Axis2+Rampart Web 服务签名和加密
我对一个网络服务与其客户端之间的安全性有疑问。 我使用 Axis2 和 Rampart 自下而上构建我的 Web 服务,然后从生成的 wsdl 创建客户端。 我向您展示我的代码和具体问题。
Client.java
package de.security.tutorial;
import java.io.InputStream;
import java.rmi.RemoteException;
import javax.xml.stream.XMLStreamException;
import org.apache.axiom.om.impl.builder.StAXOMBuilder;
import org.apache.axis2.client.Options;
import org.apache.axis2.client.ServiceClient;
import org.apache.axis2.context.ConfigurationContext;
import org.apache.axis2.context.ConfigurationContextFactory;
import org.apache.neethi.Policy;
import org.apache.neethi.PolicyEngine;
import org.apache.rampart.RampartMessageData;
import de.security.tutorial.ServerStub.GetWelcomeResponse;
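public class Client {

    /** Endpoint of the "Server" service the generated stub talks to. */
    private static final String SERVICE_URL = "http://localhost:8080/axis2/services/Server";

    /** Directory holding the Axis2 module repository (the addressing and rampart modules). */
    private static final String REPOSITORY_PATH = "WebContent/WEB-INF/";

    /**
     * Loads a WS-Policy document from the classpath and parses it with Neethi.
     *
     * @param name classpath resource name, e.g. {@code "policy.xml"}
     * @return the parsed policy, ready to be handed to Rampart
     * @throws XMLStreamException if the resource is not well-formed XML
     * @throws IllegalArgumentException if no resource with that name is on the classpath;
     *     without this check a missing file only surfaces later as a bare
     *     NullPointerException with no message
     */
    private static Policy loadPolicy(String name) throws XMLStreamException {
        // Use the loader that loaded this class rather than an anonymous ClassLoader
        // subclass; the anonymous loader only worked because it delegated to its parent.
        InputStream resource = Client.class.getClassLoader().getResourceAsStream(name);
        if (resource == null) {
            throw new IllegalArgumentException("Policy resource not found on classpath: " + name);
        }
        StAXOMBuilder builder = new StAXOMBuilder(resource);
        return PolicyEngine.getPolicy(builder.getDocumentElement());
    }

    /**
     * Builds the stub, engages addressing and Rampart with the client-side policy,
     * calls {@code getWelcome} and prints the result.
     *
     * @param arg ignored
     * @throws RemoteException declared for the stub call; in practice every failure is
     *     caught below and reported on the console
     */
    public static void main(String[] arg) throws RemoteException {
        try {
            // Configuration context pointing at the module repository so that the
            // engageModule(...) calls below can find the addressing and rampart modules.
            ConfigurationContext ctx = ConfigurationContextFactory
                    .createConfigurationContextFromFileSystem(REPOSITORY_PATH, null);
            ServerStub stub = new ServerStub(ctx, SERVICE_URL);

            // Configure and engage Rampart on the stub's ServiceClient.
            ServiceClient client = stub._getServiceClient();
            Options options = client.getOptions();
            Policy policy = loadPolicy("policy.xml");
            // client.getAxisService().getPolicySubject().attachPolicy(policy);
            options.setProperty(RampartMessageData.KEY_RAMPART_POLICY, policy);
            // Credentials are hard-coded here as in the original tutorial code; the policy.xml
            // shown uses only X.509 tokens, so Rampart does not appear to consume these two
            // values — confirm before relying on them, and keep real credentials out of source.
            options.setUserName("libuser");
            options.setPassword("books");
            client.setOptions(options);
            client.engageModule("addressing");
            client.engageModule("rampart");
            stub._setServiceClient(client);

            // Send the request and print the response to the console.
            GetWelcomeResponse response = stub.getWelcome();
            if (response.local_returnTracker) {
                System.out.println(response.get_return());
            }
        } catch (Exception e) {
            // Keep the original one-line message but also print the stack trace:
            // a NullPointerException has no message, so "Exception: null" alone
            // hides where inside Axis2/Rampart the failure actually occurred.
            System.out.println("Exception: " + e.getMessage());
            e.printStackTrace(System.err);
        }
    }
}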
PasswordCallbackHandler.java
package de.security.tutorial;
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;
/**
* Simple password callback handler. This just checks if the password for the private key
* is being requested, and if so sets that value.
*/
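public class PWCBHandler implements CallbackHandler
{
    // NOTE(review): the listing heading names this file PasswordCallbackHandler.java;
    // a public class named PWCBHandler must live in PWCBHandler.java to compile.

    /** Alias of the client's private key in the keystore (the ramp:user of policy.xml). */
    private static final String CLIENT_KEY_ALIAS = "clientkey";

    /**
     * Supplies the private-key password to WSS4J when Rampart needs to sign a request or
     * decrypt a response with the client key. Callbacks for other usages, or for other
     * key aliases, are left untouched.
     *
     * @param callbacks the callbacks Rampart wants answered; each must be a WSPasswordCallback
     * @throws IOException declared by the CallbackHandler contract, never thrown here
     * @throws UnsupportedCallbackException if a callback is not a WSPasswordCallback,
     *     instead of the unchecked ClassCastException the blind cast used to produce
     */
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (!(callback instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callback, "Only WSPasswordCallback is supported");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) callback;
            int usage = pwcb.getUsage();
            // Only the private-key password is served: signing the request, decrypting the response.
            boolean privateKeyUse =
                    usage == WSPasswordCallback.DECRYPT || usage == WSPasswordCallback.SIGNATURE;
            if (privateKeyUse && CLIENT_KEY_ALIAS.equals(pwcb.getIdentifer())) {
                // Hard-coded key password kept from the tutorial; outside a tutorial this
                // value belongs in protected configuration, not in source.
                pwcb.setPassword("clientpass");
            }
        }
    }
}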
policy.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Client-side WS-SecurityPolicy for the "Server" service: the SOAP Body is signed and
  encrypted under an asymmetric (X.509) binding, and the RampartConfig block at the end
  tells Rampart which keys and keystore to use.
  NOTE(review): this file holds the keystore password in clear text and is loaded from the
  classpath; keep it out of source control or move the secret into the callback handler.
-->
<wsp:Policy wsu:Id="SigEncr"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsp:ExactlyOne>
<wsp:All>
<!-- Asymmetric binding: the initiator (client) signs with its own key and the recipient
     (server) certificate is used for encryption; both tokens are referenced by thumbprint. -->
<sp:AsymmetricBinding
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<!-- The client certificate is included in every request (AlwaysToRecipient). -->
<sp:X509Token
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:RequireThumbprintReference />
<!-- NOTE(review): the initiator token is declared as X.509 v1 while the recipient token
     below is v3; confirm this matches the certificate stored under the "clientkey" alias. -->
<sp:WssX509V1Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<!-- The server certificate is never sent on the wire; the client must already hold it
     in its keystore (see encryptionUser below). -->
<sp:X509Token
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
<wsp:Policy>
<sp:RequireThumbprintReference />
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<!-- TripleDesRsa15 = 3DES for the message body and RSA PKCS#1 v1.5 key transport.
     NOTE(review): both are legacy choices; RSA v1.5 key transport is exposed to padding-oracle
     (Bleichenbacher-style) attacks and 3DES is deprecated. If both endpoints support it,
     prefer a suite such as Basic256 (AES-256 with RSA-OAEP key transport). -->
<sp:TripleDesRsa15 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<!-- Strict ordering of the wsse:Security header contents. -->
<sp:Strict />
</wsp:Policy>
</sp:Layout>
<!-- A wsu:Timestamp is added to each message; the receiver can use it to bound replay. -->
<sp:IncludeTimestamp />
<!-- Signatures may only cover whole headers and the whole Body, never sub-elements. -->
<sp:OnlySignEntireHeadersAndBody />
</wsp:Policy>
</sp:AsymmetricBinding>
<!-- Security token reference forms the client is able to process. -->
<sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier />
<sp:MustSupportRefIssuerSerial />
</wsp:Policy>
</sp:Wss10>
<!-- NOTE(review): only the Body is listed here; the WS-Addressing headers added by the
     engaged "addressing" module are not covered by the signature unless they are added
     as sp:Header entries in this element. -->
<sp:SignedParts
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body />
</sp:SignedParts>
<sp:EncryptedParts
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body />
</sp:EncryptedParts>
<!-- Rampart runtime configuration: "user" is the alias of the client's signing key,
     "encryptionUser" the alias of the server certificate used to encrypt; both are looked
     up in client.keystore through the two crypto blocks below. -->
<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
<ramp:user>clientkey</ramp:user>
<ramp:encryptionUser>serverkey</ramp:encryptionUser>
<!-- NOTE(review): the class name is followed by a line break before the closing tag;
     confirm Rampart trims this text value, otherwise loading the class fails on the
     trailing whitespace. -->
<ramp:passwordCallbackClass>de.security.tutorial.PWCBHandler
</ramp:passwordCallbackClass>
<!-- NOTE(review): Rampart's RampartConfig element for the signature crypto is spelled
     "signatureCrypto" (only the encryption one below uses the "Cypto" spelling). Verify
     against the Rampart version in use: an unrecognised element leaves the signature crypto
     unset, which would show up later as a NullPointerException while the request is built. -->
<ramp:signatureCypto>
<ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
<ramp:property
name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
<!-- NOTE(review): the path value also ends with a line break before the closing tag;
     confirm it is trimmed before being opened. -->
<ramp:property name="org.apache.ws.security.crypto.merlin.file">D:/keystore/client.keystore
</ramp:property>
<!-- Keystore password in clear text; see the file-level note above. -->
<ramp:property
name="org.apache.ws.security.crypto.merlin.keystore.password">nosecret</ramp:property>
</ramp:crypto>
</ramp:signatureCypto>
<!-- Same keystore is used for encryption; it must therefore also contain the
     server certificate under the "serverkey" alias. -->
<ramp:encryptionCypto>
<ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
<ramp:property
name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
<ramp:property name="org.apache.ws.security.crypto.merlin.file">D:/keystore/client.keystore
</ramp:property>
<ramp:property
name="org.apache.ws.security.crypto.merlin.keystore.password">nosecret</ramp:property>
</ramp:crypto>
</ramp:encryptionCypto>
</ramp:RampartConfig>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
好的。我有一个名为“Server”的 WebService,其中有一个函数“getWelcome”,它返回一个简单的字符串。重要的只是安全性。
问题:如果我运行客户端,它会抛出一个 NullPointerException,并且没有连接到服务。抛出异常的是这一行:
GetWelcomeResponse response = stub.getWelcome();
但是如果我禁用 Rampart 模块,就能连接到该服务,只是消息中缺少安全头。问题出在这一行:
client.engageModule( "rampart" );
有人能帮助我吗?
I have a problem with the security between a web service and its client.
I use Axis2 and Rampart to build my web service bottom-up and then create the client from the generated WSDL.
I will show you my code and the concrete problem.
Client.java
package de.security.tutorial;
import java.io.InputStream;
import java.rmi.RemoteException;
import javax.xml.stream.XMLStreamException;
import org.apache.axiom.om.impl.builder.StAXOMBuilder;
import org.apache.axis2.client.Options;
import org.apache.axis2.client.ServiceClient;
import org.apache.axis2.context.ConfigurationContext;
import org.apache.axis2.context.ConfigurationContextFactory;
import org.apache.neethi.Policy;
import org.apache.neethi.PolicyEngine;
import org.apache.rampart.RampartMessageData;
import de.security.tutorial.ServerStub.GetWelcomeResponse;
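public class Client {

    /** Endpoint of the "Server" service the generated stub talks to. */
    private static final String SERVICE_URL = "http://localhost:8080/axis2/services/Server";

    /** Directory holding the Axis2 module repository (the addressing and rampart modules). */
    private static final String REPOSITORY_PATH = "WebContent/WEB-INF/";

    /**
     * Loads a WS-Policy document from the classpath and parses it with Neethi.
     *
     * @param name classpath resource name, e.g. {@code "policy.xml"}
     * @return the parsed policy, ready to be handed to Rampart
     * @throws XMLStreamException if the resource is not well-formed XML
     * @throws IllegalArgumentException if no resource with that name is on the classpath;
     *     without this check a missing file only surfaces later as a bare
     *     NullPointerException with no message
     */
    private static Policy loadPolicy(String name) throws XMLStreamException {
        // Use the loader that loaded this class rather than an anonymous ClassLoader
        // subclass; the anonymous loader only worked because it delegated to its parent.
        InputStream resource = Client.class.getClassLoader().getResourceAsStream(name);
        if (resource == null) {
            throw new IllegalArgumentException("Policy resource not found on classpath: " + name);
        }
        StAXOMBuilder builder = new StAXOMBuilder(resource);
        return PolicyEngine.getPolicy(builder.getDocumentElement());
    }

    /**
     * Builds the stub, engages addressing and Rampart with the client-side policy,
     * calls {@code getWelcome} and prints the result.
     *
     * @param arg ignored
     * @throws RemoteException declared for the stub call; in practice every failure is
     *     caught below and reported on the console
     */
    public static void main(String[] arg) throws RemoteException {
        try {
            // Configuration context pointing at the module repository so that the
            // engageModule(...) calls below can find the addressing and rampart modules.
            ConfigurationContext ctx = ConfigurationContextFactory
                    .createConfigurationContextFromFileSystem(REPOSITORY_PATH, null);
            ServerStub stub = new ServerStub(ctx, SERVICE_URL);

            // Configure and engage Rampart on the stub's ServiceClient.
            ServiceClient client = stub._getServiceClient();
            Options options = client.getOptions();
            Policy policy = loadPolicy("policy.xml");
            // client.getAxisService().getPolicySubject().attachPolicy(policy);
            options.setProperty(RampartMessageData.KEY_RAMPART_POLICY, policy);
            // Credentials are hard-coded here as in the original tutorial code; the policy.xml
            // shown uses only X.509 tokens, so Rampart does not appear to consume these two
            // values — confirm before relying on them, and keep real credentials out of source.
            options.setUserName("libuser");
            options.setPassword("books");
            client.setOptions(options);
            client.engageModule("addressing");
            client.engageModule("rampart");
            stub._setServiceClient(client);

            // Send the request and print the response to the console.
            GetWelcomeResponse response = stub.getWelcome();
            if (response.local_returnTracker) {
                System.out.println(response.get_return());
            }
        } catch (Exception e) {
            // Keep the original one-line message but also print the stack trace:
            // a NullPointerException has no message, so "Exception: null" alone
            // hides where inside Axis2/Rampart the failure actually occurred.
            System.out.println("Exception: " + e.getMessage());
            e.printStackTrace(System.err);
        }
    }
}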
PasswordCallbackHandler.java
package de.security.tutorial;
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;
/**
* Simple password callback handler. This just checks if the password for the private key
* is being requested, and if so sets that value.
*/
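public class PWCBHandler implements CallbackHandler
{
    // NOTE(review): the listing heading names this file PasswordCallbackHandler.java;
    // a public class named PWCBHandler must live in PWCBHandler.java to compile.

    /** Alias of the client's private key in the keystore (the ramp:user of policy.xml). */
    private static final String CLIENT_KEY_ALIAS = "clientkey";

    /**
     * Supplies the private-key password to WSS4J when Rampart needs to sign a request or
     * decrypt a response with the client key. Callbacks for other usages, or for other
     * key aliases, are left untouched.
     *
     * @param callbacks the callbacks Rampart wants answered; each must be a WSPasswordCallback
     * @throws IOException declared by the CallbackHandler contract, never thrown here
     * @throws UnsupportedCallbackException if a callback is not a WSPasswordCallback,
     *     instead of the unchecked ClassCastException the blind cast used to produce
     */
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (!(callback instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callback, "Only WSPasswordCallback is supported");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) callback;
            int usage = pwcb.getUsage();
            // Only the private-key password is served: signing the request, decrypting the response.
            boolean privateKeyUse =
                    usage == WSPasswordCallback.DECRYPT || usage == WSPasswordCallback.SIGNATURE;
            if (privateKeyUse && CLIENT_KEY_ALIAS.equals(pwcb.getIdentifer())) {
                // Hard-coded key password kept from the tutorial; outside a tutorial this
                // value belongs in protected configuration, not in source.
                pwcb.setPassword("clientpass");
            }
        }
    }
}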
policy.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Client-side WS-SecurityPolicy for the "Server" service: the SOAP Body is signed and
  encrypted under an asymmetric (X.509) binding, and the RampartConfig block at the end
  tells Rampart which keys and keystore to use.
  NOTE(review): this file holds the keystore password in clear text and is loaded from the
  classpath; keep it out of source control or move the secret into the callback handler.
-->
<wsp:Policy wsu:Id="SigEncr"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsp:ExactlyOne>
<wsp:All>
<!-- Asymmetric binding: the initiator (client) signs with its own key and the recipient
     (server) certificate is used for encryption; both tokens are referenced by thumbprint. -->
<sp:AsymmetricBinding
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<!-- The client certificate is included in every request (AlwaysToRecipient). -->
<sp:X509Token
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:RequireThumbprintReference />
<!-- NOTE(review): the initiator token is declared as X.509 v1 while the recipient token
     below is v3; confirm this matches the certificate stored under the "clientkey" alias. -->
<sp:WssX509V1Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<!-- The server certificate is never sent on the wire; the client must already hold it
     in its keystore (see encryptionUser below). -->
<sp:X509Token
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
<wsp:Policy>
<sp:RequireThumbprintReference />
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<!-- TripleDesRsa15 = 3DES for the message body and RSA PKCS#1 v1.5 key transport.
     NOTE(review): both are legacy choices; RSA v1.5 key transport is exposed to padding-oracle
     (Bleichenbacher-style) attacks and 3DES is deprecated. If both endpoints support it,
     prefer a suite such as Basic256 (AES-256 with RSA-OAEP key transport). -->
<sp:TripleDesRsa15 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<!-- Strict ordering of the wsse:Security header contents. -->
<sp:Strict />
</wsp:Policy>
</sp:Layout>
<!-- A wsu:Timestamp is added to each message; the receiver can use it to bound replay. -->
<sp:IncludeTimestamp />
<!-- Signatures may only cover whole headers and the whole Body, never sub-elements. -->
<sp:OnlySignEntireHeadersAndBody />
</wsp:Policy>
</sp:AsymmetricBinding>
<!-- Security token reference forms the client is able to process. -->
<sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier />
<sp:MustSupportRefIssuerSerial />
</wsp:Policy>
</sp:Wss10>
<!-- NOTE(review): only the Body is listed here; the WS-Addressing headers added by the
     engaged "addressing" module are not covered by the signature unless they are added
     as sp:Header entries in this element. -->
<sp:SignedParts
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body />
</sp:SignedParts>
<sp:EncryptedParts
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body />
</sp:EncryptedParts>
<!-- Rampart runtime configuration: "user" is the alias of the client's signing key,
     "encryptionUser" the alias of the server certificate used to encrypt; both are looked
     up in client.keystore through the two crypto blocks below. -->
<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
<ramp:user>clientkey</ramp:user>
<ramp:encryptionUser>serverkey</ramp:encryptionUser>
<!-- NOTE(review): the class name is followed by a line break before the closing tag;
     confirm Rampart trims this text value, otherwise loading the class fails on the
     trailing whitespace. -->
<ramp:passwordCallbackClass>de.security.tutorial.PWCBHandler
</ramp:passwordCallbackClass>
<!-- NOTE(review): Rampart's RampartConfig element for the signature crypto is spelled
     "signatureCrypto" (only the encryption one below uses the "Cypto" spelling). Verify
     against the Rampart version in use: an unrecognised element leaves the signature crypto
     unset, which would show up later as a NullPointerException while the request is built. -->
<ramp:signatureCypto>
<ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
<ramp:property
name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
<!-- NOTE(review): the path value also ends with a line break before the closing tag;
     confirm it is trimmed before being opened. -->
<ramp:property name="org.apache.ws.security.crypto.merlin.file">D:/keystore/client.keystore
</ramp:property>
<!-- Keystore password in clear text; see the file-level note above. -->
<ramp:property
name="org.apache.ws.security.crypto.merlin.keystore.password">nosecret</ramp:property>
</ramp:crypto>
</ramp:signatureCypto>
<!-- Same keystore is used for encryption; it must therefore also contain the
     server certificate under the "serverkey" alias. -->
<ramp:encryptionCypto>
<ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
<ramp:property
name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
<ramp:property name="org.apache.ws.security.crypto.merlin.file">D:/keystore/client.keystore
</ramp:property>
<ramp:property
name="org.apache.ws.security.crypto.merlin.keystore.password">nosecret</ramp:property>
</ramp:crypto>
</ramp:encryptionCypto>
</ramp:RampartConfig>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
OK. I have a WebService called "Server" with one function "getWelcome" which returns a simple String. Only the security part matters here.
The Problem:
If I execute my client, it throws a NullPointerException and never connects to the service. This line throws the exception:
GetWelcomeResponse response = stub.getWelcome();
But if I disable the Rampart module, I get a connection to the service, but the message is missing the security header. The problem is this line:
client.engageModule( "rampart" );
Can anybody help me?
从下面的代码来看,我认为你需要启用被注释掉的那一行,并注释掉其下方的另外 5 行。
From the code below I would say that you need to include the commented-out line and comment out the other 5 lines below it.