Spring+XFire+WSS4J的基本配置

http://www.blogjava.net/security/archive/2006/08/08/xfire_wss4j.html
Java代码
1. 鉴于很多系统需要实施WS-Security的标准,我们在SpringSide中提供了XFire+WSS4J的Demo,本文介绍SpringSide中Spring+XFire+WSS4J的基本配置 
2.  
3. [WebService Server端配置] 
4. 第一,创建一个基本的BookService 
5. public interface BookService { 
6.     /** *//**
7.      * 按书名模糊查询图书
8.      */ 
9.     List findBooksByName(String name); 
10.  
11.     /** *//**
12.      * 查找目录下的所有图书
13.      *
14.      * @param categoryId 如果category为null或“all”, 列出所有图书。
15.      */ 
16.     List findBooksByCategory(String categoryId); 
17.  
18.     /** *//**
19.      * 列出所有分类.
20.      *
21.      * @return List<Category>,或是null。
22.      */ 
23.     List getAllCategorys(); 
24. } 
25. 第二,接口扩展,即Extend基本的BookService,在XFire中,不同的WSS4J策略需要针对不同的ServiceClass,否则<inHandlers>里面的定义会Overlap。 public interface BookServiceWSS4JEnc  extends BookService { 
26.  
27. } 
28. public interface BookServiceWSS4JSign  extends BookService { 
29.  
30. } 
31. 第三,配置Spring的ApplicationContext文件 
32.     <!--BookService 基类--> 
33.     <bean id="baseWebService" class="org.codehaus.xfire.spring.remoting.XFireExporter" abstract="true"> 
34.         <property name="serviceFactory" ref="xfire.serviceFactory"/> 
35.         <property name="xfire" ref="xfire"/> 
36.     </bean> 
37.  
38.     <bean class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping"> 
39.         <property name="mappings"> 
40.             <value> 
41.                 /BookService=bookService 
42.                 /BookServiceWSS4J=bookServiceWSS4J 
43.                 /BookServiceWSS4JEnc=bookServiceWSS4JEnc 
44.                 /BookServiceWSS4JSign=bookServiceWSS4JSign 
45.             </value> 
46.         </property> 
47.     </bean> 
48.  
49.    <!--(1)BookWebService 不需要认证--> 
50.     <bean id="bookService" class="org.codehaus.xfire.spring.remoting.XFireExporter"> 
51.         <property name="serviceFactory" ref="xfire.serviceFactory"/> 
52.         <property name="xfire" ref="xfire"/> 
53.         <property name="serviceBean" ref="bookManager"/> 
54.         <property name="serviceClass" value="org.springside.bookstore.plugins.xfire.service.BookService"/> 
55.     </bean> 
56.  
57.     <!--  (3)BookWebService 使用 WSS4J验证--> 
58.     <bean id="bookServiceWSS4J" class="org.codehaus.xfire.spring.remoting.XFireExporter"> 
59.         <property name="serviceBean" ref="bookManager"/> 
60.         <property name="serviceClass" value="org.springside.bookstore.plugins.xfire.service.BookServiceWSS4J"/> 
61.         <property name="inHandlers"> 
62.             <list> 
63.                 <ref bean="domInHandler"/> 
64.                 <ref bean="wss4jInHandler"/> 
65.                 <ref bean="validateUserTokenHandler"/> 
66.             </list> 
67.         </property> 
68.     </bean> 
69.  
70.     <bean id="domInHandler" class="org.codehaus.xfire.util.dom.DOMInHandler"/> 
71.  
72.     <bean id="wss4jInHandler" class="org.codehaus.xfire.security.wss4j.WSS4JInHandler"> 
73.         <property name="properties"> 
74.             <props> 
75.                 <prop key="action">UsernameToken</prop> 
76.                 <prop key="passwordCallbackClass">org.springside.bookstore.plugins.xfire.wss4j.PasswordHandler</prop> 
77.             </props> 
78.         </property> 
79.     </bean> 
80.  
81.     <bean id="validateUserTokenHandler" class="org.springside.bookstore.plugins.xfire.wss4j.WSS4JTokenHandler"/> 
82.      
83.     <!--  (4)BookWebService 使用 WSS4J验证 Encrypt模式--> 
84.     <bean id="bookServiceWSS4JEnc" class="org.codehaus.xfire.spring.remoting.XFireExporter"> 
85.         <property name="serviceBean" ref="bookManager"/> 
86.         <property name="serviceClass" value="org.springside.bookstore.plugins.xfire.service.BookServiceWSS4JEnc"/> 
87.         <property name="inHandlers"> 
88.             <list> 
89.                 <ref bean="domInHandler"/> 
90.                 <ref bean="wss4jInHandlerEnc"/> 
91.                 <ref bean="validateUserTokenHandler"/> 
92.             </list> 
93.         </property> 
94.     </bean> 
95.          
