David.Turing's blog

 

[原创]实施WebService Security[WS-Security1.0]的Encrypt和Sign模式(XFire+WSS4J)

鉴于很多系统需要实施WS-Security的标准,我们在SpringSide中提供了XFire+WSS4J的Demo,本文介绍SpringSide中Spring+XFire+WSS4J的基本配置

[WebService Server端配置]
第一,创建一个基本的BookService
public interface BookService {
    
/**
     * 按书名模糊查询图书
     
*/

    List findBooksByName(String name);

    
/**
     * 查找目录下的所有图书
     *
     * 
@param categoryId 如果category为null或“all”, 列出所有图书。
     
*/

    List findBooksByCategory(String categoryId);

    
/**
     * 列出所有分类.
     *
     * 
@return List<Category>,或是null。
     
*/

    List getAllCategorys();
}

第二,接口扩展,即Extend基本的BookService,在XFire中,不同的WSS4J策略需要针对不同的ServiceClass,否则<inHandlers>里面的定义会Overlap。
public interface BookServiceWSS4JEnc  extends BookService {

}

public interface BookServiceWSS4JSign  extends BookService {

}

第三,配置Spring的ApplicationContext文件
    <!--BookService 基类-->
    
<bean id="baseWebService" class="org.codehaus.xfire.spring.remoting.XFireExporter" abstract="true">
        
<property name="serviceFactory" ref="xfire.serviceFactory"/>
        
<property name="xfire" ref="xfire"/>
    
</bean>

    
<bean class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
        
<property name="mappings">
            
<value>
                /BookService=bookService
                /BookServiceWSS4J=bookServiceWSS4J
                /BookServiceWSS4JEnc=bookServiceWSS4JEnc
                /BookServiceWSS4JSign=bookServiceWSS4JSign
            
</value>
        
</property>
    
</bean>

   
<!--(1)BookWebService 不需要认证-->
    
<bean id="bookService" class="org.codehaus.xfire.spring.remoting.XFireExporter">
        
<property name="serviceFactory" ref="xfire.serviceFactory"/>
        
<property name="xfire" ref="xfire"/>
        
<property name="serviceBean" ref="bookManager"/>
        
<property name="serviceClass" value="org.springside.bookstore.plugins.xfire.service.BookService"/>
    
</bean>

    
<!--  (3)BookWebService 使用 WSS4J验证-->
    
<bean id="bookServiceWSS4J" class="org.codehaus.xfire.spring.remoting.XFireExporter">
        
<property name="serviceBean" ref="bookManager"/>
        
<property name="serviceClass" value="org.springside.bookstore.plugins.xfire.service.BookServiceWSS4J"/>
        
<property name="inHandlers">
            
<list>
                
<ref bean="domInHandler"/>
                
<ref bean="wss4jInHandler"/>
                
<ref bean="validateUserTokenHandler"/>
            
</list>
        
</property>
    
</bean>

    
<bean id="domInHandler" class="org.codehaus.xfire.util.dom.DOMInHandler"/>

    
<bean id="wss4jInHandler" class="org.codehaus.xfire.security.wss4j.WSS4JInHandler">
        
<property name="properties">
            
<props>
                
<prop key="action">UsernameToken</prop>
                
<prop key="passwordCallbackClass">org.springside.bookstore.plugins.xfire.wss4j.PasswordHandler</prop>
            
</props>
        
</property>
    
</bean>

    
<bean id="validateUserTokenHandler" class="org.springside.bookstore.plugins.xfire.wss4j.WSS4JTokenHandler"/>
    
    
<!--  (4)BookWebService 使用 WSS4J验证 Encrypt模式-->
    
<bean id="bookServiceWSS4JEnc" class="org.codehaus.xfire.spring.remoting.XFireExporter">
        
<property name="serviceBean" ref="bookManager"/>
        
<property name="serviceClass" value="org.springside.bookstore.plugins.xfire.service.BookServiceWSS4JEnc"/>
        
<property name="inHandlers">
            
<list>
                
<ref bean="domInHandler"/>
                
<ref bean="wss4jInHandlerEnc"/>
                
<ref bean="validateUserTokenHandler"/>
            
</list>
        
</property>
    
</bean>
        
    
<bean id="wss4jInHandlerEnc" class="org.codehaus.xfire.security.wss4j.WSS4JInHandler">
        
<property name="properties">
          
<props>
            
<prop key="action">Encrypt</prop>
            
<prop key="decryptionPropFile">org/springside/bookstore/plugins/xfire/wss4j/insecurity_enc.properties</prop>
            
<prop key="passwordCallbackClass">org.springside.bookstore.plugins.xfire.wss4j.PasswordHandler</prop>
          
