2.4 WEBSPHERE IICE WEB SERVICE SOAP消息安全實現細節
A. 配置
WebSphere IICE Web Services安全機制的配置工作是由客戶端和服務器端兩部分組成的。就如下面的配置文件實例說描述的一樣,SOAP消息會在它被發送到目標服務器之前分別被不同的句柄簽名和加密。相對應的,它也會在服務器端被驗證和解密。
列表2:AXIS客戶端配置文件示例
<globalConfiguration>
????? <requestFlow>????
????? <handler
?? type="java:com.venetica.vbr.webservices.handler.X509SignHandler"/>
????? <handler
?? type="java:com.venetica.vbr.webservices.handler.EncryptHandler"/>?????
?? </requestFlow>??
?? <responseFlow>
??? <handler
?type="java:com.venetica.vbr.webservices.handler.X509SignHandler"/>
??? <handler
?type="java:com.venetica.vbr.webservices.handler.DecryptHandler"/>
?? </responseFlow>??
?</globalConfiguration>
|
服務器端的配置文件和客戶端的配置文件非常相像。
B. 簽名和加密/解密過程:
SOAP消息的簽名和加密/解密過程如圖2所示:
圖2:SOAP消息的簽名和加密/解密過程
列表3: XML簽名示例代碼
public Message signSOAPEnvelope(SOAPEnvelope unsignedEnvelope) throws Exception
?? {? // WSSignEnvelope signs a SOAP envelope according to the
????? // WS Specification (X509 profile) and adds the signature data
????? // to the envelope.
????? WSSignEnvelope signer = new WSSignEnvelope();
????? String alias = "username";
????? String password = "password";
????? signer.setUserInfo(alias, password);
????? Document doc = unsignedEnvelope.getAsDocument();????
????? Document signedDoc = signer.build(doc, crypto);
????? // Convert the signed document into a SOAP message.
????? Message signedSOAPMsg =???????? (org.apache.axis.Message)AxisUtil.toSOAPMessage(signedDoc);
????? return signedSOAPMsg;
?? }
|
列表3顯示了XML簽名的過程:首先得到SOAP信封,接下來是獲得用戶證書信息、產生簽名對象,然后是用此簽名對象對信封進行簽名,最后是從被簽名的信封中產生新的SOAP消息。
列表4:XML加密示例代碼
public Message encryptSOAPEnvelope(
????? SOAPEnvelope unsignedEnvelope, Message axisMessage)
????? throws Exception
?? {
????? WSEncryptBody encrypt = new WSEncryptBody();
????? // build the encrypted SOAP part
????? Document doc = unsignedEnvelope.getAsDocument();
????? Document encryptedDoc = encrypt.build(doc, crypto);
????? // Convert the document into a SOAP message
????? Message encryptedMsg =
???????? (Message)AxisUtil.toSOAPMessage(encryptedDoc);
????? // Retrieve the desired SOAP part
????? String soapPart = encryptedMsg.getSOAPPartAsString();
????? ((SOAPPart)axisMessage.getSOAPPart()). setCurrentMessage(soapPart, SOAPPart.FORM_STRING);
????? encryptedDoc =axisMessage.getSOAPEnvelope().getAsDocument();
????? // Convert the document into a SOAP message
????? Message encryptedSOAPMsg = Message)AxisUtil.toSOAPMessage(encryptedDoc);
????? return encryptedSOAPMsg;
?? }
|