Understanding WS Policy in SCA

Date: 2008-10-29  Source: TechTarget China

The SCA specification provides a security framework (SCA_Policy_Framework) that constrains how data is passed during a service invocation. Below I explain in detail how the WebService Policy part of it is implemented, based on my own practice.

The Policy Framework splits a security definition into two parts: Intent and PolicySet. An Intent defines a policy abstractly: it only declares that such a constraint exists, without specifying its content. A PolicySet defines how the policy is actually implemented; combined with an Intent, it supplies the concrete policy definition for that Intent.

How an Intent is specified:

<intent name="Intent name" constrains="what it constrains"/>

e.g.:

<intent name="RequiredTransaction" constrains="sca:binding"/>

How a PolicySet is specified:

<policySet name="PolicySet name" provides="Intent it implements" appliesTo="what it applies to">
    concrete Policy definition
</policySet>

e.g.:

<policySet name="RequiredTransactionPolicy" provides="RequiredTransaction" appliesTo="sca:binding.sca">
    <transactionPolicy action="REQUIRES_NEW"/>
</policySet>

For WebService, the specification defines three fixed Intents: authentication, integrity and confidentiality.

authentication checks the transmitted data against the username and password the user supplies; integrity validates the data using the transmitted certificate (X509V3); confidentiality encrypts the transmitted data, and on parsing uses the data's hash value to judge whether it was modified in transit.

The three are described in turn below (using axis2 as the example; in axis2, rampart performs the security checks):

(Note: WS security involves quite a lot of material, so please review it on your own; the relevant topics are axis2, rampart, ws policy, sca policy, the ws spec, etc.)

1. authentication

On the Server side, the username and password carried in the incoming SOAP Header must be checked; this is done by specifying a corresponding CallbackHandler.

Policy definition:

<parameter name="InflowSecurity">
    <action>
        <items>UsernameToken</items>
        <passwordCallbackClass>helloworld.ServerPWCBHandler</passwordCallbackClass>
    </action>
</parameter>

CallbackHandler implementation; this is where the username and password are checked for correctness:

import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

public class ServerPWCBHandler implements CallbackHandler {

    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            WSPasswordCallback pwcb = (WSPasswordCallback) callbacks[i];
            // Rampart calls the handler with the username and password taken from the UsernameToken
            // (WSS4J 1.5 spells the username accessor getIdentifer)
            if (pwcb.getUsage() == WSPasswordCallback.USERNAME_TOKEN) {
                if (pwcb.getIdentifer().equals("wangfeng") && pwcb.getPassword().equals("Passwd")) {
                    return; // credentials accepted
                } else {
                    // rejecting the callback makes Rampart fail the request
                    throw new UnsupportedCallbackException(pwcb,
                            "Authentication Failed : UserId - Password mismatch");
                }
            }
        }
    }
}

On the Client side, the username and password must be added to the outgoing data; the username is specified in the Policy definition file, and the password is again set through a CallbackHandler.

Policy definition:

<parameter name="OutflowSecurity">
    <action>
        <items>UsernameToken</items>
        <user>wangfeng</user>
        <passwordCallbackClass>helloworld.ClientPWCBHandler</passwordCallbackClass>
        <passwordType>PasswordText</passwordType>
    </action>
</parameter>

Defining passwordType as PasswordText in the Policy means the password is transmitted in clear text.

CallbackHandler implementation, which sets the calling user's password:

import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

public class ClientPWCBHandler implements CallbackHandler {

    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            WSPasswordCallback pwcb = (WSPasswordCallback) callbacks[i];
            System.out.println("User Id = " + pwcb.getIdentifer());
            // supply the password that Rampart places in the outgoing UsernameToken
            pwcb.setPassword("Passwd");
        }
    }
}

When the method getGreetings is invoked with the string World, the SOAP transmitted is as follows (namespace declarations omitted from the listing):

<soapenv:Envelope>
 <soapenv:Header>
  <wsse:Security>
   <wsse:UsernameToken>
    <wsse:Username>wangfeng</wsse:Username>
    <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">Passwd</wsse:Password>
   </wsse:UsernameToken>
  </wsse:Security>
 </soapenv:Header>
 <soapenv:Body>
  <ns:getGreetings>
   <ns3:name xsi:type="xs:string">World</ns3:name>
  </ns:getGreetings>
 </soapenv:Body>
</soapenv:Envelope>

From the transmitted SOAP Header we can see that it carries the username and password for the Server side to verify.

2. integrity

On the Server side, the concrete WebService Policy corresponding to integrity must be specified: the certificate's encryption algorithm, the alias in the certificate, the keystore password, the certificate location and other certificate-related information. During transmission, the certificate is verified to guarantee that the invocation is legitimate.

<wsp:Policy wsu:Id="SignOnly">
 <wsp:ExactlyOne>
  <wsp:All>
   <sp:AsymmetricBinding>
    <wsp:Policy>
     <sp:InitiatorToken>
      <wsp:Policy>
       <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
        <wsp:Policy>
         <sp:WssX509V3Token10/>
        </wsp:Policy>
       </sp:X509Token>
      </wsp:Policy>
     </sp:InitiatorToken>
     <sp:RecipientToken>
      <wsp:Policy>
       <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
        <wsp:Policy>
         <sp:WssX509V3Token10/>
        </wsp:Policy>
       </sp:X509Token>
      </wsp:Policy>
     </sp:RecipientToken>
     <sp:AlgorithmSuite>
      <wsp:Policy>
       <sp:TripleDesRsa15/>   <!-- indicates the certificate uses RSA encryption -->
      </wsp:Policy>
     </sp:AlgorithmSuite>
     <sp:Layout>
      <wsp:Policy>
       <sp:Strict/>
      </wsp:Policy>
     </sp:Layout>
     <sp:IncludeTimestamp/>
     <sp:OnlySignEntireHeadersAndBody/>
    </wsp:Policy>
   </sp:AsymmetricBinding>
   <sp:Wss10>
    <wsp:Policy>
     <sp:MustSupportRefKeyIdentifier/>
     <sp:MustSupportRefIssuerSerial/>
    </wsp:Policy>
   </sp:Wss10>
   <sp:SignedParts>
    <sp:Body/>
   </sp:SignedParts>

   <ramp:RampartConfig>
    <ramp:user>wangfeng</ramp:user>
    <ramp:encryptionUser>wangfeng</ramp:encryptionUser>
    <ramp:passwordCallbackClass>helloworld.ServerPWCBHandler</ramp:passwordCallbackClass>

    <ramp:signatureCrypto>
     <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
      <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
      <ramp:property name="org.apache.ws.security.crypto.merlin.file">key.jks</ramp:property>
      <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">passwd</ramp:property>
     </ramp:crypto>
    </ramp:signatureCrypto>
   </ramp:RampartConfig>

  </wsp:All>
 </wsp:ExactlyOne>
</wsp:Policy>

The latter part of the Policy specifies the certificate information through the rampart configuration.

If the configuration above is unclear, please refer to the WebService Policy specification and the documentation of the Rampart implementation.

In the CallbackHandler, the corresponding username and password must be supplied to complete the certificate verification.

import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

public class ServerPWCBHandler implements CallbackHandler {

    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            WSPasswordCallback pwcb = (WSPasswordCallback) callbacks[i];
            // Rampart asks for the private-key password of the signing alias
            if (pwcb.getUsage() == WSPasswordCallback.SIGNATURE) {
                pwcb.setPassword("Passwd");
            }
        }
    }
}

On the client side, a corresponding Policy and CallbackHandler must likewise be specified; here they can simply be kept the same as on the Server side.

The certificate can be generated with the Java keytool utility.

For the example above, the SOAP sent and the SOAP returned are as follows (namespace declarations omitted from the listings):

SOAP sent:

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope>
 <soapenv:Header>
  <wsse:Security>
   <wsu:Timestamp>
    <wsu:Created>2008-08-28T03:04:45.734Z</wsu:Created>
    <wsu:Expires>2008-08-28T03:09:45.734Z</wsu:Expires>
   </wsu:Timestamp>
   <wsse:BinarySecurityToken
>MIICSjCCAbMCBEePj2cwDQYJKoZIhvcNAQEEBQAwbDEQMA4GA1UEBhMHVW5rbm93bjEQMA4GA1UECBMHVW
5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4GA1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjEQMA4GA1UEAxMHVW5rbm
93bjAeFw0wODAxMTcxNzI0NTVaFw0xODEyMzAxNzI0NTVaMGwxEDAOBgNVBAYTB1Vua25vd24xEDAOBgNVBAgTB1Vua25vd24xEDAOBgN
VBAcTB1Vua25vd24xEDAOBgNVBAoTB1Vua25vd24xEDAOBgNVBAsTB1Vua25vd24xEDAOBgNVBAMTB1Vua25vd24wgZ8wDQYJKoZIhvcN
AQEBBQADgY0AMIGJAoGBAIsUK0NiI6DnMP/3XBKeSUJ1F15uJ2IcmJVDq3BVd/EHDVU9IEq+g95mpX99mAXQVVwV98PDxEKdQ0C+KNa
ku9XndBCu9IURUYtQk7Rgl0vMN+hEHvzPvMJ2NT/61/y22cAiLZF9k4fQxcxF6IX8EMWk439RBQZ2og7ZV2UUHxrzAgMBAAEwDQYJKoZIh
vcNAQEEBQADgYEAe55/HZRUFG3QjpbiTCgwoWZKsYzfYJSnQrO8rewGdFKf4SwhOGbmf3s9iKO6xdLz+5hnrZ3ySv28g1GwsUt4GMUHYi/jn
7p+Vmot10h1/yL/p06IEiTzkj1Dluq4tJW2KPCagQZqoJ5SEcoimnvkjD5ZoFqGwyJ0DoDk3BP907c=</wsse:BinarySecurityToken>
   <ds:Signature Id="Signature-3790865">
    <ds:SignedInfo>
     <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
     <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
     <ds:Reference URI="#Id-10013687">
      <ds:Transforms>
       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>xf0YRx+TekKz/7e8pRVpQekBPVQ=</ds:DigestValue>
     </ds:Reference>
     <ds:Reference URI="#Timestamp-9550256">
      <ds:Transforms>
       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>mo2eoha6ygEvERYuxcxhhdadLD8=</ds:DigestValue>
     </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
cMyhvlnQAJ1RvlrdSTC6pic5JRr6nWX0D2DlPBQ+FVHMNrLwMfp35Rxj2NZiMF+HCo4g3LUvEeTk
hTAfIrTE48uVpvc7VyqgZPqxvX5f1Ks3XmAXqgGlNMVCZqOK4mSqdrLATOeuGWFzkuOzsajqkL//
/SXBiMuq6A96dshj0UU=
    </ds:SignatureValue>
    <ds:KeyInfo Id="KeyId-9089012">
     <wsse:SecurityTokenReference>
      <wsse:Reference URI="#CertId-1436578"
       ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
     </wsse:SecurityTokenReference>
    </ds:KeyInfo>
   </ds:Signature>
  </wsse:Security>
 </soapenv:Header>
 <soapenv:Body>
  <ns:getGreetings>
   <ns3:name xsi:type="xs:string">World</ns3:name>
  </ns:getGreetings>
 </soapenv:Body>
</soapenv:Envelope>

SOAP returned:

<soapenv:Envelope>
 <soapenv:Header>
  <wsse:Security>
   <wsu:Timestamp>
    <wsu:Created>2008-08-28T03:04:47.187Z</wsu:Created>
    <wsu:Expires>2008-08-28T03:09:47.187Z</wsu:Expires>
   </wsu:Timestamp>
   <ds:Signature Id="Signature-9805729">
    <ds:SignedInfo>
     <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
     <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
     <ds:Reference URI="#Id-2954177">
      <ds:Transforms>
       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>AvpChhWzYb6Hl8Xuc8WnZKsClpA=</ds:DigestValue>
     </ds:Reference>
     <ds:Reference URI="#Timestamp-12372212">
      <ds:Transforms>
       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>Qtj/n4wiHPzih8rcyvLwnek7TcE=</ds:DigestValue>
     </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
Omtf8ktomHmBzvYrnJy0thbyOE1exvjXIsHVDhcQtt4zXXKXCU4EmF4ipHDrSrjsIN5uwb0pWvvf
z7oebDx6k2IBin1/O5+Sj48VhUkIJXRr6ehrZlvhRAfv/KZrdf7dfpXUGl3caQ1i4gqV2KVc06QG
QHK/iCqJSiK2JMOXR1g=
    </ds:SignatureValue>
    <ds:KeyInfo Id="KeyId-33486858">
     <wsse:SecurityTokenReference>
      <wsse:KeyIdentifier
       EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
       ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">7n1V7BAAn28161h3Jn7JZkY1HfA=</wsse:KeyIdentifier>
     </wsse:SecurityTokenReference>
    </ds:KeyInfo>
   </ds:Signature>
  </wsse:Security>
 </soapenv:Header>
 <soapenv:Body>
  <ns:getGreetingsResponse>
   <ns3:getGreetingsReturn xsi:type="xs:string">Hello World</ns3:getGreetingsReturn>
  </ns:getGreetingsResponse>
 </soapenv:Body>
</soapenv:Envelope>

From the transmitted SOAP we can see that the SOAP Header content has been cryptographically protected with the transmitted certificate (the ds:Signature, whose References cover the Body and the Timestamp).
 
3. confidentiality

Input and output data are encrypted and decrypted according to the specified algorithm, and verified against the certificate contents to determine their legitimacy.

The Server side specifies how input and output data are encrypted: InflowSecurity specifies how input data is processed, and OutflowSecurity how output data is processed.

For example:

<parameter name="InflowSecurity">
    <action>
        <items>Timestamp Signature Encrypt</items>
        <passwordCallbackClass>helloworld.ServerPWCBHandler</passwordCallbackClass>
        <signaturePropFile>security.properties</signaturePropFile>
    </action>
</parameter>
<parameter name="OutflowSecurity">
    <action>
        <items>Timestamp Signature Encrypt</items>
        <user>wangfeng</user>
        <encryptionUser>wangfeng</encryptionUser>
        <passwordCallbackClass>helloworld.ServerPWCBHandler</passwordCallbackClass>
        <signaturePropFile>security.properties</signaturePropFile>
        <signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>
        <encryptionKeyIdentifier>SKIKeyIdentifier</encryptionKeyIdentifier>
        <!-- public-key certificate reference: SKIKeyIdentifier or IssuerSerial -->
    </action>
</parameter>

The attribute encryptionKeyIdentifier specifies how the certificate is referenced; there are two options, SKIKeyIdentifier or IssuerSerial, and SKIKeyIdentifier is the usual choice.

Specify the certificate password in the CallbackHandler.

import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

public class ServerPWCBHandler implements CallbackHandler {

    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            WSPasswordCallback pwcb = (WSPasswordCallback) callbacks[i];
            // same private-key password for the signing and the decryption callbacks
            pwcb.setPassword("Passwd");
        }
    }
}

In the configuration file security.properties, specify the certificate and its related information; this is how the rampart settings are given to axis.

org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=Passwd
org.apache.ws.security.crypto.merlin.file=key.jks

On the Client side, processing matching the Server's must be specified: the Server's InflowSecurity corresponds to the Client's OutflowSecurity, and the Server's OutflowSecurity to the Client's InflowSecurity. The corresponding configuration is as follows:

<parameter name="InflowSecurity">
    <action>
        <items>Timestamp Signature Encrypt</items>
        <passwordCallbackClass>helloworld.ClientPWCBHandler</passwordCallbackClass>
        <signaturePropFile>security.properties</signaturePropFile>
    </action>
</parameter>
<parameter name="OutflowSecurity">
    <action>
        <items>Timestamp Signature Encrypt</items>
        <user>wangfeng</user>
        <encryptionUser>wangfeng</encryptionUser>
        <passwordCallbackClass>helloworld.ClientPWCBHandler</passwordCallbackClass>
        <signaturePropFile>security.properties</signaturePropFile>
        <signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>
        <encryptionKeyIdentifier>SKIKeyIdentifier</encryptionKeyIdentifier>
    </action>
</parameter>

The SOAP transmitted is as follows (namespace declarations omitted from the listings):

SOAP sent:

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope>
 <soapenv:Header>
  <wsse:Security>
   <xenc:EncryptedKey Id="EncKeyId-12890052">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
    <ds:KeyInfo>
     <wsse:SecurityTokenReference>
      <wsse:KeyIdentifier
       EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
       ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">MDMfMNMO10+i/kdPBYb9rJop9Eg=</wsse:KeyIdentifier>
     </wsse:SecurityTokenReference>
    </ds:KeyInfo>
    <xenc:CipherData>
     <xenc:CipherValue>oeFjdDJeIpm55UretATfaiiXK+mbmNtracz4rIsSfboNXO04HYFRAH9u7jYLg4d49mqm4LZEHQS2pw
XYI/SJi4B2x1PNjIlMOv8iuRpHe3RXgFQiVoWNYxgyK9q/GAdzIKzah5VSOUy0ez2hqVpctAJqayZ1iNhJqNk9XBHNGpc=
</xenc:CipherValue>
    </xenc:CipherData>
    <xenc:ReferenceList>
     <xenc:DataReference URI="#EncDataId-15868406"/>
    </xenc:ReferenceList>
   </xenc:EncryptedKey>
   <wsse:BinarySecurityToken
>MIICVjCCAb8CBEddgt8wDQYJKoZIhvcNAQEEBQAwcjEQMA4GA1UEBhMHVW5rbm93bjEQMA4GA
1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4GA1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjEWM
BQGA1UEAxMNVHVzY2FueVdzVXNlcjAeFw0wNzEyMTAxODE4MDdaFw0wOTAxMTMxODE4MDdaMHIxEDAOBgNVBAYTB1Vua25vd2
4xEDAOBgNVBAgTB1Vua25vd24xEDAOBgNVBAcTB1Vua25vd24xEDAOBgNVBAoTB1Vua25vd24xEDAOBgNVBAsTB1Vua25vd24x
FjAUBgNVBAMTDVR1c2NhbnlXc1VzZXIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMT6zc0gqdlNVXNfLBqc7TiegqDcLyvjT3M
mpU7dAIpsDB1+3oWDU+0tTHBKu/KYap9Zwp+/xrqtCVNNg4eDWqW88Z51lhJwq5Dn9zadnBfPEPB5c6gZVTd8ouZFd/ZCGpiktx4
54iA2TAnuLLJt306SFqC5XKD5SDUZvmtMpQeRAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAB72+v2ajRs1Oy7D6D4lDoXN90ZuMC3
CjZm6M871eu9Kk74AFc/dMfBoj5b5H4367DZrMz47/yFcU8N5QFq6inx+8RU0XDwuGYTIbXv7es9BcqG2/um86V10N30Ep2HfTm
6Ag3zkpfvk8/K/YUBZ8WJWLbGxbZDpRzzEEpxfOCY8=</wsse:BinarySecurityToken>
   <ds:Signature Id="Signature-32653965">
    <ds:SignedInfo>
     <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
     <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
     <ds:Reference URI="#id-15868406">
      <ds:Transforms>
       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>8IdqFtLVMouLQ8WijhNUPMH+xx4=</ds:DigestValue>
     </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
t6PSuLaynhSsuXRBlbO5dqKXScHKCgeheLvriD9aD9nIOeQM+grMIXJQh9sKvSdnDIVh+Fh7NpiQ
AY/TzLCxb01+W2lbZ8XzGAsIty8geHmz1I0YKr05mp9halywVR0ACsKLzcF/ToMpeO5dISFb6ZMx
b8XXFo33rCy6HxANuek=
    </ds:SignatureValue>
    <ds:KeyInfo Id="KeyId-26533782">
     <wsse:SecurityTokenReference>
      <wsse:Reference URI="#CertId-2120440"
       ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
     </wsse:SecurityTokenReference>
    </ds:KeyInfo>
   </ds:Signature>
   <wsu:Timestamp>
    <wsu:Created>2008-10-22T05:16:04.953Z</wsu:Created>
    <wsu:Expires>2008-10-22T05:21:04.953Z</wsu:Expires>
   </wsu:Timestamp>
  </wsse:Security>
 </soapenv:Header>
 <soapenv:Body>
  <xenc:EncryptedData Id="EncDataId-15868406" Type="http://www.w3.org/2001/04/xmlenc#Content">
   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
   <ds:KeyInfo>
    <wsse:SecurityTokenReference>
     <wsse:Reference URI="#EncKeyId-12890052"/>
    </wsse:SecurityTokenReference>
   </ds:KeyInfo>
   <xenc:CipherData>
    <xenc:CipherValue>oslygTCQMQx1IcFIe62I8adMBM1n7AcU/J9h+lzJfIatelbzOFeqMi9KpNMglJQnIdmCtZRIxleq
pZ3ZYSH70zewqCcCw/PfiIFcXSF0WGYEynyEPC/5W8mNWAk7XSR7bZ+o1qUTh0JywQ8OE5agHVYC
4UXjHVzdritVTrv+1t0J+z3RSygcUVGJ5yblUwFXrCTTDIB90XZVhGJZuwa1wp/3/iJNCEZ1fJ6n
DvMPDzIMjAKBplwuaHlXkwlUJzsQGz1IpKFpXqOd+AVg9mjQoNaZjsxb/ceG93XdoQvNFkQzGzdF
XOqr4ThCg383ilaDjyytQQPc+d3ynZGqmYhaNP9RnP8H0SPX3NtZEiEVu/I8Sws8baN4BCuAEJrB
MeDF4Xmbg6+oywuRt0pwvmkKtj7KDlb9n6wzWoHSZevWKhuxNTBCmyBcy6joGIvW8A1CVMWonQ52
6GJCaLJb1Gvq9iUtACPCk2AYDp9jvmvNt60=</xenc:CipherValue>
   </xenc:CipherData>
  </xenc:EncryptedData>
 </soapenv:Body>
</soapenv:Envelope>

SOAP received:

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope>
 <soapenv:Header>
  <wsse:Security>
   <xenc:EncryptedKey Id="EncKeyId-26127350">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
    <ds:KeyInfo>
     <wsse:SecurityTokenReference>
      <wsse:KeyIdentifier
       EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
       ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">MDMfMNMO10+i/kdPBYb9rJop9Eg=</wsse:KeyIdentifier>
     </wsse:SecurityTokenReference>
    </ds:KeyInfo>
    <xenc:CipherData>
     <xenc:CipherValue>W14JvuGArIZoJNQKmlnK+q9CjPUI64wAesye0zu6Vcxwqgbm3tpYUn02AbFrdr3C50GTydDyKp0TIhxxwVp+
18cOydXTH6pixUO5DKE+G3HEYr2Jn5Dc4Y6D/PTh61aH6LfF5BVbQTUviEiRkAve8MVAuBikukaJbkd41+fg4Fw=</xenc:CipherValue>
    </xenc:CipherData>
    <xenc:ReferenceList>
     <xenc:DataReference URI="#EncDataId-15736146"/>
    </xenc:ReferenceList>
   </xenc:EncryptedKey>
   <wsse:BinarySecurityToken
>MIICVjCCAb8CBEddgt8wDQYJKoZIhvcNAQEEBQAwcjEQMA4GA1UEBhMHVW5rbm93bjEQMA4GA1UECBMH
VW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4GA1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjEWMBQGA1UEAxMNV
VzY2FueVdzVXNlcjAeFw0wNzEyMTAxODE4MDdaFw0wOTAxMTMxODE4MDdaMHIxEDAOBgNVBAYTB1Vua25vd24xEDAOBgNVBAgT
B1Vua25vd24xEDAOBgNVBAcTB1Vua25vd24xEDAOBgNVBAoTB1Vua25vd24xEDAOBgNVBAsTB1Vua25vd24xFjAUBgNVBAMTDVR
1c2NhbnlXc1VzZXIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMT6zc0gqdlNVXNfLBqc7TiegqDcLyvjT3MmpU7dAIpsDB1+3o
WDU+0tTHBKu/KYap9Zwp+/xrqtCVNNg4eDWqW88Z51lhJwq5Dn9zadnBfPEPB5c6gZVTd8ouZFd/ZCGpiktx454iA2TAnuLLJt306SF
qC5XKD5SDUZvmtMpQeRAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAB72+v2ajRs1Oy7D6D4lDoXN90ZuMC3CjZm6M871eu9Kk7
4AFc/dMfBoj5b5H4367DZrMz47/yFcU8N5QFq6inx+8RU0XDwuGYTIbXv7es9BcqG2/um86V10N30Ep2HfTm6Ag3zkpfvk8/K/YUB
Z8WJWLbGxbZDpRzzEEpxfOCY8=</wsse:BinarySecurityToken>
   <ds:Signature Id="Signature-9531264">
    <ds:SignedInfo>
     <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
     <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
     <ds:Reference URI="#id-15736146">
      <ds:Transforms>
       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>r3GJPoQlKifjL2t+/7yq9z4FdKA=</ds:DigestValue>
     </ds:Reference>
     <ds:Reference URI="#SigConf-26469">
      <ds:Transforms>
       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>gRWUodHEbu+3iQzPyX4/S3YiDvU=</ds:DigestValue>
     </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
eW11PF0/cMT0Nn2oR8huk6Dcvn3Rl+DA5y+VvPLm7VaA7AVnSeTh1O99aeTBv2gZlJ/6/+q0RIfC
fTDGCIWYELICdFanzvMphP9uJo94t+y/Y5+8ejFcmfHHTSDxGJNL5ruZbNa79uxs/sCGmfB9qiBb
D+2vKoP9/PeUOQYCy4E=
    </ds:SignatureValue>
    <ds:KeyInfo Id="KeyId-2419450">
     <wsse:SecurityTokenReference>
      <wsse:Reference URI="#CertId-2120440"
       ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
     </wsse:SecurityTokenReference>
    </ds:KeyInfo>
   </ds:Signature>
   <wsu:Timestamp>
    <wsu:Created>2008-10-22T05:16:09.062Z</wsu:Created>
    <wsu:Expires>2008-10-22T05:21:09.062Z</wsu:Expires>
   </wsu:Timestamp>
   <wsse11:SignatureConfirmation Value="t6PSuLaynhSsuXRBlbO5dqKXScHKCgeheLvriD9aD9nIOeQM+grMIXJQh9sKvSdnDIVh+Fh7NpiQAY/TzLCxb01+W2lbZ8XzGAsIty8geHmz1I0YKr05mp9halywVR0ACsKLzcF/ToMpeO5dISFb6ZMxb8XXFo33rCy6HxANuek=" wsu:Id="SigConf-26469"/>
  </wsse:Security>
 </soapenv:Header>
 <soapenv:Body>
  <xenc:EncryptedData Id="EncDataId-15736146" Type="http://www.w3.org/2001/04/xmlenc#Content">
   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
   <ds:KeyInfo>
    <wsse:SecurityTokenReference>
     <wsse:Reference URI="#EncKeyId-26127350"/>
    </wsse:SecurityTokenReference>
   </ds:KeyInfo>
   <xenc:CipherData>
    <xenc:CipherValue>+SiSCzCdloFxPc3+Sb6HveZSLlkP6gGceTSNfaEKVR6YGb/mbkupz3I0exu+duxvVWApmNuWNzeB
vkEB/uMInp1+3SqC94tqizLx0vtiWuthF9S0hdYUqFWDYe4WadLhjcinjv5XcfK1XvQnD2KxB9Bn
jpg1qprFc8LSzB3NtoiLetSDcl7aRfv7GQ9kTfc+He8dY1cSteWoZ/0D5Ix6W4lK+exUbqpIEpWK
sUwzznKFMhgFPMhpUwJFyLPoJzt+zrjp0ERh4PBIuNQKwObdlJjfcWMoMbJ20fuK5m6+z1X6sL3N
tbB2ly6HYHzz/itfwoP7C0VLQGaY0SJbfBTrFLz3n2DNEZmEF0zRMPchxd//7kfD4MM0mdWWs0sE
9ecAWklC0xrb0PRFz5CbuNZvHi1CUs8EE1i0FAIY7XharUoXVW+AOIst4h90TBBRrryi</xenc:CipherValue>
   </xenc:CipherData>
  </xenc:EncryptedData>
 </soapenv:Body>
</soapenv:Envelope>

From the transmitted data we can see that the Body data is likewise transmitted in encrypted form.
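The three ServerPWCBHandler variants shown above (authentication, integrity and confidentiality) each compile the literal credentials or key password into the class and cast every callback blindly. The following is an added example, not code from the article: a single server-side handler that covers the USERNAME_TOKEN, SIGNATURE and DECRYPT usages, checks the callback type before casting, compares the presented password against a salted hash in constant time, and reads the private-key password from a system property. The property name helloworld.keyPassword, the class name and the credential table are assumptions; following the article's handler, it relies on WSS4J 1.5 handing over the presented clear-text password for PasswordText tokens.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

// Added example (not the article's code): one hardened server-side handler for all three intents.
public class HardenedServerPWCBHandler implements CallbackHandler {

    // Constructed demo credential store: username -> { salt, hex(SHA-256(salt + password)) }.
    // A real deployment loads this from a credential store and uses PBKDF2 or bcrypt instead.
    private static final Map<String, String[]> USERS = new HashMap<String, String[]>();
    static { USERS.put("wangfeng", new String[] { "a3f1c9", sha256Hex("a3f1c9" + "Passwd") }); }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            // Never blind-cast: reject anything that is not a WSPasswordCallback.
            if (!(cb instanceof WSPasswordCallback)) throw new UnsupportedCallbackException(cb, "Unsupported callback");
            WSPasswordCallback pwcb = (WSPasswordCallback) cb;
            switch (pwcb.getUsage()) {
                case WSPasswordCallback.USERNAME_TOKEN:      // authentication intent
                    verifyUsernameToken(pwcb);
                    break;
                case WSPasswordCallback.SIGNATURE:           // integrity intent
                case WSPasswordCallback.DECRYPT:             // confidentiality intent
                    // Private-key password for the keystore alias; "helloworld.keyPassword" is an assumed name.
                    String keyPassword = System.getProperty("helloworld.keyPassword");
                    if (keyPassword == null) throw new UnsupportedCallbackException(pwcb, "Key password not configured");
                    pwcb.setPassword(keyPassword);
                    break;
                default:
                    throw new UnsupportedCallbackException(pwcb, "Unexpected usage " + pwcb.getUsage());
            }
        }
    }

    // As in the article's handler, WSS4J 1.5 passes the presented PasswordText password in the callback.
    private void verifyUsernameToken(WSPasswordCallback pwcb) throws UnsupportedCallbackException {
        String[] record = USERS.get(pwcb.getIdentifer());
        String presented = pwcb.getPassword();
        // Hash even for unknown users so response timing does not reveal which usernames exist.
        String salt = record != null ? record[0] : "000000";
        String expected = record != null ? record[1] : sha256Hex("000000");
        boolean ok = record != null && presented != null && MessageDigest.isEqual(
                sha256Hex(salt + presented).getBytes(StandardCharsets.US_ASCII),
                expected.getBytes(StandardCharsets.US_ASCII));
        if (!ok) {
            // One generic message for unknown user and wrong password alike.
            throw new UnsupportedCallbackException(pwcb, "Authentication Failed");
        }
    }

    static String sha256Hex(String s) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Point passwordCallbackClass in the Policy at this class and start the JVM with -Dhelloworld.keyPassword=<key password> (the key password itself stays out of the source tree).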

In summary, authentication defines a simple check, integrity provides an integrity check on the transmission, and confidentiality defines the strictest check on the data, including encryption of the data body.
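As an added check on this summary (example code written for this page, not part of the original article), the Java inspector below takes a captured SOAP message, with its namespace declarations intact, and reports which of the three intents it actually exhibits: a UsernameToken and whether its password is PasswordText, a Signature Reference that covers the Body's wsu:Id, a Body replaced by EncryptedData, and a Timestamp. The embedded sample is a constructed copy of the authentication message above; the namespace URIs are the standard WS-Security ones.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

// Added example (not the article's code): report which intents a captured SOAP message really carries.
public class WsSecurityInspector {
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";
    static final String XENC = "http://www.w3.org/2001/04/xmlenc#";
    static final String PW_TEXT =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText";

    public static List<String> inspect(String soapXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs, no XXE
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(soapXml)));
        List<String> findings = new ArrayList<String>();

        // authentication: UsernameToken present, and is the password sent as PasswordText (clear text)?
        NodeList pw = doc.getElementsByTagNameNS(WSSE, "Password");
        if (pw.getLength() == 0) findings.add("no UsernameToken");
        else if (PW_TEXT.equals(((Element) pw.item(0)).getAttribute("Type")))
            findings.add("UsernameToken with PasswordText: clear-text password, transport must be protected");
        else findings.add("UsernameToken with PasswordDigest");

        // integrity: does some ds:Reference point at the Body's wsu:Id?
        Element body = (Element) doc.getElementsByTagNameNS(SOAP, "Body").item(0);
        String bodyId = body == null ? "" : body.getAttributeNS(WSU, "Id");
        boolean bodySigned = false;
        NodeList refs = doc.getElementsByTagNameNS(DS, "Reference");
        for (int i = 0; i < refs.getLength(); i++) {
            String uri = ((Element) refs.item(i)).getAttribute("URI");
            if (bodyId.length() > 0 && uri.equals("#" + bodyId)) bodySigned = true;
        }
        findings.add(bodySigned ? "Body signed" : "Body not signed");

        // confidentiality: has the Body content been replaced by xenc:EncryptedData?
        boolean encrypted = body != null
                && body.getElementsByTagNameNS(XENC, "EncryptedData").getLength() > 0;
        findings.add(encrypted ? "Body encrypted" : "Body not encrypted");

        // replay window: the integrity and confidentiality messages carry a wsu:Timestamp
        findings.add(doc.getElementsByTagNameNS(WSU, "Timestamp").getLength() > 0
                ? "Timestamp present" : "no Timestamp");
        return findings;
    }

    // Constructed sample: the authentication case from the article, namespace declarations restored.
    static final String SAMPLE =
        "<soapenv:Envelope xmlns:soapenv='" + SOAP + "' xmlns:wsse='" + WSSE + "'>"
        + "<soapenv:Header><wsse:Security><wsse:UsernameToken>"
        + "<wsse:Username>wangfeng</wsse:Username>"
        + "<wsse:Password Type='" + PW_TEXT + "'>Passwd</wsse:Password>"
        + "</wsse:UsernameToken></wsse:Security></soapenv:Header>"
        + "<soapenv:Body><getGreetings>World</getGreetings></soapenv:Body></soapenv:Envelope>";

    public static void main(String[] args) throws Exception {
        for (String finding : inspect(SAMPLE)) System.out.println(finding);
    }
}
```

For the embedded sample the findings are "UsernameToken with PasswordText", "Body not signed", "Body not encrypted" and "no Timestamp"; run it over the integrity and confidentiality captures to confirm the Body is in fact signed and encrypted.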
