Asking for expert help: how digital signatures work in Apache CXF integrated with Spring
若_离 2012-05-29 02:02:55 I have only just started with Apache CXF; following tutorials found online, I spent many days getting the integration to work.
I have to say there is very little material on this. Although it is running now, there are many points where I don't understand the underlying principle, and I'd appreciate some guidance.
I won't go into the process of publishing the web service. For the authentication part: the client and server each create a private key and a KeyStore, self-sign the private key, export the private key, and the exported certificate is saved as the public key in the TrustStore, with commands like the following:
keytool -genkey -alias clientprivatekey -keypass keypass -keystore Client_KeyStore.jks -storepass storepass -dname "CN=tong.com.cn,C=CN" -keyalg RSA
keytool -selfcert -keystore Client_KeyStore.jks -storepass storepass -alias clientprivatekey -keypass keypass
keytool -export -alias clientprivatekey -file Client_PublicCert.cer -keystore Client_KeyStore.jks -storepass storepass
Then the authentication interceptors are added to the configuration file:
<bean id="wss4jIn" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
    <constructor-arg>
        <map>
            <entry key="action" value="Signature Encrypt" />
            <entry key="signaturePropFile" value="webservice/Server_Verf.properties" />
            <entry key="decryptionPropFile" value="webservice/Server_Decrypt.properties" />
            <entry key="passwordCallbackClass" value="cn.com.test.UTPasswordServerCallBack" />
        </map>
    </constructor-arg>
</bean>
Server-side web service:
<jaxws:endpoint id="testWebService"
    implementor="cn.com.test.TestWebServiceImpl"
    address="/testWebService">
    <jaxws:inInterceptors>
        <ref bean="logIn" />
        <ref bean="saajIn" />
        <!--<ref bean="soapheaderIn" /> -->
        <ref bean="wss4jIn" />
    </jaxws:inInterceptors>
    <jaxws:outInterceptors>
        <ref bean="logOut" />
    </jaxws:outInterceptors>
</jaxws:endpoint>
Server_Verf.properties:
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=storepass
org.apache.ws.security.crypto.merlin.keystore.alias=clientpublickey
org.apache.ws.security.crypto.merlin.file=cert/Server_TrustStore.jks
Server_Decrypt.properties:
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=storepass
org.apache.ws.security.crypto.merlin.keystore.alias=serverprivatekey
org.apache.ws.security.crypto.merlin.file=cert/Server_KeyStore.jks
UTPasswordServerCallBack:
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

public class UTPasswordServerCallBack implements CallbackHandler {
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        // WSS4J asks here for the password of the private-key entry (the keytool -keypass value)
        WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
        pc.setPassword("keypass");
    }
}
The client configuration is basically the same, and the callback is basically the same too.
Now my questions. The passwords we used when generating the certificates, -keypass keypass -storepass storepass,
all have to be placed in plaintext in the configuration files? And when the callback is invoked, the password has to be set in plaintext with pc.setPassword("keypass");
If the passwords are all configured in plaintext like this, is there any security left to speak of?
Also, I still don't really understand how these two passwords are used. Are they the passwords needed to access our keystore?
And as I understand authentication, the client and server should each hold their own private key and the other party's public key, and then go through a set of encryption and decryption steps.
Why do we still need to set passwords in plaintext?
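As an added illustration of the two passwords the question asks about (this is example code, not from the post and not part of CXF or WSS4J): it opens the JKS file with storepass, recovers the private-key entry with keypass, signs a message with that key, and verifies it on the "server" side using only the certificate from the TrustStore. It assumes the Client_KeyStore.jks created by the post's keytool commands and a Server_TrustStore.jks into which Client_PublicCert.cer was imported under the alias clientpublickey (the alias in Server_Verf.properties) both sit in the working directory; the class name and the sample message are made up for this example.

```java
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;

public class TwoPasswordsDemo {
    // File names, aliases and passwords follow the keytool commands and properties in the
    // post; the files are assumed to exist in the working directory (assumption for this demo).
    static final String KEYSTORE = "Client_KeyStore.jks";
    static final String TRUSTSTORE = "Server_TrustStore.jks";
    static final char[] STOREPASS = "storepass".toCharArray();
    static final char[] KEYPASS = "keypass".toCharArray();

    // storepass opens the file: JKS uses it only to check the file's integrity hash, so a
    // wrong value fails here with an IOException, before any key is touched.
    static KeyStore load(String path, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = load(KEYSTORE, STOREPASS);
        // keypass decrypts the one private-key entry; it is the value the post's callback returns.
        PrivateKey priv = (PrivateKey) ks.getKey("clientprivatekey", KEYPASS);
        try {
            ks.getKey("clientprivatekey", "wrong".toCharArray());
        } catch (UnrecoverableKeyException e) {
            System.out.println("wrong keypass: private key cannot be recovered");
        }
        // Client side of the Signature action: sign the message with the private key.
        byte[] msg = "<soap:Body>hello</soap:Body>".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(priv);
        signer.update(msg);
        byte[] sig = signer.sign();
        // Server side: no key password is needed, only the client certificate from the TrustStore.
        Certificate clientCert = load(TRUSTSTORE, STOREPASS).getCertificate("clientpublickey");
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(clientCert.getPublicKey());
        verifier.update(msg);
        System.out.println("signature valid: " + verifier.verify(sig));
    }
}
```

The passwords protect the key file at rest, not the signature itself: whoever can read the configuration and the JKS file can use the private key, which is why the callback class is the place to fetch the password from somewhere better protected than a plaintext properties file.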