How do I write a WS-SecurityPolicy entry for security with WSSJInInterceptor?

Time: 2020-12-10 08:51:28

I have a secured web service where I used the WSSJInInterceptor approach:

<jaxws:endpoint id="NAME_REMOVED"
    implementorClass="NAME_REMOVED"
    implementor="#NAME_REMOVED" address="/NAME_REMOVED">

    <jaxws:inInterceptors>
        <ref bean="logInBound" />
        <ref bean="wsAuthenticationInterceptor" />
    </jaxws:inInterceptors>
    <jaxws:outInterceptors>
        <ref bean="logOutBound" />
        <ref bean="outbound-security" />
    </jaxws:outInterceptors>

</jaxws:endpoint>


<!-- WSS4JInInterceptor for decrypting inbound SOAP -->
<bean id="wsAuthenticationInterceptor" class="NAME_REMOVED.WSAuthenticationInInterceptor">
    <constructor-arg index="0">
        <map key-type="java.lang.String" value-type="java.lang.Object">
            <entry key="action" value="Timestamp Signature Encrypt" />
            <entry key="signaturePropFile" value="server-crypto.properties" />
            <entry key="decryptionPropFile" value="server-crypto.properties" />
            <entry key="passwordCallbackClass" value="NAME_REMOVED.ServerPasswordCallback" />
        </map>
    </constructor-arg>
</bean>

<!-- WSS4JOutInterceptor for signing and encrypting outbound SOAP -->
<bean id="outbound-security" class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
    <constructor-arg>
        <map>
            <entry key="action" value="Timestamp Signature Encrypt" />
            <entry key="user" value="server" />
            <entry key="signaturePropFile" value="server-crypto.properties" />
            <entry key="encryptionPropFile" value="server-crypto.properties" />
            <entry key="encryptionUser" value="useReqSigCert" />
            <entry key="passwordCallbackClass" value="NAME_REMOVED.ServerPasswordCallback" />
            <entry key="signatureParts"
                value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body" />
            <entry key="encryptionParts"
                value="{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body" />
            <entry key="encryptionSymAlgorithm" value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
        </map>
    </constructor-arg>
</bean>

However, I only realized afterwards that this approach does not put any SecurityPolicy information into the WSDL. It is important that the client knows what security measures apply, so I would like to manually add a @Policy annotation to the endpoint. Can somebody point me in the right direction for writing a SecurityPolicy that corresponds to the configuration above?

Thank you!

UPDATE: As I haven't got a reply to this question, I suppose that few people use this WSSJInterceptor approach. For those who do not, here is an example SOAP request which was generated using this configuration:

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
    <wsse:Security
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    soap:mustUnderstand="1">
    <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
        Id="EK-B9E9615202664FEC1B14006659902977">
        <xenc:EncryptionMethod
            Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" />
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <wsse:SecurityTokenReference>
                <ds:X509Data>
                    <ds:X509IssuerSerial>
                        <ds:X509IssuerName>1.2.840.113549.1.9.1=#1611746573746361407465737463612e636f6d,CN=Test
                            CA,OU=Test CA,O=Test CA,L=Wien,ST=Wien,C=AT
                        </ds:X509IssuerName>
                        <ds:X509SerialNumber>10734339032782376985</ds:X509SerialNumber>
                    </ds:X509IssuerSerial>
                </ds:X509Data>
            </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData>
            <xenc:CipherValue>B5Aj663c9Sp+nkyi3BlVHbeeyj+dJLVBmhQhmyi2/HlbUbvI00kfs5Ce26dyE/dP0lJOcOt2LhqmU5ggeuh/YfJHwDSPwkiKdO5Eu8UgunLc/YIBXoj0w7/pQtNyzENbt5hlMgVrDri2abOOgv1iII1+9cMosov0+L7zk2tetCs=
            </xenc:CipherValue>
        </xenc:CipherData>
        <xenc:ReferenceList>
            <xenc:DataReference URI="#ED-B9E9615202664FEC1B14006659903108" />
            <xenc:DataReference URI="#ED-B9E9615202664FEC1B14006659903459" />
        </xenc:ReferenceList>
    </xenc:EncryptedKey>
    <wsse:BinarySecurityToken
        EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
        ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
        wsu:Id="X509-B9E9615202664FEC1B14006659901732">OMITTED
    </wsse:BinarySecurityToken>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
        Id="ED-B9E9615202664FEC1B14006659903108" Type="http://www.w3.org/2001/04/xmlenc#Element">
        <xenc:EncryptionMethod
            Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <wsse:SecurityTokenReference
                xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
                wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
                <wsse:Reference URI="#EK-B9E9615202664FEC1B14006659902977" />
            </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData>
            <xenc:CipherValue>syhXx1cPSGDAB43xWqpgwW9hPXVETwn8k6jC6kEf4al7zbQNOWfq2RMLP3DkRlhcZgC9SY933RCBZJh1P4BIgVTg63O2CUApcOzsYf8ZccSGyDcaRTy8mJai3T1dvbx9QhTkSdo57cJQeam4TaRHdsd4/Q8xMseS52EykcDdt5x+uJlprVH6ILrijTnu5Vt+JJEjMjE+N6P1q4MoEZDWVCTe5fQMCMU0B8/VBV6SMHC1riIrugeUpUVMzDq34yU3jwwCqVGGp8ZuLgMlWvaE3zSzOr40ZOaPHpR/X5IeN52NhKPVTXEoJ76ncFpjKy0iL+KB/Cf856khLONSqJiVTf7daxj22grHBIOtNFYqRL8MZm0c+R3DRcj/yKoU3WqCMHk0zqGgqCInFwHym4lg2LyXBqbJd6hFoVcu/SUjOWTxMDOoqBZ4YPYOO7TtckOvChHDWOCd0Jlqepg8Ofi6JaqqE4XybxvIkdLcJOjn3fS8EP3LB075GIVjWdO+svELjWRTbHbruUBs553wH47Pl7sj1S1MU9nf1tbs6tK4ZlNXwkcZjTw4yRjzZP5WCV/zbXBC12VdBuCMSM+wQjKujplxnjxi+ll63p3EOQVUi/hODA1P9I/JtV17YznKKanzCt3FC289szFCuhPnV39kCj3r8YAVuunMVAZDKFsji4r1TlXTDTczlrWRaPBouoZYHs8JKpa5vmzPbhXy3Hs890mvMGZcZYHAZd7L0XydCZcyBNHs3LHeAd9XLQD6Nn0kG1wKDfE12Ff1l98J5Yl5yNiey8y2iFVEDlXyvEvKQRjg3elmWTU/qEfy1seTszBs8eDbuoKJuAT6+zEYOy+XqcwqZaS0XvfD5ySJDfapCIj6g3CvlvuzYxejqgMZ84Ns2sR0oy/afJrJkeBJ+bfYBlHhW+Cp+yL0C+tmAgBgL2lQPYmmic0hrfdYwXVWGz2pp+t5GCJ1lVzMuU8HFdfugKd20W2jE7UjzhlQZTzaelJMWvg0WmcfmxjX2lHSncJ9DWU9NmEZQRxtOxpB//yAdIF8xTRdawXl2XlwiEDkH8D6b+kd1akOmKhDofaBOJxO6XGgotTosbNhoAVQYv1YrwQfWRI7GS0H/AbPF0ddQqwnvCANfsp9UQslkBE6cVQVaKIuTEouJTBhjIRXVhECBQ0pzkP+VI7JEBmZGTEvOdQyTtv/UgXlnX18pnVIQIRBGIAHXVTaMNyaI056D/Xw1JtUihqt3euzJSXUnW65U13ZnZylrgn5oElZVfNuqvyR38xoy1duQhicW8NAQX8qKLv2uIoTbwXXjxeLeWgfSWYqnWf7LsFnoHMiXl0vEeFLyJ8P2ho9s9w18B5T3Rb1rAs8HAGYah0kRK7VDujQioGUC5IvYSB7bNB6GYBPPwrdFeI38jVRbfzGAOHuPp7LjgvBg6gmciRKZwe6NobhyE1Dl2D+w1H8GH/UsNBtazJ1tYxFBPUTJIEiCLHBGD7T+4Z0iKNqF8t04awvKJleeClifF4EH0MI/d9bscL8yF0ODsEMmDCmwGlp2raH5Gr9g/mA9RmS2EgLCfR1U+X2eHq+HkXdh3ai2ig+K91n3WfbC8U+x16f1FykY92I21QzYAMA9ZSnfdliEZckHSVAkfH3HXIJ3Cxu+Dl2O59wG+FLsk4wMY3iRGAaxFOa3UYPAcHL5isMQpcZBfc1rduhYdGor2FfFbu0fTEr5EZdsMi7SqUZOp6UkSE10G7TyzSwgfe/jB4w6ZPeJChSGrGq93h7YBK5ZxdjX+8lyBtqquRWWlA9JDw+2CaMOFgrO5QpyI60s9s0l/F68zDnfs3aJEZnMU9SvjMpI0koCORf5T4hOjpxhxqxs2KGGVVNB4//VkL7H92X8mQWi+T/tNbIr7nnTMEfvaNrGHXsC2r+YlwocG80N/niu2Tdq1XFfpm9BQI+v9ruKm+uNb8yQ7T/UMRAyRQJVS
pDSX8Y0vR7aqgCROXXoHtaQr3iJA8qfMs1bi0+qxsPcsNyaDq8LlyBZuBLhc+beKt6rIbnU0fQKbFjypvl3BZjA0Lo8tT60gv84Qog0QL86P2cel1wOmWOwegOIDzCZahxjBSiJKU9acVDmJLKxn8rceJas2zlMDcS1GaHtR/xnm15Icb/i2OU7wS7QnqwqnvAXLxx2BQtOe566Yzrb+OguLLo0MzGT59yt4/3jw8bYH113G5PoXc1gccW01F5Y3suOqCd+qmGjOk9Cb6XyD4YAstuFhWb7Qx+6aKjFZrKSMxKhfH40p35/aPrmLHNWx6ZJk+/XGEU1RZi9fCxQKLNQVN132M9S13dOpR4R+vj6+tZaze2BIrnEFw6816ovijoPSGsPGJluQ1ujA0YYXaRSc4WH1GwlXIQFZH/l0+/LHN2KZz7D43a79gf7P0FCRkhz8ibEK5CToWP6iHu4Mh37v6KnnQ+cwHjLNHFuKdRjqx+6uvI/m47wRJXVhUweRRn+TZUDEEa6uulWj6T36rwDWq3MWnzIAny1Uvr3DuJTDaesSYqkEmZE0NYy96aM3lJGqGnTGzmaqwQD92PVARDSf5j6xqhqxWkL016KwikTzIzm7q4n017lKpJf1a3htWtWKrnU767nDyDq9Mvd3xBoiYBzFfFd4GuefpQ4Jm6IMrTrv1I+L8c06WhxL9cbnre5tWcH3gJkUZOWhn3swBWvTTneD6wO0h63y9OEDAcMOaR97c9y7ifXDR6E8ydDlksuDc4x2RxrPjtvREUDly2xZH/n+roPDakcnkjfFz7SpYYDdbsHdhiAu5Zt68xiNUosuLJcRW0KyUi
            </xenc:CipherValue>
        </xenc:CipherData>
    </xenc:EncryptedData>
    <wsu:Timestamp wsu:Id="TS-B9E9615202664FEC1B14006659901631">
        <wsu:Created>2014-05-21T09:53:10.162Z</wsu:Created>
        <wsu:Expires>2014-05-21T09:58:10.162Z</wsu:Expires>
    </wsu:Timestamp>
</wsse:Security>
</soap:Header>
<soap:Body
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="id-B9E9615202664FEC1B14006659901845">
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    Id="ED-B9E9615202664FEC1B14006659903459" Type="http://www.w3.org/2001/04/xmlenc#Content">
    <xenc:EncryptionMethod
        Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <wsse:SecurityTokenReference
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
            wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
            <wsse:Reference URI="#EK-B9E9615202664FEC1B14006659902977" />
        </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData>
           OMITTED
        </xenc:CipherData>
    </xenc:EncryptedData>
</soap:Body>
</soap:Envelope>

I would be very grateful if somebody could either write me the SecurityPolicy for this configuration or suggest good and comprehensive documentation on WS-Security and WS-SecurityPolicy which would help me write it myself.

Thank you!

1 solution

#1


3  

There are two approaches for developing web services, wsdl-first and java-first. In the case of java-first endpoint development, Apache CXF comes with the org.apache.cxf.annotations.Policy and org.apache.cxf.annotations.Policies annotations, which are used for attaching policy fragments to the WSDL generated at deploy time.

Here is an example of a code-first endpoint including the @Policy annotation:

import javax.jws.WebService;
import org.apache.cxf.annotations.Policy;

@WebService(portName = "MyServicePort",
            serviceName = "MyService",
            name = "MyServiceIface",
            targetNamespace = "http://www.test.com/example/foo")
@Policy(placement = Policy.Placement.BINDING, uri = "JavaFirstPolicy.xml")
public class MyServiceImpl {
   public String sayHello() {
      return "Hello World!";
   }
}

The referenced descriptor is to be added to the deployment and will include the policy to be attached; the attachment position in the contract is defined through the placement attribute. Here is a descriptor example:

<?xml version="1.0" encoding="UTF-8" ?>
<wsp:Policy wsu:Id="MyPolicy" xmlns:wsp="http://www.w3.org/ns/ws-policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:SupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                        <wsp:Policy>
                            <sp:WssUsernameToken10/>
                        </wsp:Policy>
                    </sp:UsernameToken>
                </wsp:Policy>
            </sp:SupportingTokens>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>

You can also refer to http://cxf.apache.org/docs/annotations.html for more information about the @Policy annotation.

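The answer shows how a policy descriptor is attached, but its UsernameToken example does not describe the asker's configuration. As an added example (editor's addition, not part of the question or the answer), here is a WS-SecurityPolicy 1.2 descriptor that expresses the WSS4J settings in the question: action "Timestamp Signature Encrypt" with X.509 certificates on both sides, the Body signed, the Body content encrypted with 3DES-CBC, and the server encrypting to the requester's signing certificate (encryptionUser=useReqSigCert), which is the classic asymmetric binding. The wsu:Id and the file name are made up; the Lax layout and the Wss11 reference options are assumptions chosen to match what the sample request shows (an IssuerSerial reference to the server certificate in the EncryptedKey, and EncryptedKey references with a wsse11 TokenType). The Element-typed EncryptedData in the sample's header is most likely the encrypted ds:Signature, which is expressed with sp:EncryptSignature below; drop that assertion if your messages do not encrypt the signature.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Hypothetical file name: SignEncryptPolicy.xml, referenced from the endpoint with
     @Policy(placement = Policy.Placement.BINDING, uri = "SignEncryptPolicy.xml") -->
<wsp:Policy wsu:Id="SignEncryptPolicy"
    xmlns:wsp="http://www.w3.org/ns/ws-policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <wsp:ExactlyOne>
    <wsp:All>
      <!-- Asymmetric binding: each party signs with its own X.509 key and encrypts
           to the other party's certificate (WSS4J actions Signature + Encrypt with
           encryptionUser=useReqSigCert on the server side). -->
      <sp:AsymmetricBinding>
        <wsp:Policy>
          <!-- Client (initiator) certificate travels in the message as a BinarySecurityToken,
               as the X509v3 BST in the sample request does. -->
          <sp:InitiatorToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                  <sp:WssX509V3Token10/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:InitiatorToken>
          <!-- Server (recipient) certificate is never sent; the client references it by
               issuer name and serial number, as the EncryptedKey in the sample does. -->
          <sp:RecipientToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                <wsp:Policy>
                  <sp:RequireIssuerSerialReference/>
                  <sp:WssX509V3Token10/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:RecipientToken>
          <!-- TripleDes suite = 3DES-CBC data encryption with RSA-OAEP key transport,
               matching encryptionSymAlgorithm tripledes-cbc and the rsa-oaep-mgf1p
               EncryptionMethod on the EncryptedKey in the sample. -->
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:TripleDes/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <!-- Assumption: no strict header ordering is enforced. -->
          <sp:Layout>
            <wsp:Policy>
              <sp:Lax/>
            </wsp:Policy>
          </sp:Layout>
          <!-- "Timestamp" action: a wsu:Timestamp is present and, under this binding,
               must be signed; this covers the Timestamp entry of signatureParts. -->
          <sp:IncludeTimestamp/>
          <!-- Sign first, then encrypt the signature (no EncryptBeforeSigning assertion).
               Assumption based on the Element-typed EncryptedData in the sample header. -->
          <sp:EncryptSignature/>
        </wsp:Policy>
      </sp:AsymmetricBinding>
      <!-- signatureParts: {Element}{soap-env}Body -->
      <sp:SignedParts>
        <sp:Body/>
      </sp:SignedParts>
      <!-- encryptionParts: {Content}{soap-env}Body -->
      <sp:EncryptedParts>
        <sp:Body/>
      </sp:EncryptedParts>
      <!-- WSS 1.1 reference mechanisms seen in the sample: IssuerSerial references and
           EncryptedData pointing back at the EncryptedKey. -->
      <sp:Wss11>
        <wsp:Policy>
          <sp:MustSupportRefIssuerSerial/>
          <sp:MustSupportRefEncryptedKey/>
        </wsp:Policy>
      </sp:Wss11>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
```

Two things to check after attaching it. First, the policy is an assertion about what the server requires and produces, so a client generated from the WSDL will now refuse responses whose Body is not signed and encrypted exactly this way; compare the policy against a captured request and response rather than trusting that it mirrors the interceptor map. Second, once CXF finds a security policy on an endpoint it typically engages its own policy-driven WS-Security interceptors (configured through the ws-security.* JAX-WS properties) instead of the hand-wired WSS4J interceptor beans, so the explicit inInterceptors/outInterceptors from the question would need to be removed to avoid the header being processed twice.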
