
XFire web service security: encryption (part 1)

XFire web service security mechanism

On top of the existing XFire and Spring integration, the following jars need to be added.

When integrating into JBoss I also ran into a problem: wss4j-1.5.0.jar simply could not be found, and I don't know why. After searching for quite a while I found that JBoss 4.2 keeps some security-related jars under the path below; after copying the jar there, JBoss ran normally:

D:\tool\jboss-4.2\server\default\deploy\jbossws.sar

The other jars can all just be dropped into WEB-INF/lib:

commons-discovery-0.2.jar
bcprov-jdk15-133.jar
wss4j-1.5.0.jar
xalan-2.7.0.jar

First, how to configure the server side and which code to add:

1. Write an interface for the web service that the server exposes. It can simply extend the original WS interface. UserServiceEnc.java:

```java
package com.megaeyes.ipcamera.service.webservice.iface;

public interface UserServiceEnc extends UserService {
}
```

2. Write a PasswordHandler to validate the user name. PasswordHandler.java:

```java
package com.megaeyes.ipcamera.service.webservice.tools;

import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;

import org.apache.ws.security.WSPasswordCallback;

public class PasswordHandler implements CallbackHandler {

    // Identifier -> password lookup table
    private final Map passwords = new HashMap();

    @SuppressWarnings("unchecked")
    public PasswordHandler() {
        passwords.put("safedv", "safedv");
        passwords.put("tianyi", "tianyi");
    }

    public void handle(Callback[] callbacks) {
        WSPasswordCallback callback = (WSPasswordCallback) callbacks[0];
        // getIdentifer() is the method name as spelled in the WSS4J 1.5 API
        String id = callback.getIdentifer();
        callback.setPassword((String) passwords.get(id));
    }
}
```

3. Write a WSS4JTokenHandler, the handler that works on the results of processing the encrypted content. WSS4JTokenHandler.java:

```java
package com.megaeyes.ipcamera.service.webservice.tools;

import java.security.cert.X509Certificate;
import java.util.Vector;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSUsernameTokenPrincipal;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;
import org.codehaus.xfire.MessageContext;
import org.codehaus.xfire.handler.AbstractHandler;

import sun.security.x509.X500Name;

public class WSS4JTokenHandler extends AbstractHandler {

    private static final Log log = LogFactory.getLog(WSS4JTokenHandler.class);

    public void invoke(MessageContext context) throws Exception {
        // Results left in the message context by WSS4JInHandler
        Vector result = (Vector) context.getProperty(WSHandlerConstants.RECV_RESULTS);
        if (result == null) {
            log.error("Client does not contain Security Header,need WSSJOutHandler");
            return;
        }
        for (int i = 0; i < result.size(); i++) {
            WSHandlerResult res = (WSHandlerResult) result.get(i);
            for (int j = 0; j < res.getResults().size(); j++) {
                WSSecurityEngineResult secRes = (WSSecurityEngineResult) res.getResults().get(j);
                int action = secRes.getAction();
                // USER TOKEN
                if ((action & WSConstants.UT) > 0) {
                    WSUsernameTokenPrincipal principal =
                            (WSUsernameTokenPrincipal) secRes.getPrincipal();
                    // Set user property to user from UT to allow response encryption
                    context.setProperty(WSHandlerConstants.ENCRYPTION_USER, principal.getName());
                    // Log the user name only; the password must not end up in the log
                    log.info("Client's Username: " + principal.getName());
                }
                // SIGNATURE
                if ((action & WSConstants.SIGN) > 0) {
                    @SuppressWarnings("unused")
                    X509Certificate cert = secRes.getCertificate();
                    X500Name principal = (X500Name) secRes.getPrincipal();
                    // Do something with cert
                    log.info("Signature for : " + principal.getCommonName());
                }
            }
        }
        log.info("WSS4JTokenHandler Done!");
    }
}
```

4. Add the following to applicationContext-webservice.xml, the configuration file dedicated to the server side:

```xml
<bean name="userServiceEnc" parent="baseWebService">
    <property name="serviceBean" ref="UserServiceImpl" />
    <property name="serviceClass"
        value="com.megaeyes.ipcamera.service.webservice.iface.UserServiceEnc" />
    <property name="inHandlers">
        <list>
            <ref bean="domInHandler" />
            <ref bean="wss4jInHandlerEnc" />
            <ref bean="validateUserTokenHandler" />
        </list>
    </property>
</bean>

<bean id="domInHandler" class="org.codehaus.xfire.util.dom.DOMInHandler"/>

<bean id="wss4jInHandlerEnc"
    class="org.codehaus.xfire.security.wss4j.WSS4JInHandler">
    <property name="properties">
        <props>
            <prop key="action">Encrypt</prop>
            <prop key="decryptionPropFile">insecurity_enc.properties</prop>
            <prop key="passwordCallbackClass">com.megaeyes.ipcamera.service.webservice.tools.PasswordHandler</prop>
        </props>
    </property>
</bean>

<bean id="validateUserTokenHandler"
    class="com.megaeyes.ipcamera.service.webservice.tools.WSS4JTokenHandler"/>
```

4. The properties file referenced in the Spring configuration only needs to be placed on the classpath. insecurity_enc.properties:

```properties
# Crypto provider class to use
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
# Password that opens the keystore holding the encryption key
org.apache.ws.security.crypto.merlin.keystore.password=ipcamera
# Name of the private key (keystore) file
org.apache.ws.security.crypto.merlin.file=safedv_private.jks
```

5. The server's own private key has to be placed on the server's classpath. How these keys are generated will be covered later. With the 5 steps above, the server-side configuration is complete.
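A hardened variant of the PasswordHandler from step 2, as an added example that is not part of the original post: it reads the private-key passwords from a file outside the WAR instead of hard-coding them, and rejects any callback it does not expect. The class name `ExternalPasswordHandler`, the system property `ws.keypass.file` and the `alias=password` file layout are assumptions made for illustration; the WSS4J calls are those of the 1.5.x API used on this page.

```java
package com.megaeyes.ipcamera.service.webservice.tools;

import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Properties;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

// Added example (hypothetical class): key passwords come from a file outside the WAR.
public class ExternalPasswordHandler implements CallbackHandler {
    // Hypothetical system property naming a properties file of alias=password lines.
    static final String PROP = "ws.keypass.file";
    private final Properties passwords = new Properties();

    public ExternalPasswordHandler() throws IOException {
        String path = System.getProperty(PROP);
        if (path == null) {
            throw new IOException("System property " + PROP + " is not set");
        }
        InputStream in = new FileInputStream(path);
        try {
            passwords.load(in);
        } finally {
            in.close();
        }
    }

    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (!(callbacks[i] instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callbacks[i], "Unexpected callback type");
            }
            WSPasswordCallback cb = (WSPasswordCallback) callbacks[i];
            // For inbound action=Encrypt, WSS4J asks for the password of the
            // private key (identified by its alias) needed to decrypt the message.
            if (cb.getUsage() != WSPasswordCallback.DECRYPT) {
                throw new UnsupportedCallbackException(cb, "Unsupported usage " + cb.getUsage());
            }
            String password = passwords.getProperty(cb.getIdentifer());
            if (password == null) { // unknown alias: refuse instead of passing null on
                throw new UnsupportedCallbackException(cb, "No password for requested alias");
            }
            cb.setPassword(password);
        }
    }
}
```

To try it, set `passwordCallbackClass` in the `wss4jInHandlerEnc` bean to this class and start the JVM with `-Dws.keypass.file=` pointing at a file readable only by the application server account.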
