How to encrypt SOAP messages manually?


Question

I use JBoss 4.2.3.GA. In a previous task I used the basic encryption mechanism that JBoss supports (WS-Security), i.e. I used keystore and truststore files for encrypting and signing messages. As usual (in the standard way), the aliases of the keys that must be used during the crypto process were defined in the jboss-wsse-* files. I used the WS-Security configuration from the JBoss in Action book.

That's OK. Encryption works fine.

But in my current task I need to specify the aliases for the keys manually and dynamically. Task description:

  • I have several profiles. In every profile the alias of the public key that must be used for encrypting the message can be specified.

  • I have a keystore containing the server's private/public key and the public keys of the clients that will send messages to the server.

  • I need to get the alias from the profile and encrypt the message (on the client side) using the public key specified by this alias.

So the questions are:

  1. Is there a way to tell JBoss which file system directory to load keystores from?
  2. Can I specify an alias for encryption for the standard JBoss WSS mechanism so that JBoss uses this information in the crypto process?
  3. If I must do manual encryption/decryption, how can I wrap several Java objects into a WS message, encrypt it using the necessary alias, and send this message to the remote web service manually?

I just don't know how to start, what framework to use, and even whether it is necessary to use external (non-JBoss) frameworks for this...

Answer

If possible you can use Axis2 and Rampart. I've successfully used them both in a similar situation.

Rampart is an Axis2 module for handling security, and it exposes an API that allows you to define the keystore location and the aliases you want to use, thus allowing you to define them dynamically.

Axis2

Rampart

Sample code:

import java.io.FileNotFoundException;
import java.util.Properties;

import javax.xml.stream.XMLStreamException;

import org.apache.axis2.AxisFault;
import org.apache.axis2.client.ServiceClient;
import org.apache.axis2.client.Stub;
import org.apache.neethi.Policy;
import org.apache.rampart.policy.model.CryptoConfig;
import org.apache.rampart.policy.model.RampartConfig;

private static final String CONFIGURATION_CTX = "src/ctx";   // not used below
// These property names are WSS4J's Merlin keys; Rampart hands them to the crypto provider unchanged
private static final String KEYSTORE_TYPE = "org.apache.ws.security.crypto.merlin.keystore.type";
private static final String KEYSTORE_FILE = "org.apache.ws.security.crypto.merlin.file";
private static final String KEYSTORE_PWD = "org.apache.ws.security.crypto.merlin.keystore.password";
private static final String PROVIDER = "org.apache.ws.security.components.crypto.Merlin";

private static void engageRampartModules(Stub stub)
throws AxisFault, FileNotFoundException, XMLStreamException {
    ServiceClient serviceClient = stub._getServiceClient();

    engageAddressingModule(stub);
    serviceClient.engageModule("rampart");
    serviceClient.engageModule("rahas");   // WS-Trust module; only needed for issued / secure-conversation tokens

    RampartConfig rampartConfig = prepareRampartConfig();

    attachPolicy(stub, rampartConfig);
}

/**
 * The original helper's body was not posted; this is the usual one-liner that engages WS-Addressing.
 */
private static void engageAddressingModule(Stub stub) throws AxisFault {
    stub._getServiceClient().engageModule("addressing");
}

/**
 * Sets all the required security properties.
 * @return rampartConfig - an object containing rampart configurations
 */
private static RampartConfig prepareRampartConfig() {
    String certAlias = "alias";             // alias of the public key (certificate) in the JKS file
    String keyStoreFile = "ctx/client.ks";
    String keystorePassword = "pwd";
    String userName = "youusename";

    RampartConfig rampartConfig = new RampartConfig();
    // Properties for signing and encryption (the same keystore serves both here)
    Properties merlinProp = new Properties();
    merlinProp.put(KEYSTORE_TYPE, "JKS");
    merlinProp.put(KEYSTORE_FILE, keyStoreFile);
    merlinProp.put(KEYSTORE_PWD, keystorePassword);

    CryptoConfig cryptoConfig = new CryptoConfig();
    cryptoConfig.setProvider(PROVIDER);
    cryptoConfig.setProp(merlinProp);

    // Rampart configuration: the aliases are plain strings, so they can be read from a profile at run time
    rampartConfig.setUser(userName);
    rampartConfig.setUserCertAlias(certAlias);   // alias of our own key pair, used for signing
    rampartConfig.setEncryptionUser(certAlias);  // alias of the certificate to encrypt for
    rampartConfig.setPwCbClass("com.callback.tests.PasswordCallbackHandler"); // password callback class

    rampartConfig.setSigCryptoConfig(cryptoConfig);
    rampartConfig.setEncrCryptoConfig(cryptoConfig);
    return rampartConfig;
}

/**
 * Attach the security policy to the stub.
 * Note: a Policy holding only the RampartConfig assertion tells Rampart which keys to use, not
 * what to sign or encrypt; a WS-SecurityPolicy (binding plus SignedParts/EncryptedParts) must be
 * present as well, typically loaded from a policy.xml and combined with this assertion.
 * @param stub
 * @param rampartConfig
 * @throws XMLStreamException
 * @throws FileNotFoundException
 */
private static void attachPolicy(Stub stub, RampartConfig rampartConfig) throws XMLStreamException, FileNotFoundException {
    Policy policy = new Policy();
    policy.addAssertion(rampartConfig);
    stub._getServiceClient().getAxisService().getPolicySubject().attachPolicy(policy);
}

PasswordCallbackHandler:

import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

public class PasswordCallbackHandler implements CallbackHandler {

    // Placeholders: the user name given to RampartConfig.setUser(...) with its password, and the
    // password protecting the private key behind RampartConfig.setUserCertAlias(...)
    private static final String USER = "youusename";
    private static final String USER_PASSWORD = "pwd";
    private static final String KEY_PASSWORD = "pwd";

    public void handle(Callback[] callbacks) throws IOException,
            UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (!(callbacks[i] instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callbacks[i], "only WSPasswordCallback is supported");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) callbacks[i];
            String id = pwcb.getIdentifer();   // sic: WSS4J 1.x spells the getter this way
            switch (pwcb.getUsage()) {
                case WSPasswordCallback.USERNAME_TOKEN:
                    // id is the user name; return the password that goes into the UsernameToken
                    if (USER.equals(id)) {
                        pwcb.setPassword(USER_PASSWORD);
                    }
                    break;
                case WSPasswordCallback.SIGNATURE:
                case WSPasswordCallback.DECRYPT:
                    // id is the key alias; return the private key password so Merlin can unlock it
                    pwcb.setPassword(KEY_PASSWORD);
                    break;
                default:
                    break;
            }
        }
    }

}
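The answer above shows the RampartConfig API but hard-codes the alias. The following is an added example, not code from the answer or from the Rampart project, that does what the question asks: it reads the encryption alias from a per-profile properties file, checks the alias against the keystore before the first call, and merges the RampartConfig assertion into a WS-SecurityPolicy loaded from disk. The profile keys (keystore.file, keystore.password, user, signing.alias, encryption.alias), the file paths and the policy file are assumptions for illustration; the Axis2, Neethi and Rampart calls are the ones used in the answer plus PolicyEngine.getPolicy and StAXOMBuilder.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Properties;

import org.apache.axiom.om.impl.builder.StAXOMBuilder;
import org.apache.axis2.client.ServiceClient;
import org.apache.axis2.client.Stub;
import org.apache.neethi.Policy;
import org.apache.neethi.PolicyEngine;
import org.apache.rampart.policy.model.CryptoConfig;
import org.apache.rampart.policy.model.RampartConfig;

// Added example: choose the Rampart encryption alias from a per-profile file and
// verify it against the keystore before the stub is used.
public class ProfileRampartClient {

    private static final String MERLIN  = "org.apache.ws.security.components.crypto.Merlin";
    private static final String KS_TYPE = "org.apache.ws.security.crypto.merlin.keystore.type";
    private static final String KS_FILE = "org.apache.ws.security.crypto.merlin.file";
    private static final String KS_PWD  = "org.apache.ws.security.crypto.merlin.keystore.password";

    // Hypothetical profile format (java.util.Properties), e.g.:
    //   keystore.file=ctx/client.ks  keystore.password=pwd  user=client
    //   signing.alias=client         encryption.alias=server
    private static final String[] REQUIRED = {
        "keystore.file", "keystore.password", "user", "signing.alias", "encryption.alias" };

    static Properties loadProfile(String path) throws Exception {
        Properties profile = new Properties();
        InputStream in = new FileInputStream(path);
        try {
            profile.load(in);
        } finally {
            in.close();
        }
        for (String key : REQUIRED) {
            if (profile.getProperty(key) == null) {
                throw new IllegalStateException("profile " + path + " is missing " + key);
            }
        }
        return profile;
    }

    // Fail here, with a clear message, rather than with an opaque WSSecurityException inside Rampart:
    // the alias must exist, carry an X.509 certificate, and that certificate must be within its validity period.
    static X509Certificate checkEncryptionAlias(Properties profile) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(profile.getProperty("keystore.file"));
        try {
            ks.load(in, profile.getProperty("keystore.password").toCharArray());
        } finally {
            in.close();
        }
        String alias = profile.getProperty("encryption.alias");
        if (!ks.containsAlias(alias)) {
            throw new IllegalStateException("keystore has no entry for alias " + alias);
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        if (cert == null) {
            throw new IllegalStateException("alias " + alias + " has no certificate to encrypt for");
        }
        cert.checkValidity(); // CertificateExpiredException / CertificateNotYetValidException
        return cert;
    }

    static RampartConfig buildRampartConfig(Properties profile) {
        Properties merlin = new Properties();
        merlin.put(KS_TYPE, "JKS");
        merlin.put(KS_FILE, profile.getProperty("keystore.file"));
        merlin.put(KS_PWD, profile.getProperty("keystore.password"));
        CryptoConfig crypto = new CryptoConfig();
        crypto.setProvider(MERLIN);
        crypto.setProp(merlin);

        RampartConfig rc = new RampartConfig();
        rc.setUser(profile.getProperty("user"));
        rc.setUserCertAlias(profile.getProperty("signing.alias"));     // our private key: signs the request
        rc.setEncryptionUser(profile.getProperty("encryption.alias")); // recipient's certificate: encrypts it
        rc.setPwCbClass("com.callback.tests.PasswordCallbackHandler");
        rc.setSigCryptoConfig(crypto);
        rc.setEncrCryptoConfig(crypto);
        return rc;
    }

    // The WS-SecurityPolicy file (assumed: an AsymmetricBinding with SignedParts/EncryptedParts for the Body)
    // says what to protect; the RampartConfig assertion added to it says which keys to use.
    static Policy loadPolicyWithConfig(String policyPath, RampartConfig rc) throws Exception {
        StAXOMBuilder builder = new StAXOMBuilder(policyPath);
        Policy policy = PolicyEngine.getPolicy(builder.getDocumentElement());
        policy.addAssertion(rc);
        return policy;
    }

    static void configure(Stub stub, String profilePath, String policyPath) throws Exception {
        Properties profile = loadProfile(profilePath);
        checkEncryptionAlias(profile);
        ServiceClient client = stub._getServiceClient();
        client.engageModule("addressing");
        client.engageModule("rampart");
        Policy policy = loadPolicyWithConfig(policyPath, buildRampartConfig(profile));
        client.getAxisService().getPolicySubject().attachPolicy(policy);
    }
}
```

Call `ProfileRampartClient.configure(stub, "profiles/customer-a.properties", "ctx/policy.xml")` once per stub before invoking an operation; switching profile means building a new stub (or re-attaching the policy), since the policy is attached to the AxisService. The keystore check is deliberately separate from Rampart so that a wrong alias in a profile is reported at start-up rather than on the first outbound message.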
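Question 3 asks how to encrypt a message by hand when the container's mechanism is not flexible enough. The answer recommends Rampart, and the Merlin property names it uses belong to WSS4J, the library Rampart drives underneath. As an added example that is not part of the answer, the block below uses WSS4J directly to encrypt the Body of a SOAP envelope for the certificate stored under a run-time-chosen alias and to decrypt it again on the receiving side. The keystore paths, passwords and aliases are assumptions, the envelope is constructed, and the API is the WSS4J 1.5/1.6 one (package org.apache.ws.security); WSS4J 2.x renamed the packages to org.apache.wss4j.

```java
import java.io.ByteArrayInputStream;
import java.util.List;
import java.util.Properties;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.xml.parsers.DocumentBuilderFactory;

import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
import org.apache.ws.security.message.WSSecEncrypt;
import org.apache.ws.security.message.WSSecHeader;
import org.apache.ws.security.util.XMLUtils;
import org.w3c.dom.Document;

// Added example: encrypt and decrypt a SOAP Body with WSS4J directly, choosing the
// recipient by keystore alias at run time. Keystore paths, passwords and aliases are assumptions.
public class ManualSoapEncryption {

    static Crypto loadCrypto(String keystoreFile, String keystorePassword) {
        Properties p = new Properties();
        p.put("org.apache.ws.security.crypto.provider", "org.apache.ws.security.components.crypto.Merlin");
        p.put("org.apache.ws.security.crypto.merlin.keystore.type", "JKS");
        p.put("org.apache.ws.security.crypto.merlin.file", keystoreFile);
        p.put("org.apache.ws.security.crypto.merlin.keystore.password", keystorePassword);
        return CryptoFactory.getInstance(p);
    }

    static Document parseEnvelope(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // WS-Security locates Header/Body by qualified name; without this it fails
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));
    }

    // Client side: a fresh symmetric key encrypts the Body content and is itself wrapped with the
    // public key of the certificate stored under recipientAlias (the alias read from the profile).
    static Document encryptForAlias(Document envelope, Crypto crypto, String recipientAlias) throws Exception {
        WSSecHeader header = new WSSecHeader();
        header.insertSecurityHeader(envelope);
        WSSecEncrypt encrypt = new WSSecEncrypt();
        encrypt.setUserInfo(recipientAlias);
        encrypt.setKeyIdentifierType(WSConstants.ISSUER_SERIAL); // reference the cert, do not embed it
        return encrypt.build(envelope, crypto, header);          // default target: the Body content
    }

    // Server side: WSS4J asks the callback for the password of the private key whose alias
    // matches the certificate reference carried in the EncryptedKey element.
    static List<?> decrypt(Document encrypted, Crypto crypto, final String privateKeyPassword) throws Exception {
        CallbackHandler handler = new CallbackHandler() {
            public void handle(Callback[] callbacks) {
                for (Callback c : callbacks) {
                    WSPasswordCallback pc = (WSPasswordCallback) c;
                    if (pc.getUsage() == WSPasswordCallback.DECRYPT) {
                        pc.setPassword(privateKeyPassword); // pc.getIdentifer() is the key alias
                    }
                }
            }
        };
        return new WSSecurityEngine().processSecurityHeader(encrypted, null, handler, crypto);
    }

    public static void main(String[] args) throws Exception {
        // Constructed payload: two Java "objects" already serialized as Body elements.
        String envelope = "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">"
                + "<soapenv:Header/><soapenv:Body>"
                + "<ns:order xmlns:ns=\"urn:example\"><ns:id>42</ns:id></ns:order>"
                + "<ns:customer xmlns:ns=\"urn:example\"><ns:name>Alice</ns:name></ns:customer>"
                + "</soapenv:Body></soapenv:Envelope>";
        String recipientAlias = args.length > 0 ? args[0] : "server"; // would come from the active profile

        Crypto clientCrypto = loadCrypto("ctx/client.ks", "pwd"); // assumed: holds the server's certificate
        Document encrypted = encryptForAlias(parseEnvelope(envelope), clientCrypto, recipientAlias);
        System.out.println(XMLUtils.PrettyDocumentToString(encrypted)); // Body now holds xenc:EncryptedData

        Crypto serverCrypto = loadCrypto("ctx/server.ks", "pwd"); // assumed: holds the server's private key
        List<?> results = decrypt(encrypted, serverCrypto, "pwd");
        System.out.println("processed " + results.size() + " security element(s)");
        System.out.println(XMLUtils.PrettyDocumentToString(encrypted)); // Body content restored in place
    }
}
```

Encryption alone gives confidentiality only; a receiver cannot tell who produced the message, so in practice the request is also signed (WSSecSignature with the client's private key) and the server verifies the signature before acting on the decrypted Body. Sending the resulting DOM is then an ordinary HTTP POST of the serialized envelope with a `text/xml` content type, or handing it to the Axis2 client as an OMElement.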