</props>
        
</property>
    
</bean>
    
    
<!--  (5)BookWebService 使用 WSS4J验证 Signature模式-->
    
<bean id="bookServiceWSS4JSign" class="org.codehaus.xfire.spring.remoting.XFireExporter">
        
<property name="serviceBean" ref="bookManager"/>
        
<property name="serviceClass" value="org.springside.bookstore.plugins.xfire.service.BookServiceWSS4JSign"/>
        
<property name="inHandlers">
            
<list>
                
<ref bean="domInHandler"/>
                
<ref bean="wss4jInHandlerSign"/>
                
<ref bean="validateUserTokenHandler"/>
            
</list>
        
</property>
    
</bean>
    
    
<bean id="wss4jInHandlerSign" class="org.codehaus.xfire.security.wss4j.WSS4JInHandler">
        
<property name="properties">
          
<props>
            
<prop key="action">Signature</prop>
            
<prop key="signaturePropFile">org/springside/bookstore/plugins/xfire/wss4j/insecurity_sign.properties</prop>
            
<prop key="passwordCallbackClass">org.springside.bookstore.plugins.xfire.wss4j.PasswordHandler</prop>
          
</props>
        
</property>
    
</bean>
    
</beans>

第四,配置insecurity_enc.properties和insecurity_sign.properties两个密钥库配置文件
insecurity_enc.properties:
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type
=jks
org.apache.ws.security.crypto.merlin.keystore.password
=SpringSide
org.apache.ws.security.crypto.merlin.alias.password
=SpringSide
org.apache.ws.security.crypto.merlin.keystore.alias
=david
org.apache.ws.security.crypto.merlin.file
=org/springside/bookstore/plugins/xfire/wss4j/springside_private.jks

outsecurity_sign.properties:
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type
=jks
org.apache.ws.security.crypto.merlin.keystore.password
=SpringSide
org.apache.ws.security.crypto.merlin.keystore.alias
=david
org.apache.ws.security.crypto.merlin.file
=org/springside/bookstore/plugins/xfire/wss4j/springside_public.jks

第五,使用SecureX生成了两个keystore文件
springside_private.jks
别名名称: david
创建日期: 
2006-8-6
输入类型:KeyEntry
认证链长度: 
1
认证 
[1]:
Owner: CN
=david, OU=SpringSide, O=org, L=gz, ST=gd, C=cn
发照者: CN
=david, OU=SpringSide, O=org, L=gz, ST=gd, C=cn
序号: 44d4cdcd
有效期间: Sun Aug 
06 00:56:45 CST 2006 至: Mon Aug 06 00:56:45 CST 2007
认证指纹:
         MD5:  CF:
97:13:0C:70:D0:4D:B6:B4:27:0F:1A:0B:CF:D9:F2
         SHA1: 8E:8E:E8:BC:
64:39:C8:43:E4:F7:1B:3B:CE:48:1D:6B:A0:2B:58:B5

springside_public.jks
别名名称: david
创建日期: 
2006-8-6
输入类型: trustedCertEntry

Owner: CN
=david, OU=SpringSide, O=org, L=gz, ST=gd, C=cn
发照者: CN
=david, OU=SpringSide, O=org, L=gz, ST=gd, C=cn
序号: 44d4cdcd
有效期间: Sun Aug 
06 00:56:45 CST 2006 至: Mon Aug 06 00:56:45 CST 2007
认证指纹:
         MD5:  CF:
97:13:0C:70:D0:4D:B6:B4:27:0F:1A:0B:CF:D9:F2
         SHA1: 8E:8E:E8:BC:
64:39:C8:43:E4:F7:1B:3B:CE:48:1D:6B:A0:2B:58:B5

第五,新版本SpringSide需要
http://www.bouncycastle.org/download/bcprov-jdk15-133.jar
并且要配置java.security
另外,还要使用jdk加密增强策略
http://www.blogjava.net/openssl/archive/2006/03/08/34381.html

用户要使用WSS4J,需要配置Bouncycastle这个SecurityProvider,否则
运行Enc模式的XFire认证的时候,会抛出异常:
org.apache.ws.security.WSSecurityException: An unsupported signature or encryption algorithm was used unsupported key
配合java.security也是非常简单:
在最后加入BouncycastleProvider。
security.provider.1=sun.security.provider.Sun
security.provider.2=com.sun.net.ssl.internal.ssl.Provider
security.provider.3=com.sun.rsajca.Provider
security.provider.4=com.sun.crypto.provider.SunJCE
security.provider.5=sun.security.jgss.SunProvider
security.provider.6=org.bouncycastle.jce.provider.BouncyCastleProvider