96.     <bean id="wss4jInHandlerEnc" class="org.codehaus.xfire.security.wss4j.WSS4JInHandler"> 
97.         <property name="properties"> 
98.           <props> 
99.             <prop key="action">Encrypt</prop> 
100.             <prop key="decryptionPropFile">org/springside/bookstore/plugins/xfire/wss4j/insecurity_enc.properties</prop> 
101.             <prop key="passwordCallbackClass">org.springside.bookstore.plugins.xfire.wss4j.PasswordHandler</prop> 
102.           </props> 
103.         </property> 
104.     </bean> 
105.      
106.     <!--  (5)BookWebService 使用 WSS4J验证 Signature模式--> 
107.     <bean id="bookServiceWSS4JSign" class="org.codehaus.xfire.spring.remoting.XFireExporter"> 
108.         <property name="serviceBean" ref="bookManager"/> 
109.         <property name="serviceClass" value="org.springside.bookstore.plugins.xfire.service.BookServiceWSS4JSign"/> 
110.         <property name="inHandlers"> 
111.             <list> 
112.                 <ref bean="domInHandler"/> 
113.                 <ref bean="wss4jInHandlerSign"/> 
114.                 <ref bean="validateUserTokenHandler"/> 
115.             </list> 
116.         </property> 
117.     </bean> 
118.      
119.     <bean id="wss4jInHandlerSign" class="org.codehaus.xfire.security.wss4j.WSS4JInHandler"> 
120.         <property name="properties"> 
121.           <props> 
122.             <prop key="action">Signature</prop> 
123.             <prop key="signaturePropFile">org/springside/bookstore/plugins/xfire/wss4j/insecurity_sign.properties</prop> 
124.             <prop key="passwordCallbackClass">org.springside.bookstore.plugins.xfire.wss4j.PasswordHandler</prop> 
125.           </props> 
126.         </property> 
127.     </bean> 
128.      
129. </beans> 
130.  
131. 第四,配置insecurity_enc.properties和insecurity_sign.properties两个密钥库配置文件 
132. insecurity_enc.properties: 
133. org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin 
134. org.apache.ws.security.crypto.merlin.keystore.type=jks 
135. org.apache.ws.security.crypto.merlin.keystore.password=SpringSide 
136. org.apache.ws.security.crypto.merlin.alias.password=SpringSide 
137. org.apache.ws.security.crypto.merlin.keystore.alias=david 
138. org.apache.ws.security.crypto.merlin.file=org/springside/bookstore/plugins/xfire/wss4j/springside_private.jks 
139. outsecurity_sign.properties: 
140. org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin 
141. org.apache.ws.security.crypto.merlin.keystore.type=jks 
142. org.apache.ws.security.crypto.merlin.keystore.password=SpringSide 
143. org.apache.ws.security.crypto.merlin.keystore.alias=david 
144. org.apache.ws.security.crypto.merlin.file=org/springside/bookstore/plugins/xfire/wss4j/springside_public.jks 
145. 第五,使用SecureX生成了两个keystore文件 
146. springside_private.jks 
147. 别名名称: david 
148. 创建日期: 2006-8-6 
149. 输入类型:KeyEntry 
150. 认证链长度: 1 
151. 认证 [1]: 
152. Owner: CN=david, OU=SpringSide, O=org, L=gz, ST=gd, C=cn 
153. 发照者: CN=david, OU=SpringSide, O=org, L=gz, ST=gd, C=cn 
154. 序号: 44d4cdcd 
155. 有效期间: Sun Aug 06 00:56:45 CST 2006 至: Mon Aug 06 00:56:45 CST 2007 
156. 认证指纹: 
157.          MD5:  CF:97:13:0C:70:D0:4D:B6:B4:27:0F:1A:0B:CF:D9:F2 
158.          SHA1: 8E:8E:E8:BC:64:39:C8:43:E4:F7:1B:3B:CE:48:1D:6B:A0:2B:58:B5 
159. springside_public.jks 
160. 别名名称: david 
161. 创建日期: 2006-8-6 
162. 输入类型: trustedCertEntry 
163.  
164. Owner: CN=david, OU=SpringSide, O=org, L=gz, ST=gd, C=cn 
165. 发照者: CN=david, OU=SpringSide, O=org, L=gz, ST=gd, C=cn 
166. 序号: 44d4cdcd 
167. 有效期间: Sun Aug 06 00:56:45 CST 2006 至: Mon Aug 06 00:56:45 CST 2007 
168. 认证指纹: 
169.          MD5:  CF:97:13:0C:70:D0:4D:B6:B4:27:0F:1A:0B:CF:D9:F2 
170.          SHA1: 8E:8E:E8:BC:64:39:C8:43:E4:F7:1B:3B:CE:48:1D:6B:A0:2B:58:B5 
171. 第五,新版本SpringSide需要 
172. http://www.bouncycastle.org/download/bcprov-jdk15-133.jar 
173. 并且要配置java.security 
174. 另外,还要使用jdk加密增强策略 
175. http://www.blogjava.net/openssl/archive/2006/03/08/34381.html 
176.  
