Mutual-authentication with web services


Problem description

Currently, I've been successful implementing Mutual Authentication security so long as the client accesses the website using a web browser, because browsers take care of all the certificate exchange for you. Now I need to create a secure interface with which users can access web services over HTTPS, using the mutual authentication required by the server.

First off, are there any resources anyone knows of that can help me with this? I've looked for quite some time and found nothing. Any other tips anyone can give me on how to go about this?

Secondly, I think my biggest roadblock is my lack of understanding of how to handle certificates. How do I negotiate accepting the server's key and presenting my own key to the server? This is in Java.

Recommended answer

I spent a long time on this but I finally found an example that actually works. It's Glassfish and Netbeans-based but I guess you could get it working in other environments (e.g. Eclipse and Tomcat) if you played around with it.

http://java.sun.com/webservices/reference/tutorials/wsit/doc/WSIT_Security9.html#wp162511

The problem I've found though is when you want to use your own certificates, not the ones that come pre-installed with glassfish.

NOTE: I'm not a security expert. Don't deploy this to production!

To do this I'm using NetBeans 6.9, JDK 1.6, GlassFish 3.0.1 and OpenSSL v1.0 (I'm using the unofficial Win32 binaries).

# Create the CA
mkdir ca server client
cd ca
openssl req -new -x509 -days 3650 -extensions v3_ca -keyout ca.key -out ca.pem
echo 02 > serial.txt
cd ..

# Creating the Server Keystore

openssl req -days 3650 -newkey rsa:1024 -keyout server/server.key -out server/server.req
openssl x509 -extensions usr_cert -extfile C:\testbed\OpenSSL-Win32\bin\openssl.cfg -CA ca/ca.pem -CAkey ca/ca.key -CAserial ca/serial.txt -req -in server/server.req -out server/server.crt
openssl pkcs12 -export -inkey server/server.key -in server/server.crt -out server/server.p12 -name server
keytool -importkeystore -destkeystore server/server.jks -deststoretype jks -srckeystore server/server.p12 -srcstoretype pkcs12
keytool -exportcert -alias server -keystore server/server.jks -file server/server.cer

# Create the Client Keystore

openssl req -days 3650 -newkey rsa:1024 -keyout client/client1.key -out client/client1.req
openssl x509 -extensions usr_cert -extfile C:\testbed\OpenSSL-Win32\bin\openssl.cfg -CA ca/ca.pem -CAkey ca/ca.key -CAserial ca/serial.txt -req -in client/client1.req -out client/client1.crt
openssl pkcs12 -export -inkey client/client1.key -in client/client1.crt -out client/client1.p12 -name client1
keytool -importkeystore -destkeystore client/client1.jks -deststoretype jks -srckeystore client/client1.p12 -srcstoretype pkcs12
keytool -exportcert -alias client1 -keystore client/client1.jks -file client/client1.cer

# Import public keys and certificates into each other's keystores

keytool -import -noprompt -trustcacerts -alias client1 -file client/client1.cer -keystore server/server.jks
keytool -import -noprompt -trustcacerts -alias server -file server/server.cer -keystore client/client1.jks
keytool -import -noprompt -trustcacerts -alias my_ca -file ca/ca.pem -keystore server/server.jks
keytool -import -noprompt -trustcacerts -alias my_ca -file ca/ca.pem -keystore client/client1.jks
keytool -import -noprompt -trustcacerts -alias my_ca -file ca/ca.pem -keystore "C:\Program Files\glassfish-3.0.1\glassfish\domains\domain1\config\cacerts.jks"
keytool -import -noprompt -trustcacerts -alias my_ca -file ca/ca.pem -keystore "C:\Program Files\Java\jdk1.6\jre\lib\security\cacerts"
move "C:\Program Files\glassfish-3.0.1\glassfish\domains\domain1\config\keystore.jks" "C:\Program Files\glassfish-3.0.1\glassfish\domains\domain1\config\keystore.jks.backup"
copy server\server.jks "C:\Program Files\glassfish-3.0.1\glassfish\domains\domain1\config\keystore.jks"

In the GlassFish admin console, enable Security on your http-listener, tick the SSL3, TLS and Client Authentication boxes, set the Certificate NickName to server, the Key Store to config\keystore.jks, the Trust Store to config\keystore.jks, the Trust Algorithm to PKIX and leave the Max Certificate Length at 5.

In NetBeans, create a new Web Application project. Within that, create a new Web Service.

My Web Service code looked like this:

import javax.annotation.Resource;
import javax.jws.WebMethod;
import javax.jws.WebService;
import javax.xml.ws.WebServiceContext;

@WebService()
public class ListProducts {

  // Injected by the container; gives access to the authenticated caller
  @Resource WebServiceContext context;

  @WebMethod(operationName = "listProducts")
  public String listProducts() {
    // Returns the subject DN of the client certificate that authenticated this call
    return context.getUserPrincipal().toString();
  }

}

Right click on the Web Service and select Edit Web Service Attributes. Tick the Secure Service box and select Mutual Certificates Security as the Security Mechanism. Click on the Configure... button and tick the Encrypt Signature box. Now untick the Use Development Defaults box and then click the Keystore button. Set the location of your server.jks keystore and select the server alias. Do the same for the Truststore configuration (although you don't have to select an alias here).

Import the client1.p12 client certificate into your browser. Deploy your Web Service to Glassfish. Open up your web service in a browser and browse to the deployed WSDL via HTTPS. Download the WSDL and any other schemas. Rename any referenced schemas to local copies so that when you use WSDL2Java NetBeans won't use any remote resources. (This paragraph is because you've restricted your WSDL to clients with an approved certificate but NetBeans can't fetch it remotely because it doesn't have access to the certificate in question.)

Create a new Java Project. Create a new Web Service Client. When prompted, point NetBeans to your saved WSDL file. Import the METRO2.0 library files (C:\Program Files\Netbeans 6.9\enterprise\modules\ext\metrwebservices-*.jar). My code looked like this:

public static void main(String[] args) {
  // Client identity (private key + client1 certificate) presented to the server
  System.setProperty("javax.net.ssl.keyStore", "C:\\NetBeansProjects\\security-04\\ssl\\client\\client1.jks");
  System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
  // Trust store used to validate the server's certificate chain
  System.setProperty("javax.net.ssl.trustStore", "C:\\NetBeansProjects\\security-04\\ssl\\client\\client1.jks");
  System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
  System.out.println(new ListProductsService().getListProductsPort().listProducts());
}

Copy webservices-api.jar into your Java\jdk1.6\jre\lib\endorsed directory. Right-click on the Web Service reference and select Edit Web Service Attributes. Set the keystore location to client1.jks and set the alias to client1. Set the truststore location to client1.jks and set the alias to server.

Hopefully you can now run your client and you should see output like so: EMAILADDRESS=bob@anonymous.org, CN=Bob Smith, OU=Something, O=SomethingElse, L=AnyTown, ST=AnyState, C=US
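As an added example (not code from the original answer), here is the same certificate negotiation the answer drives through global javax.net.ssl.* properties, done explicitly with an SSLContext: a KeyManager backed by client1.jks presents the client key when the server asks for it, and a TrustManager backed by a separate trust store holding only ca.pem validates the server's chain, so identity and trust are not mixed in one keystore and the JDK-wide cacerts is left untouched. The file paths, passwords and the endpoint URL are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class MutualTlsClient {

    // Loads a JKS keystore from disk (the paths and passwords used below are assumptions).
    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // identity store: our private key + client1 cert; trust store: only ca.pem.
    static SSLContext buildContext(String identityPath, char[] identityPass,
                                   String trustPath, char[] trustPass) throws Exception {
        // The KeyManager answers the server's CertificateRequest with the client1 key pair.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadJks(identityPath, identityPass), identityPass);
        // The TrustManager validates the server chain against our CA only, not the JDK-wide cacerts.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(trustPath, trustPass));
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        char[] pass = "changeit".toCharArray();
        SSLContext ctx = buildContext("ssl/client/client1.jks", pass, "ssl/client/truststore.jks", pass);
        // Hypothetical endpoint; the host name must match the server certificate's CN/SAN,
        // since HttpsURLConnection verifies it on top of the chain check.
        URL url = new URL("https://localhost:8181/WebApplication/ListProductsService?wsdl");
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.connect();
        // Reaching here means both sides authenticated; log the server identity we accepted.
        System.out.println("HTTP " + conn.getResponseCode() + " from " + conn.getPeerPrincipal());
        conn.disconnect();
    }
}
```

The same SSLSocketFactory can be handed to the answer's generated JAX-WS port through the BindingProvider request context (Metro's com.sun.xml.ws.transport.https.client.SSLSocketFactory property) instead of setting process-wide javax.net.ssl.* properties.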

