通过Rampart将SOAP信息安全传输(按apache的user guide翻译，希望大家补充)

通过Rampart将SOAP信息安全传输(按apache的user guide翻译，希望大家补充)

 

通过Rampart将SOAP信息安全传输

 

AXIS2拥有一个基于apache wss4j提供ws-security的模块，叫Rampart。这篇文档提供了运行和配置Rampart模块的信息。

 

介绍：

       当rampart模块在系统指定的安全阶段插入了处理器之后，它是全局起作用的。这些处理器可以使用ws-securitypolicy[2]和rempart指定的策略来配置。Rampart-1.0使用两个axis2参数来配置，这种配置方法到了1.1还在使用。

Rampart1.1：http://www.apache.org/dyn/closer.cgi/ws/rampart/1_1

首先，需要将下面的语句插入到axis2.xml文件中

<module ref=”rampart”/>

 

当axis2配置到服务器如tomcat时，可以使用web的管理接口。

在服务器，为每个服务提供安全是可能的。配置参数需要在service.xml文件中设定。

 在客户端配置参数需要在client’s axis2 repository的axis2.xml中设置。

 

Rampart-1.1 配置

       Rampart指定的声明

       Rampart使用标准的ws-securitypolicy[2]声明，也能定义自己的声明。

       Rampart指定的声明xsd文档：http://ws.apache.org/axis2/modules/rampart/1_1/sec-conf/rampart-config.xsd

       Ramp：rampartconfig必须作为顶层声明有效，如http://ws.apache.org/axis2/modules/rampart/1_1/sec-conf/sample-policy.xml

 

服务端配置

       需要在services.xml文件中增加policy元素来配置服务。一个可用的service.xml：

http://ws.apache.org/axis2/modules/rampart/1_1/sec-conf/sample-services.xml

客户端配置

       在客户端，需要创建一个policy对象，将其载入options.创建policy对象能使用policy.xml文件，如下：

//Creating the object

       StAXOMBuilder builder = new StAXOMBuilder(pathToPolicyfile);

        Policy clientPolicy = PolicyEngine.getPolicy(builder.getDocumentElement());

        //setting the object

        Options options = new Options();

        options.setProperty(RampartMessageData.KEY_RAMPART_POLICY, clientPolicy);

 

rampart-1.0配置

rampart模块使用两个参数：outflowsecurity和inflowsecurity

OutflowSecurity参数：

这个参数是用来配置outflow安全处理器的。Outflow处理器能在一个outflow（one can provde configuration for each of these invocations）中调用多次.”action”描述了一种这样的配置。因此”outflowsecurity”参数能包含多个’action’元素。’action’元素的schema：http://ws.apache.org/axis2/modules/rampart/1_1/sec-conf/out-action.xsd

给outflow配置增加一个时间戳，http://ws.apache.org/axis2/modules/rampart/1_1/security-module.html#ex1是给信息签字和加密的例子，http://ws.apache.org/axis2/modules/rampart/1_1/security-module.html#ex1 演示了如何通过连锁outflow处理器将信息签名两次（使用两个‘action’元素）

下面是outflowsecurity 参数能放在’action’元素里面的元素描述

Parameter	Description	Example
items	Security actions for the inflow	Add a Timestamp, Sign the SOAP body and Encrypt the SOAP body <items> Timestamp Signature Encrypt</items>
user	The user's name	Set alias of the key to be used to sign <user> bob</user>
passwordCallbackClass	Callback class used to provide the password required to create the UsernameToken or to sign the message	<passwordCallbackClass> org.apache.axis2.security.PWCallback</passwordCallbackClass>
signaturePropFile	property file used to get the signature parameters such as crypto provider, keystore and its password	Set example.properties file as the signature property file <signaturePropFile> example.properties</signaturePropFile>
signatureKeyIdentifier	Key identifier to be used in referring the key in the signature	Use the serial number of the certificate <signatureKeyIdentifier> IssuerSerial</signatureKeyIdentifier>
encryptionKeyIdentifier	Key identifier to be used in referring the key in encryption	Use the serial number of the certificate <encryptionKeyIdentifier>IssuerSerial</encryptionKeyIdentifier>
encryptionUser	The user's name for encryption.	<encryptionUser> alice </encryptionUser>
encryptionSymAlgorithm	Symmetric algorithm to be used for encryption	Use AES-128 <encryptionSymAlgorithm> http://www.w3.org/2001/04/xmlenc#aes128-cbc</encryptionSymAlgorithm>
encryptionKeyTransportAlgorithm	Key encryption algorithm	Use RSA-OAEP <parameter name="encryptionSymAlgorithm"> http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p</parameter>
signatureParts	Sign multiple parts in the SOAP message	Sign Foo and Bar elements qualified by "http://app.ns/ns" <signatureParts> {Element}{http://app.ns/ns}Foo;{Element}{http://app.ns/ns}Bar </signatureParts>
optimizeParts	MTOM Optimize the elements specified by the XPath query	Optimize the CipherValue <optimizeParts> //xenc:EncryptedData/xenc:CipherData/xenc:CipherValue </optimizeParts>

 

InflowSecurity 参数

       这个参数是来配置inflow 安全处理器的。’action’也被使用来对配置元素进行封装。http://ws.apache.org/axis2/modules/rampart/1_1/security-module.html#ex3 展示了配置说明，校验签名和验证时间戳。

Parameter	Description	Example
items	Security actions for the inflow	first the incoming message should be decrypted and then the signatures should be verified and should be checked for the availability of the Timestamp <items> Timestamp Signature Encrypt</items>
passwordCallbackClass	Callback class used to obtain password for decryption and UsernameToken verification	<passwordCallbackClass> org.apache.axis2.security.PWCallback</passwordCallbackClass>
signaturePropFile	Property file used for signature verification	<signaturePropFile> sig.properties</signaturePropFile>
decryptionPropFile	Property file used for decryption	<decryptionPropFile> dec.properties</decryptionPropFile>

 

 

请注意’.properties’文件在properties中被使用，如outsignaturepropfile 和在wss4j项目中用到的属性文件是一样的。下面展示了如何在属性文件中定义属性。

    org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin

        org.apache.ws.security.crypto.merlin.keystore.type=pkcs12

        org.apache.ws.security.crypto.merlin.keystore.password=security

        org.apache.ws.security.crypto.merlin.keystore.alias= 16c 73ab6-b892 -458f -abf5 -2f 875f 74882e

        org.apache.ws.security.crypto.merlin.alias.password=security

        org.apache.ws.security.crypto.merlin.file=keys/x509.PFX.MSFT

 

org.apache.ws.security.crypto.provider defines the implementation of the org.apache.ws.security.components.crypto.Crypto interface to provide the crypto information required by WSS4J. The other properties defined are the configuration properties used by the implementation class (org.apache.ws.security.components.crypto.Merlin).