[WebService Client端配置]
1,Encrypt模式的Client是在客户端用david的公钥加密Soap里面的usernameToken,然后发送到Web服务,Web服务用david的私钥来验证。这种模式需要客户端预先知道服务器端的公钥。

在Encrypt模式中,需要这样配置ClientHandler:
        Service serviceModel = new ObjectServiceFactory().create(BookServiceWSS4JEnc.class);
        XFireProxyFactory factory 
= new XFireProxyFactory(getXFire());

        BookService service 
= (BookService) factory.create(serviceModel, "xfire.local://BookServiceWSS4JEnc");

        Client client 
= ((XFireProxy) Proxy.getInvocationHandler(service)).getClient();
        
//挂上WSS4JOutHandler,提供认证
        client.addOutHandler(new DOMOutHandler());
        Properties properties 
= new Properties();
        configureOutProperties(properties);
        client.addOutHandler(
new WSS4JOutHandler(properties));

        List list 
= service.getAllCategorys();
configureOutProperties函数负责指定Client使用何种安全策略,没错,使用outsecurity_enc.properties,这个properties是跟Server端的insecurity_enc.properties一起使用的。
    protected void configureOutProperties(Properties config) {
        config.setProperty(WSHandlerConstants.ACTION, WSHandlerConstants.ENCRYPT);
        config.setProperty(WSHandlerConstants.USER, 
"david");
        
//config.setProperty(WSHandlerConstants.PW_CALLBACK_CLASS, PasswordHandler.class.getName());
        
//Configuration of public key used to encrypt message goes to properties file.
        config.setProperty(WSHandlerConstants.ENC_PROP_FILE,
                               
"org/springside/bookstore/plugins/xfire/outsecurity_enc.properties");
    }

outsecurity_enc.properties:
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type
=jks
org.apache.ws.security.crypto.merlin.keystore.password
=SpringSide
org.apache.ws.security.crypto.merlin.keystore.alias
=david
org.apache.ws.security.crypto.merlin.file
=org/springside/bookstore/plugins/xfire/wss4j/springside_public.jks


2, Sign模式的Client同样也是很简单,这种模式是Client端用自己的私钥为usernameToken签名,服务器端用Client的公钥来验证签名,因此,服务器端需要预先知道客户端的公钥。
对应于Encrypt模式,这里的configureOutProperties需要这样来配置:
    protected void configureOutProperties(Properties properties) {
        properties.setProperty(WSHandlerConstants.ACTION,WSHandlerConstants.SIGNATURE);
        
// User in keystore
        properties.setProperty(WSHandlerConstants.USER, "david");
        
// This callback is used to specify password for given user for keystore
        properties.setProperty(WSHandlerConstants.PW_CALLBACK_CLASS, PasswordHandler.class.getName());
        
// Configuration for accessing private key in keystore
        properties.setProperty(WSHandlerConstants.SIG_PROP_FILE,"org/springside/bookstore/plugins/xfire/outsecurity_sign.properties");
        properties.setProperty(WSHandlerConstants.SIG_KEY_ID,
"IssuerSerial");
    }


outsecurity_sign.properties:
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type
=jks
org.apache.ws.security.crypto.merlin.keystore.password
=SpringSide
org.apache.ws.security.crypto.merlin.alias.password
=SpringSide
org.apache.ws.security.crypto.merlin.keystore.alias
=david
org.apache.ws.security.crypto.merlin.file
=org/springside/bookstore/plugins/xfire/wss4j/springside_private.jks

posted on 2006-08-08 09:09 david.turing 阅读(22347) 评论(42)  编辑  收藏 所属分类: Security领域

评论

# re: 实施WebService Security[WS-Security1.0]的Encrypt和Sign模式(XFire+WSS4J) 2006-08-08 09:17 江南白衣

酷,XFire终于足够安全,不用再公司项目那样,靠防火墙过滤IP白名单了:)  回复  更多评论   

# re: 实施WebService Security[WS-Security1.0]的Encrypt和Sign模式(XFire+WSS4J) 2006-08-08 11:40 david.turing

理论上,Sign模式适合分发型的Webservice结构,举一个例子,Microsoft公司有一个能够计算股市走势的WebService,他当然不希望授权才能访问,于是,他要求调用方为每个Soap请求签名,这样他可以确保购买了服务的人才能享受此服务

Encrypt模式适合集中式的WebService结构,举一个例子,中国最高人民检察院提供一个WebService服务,它希望民间团体能够向政府举证揭发贪污腐败的官员,于是,他公布了自己的keystore,其中包含了私钥,于是,民间团体可以通过Encrypt模式加密一些比较私隐的信息(Username),Only检察院才能解密(因为他们有私钥)。  回复  更多评论   

