yixiaoqi00 2010-01-05
xfire的webservice安全机制之签名
服务端配置修改点:
applicationContext-webservice.xml文件:
<propertyname="inHandlers">
<list>
<refbean="domInHandler"/>
<refbean="wss4jInHandlerSign"/>
<refbean="validateUserTokenHandler"/>
</list>
</property>
<beanid="wss4jInHandlerSign"class="org.codehaus.xfire.security.wss4j.WSS4JInHandler">
<propertyname="properties">
<props>
<propkey="action">Signature</prop>
<propkey="signaturePropFile">
insecurity_sign.properties
</prop>
</props>
</property>
</bean>
新增配置文件insecurity_sign.properties:
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=dv110.com
org.apache.ws.security.crypto.merlin.file=tianyi_public.jks
客户端配置文件:
只需要修改XFireClientFactory.java文件:
//签名
getSign(obj);
publicvoidgetSign(Objectservice){
Clientclient=((XFireProxy)Proxy.getInvocationHandler(service)).getClient();
//挂上WSS4JOutHandler,提供认证
client.addOutHandler(newDOMOutHandler());
Propertiesproperties=newProperties();
properties.setProperty(WSHandlerConstants.ACTION,WSHandlerConstants.SIGNATURE);
//Userinkeystore
properties.setProperty(WSHandlerConstants.USER,"safedv");
//Thiscallbackisusedtospecifypasswordforgivenuserforkeystore
properties.setProperty(WSHandlerConstants.PW_CALLBACK_CLASS,PasswordHandler.class.getName());
//Configurationforaccessingprivatekeyinkeystore
properties.setProperty(WSHandlerConstants.SIG_PROP_FILE,"outsecurity_sign.properties");
properties.setProperty(WSHandlerConstants.SIG_KEY_ID,"IssuerSerial");
client.addOutHandler(newWSS4JOutHandler(properties));
}
客户端增加配置文件,outsecurity_sign.properties
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=dv110.com
org.apache.ws.security.crypto.merlin.file=tianyi_private.jks
附录,生成签名的各个KEY,其实就是和ENC反过来操作,私匙签名,公匙解
1、通过别名和密码创建私密钥到keystore:
C:\>keytool-genkey-aliassafedv-keypasssafedv-keystoretianyi_private.jks-storepassdv110.com-dname"cn=dv110"-keyalgRSA
2、证书:
C:\>keytool-selfcert-aliassafedv-keystoretianyi_private.jks-storepassdv110.com-keypasssafedv
3、导出公钥到key.rsa:
C:\>keytool-export-aliassafedv-filesafedv.rsa-keystoretianyi_private.jks-storepassdv110.com
4、导入公钥到新的keystore中:
C:\>keytool-import-aliassafedv-filesafedv.rsa-keystoretianyi_public.jks-storepassdv110.com