通過Rampart將SOAP信息安全傳輸
AXIS2擁有一個基于apache wss4j提供ws-security的模塊,叫Rampart。這篇文檔提供了運行和配置Rampart模塊的信息。
介紹:
當rampart模塊在系統指定的安全階段插入了處理器之后,它是全局起作用的。這些處理器可以使用ws-securitypolicy[2]和rempart指定的策略來配置。Rampart-1.0使用兩個axis2參數來配置,這種配置方法到了1.1還在使用。
Rampart1.1:http://www.apache.org/dyn/closer.cgi/ws/rampart/1_1
首先,需要將下面的語句插入到axis2.xml文件中
<module ref=”rampart”/>
當axis2配置到服務器如tomcat時,可以使用web的管理接口。
在服務器,為每個服務提供安全是可能的。配置參數需要在service.xml文件中設定。
在客戶端配置參數需要在client’s axis2 repository的axis2.xml中設置。
Rampart-1.1 配置
Rampart指定的聲明
Rampart使用標準的ws-securitypolicy[2]聲明,也能定義自己的聲明。
Rampart指定的聲明xsd文檔:http://ws.apache.org/axis2/modules/rampart/1_1/sec-conf/rampart-config.xsd
Ramp:rampartconfig必須作為頂層聲明有效,如http://ws.apache.org/axis2/modules/rampart/1_1/sec-conf/sample-policy.xml
服務端配置
需要在services.xml文件中增加policy元素來配置服務。一個可用的service.xml:
http://ws.apache.org/axis2/modules/rampart/1_1/sec-conf/sample-services.xml
客戶端配置
在客戶端,需要創建一個policy對象,將其載入options.創建policy對象能使用policy.xml文件,如下:
//Creating the object
StAXOMBuilder builder = new StAXOMBuilder(pathToPolicyfile);
Policy clientPolicy = PolicyEngine.getPolicy(builder.getDocumentElement());
//setting the object
Options options = new Options();
options.setProperty(RampartMessageData.KEY_RAMPART_POLICY, clientPolicy);
rampart-1.0配置
rampart模塊使用兩個參數:outflowsecurity和inflowsecurity
OutflowSecurity參數:
這個參數是用來配置outflow安全處理器的。Outflow處理器能在一個outflow(one can provde configuration for each of these invocations)中調用多次.”action”描述了一種這樣的配置。因此”outflowsecurity”參數能包含多個’action’元素。’action’元素的schema:http://ws.apache.org/axis2/modules/rampart/1_1/sec-conf/out-action.xsd
給outflow配置增加一個時間戳,http://ws.apache.org/axis2/modules/rampart/1_1/security-module.html#ex1是給信息簽字和加密的例子,http://ws.apache.org/axis2/modules/rampart/1_1/security-module.html#ex1 演示了如何通過連鎖outflow處理器將信息簽名兩次(使用兩個‘action’元素)
下面是outflowsecurity 參數能放在’action’元素里面的元素描述
|
Parameter
|
Description
|
Example
|
|
items
|
Security actions for the inflow
|
Add a Timestamp, Sign the SOAP body and Encrypt the SOAP body
<items> Timestamp Signature Encrypt</items>
|
|
user
|
The user's name
|
Set alias of the key to be used to sign
<user> bob</user>
|
|
passwordCallbackClass
|
Callback class used to provide the password required to create the UsernameToken or to sign the message
|
<passwordCallbackClass> org.apache.axis2.security.PWCallback</passwordCallbackClass>
|
|
signaturePropFile
|
property file used to get the signature parameters such as crypto provider, keystore and its password
|
Set example.properties file as the signature property file
<signaturePropFile> example.properties</signaturePropFile>
|
|
signatureKeyIdentifier
|
Key identifier to be used in referring the key in the signature
|
Use the serial number of the certificate
<signatureKeyIdentifier> IssuerSerial</signatureKeyIdentifier>
|
|
encryptionKeyIdentifier
|
Key identifier to be used in referring the key in encryption
|
Use the serial number of the certificate
<encryptionKeyIdentifier>IssuerSerial</encryptionKeyIdentifier>
|
|
encryptionUser
|
The user's name for encryption.
|
<encryptionUser>alice</encryptionUser>
|
|
encryptionSymAlgorithm
|
Symmetric algorithm to be used for encryption
|
Use AES-128
<encryptionSymAlgorithm> http://www.w3.org/2001/04/xmlenc#aes128-cbc</encryptionSymAlgorithm>
|
|
encryptionKeyTransportAlgorithm
|
Key encryption algorithm
|
Use RSA-OAEP
<parameter name="encryptionSymAlgorithm"> http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p</parameter>
|
|
signatureParts
|
Sign multiple parts in the SOAP message
|
Sign Foo and Bar elements qualified by "http://app.ns/ns"
<signatureParts> {Element}{http://app.ns/ns}Foo;{Element}{http://app.ns/ns}Bar </signatureParts>
|
|
optimizeParts
|
MTOM Optimize the elements specified by the XPath query
|
Optimize the CipherValue
<optimizeParts> //xenc:EncryptedData/xenc:CipherData/xenc:CipherValue </optimizeParts>
|
InflowSecurity 參數
這個參數是來配置inflow 安全處理器的。’action’也被使用來對配置元素進行封裝。http://ws.apache.org/axis2/modules/rampart/1_1/security-module.html#ex3 展示了配置說明,校驗簽名和驗證時間戳。
|
Parameter
|
Description
|
Example
|
|
items
|
Security actions for the inflow
|
first the incoming message should be decrypted and then the signatures should be verified and should be checked for the availability of the Timestamp
<items> Timestamp Signature Encrypt</items>
|
|
passwordCallbackClass
|
Callback class used to obtain password for decryption and UsernameToken verification
|
<passwordCallbackClass> org.apache.axis2.security.PWCallback</passwordCallbackClass>
|
|
signaturePropFile
|
Property file used for signature verification
|
<signaturePropFile> sig.properties</signaturePropFile>
|
|
decryptionPropFile
|
Property file used for decryption
|
<decryptionPropFile> dec.properties</decryptionPropFile>
|
請注意’.properties’文件在properties中被使用,如outsignaturepropfile 和在wss4j項目中用到的屬性文件是一樣的。下面展示了如何在屬性文件中定義屬性。
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=pkcs12
org.apache.ws.security.crypto.merlin.keystore.password=security
org.apache.ws.security.crypto.merlin.keystore.alias=16c73ab6-b892-458f-abf5-2f875f74882e
org.apache.ws.security.crypto.merlin.alias.password=security
org.apache.ws.security.crypto.merlin.file=keys/x509.PFX.MSFT
org.apache.ws.security.crypto.provider defines the implementation of the org.apache.ws.security.components.crypto.Crypto interface to provide the crypto information required by WSS4J. The other properties defined are the configuration properties used by the implementation class (org.apache.ws.security.components.crypto.Merlin).