# re: 实施WebService Security[WS-Security1.0]的Encrypt和Sign模式(XFire+WSS4J) 2006-08-08 16:14 向大家学习

david研究AXIS2没有?  回复  更多评论   

# re: 实施WebService Security[WS-Security1.0]的Encrypt和Sign模式(XFire+WSS4J) 2006-08-08 16:28 david.turing

我和白衣都是从Axis2转移到XFire,仅仅因为XFire是build on在Spring之上,集成Spring更容易。  回复  更多评论   

# re: 实施WebService Security[WS-Security1.0]的Encrypt和Sign模式(XFire+WSS4J) 2006-08-09 23:07 向大家学习

david写篇wss4j中使用opensaml的文章,网上都找不到相关文章  回复  更多评论   

# re: 实施WebService Security[WS-Security1.0]的Encrypt和Sign模式(XFire+WSS4J) 2006-08-11 08:40 david.turing

好建议,我打算做一个Weblogic 9.2和XFire SAML的SSO Demo  回复  更多评论   

# re: 实施WebService Security[WS-Security1.0]的Encrypt和Sign模式(XFire+WSS4J) 2006-08-11 14:30 向大家学习

代表人民感谢你了,只是我用的是AXIS2,很期待你的作品。  回复  更多评论   

# re: [原创]实施WebService Security[WS-Security1.0]的Encrypt和Sign模式(XFire+WSS4J) 2006-09-06 02:24 shuangxi

Hi, I have a question regarding to the exception handling. In my app,
the server encrypt the message before sending to client. But when
exception occurs, the client doesn't seem to be able to read the fault,
here is the stacktrace:

org.codehaus.xfire.fault.XFireFault: WSS4JInHandler: Request does not contain required Security header
at org.codehaus.xfire.security.wss4j.WSS4JInHandler.invoke(WSS4JInHandler.java:159)
at org.codehaus.xfire.handler.HandlerPipeline.invoke(HandlerPipeline.java:110)
at org.codehaus.xfire.client.Client.onReceive(Client.java:382)
....

Have you experiencing the same problem?

thanks,  回复  更多评论   

# re: [原创]实施WebService Security[WS-Security1.0]的Encrypt和Sign模式(XFire+WSS4J) 2006-09-06 10:21 david.turing

it seems that you have not correctly config the xfire configuration.
I meant that if you use Sign-Mode, you should not use the Encrypt-Mode Handler

Carefully check the configuration
<bean id="wss4jInHandlerSign" class="org.codehaus.xfire.security.wss4j.WSS4JInHandler">
<property name="properties">
<props>
<prop key="action">Signature</prop>
<prop key="signaturePropFile">org/springside/bookstore/plugins/xfire/wss4j/insecurity_sign.properties</prop>
<prop key="passwordCallbackClass">org.springside.bookstore.plugins.xfire.wss4j.PasswordHandler</prop>
</props>
</property>
</bean>

check the "Signature" and "signaturePropFile". Be Sure not to confuss by "Encrypt" and "decryptionPropFile".  回复  更多评论   

# re: [原创]实施WebService Security[WS-Security1.0]的Encrypt和Sign模式(XFire+WSS4J) 2006-10-13 12:59 guofeng

很高兴国内有这样的作品,不过我做了WS-Security测试, Signature签名这个例子走不通,遇到异常:
org.codehaus.xfire.fault.XFireFault: WSHandler: Signature: error during message processing org.apache..ws.security.WSSecurityException:Signature creation failed; nested exception is: java.lang.NullPointerException
我很希望能够得到您的指点在WS-Security方面。非常感谢!  回复  更多评论   

# re: [原创]实施WebService Security[WS-Security1.0]的Encrypt和Sign模式(XFire+WSS4J) 2006-10-27 12:53 david.turing

Debug一下,我在SpringSide2提供了一个测试的使用类,去借鉴一下?  回复  更多评论   

# re: [原创]实施WebService Security[WS-Security1.0]的Encrypt和Sign模式(XFire+WSS4J) 2007-01-12 13:24 三石

两种方式按照例子都调通了,不过现在有个问题,我的客户端是通过wsdl用XFire的wsgen生成的,生成了3个文件:BookServiceClient.java/BookServiceImpl.java/BookServicePortType.java,仍然用例子中的代码,只是把BookService改成了BookServicePortType,其他基本没变.
发布的方法如果返回的是基本类型,能正常访问到.如果返回的是对象,客户端就会报错org.codehaus.xfire.fault.XFireFault: Couldn't instantiate class. javax.xml.bind.JAXBElement.如果返回的是List,客户端不报错,但List的size为0
对于复杂对象应该怎么处理?用wsgen生成的客户端如何才能和WS security关联起来?  回复  更多评论   

