2008-07-01 16:17:56
XFIRE安全整体方案
调用时验证密码+加密+签名
返回结果 加密
得到结果 解密
服务端配置:
XFIRE的配置文件修改点,applicationContext-webservice.xml:
UsernameToken Encrypt Signature
insecurity_enc.properties
com.megaeyes.ipcamera.service.webservice.tools.PasswordHandler
insecurity_sign.properties
outsecurity_enc.properties
insecurity_enc.properties配置文件:
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=kaishi
org.apache.ws.security.crypto.merlin.file=server_private.jks
insecurity_sign.properties配置文件:
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=kaishi
org.apache.ws.security.crypto.merlin.file=client_public.jks
outsecurity_enc.properties配置文件:
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=kaishi
org.apache.ws.security.crypto.merlin.file=client_public.jks
客户端配置
只需修改 XFireClientFactory.java 文件即可；不过也可以改成从配置读取，这样就不用每次都改代码，有空再改吧
getEncSign(obj);
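/**
 * Attaches the WSS4J handler chain to an XFire client proxy: every outgoing
 * request carries a UsernameToken (digest password), is encrypted for the
 * server and signed with the client key; every incoming response is decrypted.
 *
 * @param service an XFire service proxy whose invocation handler is an
 *                {@code XFireProxy}; the client behind it is modified in place
 */
public void getEncSign(Object service) {
    Client client = ((XFireProxy) Proxy.getInvocationHandler(service)).getClient();

    // Outbound side: the DOM handler must be registered before the WSS4J
    // handler so the latter can operate on the full DOM message.
    client.addOutHandler(new DOMOutHandler());
    Properties outProps = new Properties();
    outProps.setProperty(WSHandlerConstants.ACTION,
            WSHandlerConstants.USERNAME_TOKEN + " "
                    + WSHandlerConstants.ENCRYPT + " "
                    + WSHandlerConstants.SIGNATURE);
    // Send the token password as a digest, never in clear text.
    outProps.setProperty(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PASSWORD_DIGEST);
    // Encrypt for the "server" certificate found via outsecurity_enc.properties.
    outProps.setProperty(WSHandlerConstants.ENCRYPTION_USER, "server");
    outProps.setProperty(WSHandlerConstants.ENC_PROP_FILE, "outsecurity_enc.properties");
    // USER is both the UsernameToken user and (in WSS4J) the signing-key alias,
    // so it must name the client's own key, not the server's. The previous
    // version assigned "server" first and then overwrote it; only the effective
    // value is kept here.
    outProps.setProperty(WSHandlerConstants.USER, "client");
    // PasswordHandler supplies the token password and the private-key password.
    outProps.setProperty(WSHandlerConstants.PW_CALLBACK_CLASS, PasswordHandler.class.getName());
    outProps.setProperty(WSHandlerConstants.SIG_PROP_FILE, "outsecurity_sign.properties");
    outProps.setProperty(WSHandlerConstants.SIG_KEY_ID, "IssuerSerial");
    client.addOutHandler(new WSS4JOutHandler(outProps));

    // Inbound side: only ENCRYPT is configured, so responses are decrypted with
    // the client's private key (insecurity_enc.properties) but no signature on
    // the response is verified by this chain.
    client.addInHandler(new DOMInHandler());
    Properties inProps = new Properties();
    inProps.setProperty(WSHandlerConstants.ACTION, WSHandlerConstants.ENCRYPT);
    inProps.setProperty(WSHandlerConstants.DEC_PROP_FILE, "insecurity_enc.properties");
    inProps.setProperty(WSHandlerConstants.PW_CALLBACK_CLASS, PasswordHandler.class.getName());
    client.addInHandler(new WSS4JInHandler(inProps));
}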
密码处理的类PasswordHandler.java:
package com.sillycat.plugin.webservice.xfire;
import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.WSSecurityException;
/**
* @author david.turing
*/
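/**
 * WSS4J password callback shared by the client and server handler chains.
 *
 * <p>For a clear-text UsernameToken it verifies the presented password; for
 * every other callback (digest token, signature, decryption) it hands WSS4J the
 * secret registered for the callback identifier, which is either the token user
 * name or a keystore alias whose key password equals the map entry.
 *
 * <p>The credentials below are hard-coded for this example; a deployment should
 * load them from protected configuration rather than the class body.
 */
public class PasswordHandler implements CallbackHandler {
    private static final Charset UTF_8 = Charset.forName("UTF-8");

    // identifier (token user name or key alias) -> secret
    private final Map<String, String> passwords = new HashMap<String, String>();

    public PasswordHandler() {
        passwords.put("server", "server");
        passwords.put("client", "client");
    }

    /**
     * Resolves every {@link WSPasswordCallback} in {@code callbacks}; earlier
     * versions only looked at the first element and left the rest unanswered.
     *
     * @param callbacks callbacks issued by WSS4J, each expected to be a
     *                  {@code WSPasswordCallback}
     * @throws WSSecurityException if the identifier is unknown or a clear-text
     *                             password does not match the stored one
     */
    public void handle(Callback[] callbacks) throws WSSecurityException {
        for (Callback raw : callbacks) {
            WSPasswordCallback callback = (WSPasswordCallback) raw;
            String id = callback.getIdentifer();
            String validPw = passwords.get(id);
            if (validPw == null) {
                // Fail here instead of handing WSS4J a null secret for an unknown id.
                throw new WSSecurityException("unknown user or alias: " + id);
            }
            if (WSConstants.PASSWORD_TEXT.equals(callback.getPasswordType())) {
                // Clear-text password: compare case-sensitively and in constant
                // time (the old equalsIgnoreCase accepted any casing and leaked
                // timing).
                String pw = callback.getPassword();
                if (pw == null || !sameSecret(pw, validPw)) {
                    throw new WSSecurityException("password not match");
                }
            } else {
                // Digest token, signature or decryption: WSS4J needs the secret
                // itself to compute or verify the digest / unlock the key.
                callback.setPassword(validPw);
            }
        }
    }

    /** Constant-time, case-sensitive comparison of two secrets. */
    private static boolean sameSecret(String presented, String expected) {
        return MessageDigest.isEqual(presented.getBytes(UTF_8), expected.getBytes(UTF_8));
    }
}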
outsecurity_enc.properties配置文件:
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=kaishi
org.apache.ws.security.crypto.merlin.file=server_public.jks
outsecurity_sign.properties配置文件:
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=kaishi
org.apache.ws.security.crypto.merlin.file=client_private.jks
insecurity_enc.properties配置文件:
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=kaishi
org.apache.ws.security.crypto.merlin.file=client_private.jks
附录:
生成KEY的方式
SERVER端的配置:
# Server key pair: RSA key under alias "server" in server_private.jks.
# The key password ("server") is the secret PasswordHandler returns for that
# identifier; the store password ("kaishi") is the keystore.password used in
# the *.properties files.
keytool -genkey -alias server -keypass server -keystore server_private.jks -storepass kaishi -dname "cn=server" -keyalg RSA
# Self-sign the certificate for alias "server".
keytool -selfcert -alias server -keystore server_private.jks -storepass kaishi -keypass server
# Export only the certificate (public part) to server.rsa.
keytool -export -alias server -file server.rsa -keystore server_private.jks -storepass kaishi
# server_public.jks holds just the server certificate; it is the store the
# client's outsecurity_enc.properties points at for encryption.
keytool -import -alias server -file server.rsa -keystore server_public.jks -storepass kaishi
CLIENT端的配置:
# Client key pair: RSA key under alias "client" in client_private.jks.
# The key password ("client") matches the PasswordHandler entry for "client";
# the store password ("kaishi") matches keystore.password in the properties.
keytool -genkey -alias client -keypass client -keystore client_private.jks -storepass kaishi -dname "cn=client" -keyalg RSA
# Self-sign the certificate for alias "client".
keytool -selfcert -alias client -keystore client_private.jks -storepass kaishi -keypass client
# Export only the certificate (public part) to client.rsa.
keytool -export -alias client -file client.rsa -keystore client_private.jks -storepass kaishi
# client_public.jks holds just the client certificate; the server's
# insecurity_sign.properties and outsecurity_enc.properties point at it.
keytool -import -alias client -file client.rsa -keystore client_public.jks -storepass kaishi