我正在尝试使用 WebLogic 10.3.6 库从独立的 JAX-WS 客户端调用 Metro 安全 Web 服务。WS 使用 2-way X.509 策略进行保护。
我的 WS 期望我的 SOAP 请求使用服务器公钥加密和签名。但是,在尝试了WebLogic 手册中的示例后,我发现 JAX-WS 客户端使用客户端私钥对肥皂请求进行签名,并使用服务器公钥对它们进行加密。
- 需要:加密和签名 -> 服务器公钥
- 当前:加密 -> 服务器公钥;签名 -> 客户端私钥
如何配置我的独立客户端,以便它对 SOAP 请求进行所需的签名和加密?
客户端代码和策略粘贴在下面。谢谢,巴斯
客户端代码:
public class Main {
public static void main(String[] args) {
// Prepare request
MyServiceService test = new MyServiceService();
MyService port = test.getMyServicePort();
// String constants to for server certificate, and client identity store
String serverCertFile = "D:\\Development\\ws-config\\client_trust.der";
String clientKeyStore = "D:\\Development\\ws-config\\client_store.jks";
String clientKeyStorePass = "Leia";
String clientKeyAlias = "trust";
String clientKeyPass = "Leia";
// Create list of credential providers
List<CredentialProvider> credProviders = new ArrayList<CredentialProvider>();
X509Certificate serverCertInit = null;
CredentialProvider cp = null;
try {
// Create a credential provider with the client indentity and the server certificate
serverCertInit = (X509Certificate) CertUtils.getCertificate(serverCertFile);
serverCertInit.checkValidity();
cp = new ClientBSTCredentialProvider(clientKeyStore, clientKeyStorePass, clientKeyAlias, clientKeyPass, "JKS", serverCertInit);
} catch (Exception e) {
e.printStackTrace();
System.exit(1);
}
credProviders.add(cp);
// Finally add the credential providers to the request context
Map<String, Object> requestContext = ((BindingProvider) port).getRequestContext();
requestContext.put(WSSecurityContext.CREDENTIAL_PROVIDER_LIST, credProviders);
List certificate = CertUtils.getCertificate(clientKeyStore, clientKeyStorePass, clientKeyAlias, "JKS");
final X509Certificate clientCert = (X509Certificate) certificate.get(0);
final X509Certificate serverCert = serverCertInit;
// Setup the TrustManager to verify the signature on the returned message
requestContext.put(WSSecurityContext.TRUST_MANAGER, new TrustManager() {
public boolean certificateCallback(X509Certificate[] chain, int validateErr) {
// Check the server and client cert
boolean validServer = chain[0].equals(serverCert);
System.out.println("Server cert valid: " + validServer);
boolean validClient = chain[0].equals(clientCert);
System.out.println("Client cert valid: " + validClient);
return validClient ^ validServer;
}
});
// Invoke the service
// port. ...
}
}
WSDL 策略:
<wsp:Policy wsu:Id="MyPortBindingPolicy">
<wsp:ExactlyOne>
<wsp:All>
<wsam:Addressing wsp:Optional="false" />
<sp:SymmetricBinding>
<wsp:Policy>
<sp:ProtectionToken>
<wsp:Policy>
<sp:SecureConversationToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:RequireDerivedKeys />
<sp:BootstrapPolicy>
<wsp:Policy>
<sp:AsymmetricBinding>
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssX509V3Token10 />
<sp:RequireIssuerSerialReference />
<sp:RequireDerivedKeys />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
<wsp:Policy>
<sp:WssX509V3Token10 />
<sp:RequireIssuerSerialReference />
<sp:RequireDerivedKeys />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:Layout>
<wsp:Policy>
<sp:Strict />
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp />
<sp:OnlySignEntireHeadersAndBody />
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256 />
</wsp:Policy>
</sp:AlgorithmSuite>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss10>
<wsp:Policy>
<sp:MustSupportRefIssuerSerial />
</wsp:Policy>
</sp:Wss10>
<sp:EncryptedParts>
<sp:Body />
</sp:EncryptedParts>
<sp:SignedParts>
<sp:Body />
<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="AckRequested" Namespace="http://docs.oasis-open.org/ws-rx/wsrmp/200702" />
<sp:Header Name="SequenceAcknowledgement" Namespace="http://docs.oasis-open.org/ws-rx/wsrmp/200702" />
<sp:Header Name="Sequence" Namespace="http://docs.oasis-open.org/ws-rx/wsrmp/200702" />
<sp:Header Name="CreateSequence" Namespace="http://docs.oasis-open.org/ws-rx/wsrmp/200702" />
</sp:SignedParts>
</wsp:Policy>
</sp:BootstrapPolicy>
</wsp:Policy>
</sp:SecureConversationToken>
</wsp:Policy>
</sp:ProtectionToken>
<sp:Layout>
<wsp:Policy>
<sp:Strict />
</wsp:Policy>
</sp:Layout>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:IncludeTimestamp />
<sp:OnlySignEntireHeadersAndBody />
</wsp:Policy>
</sp:SymmetricBinding>
<sp:Wss11>
<wsp:Policy>
<sp:MustSupportRefIssuerSerial />
<sp:MustSupportRefThumbprint />
<sp:MustSupportRefEncryptedKey />
</wsp:Policy>
</sp:Wss11>
<sp:Trust13>
<wsp:Policy>
<sp:RequireClientEntropy />
<sp:RequireServerEntropy />
<sp:MustSupportIssuedTokens />
</wsp:Policy>
</sp:Trust13>
<tcp:OptimizedTCPTransport enabled="true" />
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy wsu:Id="SecureInputMessagePolicy">
<wsp:ExactlyOne>
<wsp:All>
<sp:EncryptedParts>
<sp:Body />
</sp:EncryptedParts>
<sp:SignedParts>
<sp:Body />
<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="AckRequested" Namespace="http://docs.oasis-open.org/ws-rx/wsrmp/200702" />
<sp:Header Name="SequenceAcknowledgement" Namespace="http://docs.oasis-open.org/ws-rx/wsrmp/200702" />
<sp:Header Name="Sequence" Namespace="http://docs.oasis-open.org/ws-rx/wsrmp/200702" />
<sp:Header Name="CreateSequence" Namespace="http://docs.oasis-open.org/ws-rx/wsrmp/200702" />
</sp:SignedParts>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy wsu:Id="SecureOutputMessagePolicy">
<wsp:ExactlyOne>
<wsp:All>
<sp:EncryptedParts>
<sp:Body />
</sp:EncryptedParts>
<sp:SignedParts>
<sp:Body />
<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="AckRequested" Namespace="http://docs.oasis-open.org/ws-rx/wsrmp/200702" />
<sp:Header Name="SequenceAcknowledgement" Namespace="http://docs.oasis-open.org/ws-rx/wsrmp/200702" />
<sp:Header Name="Sequence" Namespace="http://docs.oasis-open.org/ws-rx/wsrmp/200702" />
<sp:Header Name="CreateSequence" Namespace="http://docs.oasis-open.org/ws-rx/wsrmp/200702" />
</sp:SignedParts>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>