# re: [原创]实施WebService Security[WS-Security1.0]的Encrypt和Sign模式(XFire+WSS4J) 2007-03-09 15:21 lodzio

http://www.filmati-sadomaso.irsuto.info @X@   回复  更多评论   

# re: [原创]实施WebService Security[WS-Security1.0]的Encrypt和Sign模式(XFire+WSS4J) 2007-05-10 18:26 王金柱

使用WSS4J,配置Bouncycastle这个SecurityProvider时,不用更改jdk中的java.security.直接将包bcprov-jdk16-136.jar导入工程即可.下载地址是http://www.bouncycastle.org/

  回复  更多评论   

# re: [原创]实施WebService Security[WS-Security1.0]的Encrypt和Sign模式(XFire+WSS4J) 2007-05-10 18:31 王金柱

最近作网关的安全性功能.david关于WS-Security的文章讲得非常好.对我的
帮助很大.谢谢~~~~~  回复  更多评论   

# re: [原创]实施WebService Security[WS-Security1.0]的Encrypt和Sign模式(XFire+WSS4J) 2007-05-11 10:21 csnowfox

不错不错,我也附上我的客户端中使用spring的Sign模式配置
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
<beans default-autowire="byName">
<bean id="xFireClientFactoryBean"
class="org.codehaus.xfire.spring.remoting.XFireClientFactoryBean">
<property name="serviceClass">
<value>org.cmb.webservice.service.Transaction</value>
</property>
<property name="wsdlDocumentUrl">
<value>http://localhost:9090/transaction.ser?wsdl</value>
</property>
<property name="outHandlers">
<list>
<ref bean="domOutHandler" />
<ref bean="wss4jOutHandlerSign" />
</list>
</property>
</bean>
<bean id="domOutHandler"
class="org.codehaus.xfire.util.dom.DOMOutHandler" />
<bean id="wss4jOutHandlerSign"
class="org.codehaus.xfire.security.wss4j.WSS4JOutHandler">
<property name="properties">
<props>
<prop key="action">Signature</prop>
<prop key="user">ws_security</prop>
<prop key="passwordCallbackClass"> org.cmb.client.web.util.PasswordHandler
</prop>
<prop key="signaturePropFile"> org/cmb/client/web/util/insecurity.properties
</prop>
<prop key="signatureKeyIdentifie">IssuerSerial</prop>
</props>
</property>
</bean>
</beans>  回复  更多评论   

# re: [原创]实施WebService Security[WS-Security1.0]的Encrypt和Sign模式(XFire+WSS4J)[未登录] 2007-05-24 17:14 kevin

有个问题想要问一下:
一个webservices的发布接口,既要签名又要加密该怎么配置?
意思就是客户端的请求需要用自己的私钥签名,用服务端的公钥加密,服务端用客户端的公钥验证签名,用自己的私钥解密  回复  更多评论   

# re: [原创]实施WebService Security[WS-Security1.0]的Encrypt和Sign模式(XFire+WSS4J) 2007-05-30 13:39 王金拄

和只作加密或只作签名时的方法基本一样。
例如:
在服务端配置:
<!-- (6)BookWebService 使用 WSS4J验证 Encrypt & Signature模式-->
<bean id="bookServiceWSS4JSignEnc" class="org.codehaus.xfire.spring.remoting.XFireExporter">
<property name="serviceBean" ref="bookManager"/>
<property name="serviceClass" value="org.springside.bookstore.plugins.xfire.service.BookServiceWSS4JSignEnc"/>
<property name="inHandlers">
<list>
<ref bean="domInHandler"/>
<ref bean="wss4jInHandlerSignEnc"/>
<ref bean="validateUserTokenHandler"/>
</list>
</property>
</bean>

<bean id="wss4jInHandlerSignEnc" class="org.codehaus.xfire.security.wss4j.WSS4JInHandler">
<property name="properties">
<props>
<prop key="action">Encrypt Signature</prop>
<prop key="signaturePropFile">org/springside/bookstore/plugins/xfire/wss4j/insecurity_sign.properties</prop>
<prop key="decryptionPropFile">org/springside/bookstore/plugins/xfire/wss4j/insecurity_enc.properties</prop>
<prop key="passwordCallbackClass">org.springside.bookstore.plugins.xfire.wss4j.PasswordHandler</prop>
</props>
</property>
</bean>

</beans>

客户端也作相应的修改即可。
注意:1.客户端在配置WSHandlerConstants.ACTION时,Encrypt Signature的顺序不能写反。
2.用于加密和签名的密钥对最好配置成独立的两对。  回复  更多评论   

