Spring+XFire+WSS4J的基本配置

Java代码 
1. 鉴于很多系统需要实施WS-Security的标准，我们在SpringSide中提供了XFire+WSS4J的Demo，本文介绍SpringSide中Spring+XFire+WSS4J的基本配置  
2.   
3. [WebService Server端配置]  
4. 第一，创建一个基本的BookService  
5. public interface BookService {  
6.     /** *//** 
7.      * 按书名模糊查询图书 
8.      */  
9.     List findBooksByName(String name);  
10.   
11.     /** *//** 
12.      * 查找目录下的所有图书 
13.      * 
14.      * @param categoryId 如果category为null或“all”， 列出所有图书。 
15.      */  
16.     List findBooksByCategory(String categoryId);  
17.   
18.     /** *//** 
19.      * 列出所有分类. 
20.      * 
21.      * @return List<Category>，或是null。 
22.      */  
23.     List getAllCategorys();  
24. }  
25. 第二，接口扩展，即Extend基本的BookService，在XFire中，不同的WSS4J策略需要针对不同的ServiceClass，否则<inHandlers>里面的定义会Overlap。 public interface BookServiceWSS4JEnc  extends BookService {  
26.   
27. }  
28. public interface BookServiceWSS4JSign  extends BookService {  
29.   
30. }  
31. 第三，配置Spring的ApplicationContext文件  
32.     <!--BookService 基类-->  
33.     <bean id="baseWebService" class="org.codehaus.xfire.spring.remoting.XFireExporter" abstract="true">  
34.         <property name="serviceFactory" ref="xfire.serviceFactory"/>  
35.         <property name="xfire" ref="xfire"/>  
36.     </bean>  
37.   
38.     <bean class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">  
39.         <property name="mappings">  
40.             <value>  
41.                 /BookService=bookService  
42.                 /BookServiceWSS4J=bookServiceWSS4J  
43.                 /BookServiceWSS4JEnc=bookServiceWSS4JEnc  
44.                 /BookServiceWSS4JSign=bookServiceWSS4JSign  
45.             </value>  
46.         </property>  
47.     </bean>  
48.   
49.    <!--(1)BookWebService 不需要认证-->  
50.     <bean id="bookService" class="org.codehaus.xfire.spring.remoting.XFireExporter">  
51.         <property name="serviceFactory" ref="xfire.serviceFactory"/>  
52.         <property name="xfire" ref="xfire"/>  
53.         <property name="serviceBean" ref="bookManager"/>  
54.         <property name="serviceClass" value="org.springside.bookstore.plugins.xfire.service.BookService"/>  
55.     </bean>  
56.   
57.     <!--  (3)BookWebService 使用 WSS4J验证-->  
58.     <bean id="bookServiceWSS4J" class="org.codehaus.xfire.spring.remoting.XFireExporter">  
59.         <property name="serviceBean" ref="bookManager"/>  
60.         <property name="serviceClass" value="org.springside.bookstore.plugins.xfire.service.BookServiceWSS4J"/>  
61.         <property name="inHandlers">  
62.             <list>  
63.                 <ref bean="domInHandler"/>  
64.                 <ref bean="wss4jInHandler"/>  
65.                 <ref bean="validateUserTokenHandler"/>  
66.             </list>  
67.         </property>  
68.     </bean>  
69.   
70.     <bean id="domInHandler" class="org.codehaus.xfire.util.dom.DOMInHandler"/>  
71.   
72.     <bean id="wss4jInHandler" class="org.codehaus.xfire.security.wss4j.WSS4JInHandler">  
73.         <property name="properties">  
74.             <props>  
75.                 <prop key="action">UsernameToken</prop>  
76.                 <prop key="passwordCallbackClass">org.springside.bookstore.plugins.xfire.wss4j.PasswordHandler</prop>  
77.             </props>  
78.         </property>  
79.     </bean>  
80.   
81.     <bean id="validateUserTokenHandler" class="org.springside.bookstore.plugins.xfire.wss4j.WSS4JTokenHandler"/>  
82.       
83.     <!--  (4)BookWebService 使用 WSS4J验证 Encrypt模式-->  
84.     <bean id="bookServiceWSS4JEnc" class="org.codehaus.xfire.spring.remoting.XFireExporter">  
85.         <property name="serviceBean" ref="bookManager"/>  
86.         <property name="serviceClass" value="org.springside.bookstore.plugins.xfire.service.BookServiceWSS4JEnc"/>  
87.         <property name="inHandlers">  
88.             <list>  
89.                 <ref bean="domInHandler"/>  
90.                 <ref bean="wss4jInHandlerEnc"/>  
91.                 <ref bean="validateUserTokenHandler"/>  
92.             </list>  
93.         </property>  
94.     </bean>  
95.           
