeB
vkEB/uMInp1+3SqC94tqizLx0vtiWuthF9S0hdYUqFWDYe4WadLhjcinjv5XcfK1XvQnD2KxB9Bn
jpg1qprFc8LSzB3NtoiLetSDcl7aRfv7GQ9kTfc+He8dY1cSteWoZ/0D5Ix6W4lK+exUbqpIEpWK
sUwzznKFMhgFPMhpUwJFyLPoJzt+zrjp0ERh4PBIuNQKwObdlJjfcWMoMbJ20fuK5m6+z1X6sL3N
tbB2ly6HYHzz/itfwoP7C0VLQGaY0SJbfBTrFLz3n2DNEZmEF0zRMPchxd//7kfD4MM0mdWWs0sE
9ecAWklC0xrb0PRFz5CbuNZvHi1CUs8EE1i0FAIY7XharUoXVW+AOIst4h90TBBRrryi</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</soapenv:Body>
</soapenv:Envelope>
从传递的数据可以看到,对于传输的Body数据同样采用了加密的方式进行传递了。
综上,authentication定义了简单的校验方式,integrity提供了传输的完整性校验,confidentiality定义了数据的最严格校验,包括对数据体的加密处理。