# re: [原创]实施WebService Security[WS-Security1.0]的Encrypt和Sign模式(XFire+WSS4J) 2007-05-30 16:35 王金拄

@kevin
在xfire-distribution-1.2.6中的example文件夹中有个ws-security例子。也可以借鉴一下。  回复  更多评论   

# re: [原创]实施WebService Security[WS-Security1.0]的Encrypt和Sign模式(XFire+WSS4J) 2007-05-31 08:59 yanghuw

我写Client代码调用时为什么抛出异常,说NamespaceURI cannot be null.  回复  更多评论   

# re: [原创]实施WebService Security[WS-Security1.0]的Encrypt和Sign模式(XFire+WSS4J) 2007-06-01 18:27 王金拄

可能是你的服务端设置了命名空间而客户端没有设置命名空间。
要把服务端和客户端都的命名空间设置成相同的。或者都用默认的  回复  更多评论   

# re: [原创]实施WebService Security[WS-Security1.0]的Encrypt和Sign模式(XFire+WSS4J) 2007-06-03 14:39 sdfa

能和acegi集成实现安全认证?  回复  更多评论   

# re: [原创]实施WebService Security[WS-Security1.0]的Encrypt和Sign模式(XFire+WSS4J) 2007-06-04 12:05 yanghuw

我没有指定命名空间,如果返回的对象的所有属性都是基本类型的话没有问题,但是如果属性包含别的对象就会抛出异常
  回复  更多评论   

# re: [原创]实施WebService Security[WS-Security1.0]的Encrypt和Sign模式(XFire+WSS4J) 2007-06-11 11:04 nesta

为什么我的老是报这个错误呢?我使用的是1.26版的。
2007-06-11 10:59:12,640 ERROR - Servlet.service() for servlet jsp threw excepti
on
java.lang.IllegalStateException: getOutputStream() has already been called for t
his response
at org.apache.catalina.connector.Response.getWriter(Response.java:599)
at org.apache.catalina.connector.ResponseFacade.getWriter(ResponseFacade
.java:195)
at org.apache.jasper.runtime.JspWriterImpl.initOut(JspWriterImpl.java:12
4)
at org.apache.jasper.runtime.JspWriterImpl.flushBuffer(JspWriterImpl.jav
a:117)
at org.apache.jasper.runtime.PageContextImpl.release(PageContextImpl.jav
a:191)
at org.apache.jasper.runtime.JspFactoryImpl.internalReleasePageContext(J
spFactoryImpl.java:115)
at org.apache.jasper.runtime.JspFactoryImpl.releasePageContext(JspFactor
yImpl.java:75)
at org.apache.jsp.image_jsp._jspService(image_jsp.java:129)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:97)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper
.java:332)
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:3
14)
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:264)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appl
icationFilterChain.java:252)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationF
ilterChain.java:173)
at com.syscanhc.tjy.util.SetCharacterEncodingFilter.doFilter(SetCharacte
rEncodingFilter.java:171)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appl
icationFilterChain.java:202)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationF
ilterChain.java:173)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperV
alve.java:213)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextV
alve.java:178)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.j
ava:126)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.j
ava:105)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineVal
ve.java:107)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.jav
a:148)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java
:869)
at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.p
rocessConnection(Http11BaseProtocol.java:664)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpo
int.java:527)
at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFol
lowerWorkerThread.java:80)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadP
ool.java:684)
at java.lang.Thread.run(Thread.java:595)  回复  更多评论   

# re: [原创]实施WebService Security[WS-Security1.0]的Encrypt和Sign模式(XFire+WSS4J) 2007-06-12 20:26 ntucz

.net有可能调用ws-security啊?  回复  更多评论   

# re: [原创]实施WebService Security[WS-Security1.0]的Encrypt和Sign模式(XFire+WSS4J)[未登录] 2007-08-29 11:05 Neil

insecurity_sign.properties
这个文件没有呀  回复  更多评论   

# re: [原创]实施WebService Security[WS-Security1.0]的Encrypt和Sign模式(XFire+WSS4J) 2007-09-27 11:29 null

好像是xfire带的例子的子集  回复  更多评论   

# re: [原创]实施WebService Security[WS-Security1.0]的Encrypt和Sign模式(XFire+WSS4J) 2007-10-11 16:20 yd

" Encrypt模式的Client是在客户端用david的公钥加密Soap里面的usernameToken,然后发送到Web服务,Web服务用david的私钥来验证。这种模式需要客户端预先知道服务器端的公钥。"
encrypt模式是对usernameToken加密还是对整个soap消息加密?如过是前者,那如何对整个soap消息加密来保证消息的安全性呢?  回复  更多评论   

# re: [原創]實施WebService Security[WS-Security1.0]的Encrypt和Sign模式(XFire+WSS4J) 2007-12-23 14:19 srvrv12

我在Sign的模式下一直出現
Could not invoke service.. Nested exception is org.codehaus.xfire.fault.XFireFault: WSS4JInHandler: security processing failed
但在Enc的模式下卻是正常的,我檢查過所有的配置及寫法都是正確的,請問一下問題可能出在那裡?