96.     <bean id="wss4jInHandlerEnc" class="org.codehaus.xfire.security.wss4j.WSS4JInHandler">  
97.         <property name="properties">  
98.           <props>  
99.             <prop key="action">Encrypt</prop>  
100.             <prop key="decryptionPropFile">org/springside/bookstore/plugins/xfire/wss4j/insecurity_enc.properties</prop>  
101.             <prop key="passwordCallbackClass">org.springside.bookstore.plugins.xfire.wss4j.PasswordHandler</prop>  
102.           </props>  
103.         </property>  
104.     </bean>  
105.       
106.     <!--  (5)BookWebService 使用 WSS4J验证 Signature模式-->  
107.     <bean id="bookServiceWSS4JSign" class="org.codehaus.xfire.spring.remoting.XFireExporter">  
108.         <property name="serviceBean" ref="bookManager"/>  
109.         <property name="serviceClass" value="org.springside.bookstore.plugins.xfire.service.BookServiceWSS4JSign"/>  
110.         <property name="inHandlers">  
111.             <list>  
112.                 <ref bean="domInHandler"/>  
113.                 <ref bean="wss4jInHandlerSign"/>  
114.                 <ref bean="validateUserTokenHandler"/>  
115.             </list>  
116.         </property>  
117.     </bean>  
118.       
119.     <bean id="wss4jInHandlerSign" class="org.codehaus.xfire.security.wss4j.WSS4JInHandler">  
120.         <property name="properties">  
121.           <props>  
122.             <prop key="action">Signature</prop>  
123.             <prop key="signaturePropFile">org/springside/bookstore/plugins/xfire/wss4j/insecurity_sign.properties</prop>  
124.             <prop key="passwordCallbackClass">org.springside.bookstore.plugins.xfire.wss4j.PasswordHandler</prop>  
125.           </props>  
126.         </property>  
127.     </bean>  
128.       
129. </beans>  
130.   
131. 第四，配置insecurity_enc.properties和insecurity_sign.properties两个密钥库配置文件  
132. insecurity_enc.properties：  
133. org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin  
134. org.apache.ws.security.crypto.merlin.keystore.type=jks  
135. org.apache.ws.security.crypto.merlin.keystore.password=SpringSide  
136. org.apache.ws.security.crypto.merlin.alias.password=SpringSide  
137. org.apache.ws.security.crypto.merlin.keystore.alias=david  
138. org.apache.ws.security.crypto.merlin.file=org/springside/bookstore/plugins/xfire/wss4j/springside_private.jks  
139. outsecurity_sign.properties：  
140. org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin  
141. org.apache.ws.security.crypto.merlin.keystore.type=jks  
142. org.apache.ws.security.crypto.merlin.keystore.password=SpringSide  
143. org.apache.ws.security.crypto.merlin.keystore.alias=david  
144. org.apache.ws.security.crypto.merlin.file=org/springside/bookstore/plugins/xfire/wss4j/springside_public.jks  
145. 第五，使用SecureX生成了两个keystore文件  
146. springside_private.jks  
147. 别名名称： david  
148. 创建日期： 2006-8-6  
149. 输入类型：KeyEntry  
150. 认证链长度： 1  
151. 认证 [1]:  
152. Owner: CN=david, OU=SpringSide, O=org, L=gz, ST=gd, C=cn  
153. 发照者： CN=david, OU=SpringSide, O=org, L=gz, ST=gd, C=cn  
154. 序号： 44d4cdcd  
155. 有效期间： Sun Aug 06 00:56:45 CST 2006 至： Mon Aug 06 00:56:45 CST 2007  
156. 认证指纹：  
157.          MD5：  CF:97:13:0C:70:D0:4D:B6:B4:27:0F:1A:0B:CF:D9:F2  
158.          SHA1： 8E:8E:E8:BC:64:39:C8:43:E4:F7:1B:3B:CE:48:1D:6B:A0:2B:58:B5  
159. springside_public.jks  
160. 别名名称： david  
161. 创建日期： 2006-8-6  
162. 输入类型： trustedCertEntry  
163.   
164. Owner: CN=david, OU=SpringSide, O=org, L=gz, ST=gd, C=cn  
165. 发照者： CN=david, OU=SpringSide, O=org, L=gz, ST=gd, C=cn  
166. 序号： 44d4cdcd  
167. 有效期间： Sun Aug 06 00:56:45 CST 2006 至： Mon Aug 06 00:56:45 CST 2007  
168. 认证指纹：  
169.          MD5：  CF:97:13:0C:70:D0:4D:B6:B4:27:0F:1A:0B:CF:D9:F2  
170.          SHA1： 8E:8E:E8:BC:64:39:C8:43:E4:F7:1B:3B:CE:48:1D:6B:A0:2B:58:B5  
171. 第五，新版本SpringSide需要  
172. http://www.bouncycastle.org/download/bcprov-jdk15-133.jar  
173. 并且要配置java.security  
174. 另外,还要使用jdk加密增强策略  
175. http://www.blogjava.net/openssl/archive/2006/03/08/34381.html  
176.   
