我一直在研究如何从.wsdl文件实现Web服务客户端策略。
Web服务的策略涉及使用带有必要密钥的.jks文件的签名和加密(用于签名的非对称privateKey和用于加密的对称privateKey)。策略是:username:oracle / wss10_username_token_with_message_protection_service_policy。
我可以使用wsimport工具为java(或使用cxf或axis2)创建.xsd文件(请求,响应和服务对象)。我无法解决的是如何制定正确的政策。
有没有办法从.wsdl自动生成策略,或者我必须自己生成它们
用户名:oracle / wss10_username_token_with_message_protection_service_policy通过spring ws解决:
<!-- == Ougoing interceptor == -->
<bean id="loginOutgoingWss4jSecurityInterceptor" class="org.springframework.ws.soap.security.wss4j2.Wss4jSecurityInterceptor">
<property name="securementActions" value="Timestamp Signature Encrypt" />
<!-- == Set Outgoing Signature properties == -->
<property name="securementUsername" value="alias"/>
<property name="securementPassword" value="aliasPass"/>
<property name="securementSignatureKeyIdentifier" value="DirectReference"/>
<property name="securementSignatureCrypto" ref="cryptoFactoryBean" />
<property name="securementSignatureParts" value="{Element}{}Body;{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;" />
<!-- == Set Outgoing Encryption properties == -->
<property name="securementEncryptionUser" value="alias"/>
<property name="securementEncryptionCrypto" ref="cryptoFactoryBean" />
<property name="securementEncryptionKeyIdentifier" value="DirectReference"/>
<property name="securementEncryptionParts" value="{Content}{}Body;" />
</bean>
<!-- == Incoming interceptor == -->
<bean id="loginIncomingWss4jSecurityInterceptor" class="org.springframework.ws.soap.security.wss4j2.Wss4jSecurityInterceptor">
<property name="validationActions" value="Timestamp Signature Encrypt" />
<!-- == Set Validations Response, This validate signature and decrypts response == -->
<property name="validateResponse" value="true" />
<!-- The lower operation validation. Less time consume-->
<property name="validateRequest" value="false" />
<property name="enableSignatureConfirmation" value="false"/>
<!-- == Set Incoming Signature/Decryption keystore == -->
<property name="validationDecryptionCrypto" ref="cryptoFactoryBean" />
<property name="validationSignatureCrypto" ref="cryptoFactoryBean" />
<!-- Sets the {@link org.apache.ws.security.WSPasswordCallback} handler to use when validating messages -->
<property name="validationCallbackHandler">
<bean class="org.springframework.ws.soap.security.wss4j2.callback.KeyStoreCallbackHandler">
<property name="privateKeyPassword" value="aliasPass"/>
</bean>
</property>
</bean>
如果您在wsdl中使用WS-SecurityPolicy(1.1或更高版本)中的策略,则无需生成策略,也无需在客户端使用Apache CXF生成策略。借助WS-SecurityPolicy,CXF的安全运行时是策略驱动的。
1)您使用wsdl2java命令行工具或Maven cxf-codegen-plugin(wsdl2java目标)遵循CXF的WSDL优先方法来生成客户端代码。这在CXF doc的How to develop a client中有所描述。
2)遵循CXF关于WS-SecurityPolicy usage的文档,您可以使用JAX-WS API(在客户端的RequestContext上)或Spring XML配置为您要使用的wsdl端口配置客户端安全性属性。对于可能的属性列表,有通用的XML security和WS-Security-specific。使用Spring XML for UsernameToken策略的示例(来自Glen Mazza's blog samples):
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:jaxws="http://cxf.apache.org/jaxws"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://cxf.apache.org/jaxws
http://cxf.apache.org/schemas/jaxws.xsd">
<jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItPort" createdFromAPI="true">
<!-- Use this for the UsernameToken Symmetric Binding w/X.509 for secret key derivation -->
<jaxws:properties>
<entry key="ws-security.username" value="alice"/>
<entry key="ws-security.callback-handler" value="client.ClientPasswordCallback"/>
<entry key="ws-security.encryption.properties" value="clientKeystore.properties"/>
<entry key="ws-security.encryption.username" value="myservicekey"/>
</jaxws:properties>
<!-- Use this for the UsernameToken Symmetric Binding w/UT password for secret key derivation -->
<!--jaxws:properties>
<entry key="ws-security.username" value="alice"/>
<entry key="ws-security.callback-handler" value="client.ClientPasswordCallback"/>
</jaxws:properties-->
</jaxws:client>
</beans>
把它放在类路径上的/cxf.xml中。警告:该示例使用CallbackHandler子类(在此示例中为client.ClientPasswordCallback)来提供密码。所以你需要提供自己的实现。
3)回到CXF doc的How to develop a client - 最后一部分 - 在应用程序代码中,使用带有参数的JAX-WS API初始化客户端:a)具有WS-SecurityPolicy策略的WSDL(URL)的位置(您已经拥有它,如据我所知); b)客户端使用的服务和端口的QNames,如WSDL中所定义:
final Service service = Service.create(wsdlLocation, SERVICE_QNAME);
final DoubleItPortType transportPort = service.getPort(PORT_QNAME, DoubleItPortType.class);
4)确保在运行时在类路径上有cxf-rt-ws-policy和cxf-rt-ws-security模块以启用WS-SecurityPolicy支持。