Web Service Security with Axis2
Posted by 悦峰
Preface: this article was compiled by the editors of 小常识网 (cha138.com). It introduces Web Service Security with Axis2 and is offered for reference.
This document is based on the following versions:
Axis2 1.3, Rampart 1.3, Tomcat 5.5
If you are using newer versions, parts of this document may be out of date.
1. Rampart setup
Axis2 provides WS-Security features through a module called "Rampart", which is built on Apache WSS4J [1].
Rampart is released separately from Axis2, so you have to download it on its own.
You can download the release of rampart1.3 at:
http://www.apache.org/dyn/mirrors/mirrors.cgi/ws/rampart/1_3/rampart-1.3.zip
For how to set up Rampart, refer to the readme.txt in the zip file you downloaded. After that, engage the module by inserting the following line into the axis2.xml file located at [your tomcat directory]/webapps/axis2/WEB-INF/conf:
<module ref="rampart"/>
2. Configuration
The Rampart module is configured through two parameters:
OutflowSecurity
InflowSecurity
2.1 OutflowSecurity Parameter
This parameter configures the outflow security handler. The outflow handler can be invoked more than once in the outflow, and a configuration can be provided for each invocation. Each 'action' element describes one such configuration, so the 'OutflowSecurity' parameter can contain more than one 'action' element.
The following elements can go in an 'action' element of the OutflowSecurity parameter:
Parameter | Description | Example
--- | --- | ---
items | Security actions for the outflow, applied in the order listed | Add a Timestamp, sign the SOAP body and encrypt the SOAP body
user | The user's name; for signing, the alias of the key to be used | Set the alias of the key to be used to sign
passwordCallbackClass | Callback class used to provide the password required to create the UsernameToken or to sign the message | <passwordCallbackClass>org.apache.axis2.security.PWCallback</passwordCallbackClass>
signaturePropFile | Property file used to get the signature parameters such as crypto provider, keystore and its password | Set example.properties as the signature property file
signatureKeyIdentifier | Key identifier used to refer to the key in the signature | Use the serial number of the certificate
encryptionKeyIdentifier | Key identifier used to refer to the key in encryption | Use the serial number of the certificate
encryptionUser | The user's name for encryption, i.e. the alias of the recipient's certificate in the keystore |
encryptionSymAlgorithm | Symmetric algorithm to be used for encryption | Use AES-128
encryptionKeyTransportAlgorithm | Key transport (key encryption) algorithm | Use RSA-OAEP
signatureParts | Sign multiple parts of the SOAP message | Sign the Foo and Bar elements qualified by "http://app.ns/ns"
optimizeParts | MTOM-optimize the elements selected by an XPath query | Optimize the CipherValue
2.2 InflowSecurity Parameter
This parameter configures the inflow security handler. Here too, the 'action' element encapsulates the configuration elements.
Parameter | Description | Example
--- | --- | ---
items | Security actions expected in the inflow | First decrypt the incoming message, then verify the signatures and check that a Timestamp is present
passwordCallbackClass | Callback class used to obtain the password for decryption and for UsernameToken verification |
signaturePropFile | Property file used for signature verification |
decryptionPropFile | Property file used for decryption |
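The following is an added example, not code from the original page or from Rampart's own samples. It shows how the elements from both tables combine into one client configuration for Timestamp, Signature and Encrypt, built with Rampart 1.3's org.apache.rampart.handler.config.OutflowConfiguration and InflowConfiguration helper classes, which produce the same OutflowSecurity and InflowSecurity parameters one would otherwise write as XML in axis2.xml. The key aliases "client" and "service", the property file name client.properties, and the callback class com.example.ws.ClientPWCBHandler are assumptions.

```java
// Added example; assumes Rampart 1.3 (org.apache.rampart.handler.config.*) and Axis2 1.3.
// Names marked as assumed (aliases, property file, callback class) are placeholders.
import org.apache.axis2.client.Options;
import org.apache.axis2.client.ServiceClient;
import org.apache.rampart.handler.WSSHandlerConstants;
import org.apache.rampart.handler.config.InflowConfiguration;
import org.apache.rampart.handler.config.OutflowConfiguration;

public class SignEncryptClientConfig {

    public static void apply(ServiceClient client) throws Exception {
        // Same effect as <module ref="rampart"/> in the client's axis2.xml.
        client.engageModule("rampart");
        Options options = client.getOptions();

        // OutflowSecurity: one <action> with three items, applied in this order.
        OutflowConfiguration ofc = new OutflowConfiguration();
        ofc.setActionItems("Timestamp Signature Encrypt");
        // 'user': alias of the client's private signing key in the keystore (assumed alias).
        ofc.setUser("client");
        // 'passwordCallbackClass': hands WSS4J the password of that private key (assumed class).
        ofc.setPasswordCallbackClass("com.example.ws.ClientPWCBHandler");
        // 'signaturePropFile': crypto provider, keystore location and keystore password (assumed file).
        ofc.setSignaturePropFile("client.properties");
        // 'signatureKeyIdentifier' / 'encryptionKeyIdentifier': refer to certificates by
        // issuer name and serial number, the "serial number" example from the table.
        ofc.setSignatureKeyIdentifier("IssuerSerial");
        ofc.setEncryptionKeyIdentifier("IssuerSerial");
        // 'encryptionUser': alias of the service's public certificate (assumed alias);
        // the symmetric key is wrapped for this certificate.
        ofc.setEncryptionUser("service");
        // 'encryptionSymAlgorithm' (AES-128) and 'encryptionKeyTransportAlgorithm' (RSA-OAEP)
        // are given as XML Encryption algorithm URIs.
        ofc.setEncryptionSymAlgorithm("http://www.w3.org/2001/04/xmlenc#aes128-cbc");
        ofc.setEncryptionKeyTransportAlgorithm("http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p");
        // 'signatureParts': sign the Foo and Bar elements from http://app.ns/ns in addition
        // to the Body, using WSS4J's {Element}{namespace}localName syntax.
        ofc.setSignatureParts("{Element}{http://app.ns/ns}Foo;{Element}{http://app.ns/ns}Bar");
        options.setProperty(WSSHandlerConstants.OUTFLOW_SECURITY, ofc.getProperty());

        // InflowSecurity for the response: decrypt, verify the signature, require a Timestamp.
        InflowConfiguration ifc = new InflowConfiguration();
        ifc.setActionItems("Timestamp Signature Encrypt");
        // Callback supplies the password of the client's decryption key.
        ifc.setPasswordCallbackClass("com.example.ws.ClientPWCBHandler");
        ifc.setSignaturePropFile("client.properties");
        ifc.setDecryptionPropFile("client.properties");
        options.setProperty(WSSHandlerConstants.INFLOW_SECURITY, ifc.getProperty());
    }
}
```

The service side needs the mirror image: an InflowSecurity action with the same three items and the service's own property files and callback, and an OutflowSecurity action that signs with the service key and encrypts for the "client" alias. Because the inflow items list declares what the receiver requires, a message that omits the Signature or Timestamp is rejected rather than silently accepted.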
3. Using a basic Rampart configuration
A basic Rampart configuration requires changing two configuration files. One is on the server side: the services.xml packaged inside the service's .aar file. The other is on the client side, usually named axis2.xml.
3.1 No security
First let's look at a simple web service without security.
The services.xml file on the server:
<service>
    <operation name="echo">
        <messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
    </operation>
    <parameter name="ServiceClass" locked="false">org.apache.rampart.samples.sample01.SimpleService</parameter>
    <module ref="rampart"/>
</service>
The axis2.xml file on the client:
<axisconfig name="AxisJava2.0">
    <module ref="rampart"/>
    ...... other parameters we don't care about
</axisconfig>
Request SOAP message:
<?xml version='1.0' encoding='UTF-8'?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Body>
        <ns1:echo xmlns:ns1="http://sample01.samples.rampart.apache.org">
            <param0>Hello world</param0>
        </ns1:echo>
    </soapenv:Body>
</soapenv:Envelope>
Response SOAP message:
<?xml version='1.0' encoding='UTF-8'?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Body>
        <ns:echoResponse xmlns:ns="http://sample01.samples.rampart.apache.org">
            <ns:return>Hello world</ns:return>
        </ns:echoResponse>
    </soapenv:Body>
</soapenv:Envelope>
As you can see, no security information is attached to the SOAP messages; there is not even a soapenv:Header in the envelope.
3.2 Username token
“WS-Security 2004” defines the <wsse:Security> header as a mechanism for conveying security information with and about a SOAP message. This header is, by design, extensible to support many types of security information. For security tokens based on XML, the extensibility of the <wsse:Security> header allows for these security tokens to be directly inserted into the header.
The username token is the simplest token, and Rampart makes this type of security easy to use.
The services.xml file on the server:
<service>
    <operation name="echo">
        <messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
    </operation>
    <parameter name="ServiceClass" locked="false">org.apache.rampart.samples.sample03.SimpleService</parameter>
    <module ref="rampart"/>
    <parameter name="InflowSecurity">
        <action>
            <items>UsernameToken</items>
            <passwordCallbackClass>org.apache.rampart.samples.sample03.PWCBHandler</passwordCallbackClass>
        </action>
    </parameter>
</service>
The axis2.xml file on the client:
<axisconfig name="AxisJava2.0">
    <module ref="rampart"/>
    <parameter name="OutflowSecurity">
        <action>
            <items>UsernameToken</items>
            <user>bob</user>
            <passwordCallbackClass>org.apache.rampart.samples.sample03.PWCBHandler</passwordCallbackClass>
            <passwordType>PasswordText</passwordType>
        </action>
    </parameter>
    ...... other parameters we don't care about
</axisconfig>
From the two configuration files we see that a username token is attached only to messages from the client to the server (OutflowSecurity on the client, InflowSecurity on the server). Note also the "passwordCallbackClass" element, which names a Java class: nobody would consider putting usernames and passwords in a configuration file a good idea, so Rampart requires you to write a callback class that supplies and validates the credentials. Note that passwordType PasswordText puts the password into the wsse:Security header in clear text, so this configuration is only acceptable over a protected transport such as HTTPS; the WS-Security UsernameToken profile also defines PasswordDigest for cases where that is not available. Here is the source code of the callback class:
package org.apache.rampart.samples.sample03;

import org.apache.ws.security.WSPasswordCallback;
import javax.security.auth.callback.Callback;
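The listing above breaks off after the imports. The following is an added example, not the page's class and not Rampart's sample03 code, of a callback handler that does the two jobs the text describes, written against WSS4J 1.5.x as bundled with Rampart 1.3 (which spells the accessor getIdentifer()). On the client it supplies the password Rampart writes into the UsernameToken. On the server it either verifies a received PasswordText token, which WSS4J presents with usage USERNAME_TOKEN_UNKNOWN and expects the handler to reject by throwing, or supplies the stored password so WSS4J can verify a PasswordDigest token. The package name com.example.ws, the password "bobPW" and the in-memory credential map are assumptions.

```java
// Added example (not the original page's class). Assumes WSS4J 1.5.x / Rampart 1.3.
package com.example.ws; // hypothetical package

import java.io.IOException;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

public class PWCBHandler implements CallbackHandler {

    // Constructed credential store for the example. Real code would consult a
    // directory or database and, for PasswordText, store only password hashes.
    private static final Map<String, String> PASSWORDS = new HashMap<String, String>();
    static {
        PASSWORDS.put("bob", "bobPW"); // "bob" is the user from the client config; password assumed
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (!(callbacks[i] instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callbacks[i], "Unrecognized callback");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) callbacks[i];
            String id = pwcb.getIdentifer();          // user name from the token (WSS4J 1.5 spelling)
            String expected = PASSWORDS.get(id);      // null for unknown users

            switch (pwcb.getUsage()) {
                case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN:
                    // Server side, PasswordText: the received password is in pwcb.getPassword()
                    // and this handler decides. Unknown user and wrong password fail the same way.
                    if (expected == null || !constantTimeEquals(expected, pwcb.getPassword())) {
                        throw new UnsupportedCallbackException(pwcb, "Authentication failed");
                    }
                    break;
                case WSPasswordCallback.USERNAME_TOKEN:
                    // Client side (to build the token) and server side for PasswordDigest
                    // (to recompute the digest): WSS4J needs the stored password.
                    if (expected == null) {
                        throw new UnsupportedCallbackException(pwcb, "Unknown user");
                    }
                    pwcb.setPassword(expected);
                    break;
                default:
                    // SIGNATURE / DECRYPT usages ask for a private-key password. This handler
                    // only serves UsernameTokens, so refuse rather than return a guess.
                    throw new UnsupportedCallbackException(pwcb, "Unsupported usage " + pwcb.getUsage());
            }
        }
    }

    // Compare without leaking the position of the first differing byte through timing.
    static boolean constantTimeEquals(String expected, String supplied) throws IOException {
        if (supplied == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes("UTF-8"), supplied.getBytes("UTF-8"));
    }
}
```

Any exception thrown from the handler makes WSS4J fail the UsernameToken check, so the service rejects the request instead of processing it; the handler never needs to know whether it is running inside the client's OutflowSecurity or the server's InflowSecurity, because the usage value tells it which path it is on.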