通過Rampart將SOAP信息安全傳輸
AXIS2擁有一個(gè)基于apache wss4j提供ws-security的模塊,叫Rampart。這篇文檔提供了運(yùn)行和配置Rampart模塊的信息。
介紹:
當(dāng)rampart模塊在系統(tǒng)指定的安全階段插入了處理器之后,它是全局起作用的。這些處理器可以使用ws-securitypolicy[2]和rempart指定的策略來配置。Rampart-1.0使用兩個(gè)axis2參數(shù)來配置,這種配置方法到了1.1還在使用。
Rampart1.1:http://www.apache.org/dyn/closer.cgi/ws/rampart/1_1
首先,需要將下面的語句插入到axis2.xml文件中
<module ref=”rampart”/>
當(dāng)axis2配置到服務(wù)器如tomcat時(shí),可以使用web的管理接口。
在服務(wù)器,為每個(gè)服務(wù)提供安全是可能的。配置參數(shù)需要在service.xml文件中設(shè)定。
在客戶端配置參數(shù)需要在client’s axis2 repository的axis2.xml中設(shè)置。
Rampart-1.1 配置
Rampart指定的聲明
Rampart使用標(biāo)準(zhǔn)的ws-securitypolicy[2]聲明,也能定義自己的聲明。
Rampart指定的聲明xsd文檔:http://ws.apache.org/axis2/modules/rampart/1_1/sec-conf/rampart-config.xsd
Ramp:rampartconfig必須作為頂層聲明有效,如http://ws.apache.org/axis2/modules/rampart/1_1/sec-conf/sample-policy.xml
服務(wù)端配置
需要在services.xml文件中增加policy元素來配置服務(wù)。一個(gè)可用的service.xml:
http://ws.apache.org/axis2/modules/rampart/1_1/sec-conf/sample-services.xml
客戶端配置
在客戶端,需要?jiǎng)?chuàng)建一個(gè)policy對(duì)象,將其載入options.創(chuàng)建policy對(duì)象能使用policy.xml文件,如下:
//Creating the object
StAXOMBuilder builder = new StAXOMBuilder(pathToPolicyfile);
Policy clientPolicy = PolicyEngine.getPolicy(builder.getDocumentElement());
//setting the object
Options options = new Options();
options.setProperty(RampartMessageData.KEY_RAMPART_POLICY, clientPolicy);
rampart-1.0配置
rampart模塊使用兩個(gè)參數(shù):outflowsecurity和inflowsecurity
OutflowSecurity參數(shù):
這個(gè)參數(shù)是用來配置outflow安全處理器的。Outflow處理器能在一個(gè)outflow(one can provde configuration for each of these invocations)中調(diào)用多次.”action”描述了一種這樣的配置。因此”outflowsecurity”參數(shù)能包含多個(gè)’action’元素。’action’元素的schema:http://ws.apache.org/axis2/modules/rampart/1_1/sec-conf/out-action.xsd
給outflow配置增加一個(gè)時(shí)間戳,http://ws.apache.org/axis2/modules/rampart/1_1/security-module.html#ex1是給信息簽字和加密的例子,http://ws.apache.org/axis2/modules/rampart/1_1/security-module.html#ex1 演示了如何通過連鎖outflow處理器將信息簽名兩次(使用兩個(gè)‘action’元素)
下面是outflowsecurity 參數(shù)能放在’action’元素里面的元素描述
|
Parameter
|
Description
|
Example
|
|
items
|
Security actions for the inflow
|
Add a Timestamp, Sign the SOAP body and Encrypt the SOAP body
<items> Timestamp Signature Encrypt</items>
|
|
user
|
The user's name
|
Set alias of the key to be used to sign
<user> bob</user>
|
|
passwordCallbackClass
|
Callback class used to provide the password required to create the UsernameToken or to sign the message
|
<passwordCallbackClass> org.apache.axis2.security.PWCallback</passwordCallbackClass>
|
|
signaturePropFile
|
property file used to get the signature parameters such as crypto provider, keystore and its password
|
Set example.properties file as the signature property file
<signaturePropFile> example.properties</signaturePropFile>
|
|
signatureKeyIdentifier
|
Key identifier to be used in referring the key in the signature
|
Use the serial number of the certificate
<signatureKeyIdentifier> IssuerSerial</signatureKeyIdentifier>
|
|
encryptionKeyIdentifier
|
Key identifier to be used in referring the key in encryption
|
Use the serial number of the certificate
<encryptionKeyIdentifier>IssuerSerial</encryptionKeyIdentifier>
|
|
encryptionUser
|
The user's name for encryption.
|
<encryptionUser>alice</encryptionUser>
|
|
encryptionSymAlgorithm
|
Symmetric algorithm to be used for encryption
|
Use AES-128
<encryptionSymAlgorithm> http://www.w3.org/2001/04/xmlenc#aes128-cbc</encryptionSymAlgorithm>
|
|
encryptionKeyTransportAlgorithm
|
Key encryption algorithm
|
Use RSA-OAEP
<parameter name="encryptionSymAlgorithm"> http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p</parameter>
|
|
signatureParts
|
Sign multiple parts in the SOAP message
|
Sign Foo and Bar elements qualified by "http://app.ns/ns"
<signatureParts> {Element}{http://app.ns/ns}Foo;{Element}{http://app.ns/ns}Bar </signatureParts>
|
|
optimizeParts
|
MTOM Optimize the elements specified by the XPath query
|
Optimize the CipherValue
<optimizeParts> //xenc:EncryptedData/xenc:CipherData/xenc:CipherValue </optimizeParts>
|
InflowSecurity 參數(shù)
這個(gè)參數(shù)是來配置inflow 安全處理器的。’action’也被使用來對(duì)配置元素進(jìn)行封裝。http://ws.apache.org/axis2/modules/rampart/1_1/security-module.html#ex3 展示了配置說明,校驗(yàn)簽名和驗(yàn)證時(shí)間戳。
|
Parameter
|
Description
|
Example
|
|
items
|
Security actions for the inflow
|
first the incoming message should be decrypted and then the signatures should be verified and should be checked for the availability of the Timestamp
<items> Timestamp Signature Encrypt</items>
|
|
passwordCallbackClass
|
Callback class used to obtain password for decryption and UsernameToken verification
|
<passwordCallbackClass> org.apache.axis2.security.PWCallback</passwordCallbackClass>
|
|
signaturePropFile
|
Property file used for signature verification
|
<signaturePropFile> sig.properties</signaturePropFile>
|
|
decryptionPropFile
|
Property file used for decryption
|
<decryptionPropFile> dec.properties</decryptionPropFile>
|
請(qǐng)注意’.properties’文件在properties中被使用,如outsignaturepropfile 和在wss4j項(xiàng)目中用到的屬性文件是一樣的。下面展示了如何在屬性文件中定義屬性。
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=pkcs12
org.apache.ws.security.crypto.merlin.keystore.password=security
org.apache.ws.security.crypto.merlin.keystore.alias=16c73ab6-b892-458f-abf5-2f875f74882e
org.apache.ws.security.crypto.merlin.alias.password=security
org.apache.ws.security.crypto.merlin.file=keys/x509.PFX.MSFT
org.apache.ws.security.crypto.provider defines the implementation of the org.apache.ws.security.components.crypto.Crypto interface to provide the crypto information required by WSS4J. The other properties defined are the configuration properties used by the implementation class (org.apache.ws.security.components.crypto.Merlin).