Web Service Security with Axis2

Posted 悦峰


This document is based on the following versions of the applications:

Axis2 1.3, Rampart 1.3, Tomcat 5.5

If you use higher versions of them, this document may be out of date for you.

 

1. Rampart setup

Axis2 comes with a module based on Apache WSS4J [1] to provide WS-Security features, called "Rampart".

Rampart is released as a separate Axis2 module, so you must download it separately.

You can download the Rampart 1.3 release at:

http://www.apache.org/dyn/mirrors/mirrors.cgi/ws/rampart/1_3/rampart-1.3.zip

For how to set up Rampart, refer to the readme.txt in the zip file you downloaded. After that, engage the module by inserting the following in the axis2.xml file at:

[your tomcat directory]/webapps/axis2/WEB-INF/conf.

 

<module ref="rampart"/>

 

2. Configuration

The Rampart module uses two parameters:

OutflowSecurity

InflowSecurity

 

2.1 OutflowSecurity Parameter

This parameter is used to configure the outflow security handler. The outflow handler can be invoked more than once in the outflow, and a configuration can be provided for each of these invocations. The 'action' element describes one of these configurations, so the 'OutflowSecurity' parameter can contain more than one 'action' element.

 

Following is a description of the elements that can go in an 'action' element of the OutflowSecurity parameter.

 

Parameter / Description / Example

items
    Security actions for the outflow.
    Example: add a Timestamp, sign the SOAP body and encrypt the SOAP body:
    <items>Timestamp Signature Encrypt</items>

user
    The user's name.
    Example: set the alias of the key to be used to sign:
    <user>bob</user>

passwordCallbackClass
    Callback class used to provide the password required to create the UsernameToken or to sign the message.
    Example:
    <passwordCallbackClass>org.apache.axis2.security.PWCallback</passwordCallbackClass>

signaturePropFile
    Property file used to get the signature parameters such as the crypto provider, the keystore and its password.
    Example: set example.properties as the signature property file:
    <signaturePropFile>example.properties</signaturePropFile>

signatureKeyIdentifier
    Key identifier to be used to refer to the key in the signature.
    Example: use the issuer and serial number of the certificate:
    <signatureKeyIdentifier>IssuerSerial</signatureKeyIdentifier>

encryptionKeyIdentifier
    Key identifier to be used to refer to the key in encryption.
    Example: use the issuer and serial number of the certificate:
    <encryptionKeyIdentifier>IssuerSerial</encryptionKeyIdentifier>

encryptionUser
    The user's name for encryption.
    Example:
    <encryptionUser>alice</encryptionUser>

encryptionSymAlgorithm
    Symmetric algorithm to be used for encryption.
    Example: use AES-128 (CBC):
    <encryptionSymAlgorithm>http://www.w3.org/2001/04/xmlenc#aes128-cbc</encryptionSymAlgorithm>

encryptionKeyTransportAlgorithm
    Key encryption (key transport) algorithm.
    Example: use RSA-OAEP:
    <encryptionKeyTransportAlgorithm>http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p</encryptionKeyTransportAlgorithm>

signatureParts
    Sign multiple parts of the SOAP message.
    Example: sign the Foo and Bar elements qualified by "http://app.ns/ns":
    <signatureParts>{Element}{http://app.ns/ns}Foo;{Element}{http://app.ns/ns}Bar</signatureParts>

optimizeParts
    MTOM-optimize the elements selected by the XPath query.
    Example: optimize the CipherValue:
    <optimizeParts>//xenc:EncryptedData/xenc:CipherData/xenc:CipherValue</optimizeParts>

 

2.2 InflowSecurity Parameter

This parameter is used to configure the inflow security handler. The 'action' element is used to encapsulate the configuration elements here as well.

 

Parameter / Description / Example

items
    Security actions for the inflow.
    Example: the incoming message should first be decrypted, then the signatures should be verified, and finally the presence of the Timestamp should be checked:
    <items>Timestamp Signature Encrypt</items>

passwordCallbackClass
    Callback class used to obtain the password for decryption and UsernameToken verification.
    Example:
    <passwordCallbackClass>org.apache.axis2.security.PWCallback</passwordCallbackClass>

signaturePropFile
    Property file used for signature verification.
    Example:
    <signaturePropFile>sig.properties</signaturePropFile>

decryptionPropFile
    Property file used for decryption.
    Example:
    <decryptionPropFile>dec.properties</decryptionPropFile>

 

3. Using the basic Rampart configuration

Using the basic Rampart configuration requires you to change two configuration files. One is on the server side, packaged in the service's .aar file and called services.xml; the other is on the client side and is usually named axis2.xml.

 

3.1 No security

First let’s take a look at a simple web service without security.

The services.xml file on server:

 

<service>
    <operation name="echo">
        <messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
    </operation>
    <parameter name="ServiceClass" locked="false">org.apache.rampart.samples.sample01.SimpleService</parameter>
    <module ref="rampart" />
</service>

 

The axis2.xml file on client:

 

<axisconfig name="AxisJava2.0">
    <module ref="rampart" />
    <!-- ... other parameters we don't care about ... -->
</axisconfig>

 

Request soap message:

 

<?xml version='1.0' encoding='UTF-8'?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Body>
        <ns1:echo xmlns:ns1="http://sample01.samples.rampart.apache.org">
            <param0>Hello world</param0>
        </ns1:echo>
    </soapenv:Body>
</soapenv:Envelope>

 

Response soap message:

 

<?xml version='1.0' encoding='UTF-8'?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Body>
        <ns:echoResponse xmlns:ns="http://sample01.samples.rampart.apache.org">
            <ns:return>Hello world</ns:return>
        </ns:echoResponse>
    </soapenv:Body>
</soapenv:Envelope>

 

As you can see, there is no security information attached to the SOAP message; there is not even a soapenv:Header in the envelope.

 

3.2 Username token

“WS-Security 2004” defines the <wsse:Security> header as a mechanism for conveying security information with and about a SOAP message. This header is, by design, extensible to support many types of security information. For security tokens based on XML, the extensibility of the <wsse:Security> header allows for these security tokens to be directly inserted into the header.

The Username token is the simplest token, and you can use this type of security easily with Rampart.

 

The services.xml file on server:

 

<service>
    <operation name="echo">
        <messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
    </operation>
    <parameter name="ServiceClass" locked="false">org.apache.rampart.samples.sample03.SimpleService</parameter>

    <module ref="rampart" />
    <parameter name="InflowSecurity">
        <action>
            <items>UsernameToken</items>
            <passwordCallbackClass>org.apache.rampart.samples.sample03.PWCBHandler</passwordCallbackClass>
        </action>
    </parameter>
</service>

 

 

The axis2.xml file on client:

 

<axisconfig name="AxisJava2.0">
    <module ref="rampart" />
    <parameter name="OutflowSecurity">
        <action>
            <items>UsernameToken</items>
            <user>bob</user>
            <passwordCallbackClass>org.apache.rampart.samples.sample03.PWCBHandler</passwordCallbackClass>
            <passwordType>PasswordText</passwordType>
        </action>
    </parameter>
    <!-- ... other parameters we don't care about ... -->
</axisconfig>

 

From the two configuration files we learn that a Username token is attached only to messages going from the client to the server. Note also the element named "passwordCallbackClass", which names a Java class. Of course, nobody thinks that putting the username and password in the configuration file is a good idea, so Rampart requires you to write a callback class that supplies or validates the security information. Here is the source code of this class:

 

package org.apache.rampart.samples.sample03;

import org.apache.ws.security.WSPasswordCallback;
import javax.security.auth.callback.Callback;
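The listing above is cut off after the imports. What follows is an added, complete callback handler written for this document to match the configuration in 3.2 (user bob, PasswordText); it is not the Rampart sample's own source, and the credential "bob"/"bobPW" is a constructed sample value. It also handles the PasswordDigest case, which the page's configuration does not use, because the same handler is called differently for the two password types.

```java
package org.apache.rampart.samples.sample03;

import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

// Password callback for the UsernameToken configuration above (WSS4J 1.5 API).
// Rampart calls it on the client to obtain bob's password when building the token,
// and on the server to verify the token it received.
public class PWCBHandler implements CallbackHandler {

    // Constructed sample credential; a real handler looks the user up in a
    // credential store and never keeps a cleartext password in code.
    private static final String USER = "bob";
    private static final String PASSWORD = "bobPW";

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (!(callbacks[i] instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callbacks[i], "unrecognized callback");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) callbacks[i];
            String id = pwcb.getIdentifer(); // WSS4J 1.5 spelling; later versions add getIdentifier()

            switch (pwcb.getUsage()) {
            case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN:
                // Inflow with PasswordText: the received cleartext password is in the
                // callback and WSS4J expects us to verify it, throwing on mismatch.
                if (!USER.equals(id) || !PASSWORD.equals(pwcb.getPassword())) {
                    throw new UnsupportedCallbackException(callbacks[i], "authentication failed for " + id);
                }
                break;
            case WSPasswordCallback.USERNAME_TOKEN:
                // Outflow token creation, or inflow with PasswordDigest: supply the stored
                // password so WSS4J can put it in the token or recompute the digest.
                if (!USER.equals(id)) {
                    throw new UnsupportedCallbackException(callbacks[i], "unknown user " + id);
                }
                pwcb.setPassword(PASSWORD);
                break;
            default:
                throw new UnsupportedCallbackException(callbacks[i], "unsupported usage " + pwcb.getUsage());
            }
        }
    }
}
```

With PasswordText, as configured above, the password travels in clear inside the <wsse:Security> header, so this setup relies on transport protection such as TLS; switching the client's passwordType to PasswordDigest avoids sending the cleartext password and works with the same handler.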
