xfire的webservice安全机制之签名
服务端配置修改点:
applicationContext-webservice.xml文件:
<property name="inHandlers">
<list>
<ref bean="domInHandler" />
<ref bean="wss4jInHandlerSign"/>
<ref bean="validateUserTokenHandler" />
</list>
</property>
<bean id="wss4jInHandlerSign" class="org.codehaus.xfire.security.wss4j.WSS4JInHandler">
<property name="properties">
<props>
<prop key="action">Signature</prop>
<prop key="signaturePropFile">
insecurity_sign.properties
</prop>
</props>
</property>
</bean>
新增配置文件insecurity_sign.properties:
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=dv110.com
org.apache.ws.security.crypto.merlin.file=tianyi_public.jks
客户端配置文件:
只需要修改XFireClientFactory.java文件:
//签名
getSign(obj);
public void getSign(Object service){
Client client = ((XFireProxy) Proxy.getInvocationHandler(service)).getClient();
//挂上WSS4JOutHandler,提供认证
client.addOutHandler(new DOMOutHandler());
Properties properties = new Properties();
properties.setProperty(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE);
// User in keystore
properties.setProperty(WSHandlerConstants.USER, "safedv");
// This callback is used to specify password for given user for keystore
properties.setProperty(WSHandlerConstants.PW_CALLBACK_CLASS, PasswordHandler.class.getName());
// Configuration for accessing private key in keystore
properties.setProperty(WSHandlerConstants.SIG_PROP_FILE, "outsecurity_sign.properties");
properties.setProperty(WSHandlerConstants.SIG_KEY_ID, "IssuerSerial");
client.addOutHandler(new WSS4JOutHandler(properties));
}
客户端增加配置文件,outsecurity_sign.properties
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=dv110.com
org.apache.ws.security.crypto.merlin.file=tianyi_private.jks
附录,生成签名的各个KEY,其实就是和ENC反过来操作,私匙签名,公匙解
1、通过别名和密码创建私密钥到keystore:
C:\>keytool -genkey -alias safedv -keypass safedv -keystore tianyi_private.jks -storepass dv110.com -dname "cn=dv110" -keyalg RSA
2、证书:
C:\>keytool -selfcert -alias safedv -keystore tianyi_private.jks -storepass dv110.com -keypass safedv
3、导出公钥到key.rsa:
C:\>keytool -export -alias safedv -file safedv.rsa -keystore tianyi_private.jks -storepass dv110.com
4、导入公钥到新的keystore中:
C:\>keytool -import -alias safedv -file safedv.rsa -keystore tianyi_public.jks -storepass dv110.com