另外,我用Enc的模式在 TCP/IP Monitor裡進行觀查,發現Client所發出的訊息是有加密,但Server端所回覆的卻是明碼,請問我如何進行加密? thanks~~  回复  更多评论   

# re: [原创]实施WebService Security[WS-Security1.0]的Encrypt和Sign模式(XFire+WSS4J)[未登录] 2007-12-29 11:38 MagicYang

楼上的第二个问题应该是没有配置outHandlers
<bean id="bookServiceWSS4JEnc" class="org.codehaus.xfire.spring.remoting.XFireExporter">
<property name="serviceBean" ref="bookManager"/>
<property name="serviceClass" value="org.springside.bookstore.plugins.xfire.service.BookServiceWSS4JEnc"/>
<property name="inHandlers">
<list>
<ref bean="domInHandler"/>
<ref bean="wss4jInHandlerEnc"/>
<ref bean="validateUserTokenHandler"/>
</list>
</property>
<property name="outHandlers">
<list>
...
</list>
</property>
</bean>  回复  更多评论   

# re: [原创]实施WebService Security[WS-Security1.0]的Encrypt和Sign模式(XFire+WSS4J)[未登录] 2008-01-15 13:05 bruce

写的不错!  回复  更多评论   

# re: [原创]实施WebService Security[WS-Security1.0]的Encrypt和Sign模式(XFire+WSS4J)[未登录] 2008-01-15 16:55 william

16:47:32,875 DEBUG [org.codehaus.xfire.handler.HandlerPipeline] Invoking handler org.codehaus.xfire.soap.handler.ValidateHeadersHandler in phase pre-invoke
16:47:32,906 INFO [org.codehaus.xfire.handler.DefaultFaultHandler] Fault occurred!
org.codehaus.xfire.fault.XFireFault: Header {Security}http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd was not undertsood by the service.
at org.codehaus.xfire.soap.handler.ValidateHeadersHandler.assertUnderstandsHeader(ValidateHeadersHandler.java:76)
at org.codehaus.xfire.soap.handler.ValidateHeadersHandler.invoke(ValidateHeadersHandler.java:53)
at org.codehaus.xfire.handler.HandlerPipeline.invoke(HandlerPipeline.java:131)
at org.codehaus.xfire.transport.DefaultEndpoint.onReceive(DefaultEndpoint.java:64)
at org.codehaus.xfire.transport.AbstractChannel.receive(AbstractChannel.java:38)
at org.codehaus.xfire.transport.http.XFireServletController.invoke(XFireServletController.java:304)
at org.codehaus.xfire.transport.http.XFireServletController.doService(XFireServletController.java:129)
at org.codehaus.xfire.transport.http.XFireServlet.doPost(XFireServlet.java:116)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.apache.struts2.dispatcher.FilterDispatcher.doFilter(FilterDispatcher.java:413)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.apache.struts2.dispatcher.ActionContextCleanUp.doFilter(ActionContextCleanUp.java:99)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:81)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
at org.jboss.web.tomcat.security.CustomPrincipalValve.invoke(CustomPrincipalValve.java:39)
at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:159)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:59)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
at java.lang.Thread.run(Thread.java:595)  回复  更多评论   

