
XFire web service security mechanism: encryption (Part 1)

Published: 2020-12-17 02:06:18 | Category: Security | Source: compiled from the web
XFire web service security mechanism

On top of the existing XFire and Spring integration, the JARs listed below need to be added. When integrating with JBoss I also ran into a problem: wss4j-1.5.0.jar simply could not be found, and I don't know why. After searching for a long time I found that JBoss 4.2 keeps some security-related JARs under the following path; after copying the JAR there, JBoss ran normally:

    D:\tool\jboss-4.2\server\default\deploy\jbossws.sar

All the other JARs can simply be dropped into WEB-INF/lib. The JARs in question:

    commons-discovery-0.2.jar
    bcprov-jdk15-133.jar
    wss4j-1.5.0.jar
    xalan-2.7.0.jar

First, how to configure the server side and which code to add:

1. Write an interface for the web service that the server exposes; it can directly extend the original WS interface. UserServiceEnc.java:

    package com.megaeyes.ipcamera.service.webservice.iface;

    public interface UserServiceEnc extends UserService {
    }

2. Write a PasswordHandler to validate the user name. PasswordHandler.java:

    package com.megaeyes.ipcamera.service.webservice.tools;

    import java.util.HashMap;
    import java.util.Map;

    import javax.security.auth.callback.Callback;
    import javax.security.auth.callback.CallbackHandler;

    import org.apache.ws.security.WSPasswordCallback;

    public class PasswordHandler implements CallbackHandler {

        // Sample entries from the article: identifier -> password
        private final Map<String, String> passwords = new HashMap<String, String>();

        public PasswordHandler() {
            passwords.put("safedv", "safedv");
            passwords.put("tianyi", "tianyi");
        }

        // WSS4J passes in the identifier (user name or key alias) and expects
        // the matching password to be set on the callback.
        public void handle(Callback[] callbacks) {
            WSPasswordCallback callback = (WSPasswordCallback) callbacks[0];
            String id = callback.getIdentifer();
            callback.setPassword(passwords.get(id));
        }
    }

3. Write WSS4JTokenHandler, a handler that operates on the encrypted content. WSS4JTokenHandler.java:

    package com.megaeyes.ipcamera.service.webservice.tools;

    import java.security.cert.X509Certificate;
    import java.util.Vector;

    import org.apache.commons.logging.Log;
    import org.apache.commons.logging.LogFactory;
    import org.apache.ws.security.WSConstants;
    import org.apache.ws.security.WSSecurityEngineResult;
    import org.apache.ws.security.WSUsernameTokenPrincipal;
    import org.apache.ws.security.handler.WSHandlerConstants;
    import org.apache.ws.security.handler.WSHandlerResult;
    import org.codehaus.xfire.MessageContext;
    import org.codehaus.xfire.handler.AbstractHandler;

    import sun.security.x509.X500Name;

    public class WSS4JTokenHandler extends AbstractHandler {

        private static final Log log = LogFactory.getLog(WSS4JTokenHandler.class);

        public void invoke(MessageContext context) throws Exception {
            // Results left in the message context by WSS4JInHandler
            Vector result = (Vector) context.getProperty(WSHandlerConstants.RECV_RESULTS);
            if (result == null) {
                // Returning here lets the request continue down the handler chain;
                // throw a fault instead if unsecured requests must be rejected.
                log.error("Client does not contain Security Header,need WSSJOutHandler");
                return;
            }
            for (int i = 0; i < result.size(); i++) {
                WSHandlerResult res = (WSHandlerResult) result.get(i);
                for (int j = 0; j < res.getResults().size(); j++) {
                    WSSecurityEngineResult secRes = (WSSecurityEngineResult) res.getResults().get(j);
                    int action = secRes.getAction();
                    // USER TOKEN
                    if ((action & WSConstants.UT) > 0) {
                        WSUsernameTokenPrincipal principal =
                                (WSUsernameTokenPrincipal) secRes.getPrincipal();
                        // Set user property to user from UT to allow response encryption
                        context.setProperty(WSHandlerConstants.ENCRYPTION_USER, principal.getName());
                        // Log the user name only; writing the password to the log would expose credentials.
                        log.info("Client's Username: " + principal.getName());
                    }
                    // SIGNATURE
                    if ((action & WSConstants.SIGN) > 0) {
                        @SuppressWarnings("unused")
                        X509Certificate cert = secRes.getCertificate();
                        X500Name principal = (X500Name) secRes.getPrincipal();
                        // Do something with cert
                        log.info("Signature for : " + principal.getCommonName());
                    }
                }
            }
            log.info("WSS4JTokenHandler Done!");
        }
    }

4. Add the following to applicationContext-webservice.xml, the dedicated server-side configuration file:

    <bean name="userServiceEnc" parent="baseWebService">
        <property name="serviceBean" ref="UserServiceImpl" />
        <property name="serviceClass"
            value="com.megaeyes.ipcamera.service.webservice.iface.UserServiceEnc" />
        <property name="inHandlers">
            <list>
                <ref bean="domInHandler" />
                <ref bean="wss4jInHandlerEnc" />
                <ref bean="validateUserTokenHandler" />
            </list>
        </property>
    </bean>

    <bean id="domInHandler" class="org.codehaus.xfire.util.dom.DOMInHandler"/>

    <bean id="wss4jInHandlerEnc" class="org.codehaus.xfire.security.wss4j.WSS4JInHandler">
        <property name="properties">
            <props>
                <prop key="action">Encrypt</prop>
                <prop key="decryptionPropFile">insecurity_enc.properties</prop>
                <prop key="passwordCallbackClass">com.megaeyes.ipcamera.service.webservice.tools.PasswordHandler</prop>
            </props>
        </property>
    </bean>

    <bean id="validateUserTokenHandler"
        class="com.megaeyes.ipcamera.service.webservice.tools.WSS4JTokenHandler"/>

4. The properties file referenced in the Spring configuration just needs to be placed on the classpath. insecurity_enc.properties:

    # Crypto provider class to use
    org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
    org.apache.ws.security.crypto.merlin.keystore.type=jks
    # Password that opens the keystore
    org.apache.ws.security.crypto.merlin.keystore.password=ipcamera
    # Name of the keystore file holding the private key
    org.apache.ws.security.crypto.merlin.file=safedv_private.jks

5. The server's own private key must be placed on the server's classpath. How these keys are generated will be covered later. With the 5 steps above, the server-side configuration is complete.

(Editor: 李大同)
