How to encrypt SOAP messages manually?


Problem description


I use JBoss 4.2.3.GA. In a previous task I used the basic encryption mechanism that JBoss supports (WS-Security), i.e. I used keystore and truststore files for encrypting and signing messages. As usual (in the standard way), the aliases of the keys that must be used during the crypto process were defined in the jboss-wsse-* files. I used the WS-Security configuration from the JBoss in Action book.


That's OK. Encryption works fine.


But in my current task I need to specify aliases for keys manually and dynamically. Task description:


  • I have several profiles. In every profile an alias of the public key that must be used for encrypting the message can be specified.


I have a keystore containing the private/public key of the server and the public keys of the clients that will send messages to the server.


I need to get the alias from the profile and encrypt the message (on the client side) using the public key specified by this alias.

So the questions are about:


  1. Is there a way to specify for JBoss the file system directory to load keystores from?
  2. Can I specify the alias for encryption for the standard JBoss WSS mechanism, to allow JBoss to use this information in the crypt process?
  3. If I must do manual encryption/decryption, then how can I wrap several Java objects into a WS message and then encrypt it using the necessary alias, and how do I send this message to a remote web service manually?


I just don't know how to start, what framework to use, and even whether it is necessary to use external (non-JBoss) frameworks for this...

Recommended answer


If possible, you can use Axis2 and Rampart. I've successfully used them both in a similar situation.


Rampart is an Axis2 module for handling security, and it exposes an API that allows you to define the key store location and the aliases you want to use, thus allowing you to define them dynamically.

Axis2

Rampart

Example code:

import java.io.FileNotFoundException;
import java.util.Properties;

import javax.xml.stream.XMLStreamException;

import org.apache.axis2.AxisFault;
import org.apache.axis2.client.ServiceClient;
import org.apache.axis2.client.Stub;
import org.apache.neethi.Policy;
import org.apache.rampart.policy.model.CryptoConfig;
import org.apache.rampart.policy.model.RampartConfig;

public class RampartClientSecurity {

    private static final String CONFIGURATION_CTX = "src/ctx";
    // WSS4J Merlin crypto provider property keys
    private static final String KEYSTORE_TYPE = "org.apache.ws.security.crypto.merlin.keystore.type";
    private static final String KEYSTORE_FILE = "org.apache.ws.security.crypto.merlin.file";
    private static final String KEYSTORE_PWD = "org.apache.ws.security.crypto.merlin.keystore.password";
    private static final String PROVIDER = "org.apache.ws.security.components.crypto.Merlin";

    /**
     * Engages the addressing, rampart and rahas modules on the stub's service
     * client and attaches the Rampart security policy to the service.
     */
    private static void engageRampartModules(Stub stub)
            throws AxisFault, FileNotFoundException, XMLStreamException {
        ServiceClient serviceClient = stub._getServiceClient();

        engageAddressingModule(stub);
        serviceClient.engageModule("rampart");
        serviceClient.engageModule("rahas");

        RampartConfig rampartConfig = prepareRampartConfig();

        attachPolicy(stub, rampartConfig);
    }

    /**
     * Engages WS-Addressing, which the security modules rely on.
     * The body of this helper was not shown in the original answer; engaging
     * the standard Axis2 "addressing" module is assumed here.
     */
    private static void engageAddressingModule(Stub stub) throws AxisFault {
        stub._getServiceClient().engageModule("addressing");
    }

    /**
     * Sets all the required security properties.
     * @return rampartConfig - an object containing rampart configurations
     */
    private static RampartConfig prepareRampartConfig() {
        String certAlias = "alias";             // The alias of the public key in the jks file
        String keyStoreFile = "ctx/client.ks";
        String keystorePassword = "pwd";
        String userName = "yourusername";

        RampartConfig rampartConfig = new RampartConfig();
        // Define properties for signing and encryption
        Properties merlinProp = new Properties();
        merlinProp.put(KEYSTORE_TYPE, "JKS");
        merlinProp.put(KEYSTORE_FILE, keyStoreFile);
        merlinProp.put(KEYSTORE_PWD, keystorePassword);

        CryptoConfig cryptoConfig = new CryptoConfig();
        cryptoConfig.setProvider(PROVIDER);
        cryptoConfig.setProp(merlinProp);

        // Rampart configurations
        rampartConfig.setUser(userName);
        rampartConfig.setUserCertAlias(certAlias);
        rampartConfig.setEncryptionUser(certAlias);
        rampartConfig.setPwCbClass("com.callback.tests.PasswordCallbackHandler"); // Password callback class

        rampartConfig.setSigCryptoConfig(cryptoConfig);
        rampartConfig.setEncrCryptoConfig(cryptoConfig);
        return rampartConfig;
    }

    /**
     * Attach the security policy to the stub.
     * @param stub
     * @param rampartConfig
     * @throws XMLStreamException
     * @throws FileNotFoundException
     */
    private static void attachPolicy(Stub stub, RampartConfig rampartConfig)
            throws XMLStreamException, FileNotFoundException {
        Policy policy = new Policy();
        policy.addAssertion(rampartConfig);
        stub._getServiceClient().getAxisService().getPolicySubject().attachPolicy(policy);
    }
}


PasswordCallbackHandler:

import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

public class PasswordCallbackHandler implements CallbackHandler {

    // @Override is left out: on Java 5 it is not permitted on interface implementations
    public void handle(Callback[] callbacks) throws IOException,
            UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            // Only WSPasswordCallback is supported; report anything else instead of blindly casting
            if (!(callbacks[i] instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callbacks[i], "Unrecognized callback");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) callbacks[i];
            String id = pwcb.getIdentifer(); // WSS4J 1.5 spells this accessor without the second "i"
            switch (pwcb.getUsage()) {
                case WSPasswordCallback.USERNAME_TOKEN: {
                    if (id.equals("pwd")) {
                        pwcb.setPassword("pwd");
                    }
                    break;
                }
                // Other usages (e.g. signature/decryption of a password-protected private key) would need their own case
            }
        }
    }

}
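The answer covers passing a keystore path and alias to Rampart; what it does not show is how to pick that alias per profile and check it before the first message is built, which is where a misconfigured profile otherwise surfaces as an opaque WS-Security fault. The following is an added example (not code from the answer or from the Rampart project) using only the JDK's java.security.KeyStore: it loads the keystore from a directory chosen at run time, maps a profile name to an alias, verifies the alias resolves to a certificate that is currently valid, and builds the same Merlin properties the answer's snippet uses. The class name ProfileKeyResolver, the PROFILE_ALIASES mapping, and the file names are assumptions constructed for the example; it also assumes, as the answer's own relative path "ctx/client.ks" does, that Merlin accepts a file-system path in the merlin.file property.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;

/**
 * Hypothetical helper (not from the original answer): resolves the encryption
 * alias configured for a profile and validates it against the keystore before
 * the alias is handed to Rampart's RampartConfig.setEncryptionUser(...).
 */
public class ProfileKeyResolver {

    // Constructed sample mapping profile -> alias; a real deployment would read this from the profile files.
    private static final Map<String, String> PROFILE_ALIASES = new HashMap<String, String>();
    static {
        PROFILE_ALIASES.put("profileA", "clientA");
        PROFILE_ALIASES.put("profileB", "clientB");
    }

    private static final String KEYSTORE_TYPE_PROP = "org.apache.ws.security.crypto.merlin.keystore.type";
    private static final String KEYSTORE_FILE_PROP = "org.apache.ws.security.crypto.merlin.file";
    private static final String KEYSTORE_PWD_PROP = "org.apache.ws.security.crypto.merlin.keystore.password";

    private final KeyStore keyStore;

    /** Loads a JKS keystore from a directory that is chosen at run time rather than baked into the deployment. */
    public ProfileKeyResolver(File keystoreDir, String fileName, char[] password)
            throws IOException, GeneralSecurityException {
        File ksFile = new File(keystoreDir, fileName);
        keyStore = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(ksFile);
        try {
            keyStore.load(in, password);
        } finally {
            in.close();
        }
    }

    /**
     * Returns the alias configured for the profile after checking that it names
     * a certificate in the keystore and that the certificate is currently valid.
     */
    public String encryptionAliasFor(String profile) throws GeneralSecurityException {
        String alias = PROFILE_ALIASES.get(profile);
        if (alias == null) {
            throw new IllegalArgumentException("no encryption alias configured for profile " + profile);
        }
        Certificate cert = keyStore.getCertificate(alias);
        if (cert == null) {
            throw new GeneralSecurityException("alias " + alias + " not found in keystore");
        }
        if (cert instanceof X509Certificate) {
            // Fail here, at configuration time, rather than when the first message is encrypted
            ((X509Certificate) cert).checkValidity();
        }
        return alias;
    }

    /** Builds the Merlin properties Rampart's CryptoConfig expects, with the keystore path resolved at run time. */
    public static Properties merlinProperties(File keystoreDir, String fileName, String password) {
        Properties p = new Properties();
        p.put(KEYSTORE_TYPE_PROP, "JKS");
        p.put(KEYSTORE_FILE_PROP, new File(keystoreDir, fileName).getPath());
        p.put(KEYSTORE_PWD_PROP, password);
        return p;
    }

    public static void main(String[] args) throws Exception {
        // Assumed locations; adjust to the directory the profile points at
        File dir = new File(args.length > 0 ? args[0] : "ctx");
        ProfileKeyResolver resolver = new ProfileKeyResolver(dir, "client.ks", "pwd".toCharArray());
        String alias = resolver.encryptionAliasFor("profileA");
        Properties merlin = merlinProperties(dir, "client.ks", "pwd");
        System.out.println("encrypting for alias " + alias + " using " + merlin.getProperty(KEYSTORE_FILE_PROP));
    }
}
```

The returned alias and properties plug straight into the answer's prepareRampartConfig(): pass merlinProperties(...) to CryptoConfig.setProp(...) and the validated alias to setEncryptionUser(...). Keeping the validation in one place means a profile that names a missing or expired certificate is rejected with a clear message before any SOAP envelope is assembled.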