# re: [原创]实施WebService Security[WS-Security1.0]的Encrypt和Sign模式(XFire+WSS4J)[未登录] 2008-01-15 16:56 william

谁能告诉我这个异常是为什么啊?斑竹在吗?  回复  更多评论   

# re: [原创]实施WebService Security[WS-Security1.0]的Encrypt和Sign模式(XFire+WSS4J)[未登录] 2008-01-15 16:56 william

16:47:32,875 DEBUG [org.codehaus.xfire.handler.HandlerPipeline] Invoking handler org.codehaus.xfire.soap.handler.ValidateHeadersHandler in phase pre-invoke
16:47:32,906 INFO [org.codehaus.xfire.handler.DefaultFaultHandler] Fault occurred!
org.codehaus.xfire.fault.XFireFault: Header {Security}http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd was not undertsood by the service.
at org.codehaus.xfire.soap.handler.ValidateHeadersHandler.assertUnderstandsHeader(ValidateHeadersHandler.java:76)
at org.codehaus.xfire.soap.handler.ValidateHeadersHandler.invoke(ValidateHeadersHandler.java:53)
at org.codehaus.xfire.handler.HandlerPipeline.invoke(HandlerPipeline.java:131)
at org.codehaus.xfire.transport.DefaultEndpoint.onReceive(DefaultEndpoint.java:64)
at org.codehaus.xfire.transport.AbstractChannel.receive(AbstractChannel.java:38)
at org.codehaus.xfire.transport.http.XFireServletController.invoke(XFireServletController.java:304)
at org.codehaus.xfire.transport.http.XFireServletController.doService(XFireServletController.java:129)
at org.codehaus.xfire.transport.http.XFireServlet.doPost(XFireServlet.java:116)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.apache.struts2.dispatcher.FilterDispatcher.doFilter(FilterDispatcher.java:413)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.apache.struts2.dispatcher.ActionContextCleanUp.doFilter(ActionContextCleanUp.java:99)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:81)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
at org.jboss.web.tomcat.security.CustomPrincipalValve.invoke(CustomPrincipalValve.java:39)
at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:159)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:59)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
at java.lang.Thread.run(Thread.java:595)  回复  更多评论   

# re: [原创]实施WebService Security[WS-Security1.0]的Encrypt和Sign模式(XFire+WSS4J)[未登录] 2008-01-18 16:31 william

斑竹能给我一个完整的例子吗?例如怎么配置services.xml文件,怎么和SPRING 整合,怎么生成私钥和公钥和证书等等,还有怎么通过SOAP HEADER来认证的,怎么通过SESSION认证,怎么实现和ACEGI的整合,怎么解决上面的问题,希望斑竹给个联系方式,我们可以交流交流,我的EMAIL是:362726130@QQ.COM,谢谢!  回复  更多评论   

# re: [原创]实施WebService Security[WS-Security1.0]的Encrypt和Sign模式(XFire+WSS4J) 2008-04-15 22:17 wmcoo

终于找到了,迟来的星星  回复  更多评论   

# re: [原创]实施WebService Security[WS-Security1.0]的Encrypt和Sign模式(XFire+WSS4J)[未登录] 2008-07-27 01:10 sam

如果客户端的是多个密钥的话,服务端怎么处理,怎么选择客户端的公钥来加密呢?  回复  更多评论   

# re: [原创]实施WebService Security[WS-Security1.0]的Encrypt和Sign模式(XFire+WSS4J) 2008-09-24 15:33 hello

SecureX 是什么啊,怎么用啊?  回复  更多评论   

# re: [原创]实施WebService Security[WS-Security1.0]的Encrypt和Sign模式(XFire+WSS4J) 2008-09-24 15:33 hello

生成.jks文件的sourceX是什么?怎么用的?什么原理呀?   回复  更多评论   

# re: [原创]实施WebService Security[WS-Security1.0]的Encrypt和Sign模式(XFire+WSS4J) 2008-11-26 13:14 leke_斌

真是好文章 在这篇文章的基础上我实现了用户验证+报文加密的WS-Security,在结合中出现org.apache.ws.security.components.crypto.Merlin cannot create instance这个异常 花费了我一天的时间才解决这问题 最后我是重新配置了一遍密钥库文件,把私钥和密钥对的别名的访问密码重新设定。

但现在我这边还有个问题,因为我这边是C#与java两点交互的系统 不知在C#端能不能怎么加密报文
大家多多指教 email: liubinan@yahoo.com.cn
  回复  更多评论   

# re: [原创]实施WebService Security[WS-Security1.0]的Encrypt和Sign模式(XFire+WSS4J) 2009-01-15 09:26 赈灾研究

@三石
Service serviceModel = new ObjectServiceFactory(
new AegisBindingProvider(new JaxbTypeRegistry()))
.create(UserServiceComPortType.class);

myeclipse自动生成的web service与xfire默认的绑定方式不一样造成的。
xfire默认的绑定方式是:aegis。而生成的客户端是用的JAXB@三石
  回复  更多评论   

# re: [原创]实施WebService Security[WS-Security1.0]的Encrypt和Sign模式(XFire+WSS4J) 2011-06-02 21:10 xuezhishou

不知楼主现在是否还能回答下问题!本人遇到了和srvrv12的第一个问题一样的问题,即在Sign的模式下一直出現 Could not invoke service.. Nested exception is org.codehaus.xfire.fault.XFireFault: WSS4JInHandler: security processing failed ,不知是否已经有人解决了,可否赐教下
  回复  更多评论   


只有注册用户登录后才能发表评论。


网站导航:
 

导航

统计

常用链接

留言簿(110)

我参与的团队

随笔分类(126)

随笔档案(155)

文章分类(9)

文章档案(19)

相册

搜索

积分与排名

最新随笔

最新评论

阅读排行榜

评论排行榜