Secure Java Web Services

Question

I am trying to figure out which framework/API would be best for implementing my web services (Java EE). The data being passed back and forth between client and web container needs to be super-secure, and so I'm even thinking of encrypting my data before it even gets wrapped up in a SOAP (or the secure equivalent to SOAP) message, regardless of what security services the framework provides me with.

I see there is the so-called XWS-Security but it seems that it is for securing legacy JAX-RPC services. I'd like the framework to be standards-compliant (WSS/OASIS, etc.) and neither deprecated nor deprecating (current; compatible with the upcoming Java 7 release, etc.).

Are JAX-WS and JAX-RS secure by default? If not, is there a compatible "secure wrapper" framework that can be used to adapt an existing JAX-WS web service to implement a secure framework?

Any thoughts or suggestions greatly appreciated!

Recommended answer

You should do two things: first, secure the transport using SSL. If you control both the clients and the server then you can require 2-way SSL, which would ensure that only trusted clients can connect.

Second, you can implement WS security protocols. Web service security standards tend to deal with three things: Authentication, Digital Signatures and Encryption/Decryption (from the Spring-WS docs):

Authentication. This is the process of determining whether a principal is who they claim to be. In this context, a "principal" generally means a user, device or some other system which can perform an action in your application.

Digital signatures. The digital signature of a message is a piece of information based on both the document and the signer's private key. It is created through the use of a hash function and a private signing function (encrypting with the signer's private key).

Encryption and Decryption. Encryption is the process of transforming data into a form that is impossible to read without the appropriate key. It is mainly used to keep information hidden from anyone for whom it is not intended. Decryption is the reverse of encryption; it is the process of transforming encrypted data back into a readable form.

There are a number of protocols/standards for each of these functions, and there are a number of Java OSS projects that implement the various security protocols/standards in reasonable, usable ways.

In particular I'd look at Sun's XWSS and APACHE WSS4J. Spring WS has implementations of both of these APIs, they also do a good job of describing the various components: http://static.springsource.org/spring-ws/sites/2.0/reference/html/security.html
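As an added illustration of the WSS4J route the answer recommends (this is example configuration written for this page, not code from the answer or from the Spring-WS project), the following Spring-WS bean definitions put a `Wss4jSecurityInterceptor` in front of a JAX-WS-style endpoint so that outgoing messages are timestamped, signed and encrypted, and incoming messages are rejected unless they carry all three. The keystore path, the `server` and `client` key aliases and the passwords are assumed values.

```xml
<!-- Spring-WS application context fragment (example, not from the original answer). -->
<!-- Assumes keystore.jks holds the private key under alias "server" and the trusted
     client certificate under alias "client"; all names and passwords are placeholders. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sws="http://www.springframework.org/schema/web-services"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
           http://www.springframework.org/schema/web-services
           http://www.springframework.org/schema/web-services/web-services-2.0.xsd">

  <!-- Register the interceptor so every endpoint in this context passes through it. -->
  <sws:interceptors>
    <ref bean="wsSecurityInterceptor"/>
  </sws:interceptors>

  <bean id="wsSecurityInterceptor"
        class="org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor">
    <!-- Outgoing (securement): add a Timestamp, sign with our private key, then encrypt
         for the peer's certificate. Order matters: the string is applied left to right. -->
    <property name="securementActions" value="Timestamp Signature Encrypt"/>
    <property name="securementUsername" value="server"/>
    <property name="securementPassword" value="server-key-password"/>
    <property name="securementSignatureCrypto" ref="crypto"/>
    <property name="securementEncryptionUser" value="client"/>
    <property name="securementEncryptionCrypto" ref="crypto"/>

    <!-- Incoming (validation): a message missing any of these actions is rejected,
         so an unsigned or plaintext request never reaches the endpoint. -->
    <property name="validationActions" value="Timestamp Signature Encrypt"/>
    <property name="validationSignatureCrypto" ref="crypto"/>
    <property name="validationDecryptionCrypto" ref="crypto"/>
    <!-- Supplies the private-key password needed to decrypt incoming messages. -->
    <property name="validationCallbackHandler">
      <bean class="org.springframework.ws.soap.security.wss4j.callback.KeyStoreCallbackHandler">
        <property name="privateKeyPassword" value="server-key-password"/>
      </bean>
    </property>
  </bean>

  <!-- Single keystore used for both our signing key and the peer's trusted certificate. -->
  <bean id="crypto" class="org.springframework.ws.soap.security.wss4j.support.CryptoFactoryBean">
    <property name="keyStorePassword" value="keystore-password"/>
    <property name="keyStoreLocation" value="classpath:/keystore.jks"/>
  </bean>
</beans>
```

The client side uses the mirror image of this interceptor (signing with its own key and encrypting for the `server` alias); this message-level protection sits on top of, not instead of, the 2-way SSL the answer recommends for the transport.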