177. 用户要使用WSS4J，需要配置Bouncycastle这个SecurityProvider，否则  
178. 运行Enc模式的XFire认证的时候，会抛出异常：  
179. org.apache.ws.security.WSSecurityException: An unsupported signature or encryption algorithm was used unsupported key  
180. 配合java.security也是非常简单:  
181. 在最后加入BouncycastleProvider。  
182. security.provider.1=sun.security.provider.Sun  
183. security.provider.2=com.sun.net.ssl.internal.ssl.Provider  
184. security.provider.3=com.sun.rsajca.Provider  
185. security.provider.4=com.sun.crypto.provider.SunJCE  
186. security.provider.5=sun.security.jgss.SunProvider  
187. security.provider.6=org.bouncycastle.jce.provider.BouncyCastleProvider  
188.   
189. [WebService Client端配置]  
190. 1，Encrypt模式的Client是在客户端用david的公钥加密Soap里面的usernameToken，然后发送到Web服务，Web服务用david的私钥来验证。这种模式需要客户端预先知道服务器端的公钥。  
191.   
192. 在Encrypt模式中，需要这样配置ClientHandler：  
193.         Service serviceModel = new ObjectServiceFactory().create(BookServiceWSS4JEnc.class);  
194.         XFireProxyFactory factory = new XFireProxyFactory(getXFire());  
195.   
196.         BookService service = (BookService) factory.create(serviceModel, "xfire.local://BookServiceWSS4JEnc");  
197.   
198.         Client client = ((XFireProxy) Proxy.getInvocationHandler(service)).getClient();  
199.         //挂上WSS4JOutHandler，提供认证  
200.         client.addOutHandler(new DOMOutHandler());  
201.         Properties properties = new Properties();  
202.         configureOutProperties(properties);  
203.         client.addOutHandler(new WSS4JOutHandler(properties));  
204.   
205.         List list = service.getAllCategorys(); configureOutProperties函数负责指定Client使用何种安全策略，没错，使用 outsecurity_enc.properties，这个properties是跟Server端的 insecurity_enc.properties一起使用的。  
206.     protected void configureOutProperties(Properties config) {  
207.         config.setProperty(WSHandlerConstants.ACTION, WSHandlerConstants.ENCRYPT);  
208.         config.setProperty(WSHandlerConstants.USER, "david");  
209.         //config.setProperty(WSHandlerConstants.PW_CALLBACK_CLASS, PasswordHandler.class.getName());  
210.         //Configuration of public key used to encrypt message goes to properties file.  
211.         config.setProperty(WSHandlerConstants.ENC_PROP_FILE,  
212.                                "org/springside/bookstore/plugins/xfire/outsecurity_enc.properties");  
213.     }  
214.   
215. outsecurity_enc.properties：  
216. org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin  
217. org.apache.ws.security.crypto.merlin.keystore.type=jks  
218. org.apache.ws.security.crypto.merlin.keystore.password=SpringSide  
219. org.apache.ws.security.crypto.merlin.keystore.alias=david  
220. org.apache.ws.security.crypto.merlin.file=org/springside/bookstore/plugins/xfire/wss4j/springside_public.jks  
221.   
222. 2, Sign模式的Client同样也是很简单，这种模式是Client端用自己的私钥为usernameToken签名，服务器端用Client的公钥来验证签名，因此，服务器端需要预先知道客户端的公钥。  
223. 对应于Encrypt模式，这里的configureOutProperties需要这样来配置：  
224.     protected void configureOutProperties(Properties properties) {  
225.         properties.setProperty(WSHandlerConstants.ACTION,WSHandlerConstants.SIGNATURE);  
226.         // User in keystore  
227.         properties.setProperty(WSHandlerConstants.USER, "david");  
228.         // This callback is used to specify password for given user for keystore  
229.         properties.setProperty(WSHandlerConstants.PW_CALLBACK_CLASS, PasswordHandler.class.getName());  
230.         // Configuration for accessing private key in keystore  
231.         properties.setProperty(WSHandlerConstants.SIG_PROP_FILE,"org/springside/bookstore/plugins/xfire/outsecurity_sign.properties");  
232.         properties.setProperty(WSHandlerConstants.SIG_KEY_ID,"IssuerSerial");  
233.     }  
234.   
235.   
236. outsecurity_sign.properties：  
237. org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin  
238. org.apache.ws.security.crypto.merlin.keystore.type=jks  
239. org.apache.ws.security.crypto.merlin.keystore.password=SpringSide  
240. org.apache.ws.security.crypto.merlin.alias.password=SpringSide  
241. org.apache.ws.security.crypto.merlin.keystore.alias=david  
242. org.apache.ws.security.crypto.merlin.file=org/springside/bookstore/plugins/xfire/wss4j/springside_private.jks