I have a secured web service where I used the WSSJInInterceptor approach:
<jaxws:endpoint id="NAME_REMOVED"
    implementorClass="NAME_REMOVED"
    implementor="#NAME_REMOVED" address="/NAME_REMOVED">
    <jaxws:inInterceptors>
        <ref bean="logInBound" />
        <ref bean="wsAuthenticationInterceptor" />
    </jaxws:inInterceptors>
    <jaxws:outInterceptors>
        <ref bean="logOutBound" />
        <ref bean="outbound-security" />
    </jaxws:outInterceptors>
</jaxws:endpoint>

<!-- WSS4JInInterceptor for decrypting inbound SOAP -->
<bean id="wsAuthenticationInterceptor" class="NAME_REMOVED.WSAuthenticationInInterceptor">
    <constructor-arg index="0">
        <map key-type="java.lang.String" value-type="java.lang.Object">
            <entry key="action" value="Timestamp Signature Encrypt" />
            <entry key="signaturePropFile" value="server-crypto.properties" />
            <entry key="decryptionPropFile" value="server-crypto.properties" />
            <entry key="passwordCallbackClass" value="NAME_REMOVED.ServerPasswordCallback" />
        </map>
    </constructor-arg>
</bean>

<!-- WSS4JOutInterceptor for signing and encrypting outbound SOAP -->
<bean id="outbound-security" class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
    <constructor-arg>
        <map>
            <entry key="action" value="Timestamp Signature Encrypt" />
            <entry key="user" value="server" />
            <entry key="signaturePropFile" value="server-crypto.properties" />
            <entry key="encryptionPropFile" value="server-crypto.properties" />
            <entry key="encryptionUser" value="useReqSigCert" />
            <entry key="passwordCallbackClass" value="NAME_REMOVED.ServerPasswordCallback" />
            <entry key="signatureParts"
                value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body" />
            <entry key="encryptionParts"
                value="{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body" />
            <entry key="encryptionSymAlgorithm" value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
        </map>
    </constructor-arg>
</bean>
However, I only realized afterwards that this approach does not put any SecurityPolicy information into the WSDL. It is important that the client knows what security measures apply, so I would like to manually add a @Policy annotation to the endpoint. Can somebody point me in the right direction for writing a SecurityPolicy that corresponds to the configuration above?
Thank you!
UPDATE: As I haven't got a reply to this question, I suppose that few people use this WSSJInterceptor approach. For those who do not, here is an example SOAP request which was generated using this configuration:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Header>
        <wsse:Security
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            soap:mustUnderstand="1">
            <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                Id="EK-B9E9615202664FEC1B14006659902977">
                <xenc:EncryptionMethod
                    Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" />
                <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <wsse:SecurityTokenReference>
                        <ds:X509Data>
                            <ds:X509IssuerSerial>
                                <ds:X509IssuerName>1.2.840.113549.1.9.1=#1611746573746361407465737463612e636f6d,CN=Test CA,OU=Test CA,O=Test CA,L=Wien,ST=Wien,C=AT</ds:X509IssuerName>
                                <ds:X509SerialNumber>10734339032782376985</ds:X509SerialNumber>
                            </ds:X509IssuerSerial>
                        </ds:X509Data>
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
                <xenc:CipherData>
                    <xenc:CipherValue>B5Aj663c9Sp+nkyi3BlVHbeeyj+dJLVBmhQhmyi2/HlbUbvI00kfs5Ce26dyE/dP0lJOcOt2LhqmU5ggeuh/YfJHwDSPwkiKdO5Eu8UgunLc/YIBXoj0w7/pQtNyzENbt5hlMgVrDri2abOOgv1iII1+9cMosov0+L7zk2tetCs=</xenc:CipherValue>
                </xenc:CipherData>
                <xenc:ReferenceList>
                    <xenc:DataReference URI="#ED-B9E9615202664FEC1B14006659903108" />
                    <xenc:DataReference URI="#ED-B9E9615202664FEC1B14006659903459" />
                </xenc:ReferenceList>
            </xenc:EncryptedKey>
            <wsse:BinarySecurityToken
                EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="X509-B9E9615202664FEC1B14006659901732">MIIDRDCCAq2gAwIBAgIEbBKg+TANBgkqhkiG9w0BAQUFADCBgzELMAkGA1UEBhMCQVQxDTALBgNVBAgMBFdpZW4xDTALBgNVBAcMBFdpZW4xEDAOBgNVBAoMB1Rlc3QgQ0ExEDAOBgNVBAsMB1Rlc3QgQ0ExEDAOBgNVBAMMB1Rlc3QgQ0ExIDAeBgkqhkiG9w0BCQEWEXRlc3RjYUB0ZXN0Y2EuY29tMB4XDTE0MDUyMDE0MjQxOFoXDTIzMDUzMDIyMDAwMFowYDELMAkGA1UEBhMCYWExDDAKBgNVBAgTA2FhYTEMMAoGA1UEBxMDYWFhMQwwCgYDVQQKEwNhYWExDDAKBgNVBAsTA2FhYTEZMBcGA1UEAwwQdGVzdF91c2VyX3RpZ3JpczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ6CinbHxp4hQ5Hw1Kt0QAQCTLVOBSwYsGfZKYRIj6kwDR2vZFa9uhLp7IE+q8nbyuPMidAMnFUW5GjCZ1MTDnrMswvfowbxHb5SNE7R1QGCKxJhS5B+C3QMWLz11/YZ2ky7dGBjJdqOM0KCXDi6JvG6OcHokSRk+Io6jRVWXGOIBaiEd+ScaQJRDj7OOiZ0F+9lQAymMZ6LKVZjxB5uBxEh78YRG+w9fGBG1+ocZLGYE/qungcK5EWQm+RkG69popNzQ+u4M4qBBeoQ0LmLqyO2+1If7W95qkpsy+aLi/2o0Jtt4sO3lHPPrYgukakFqZZErSDyxdi1+ZE/j56Sl7MCAwEAAaNjMGEwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU6sJp945yr6HOFN9cKvgxd7UkeEkwHwYDVR0jBBgwFoAUwADKArmClT0eV56ZtBgFHrnqi/kwCwYDVR0PBAQDAgGGMA0GCSqGSIb3DQEBBQUAA4GBAAiGTiOHpwGE/0Xjcjzhfoa1w0Qnum/rlAIlT/B1skUw7/KYDksUENYDKGdXOppDYJBbG0pD34nDw5jqqQDsDPjJbJjszO/UHnJf7r64RjOZ9nVtN7vPipd0+MoX4rFzCotdfxjU6IsxHHxGPMZtsGL6tmcZxtkEQiKocEBhwEv7
</wsse:BinarySecurityToken>
            <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                Id="ED-B9E9615202664FEC1B14006659903108" Type="http://www.w3.org/2001/04/xmlenc#Element">
                <xenc:EncryptionMethod
                    Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
                <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <wsse:SecurityTokenReference
                        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                        xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
                        wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
                        <wsse:Reference URI="#EK-B9E9615202664FEC1B14006659902977" />
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
                <xenc:CipherData>
                    <xenc:CipherValue>
                    </xenc:CipherValue>
                </xenc:CipherData>
            </xenc:EncryptedData>
            <wsu:Timestamp wsu:Id="TS-B9E9615202664FEC1B14006659901631">
                <wsu:Created>2014-05-21T09:53:10.162Z</wsu:Created>
                <wsu:Expires>2014-05-21T09:58:10.162Z</wsu:Expires>
            </wsu:Timestamp>
        </wsse:Security>
    </soap:Header>
    <soap:Body
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        wsu:Id="id-B9E9615202664FEC1B14006659901845">
        <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
            Id="ED-B9E9615202664FEC1B14006659903459" Type="http://www.w3.org/2001/04/xmlenc#Content">
            <xenc:EncryptionMethod
                Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <wsse:SecurityTokenReference
                    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                    xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
                    wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
                    <wsse:Reference URI="#EK-B9E9615202664FEC1B14006659902977" />
                </wsse:SecurityTokenReference>
            </ds:KeyInfo>
            <xenc:CipherData>
                OMITTED
            </xenc:CipherData>
        </xenc:EncryptedData>
    </soap:Body>
</soap:Envelope>
I would be very grateful if somebody could either write the SecurityPolicy for this configuration for me or suggest good and comprehensive documentation on WS-Security and WS-SecurityPolicy that would help me write it myself.
Thank you!
1 solution
#1
3
There are two approaches for developing web services, wsdl-first and java-first. In the case of java-first endpoint development, Apache CXF comes with the org.apache.cxf.annotations.Policy and org.apache.cxf.annotations.Policies annotations, which are used for attaching policy fragments to the wsdl generated at deploy time.
Here is an example of a code-first endpoint including a @Policy annotation:
import javax.jws.WebService;
import org.apache.cxf.annotations.Policy;

@WebService(portName = "MyServicePort",
            serviceName = "MyService",
            name = "MyServiceIface",
            targetNamespace = "http://www.test.com/example/foo")
@Policy(placement = Policy.Placement.BINDING, uri = "JavaFirstPolicy.xml")
public class MyServiceImpl {
    public String sayHello() {
        return "Hello World!";
    }
}
The referenced descriptor is to be added to the deployment and will include the policy to be attached; the attachment position in the contracts is defined through the placement attribute. Here is a descriptor example:
<?xml version="1.0" encoding="UTF-8" ?>
<wsp:Policy wsu:Id="MyPolicy" xmlns:wsp="http://www.w3.org/ns/ws-policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:SupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                        <wsp:Policy>
                            <sp:WssUsernameToken10/>
                        </wsp:Policy>
                    </sp:UsernameToken>
                </wsp:Policy>
            </sp:SupportingTokens>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>
You can also refer to http://cxf.apache.org/docs/annotations.html for more information about the @Policy annotation.