177. 用户要使用WSS4J,需要配置Bouncycastle这个SecurityProvider,否则 
178. 运行Enc模式的XFire认证的时候,会抛出异常: 
179. org.apache.ws.security.WSSecurityException: An unsupported signature or encryption algorithm was used unsupported key 
180. 配合java.security也是非常简单: 
181. 在最后加入BouncycastleProvider。 
182. security.provider.1=sun.security.provider.Sun 
183. security.provider.2=com.sun.net.ssl.internal.ssl.Provider 
184. security.provider.3=com.sun.rsajca.Provider 
185. security.provider.4=com.sun.crypto.provider.SunJCE 
186. security.provider.5=sun.security.jgss.SunProvider 
187. security.provider.6=org.bouncycastle.jce.provider.BouncyCastleProvider 
188.  
189. [WebService Client端配置] 
190. 1,Encrypt模式的Client是在客户端用david的公钥加密Soap里面的usernameToken,然后发送到Web服务,Web服务用david的私钥来验证。这种模式需要客户端预先知道服务器端的公钥。 
191.  
192. 在Encrypt模式中,需要这样配置ClientHandler: 
193.         Service serviceModel = new ObjectServiceFactory().create(BookServiceWSS4JEnc.class); 
194.         XFireProxyFactory factory = new XFireProxyFactory(getXFire()); 
195.  
196.         BookService service = (BookService) factory.create(serviceModel, "xfire.local://BookServiceWSS4JEnc"); 
197.  
198.         Client client = ((XFireProxy) Proxy.getInvocationHandler(service)).getClient(); 
199.         //挂上WSS4JOutHandler,提供认证 
200.         client.addOutHandler(new DOMOutHandler()); 
201.         Properties properties = new Properties(); 
202.         configureOutProperties(properties); 
203.         client.addOutHandler(new WSS4JOutHandler(properties)); 
204.  
205.         List list = service.getAllCategorys(); configureOutProperties函数负责指定Client使用何种安全策略,没错,使用 outsecurity_enc.properties,这个properties是跟Server端的 insecurity_enc.properties一起使用的。 
206.     protected void configureOutProperties(Properties config) { 
207.         config.setProperty(WSHandlerConstants.ACTION, WSHandlerConstants.ENCRYPT); 
208.         config.setProperty(WSHandlerConstants.USER, "david"); 
209.         //config.setProperty(WSHandlerConstants.PW_CALLBACK_CLASS, PasswordHandler.class.getName()); 
210.         //Configuration of public key used to encrypt message goes to properties file. 
211.         config.setProperty(WSHandlerConstants.ENC_PROP_FILE, 
212.                                "org/springside/bookstore/plugins/xfire/outsecurity_enc.properties"); 
213.     } 
214.  
215. outsecurity_enc.properties: 
216. org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin 
217. org.apache.ws.security.crypto.merlin.keystore.type=jks 
218. org.apache.ws.security.crypto.merlin.keystore.password=SpringSide 
219. org.apache.ws.security.crypto.merlin.keystore.alias=david 
220. org.apache.ws.security.crypto.merlin.file=org/springside/bookstore/plugins/xfire/wss4j/springside_public.jks 
221.  
222. 2, Sign模式的Client同样也是很简单,这种模式是Client端用自己的私钥为usernameToken签名,服务器端用Client的公钥来验证签名,因此,服务器端需要预先知道客户端的公钥。 
223. 对应于Encrypt模式,这里的configureOutProperties需要这样来配置: 
224.     protected void configureOutProperties(Properties properties) { 
225.         properties.setProperty(WSHandlerConstants.ACTION,WSHandlerConstants.SIGNATURE); 
226.         // User in keystore 
227.         properties.setProperty(WSHandlerConstants.USER, "david"); 
228.         // This callback is used to specify password for given user for keystore 
229.         properties.setProperty(WSHandlerConstants.PW_CALLBACK_CLASS, PasswordHandler.class.getName()); 
230.         // Configuration for accessing private key in keystore 
231.         properties.setProperty(WSHandlerConstants.SIG_PROP_FILE,"org/springside/bookstore/plugins/xfire/outsecurity_sign.properties"); 
232.         properties.setProperty(WSHandlerConstants.SIG_KEY_ID,"IssuerSerial"); 
233.     } 
234.  
235.  
236. outsecurity_sign.properties: 
237. org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin 
238. org.apache.ws.security.crypto.merlin.keystore.type=jks 
239. org.apache.ws.security.crypto.merlin.keystore.password=SpringSide 
240. org.apache.ws.security.crypto.merlin.alias.password=SpringSide 
241. org.apache.ws.security.crypto.merlin.keystore.alias=david 
242. org.apache.ws.security.crypto.merlin.file=org/springside/bookstore/plugins/xfire/wss4j/springside_private.jks 

你可能感兴趣的:(apache,spring,webservice,Security,sun)