(Repost) Understanding WS Policy in SCA

Programmer Article Station (程序员文章站), 2022-05-21 18:41:12

Original link: http://gocom.primeton.com/modules/newbb/item57151_57151.htm
The SCA specification provides a security framework (SCA_Policy_Framework) that constrains how data is passed while a service is invoked. Below, the WebService Policy part of that framework is explained in detail, based on my own practice, with a focus on how it is implemented.

The Policy Framework splits a security definition into two parts: Intent and PolicySet. An Intent defines a policy abstractly: it only declares that such a constraint exists, without specifying its concrete content. A PolicySet defines the concrete implementation of a policy; combined with an Intent, it supplies the detailed policy definition for that Intent.

An Intent is specified as follows:

<intent name="intent-name" constrains="what-it-constrains"/>
e.g.:
<intent name="RequiredTransaction" constrains="sca:binding"/>
A PolicySet is specified as follows:

<policySet name="policyset-name" provides="implemented-intent" appliesTo="constraint">
    concrete policy definition goes here
</policySet>
e.g.:
<policySet name="RequiredTransactionPolicy" provides="RequiredTransaction" appliesTo="sca:binding.sca">
    <transactionPolicy action="REQUIRES_NEW" />
</policySet>
For WebServices, the specification defines three fixed Intents: authentication, integrity and confidentiality.

authentication validates the transmitted data against the user name and password supplied by the user; integrity validates the data using the transmitted certificate (X509V3); confidentiality encrypts the transmitted data, then decrypts it and uses the data's hash value to decide whether it was modified in transit.

The three are described separately below (using axis2 as the example; in axis2 the security checks are performed by rampart):

(Note: WS security involves a lot of material, so please review it on your own; the relevant topics are axis2, rampart, ws policy, sca policy, the ws specs and so on.)

1. authentication

On the Server side, the user name and password carried in the incoming SOAP Header must be checked; this is done by specifying the appropriate CallbackHandler.

Policy definition:

<parameter name="InflowSecurity">
    <action>
        <items>UsernameToken</items>
        <passwordCallbackClass>helloworld.ServerPWCBHandler</passwordCallbackClass>
    </action>
</parameter>
CallbackHandler implementation, in which the user name and password are checked:

import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

public class ServerPWCBHandler implements CallbackHandler {
    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            WSPasswordCallback pwcb = (WSPasswordCallback) callbacks[i];
            // With PasswordText the received clear-text password is handed to the handler for comparison
            // (getIdentifer() is the WSS4J 1.5 spelling of the accessor for the user name)
            if (pwcb.getUsage() == WSPasswordCallback.USERNAME_TOKEN) {
                if (pwcb.getIdentifer().equals("wangfeng") && pwcb.getPassword().equals("Passwd")) {
                    return;
                } else {
                    throw new UnsupportedCallbackException(pwcb,
                            "Authentication Failed : UserId - Password mismatch");
                }
            }
        }
    }
}
On the Client side, the user name and password have to be added to the outgoing data. The user name is given in the Policy definition file; the password is again set through a CallbackHandler.

Policy definition:

<parameter name="OutflowSecurity">
    <action>
        <items>UsernameToken</items>
        <user>wangfeng</user>
        <passwordCallbackClass>helloworld.ClientPWCBHandler</passwordCallbackClass>
        <passwordType>PasswordText</passwordType>
    </action>
</parameter>
Setting passwordType to PasswordText in the Policy means the password is transmitted in clear text.
CallbackHandler implementation, which sets the calling user's password:

import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

public class ClientPWCBHandler implements CallbackHandler {
    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            WSPasswordCallback pwcb = (WSPasswordCallback) callbacks[i];
            // Rampart asks for the password of the user named in <user>; supply it here
            System.out.println("User Id = " + pwcb.getIdentifer());
            pwcb.setPassword("Passwd");
        }
    }
}
When the method getGreetings is invoked with the string World, the SOAP message sent is as follows:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
soapenv:mustUnderstand="1">
   <wsse:UsernameToken
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="UsernameToken-13482579">
    <wsse:Username>wangfeng</wsse:Username>
    <wsse:Password
Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">
Passwd</wsse:Password>
   </wsse:UsernameToken>
  </wsse:Security>
</soapenv:Header>
<soapenv:Body>
  <ns:getGreetings xmlns:ns="http://helloworld">
   <ns3:name xmlns:ns3="http://helloworld" xmlns:ns2="http://helloworld/" xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">World</ns3:name>
  </ns:getGreetings>
</soapenv:Body>
</soapenv:Envelope>
As the transmitted SOAP Header shows, the Header carries the user name and password for the Server side to verify.
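As an added example (not part of the original post), the server-side check the handler above performs, written in Python over the captured envelope shape: it accepts a PasswordText token by constant-time comparison and also handles the profile's PasswordDigest alternative, which this page does not configure, with freshness and nonce-replay checks. The credential store, the envelope builders and the nonce cache are constructed here for illustration.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_TEXT = PROFILE + "#PasswordText"
PASSWORD_DIGEST = PROFILE + "#PasswordDigest"

# Constructed credential store standing in for the "wangfeng"/"Passwd" pair hard-coded in the page's handler.
CREDENTIALS = {"wangfeng": "Passwd"}
# Nonces already accepted (replay protection); a real server needs a shared cache that expires entries.
SEEN_NONCES = set()

def parse_ws_time(value):
    """Parse a wsu:Created value as UTC (the captures on this page use millisecond precision)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def parse_username_token(envelope_xml):
    """Extract Username, Password (with its Type), Nonce and Created from wsse:UsernameToken."""
    token = ET.fromstring(envelope_xml).find(".//{%s}UsernameToken" % WSSE)
    if token is None:
        raise ValueError("no wsse:UsernameToken in the Security header")
    find = lambda ns, tag: token.find("{%s}%s" % (ns, tag))
    text = lambda el: None if el is None else (el.text or "").strip()
    pw = find(WSSE, "Password")
    return {
        "username": text(find(WSSE, "Username")),
        "password": text(pw),
        "type": None if pw is None else pw.get("Type", PASSWORD_TEXT),  # profile default is PasswordText
        "nonce": text(find(WSSE, "Nonce")),
        "created": text(find(WSU, "Created")),
    }

def password_digest(nonce_b64, created, password):
    """UsernameToken Profile 1.0 digest: Base64(SHA-1(nonce || created || password))."""
    raw = base64.b64decode(nonce_b64) + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def verify_username_token(envelope_xml, now=None, max_age_minutes=5):
    """True only if the token matches CREDENTIALS; digests must also be fresh and not replayed."""
    tok = parse_username_token(envelope_xml)
    expected = CREDENTIALS.get(tok["username"])
    if expected is None or tok["password"] is None:
        return False
    if tok["type"] == PASSWORD_TEXT:
        # Clear-text password, as sent by the page's PasswordText configuration; compare in constant time.
        return hmac.compare_digest(tok["password"].encode(), expected.encode())
    if tok["type"] == PASSWORD_DIGEST:
        if not tok["nonce"] or not tok["created"]:
            return False
        created = parse_ws_time(tok["created"])
        current = parse_ws_time(now) if now else datetime.now(timezone.utc)
        if not (current - timedelta(minutes=max_age_minutes) <= created <= current + timedelta(minutes=1)):
            return False  # stale or future-dated token
        if tok["nonce"] in SEEN_NONCES:
            return False  # replayed nonce
        calc = password_digest(tok["nonce"], tok["created"], expected)
        if not hmac.compare_digest(tok["password"].encode(), calc.encode()):
            return False
        SEEN_NONCES.add(tok["nonce"])
        return True
    return False  # unknown password Type: reject rather than guess

def make_envelope(token_body):
    """Constructed envelope with the header layout of the page's captured getGreetings call."""
    return (
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
        '<soapenv:Header><wsse:Security xmlns:wsse="%s" xmlns:wsu="%s" soapenv:mustUnderstand="1">'
        '<wsse:UsernameToken><wsse:Username>wangfeng</wsse:Username>%s</wsse:UsernameToken>'
        '</wsse:Security></soapenv:Header><soapenv:Body/></soapenv:Envelope>' % (WSSE, WSU, token_body)
    )

def make_digest_envelope(nonce_b64, created, password):
    digest = password_digest(nonce_b64, created, password)
    return make_envelope(
        '<wsse:Password Type="%s">%s</wsse:Password><wsse:Nonce>%s</wsse:Nonce>'
        '<wsu:Created>%s</wsu:Created>' % (PASSWORD_DIGEST, digest, nonce_b64, created)
    )
```

Note that verifying a PasswordDigest still requires the server to hold the clear-text password (or an equivalent secret), so the digest only keeps the password off the wire; it is not a substitute for transport protection.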

2. integrity
On the Server side, the concrete WebService Policy corresponding to integrity must be specified: the certificate's encryption algorithm, the alias in the certificate, the keystore password, the certificate location and other certificate-related information. During transmission the certificate is verified, which guarantees that the call is legitimate.

<wsp:Policy wsu:Id="SignOnly"
   xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
   xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <wsp:ExactlyOne>
   <wsp:All>
    <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
     <wsp:Policy>
      <sp:InitiatorToken>
       <wsp:Policy>
        <sp:X509Token
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
         <wsp:Policy>
          <sp:WssX509V3Token10/>
         </wsp:Policy>
        </sp:X509Token>
       </wsp:Policy>
      </sp:InitiatorToken>
      <sp:RecipientToken>
       <wsp:Policy>
        <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
         <wsp:Policy>
          <sp:WssX509V3Token10/>
         </wsp:Policy>
        </sp:X509Token>
       </wsp:Policy>
      </sp:RecipientToken>
      <sp:AlgorithmSuite>
       <wsp:Policy>
        <sp:TripleDesRsa15/>   <!-- algorithm suite: Triple DES for data, RSA 1.5 for key transport -->
       </wsp:Policy>
      </sp:AlgorithmSuite>
      <sp:Layout>
       <wsp:Policy>
        <sp:Strict/>
       </wsp:Policy>
      </sp:Layout>
      <sp:IncludeTimestamp/>
      <sp:OnlySignEntireHeadersAndBody/>
     </wsp:Policy>
    </sp:AsymmetricBinding>
    <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
     <wsp:Policy>
      <sp:MustSupportRefKeyIdentifier/>
      <sp:MustSupportRefIssuerSerial/>
     </wsp:Policy>
    </sp:Wss10>
    <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
     <sp:Body/>
    </sp:SignedParts>

    <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
     <ramp:user>wangfeng</ramp:user>
     <ramp:encryptionUser>wangfeng</ramp:encryptionUser>
     <ramp:passwordCallbackClass>helloworld.ServerPWCBHandler</ramp:passwordCallbackClass>
    
     <ramp:signatureCrypto>
      <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
       <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
       <ramp:property name="org.apache.ws.security.crypto.merlin.file">key.jks</ramp:property>
       <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">passwd</ramp:property>
      </ramp:crypto>
     </ramp:signatureCrypto>
    </ramp:RampartConfig>

   </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
The latter part of the Policy configures rampart with the certificate information.

If the configuration above is unclear, refer to the WebService Policy specification and the documentation of the Rampart implementation.

In the CallbackHandler the corresponding user name and password must be supplied so that the certificate verification can complete.

import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

public class ServerPWCBHandler implements CallbackHandler {
    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            WSPasswordCallback pwcb = (WSPasswordCallback) callbacks[i];
            // SIGNATURE usage: Rampart needs the private-key password for the signing alias
            if (pwcb.getUsage() == WSPasswordCallback.SIGNATURE) {
                pwcb.setPassword("Passwd");
            }
        }
    }
}
On the client side, the corresponding Policy and CallbackHandler must also be specified; here they can simply be kept consistent with the Server side.
The certificate can be generated with the Java keytool utility.
For the above example, the SOAP sent and the SOAP returned are as follows:
SOAP sent:

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
  <wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
soapenv:mustUnderstand="1">
   <wsu:Timestamp
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Timestamp-9550256">
    <wsu:Created>2008-08-28T03:04:45.734Z</wsu:Created>
    <wsu:Expires>2008-08-28T03:09:45.734Z</wsu:Expires>
   </wsu:Timestamp>
   <wsse:BinarySecurityToken
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="CertId-1436578">MIICSjCCAbMCBEePj2cwDQYJKoZIhvcNAQEEBQAwbDEQMA4GA1UEBhMHVW5rbm93bjEQMA4GA1UECBMHVW
5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4GA1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjEQMA4GA1UEAxMHVW5rbm
93bjAeFw0wODAxMTcxNzI0NTVaFw0xODEyMzAxNzI0NTVaMGwxEDAOBgNVBAYTB1Vua25vd24xEDAOBgNVBAgTB1Vua25vd24xEDAOBgN
VBAcTB1Vua25vd24xEDAOBgNVBAoTB1Vua25vd24xEDAOBgNVBAsTB1Vua25vd24xEDAOBgNVBAMTB1Vua25vd24wgZ8wDQYJKoZIhvcN
AQEBBQADgY0AMIGJAoGBAIsUK0NiI6DnMP/3XBKeSUJ1F15uJ2IcmJVDq3BVd/EHDVU9IEq+g95mpX99mAXQVVwV98PDxEKdQ0C+KNa
ku9XndBCu9IURUYtQk7Rgl0vMN+hEHvzPvMJ2NT/61/y22cAiLZF9k4fQxcxF6IX8EMWk439RBQZ2og7ZV2UUHxrzAgMBAAEwDQYJKoZIh
vcNAQEEBQADgYEAe55/HZRUFG3QjpbiTCgwoWZKsYzfYJSnQrO8rewGdFKf4SwhOGbmf3s9iKO6xdLz+5hnrZ3ySv28g1GwsUt4GMUHYi/jn
7p+Vmot10h1/yL/p06IEiTzkj1Dluq4tJW2KPCagQZqoJ5SEcoimnvkjD5ZoFqGwyJ0DoDk3BP907c=</wsse:BinarySecurityToken>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-3790865">
    <ds:SignedInfo>
     <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
     <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
     <ds:Reference URI="#Id-10013687">
      <ds:Transforms>
       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>xf0YRx+TekKz/7e8pRVpQekBPVQ=</ds:DigestValue>
     </ds:Reference>
     <ds:Reference URI="#Timestamp-9550256">
      <ds:Transforms>
       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>mo2eoha6ygEvERYuxcxhhdadLD8=</ds:DigestValue>
     </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
cMyhvlnQAJ1RvlrdSTC6pic5JRr6nWX0D2DlPBQ+FVHMNrLwMfp35Rxj2NZiMF+HCo4g3LUvEeTk
hTAfIrTE48uVpvc7VyqgZPqxvX5f1Ks3XmAXqgGlNMVCZqOK4mSqdrLATOeuGWFzkuOzsajqkL//
/SXBiMuq6A96dshj0UU=
</ds:SignatureValue>
    <ds:KeyInfo Id="KeyId-9089012">
     <wsse:SecurityTokenReference
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="STRId-30729370">
      <wsse:Reference URI="#CertId-1436578"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
     </wsse:SecurityTokenReference>
    </ds:KeyInfo>
   </ds:Signature>
  </wsse:Security>
</soapenv:Header>
<soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Id-10013687">
  <_ns_:getGreetings xmlns:_ns_="http://helloworld">
   <ns3:name xmlns:ns3="http://helloworld"
xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns2="http://helloworld/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">World</ns3:name>
  </_ns_:getGreetings>
</soapenv:Body>
</soapenv:Envelope> 
SOAP returned:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
soapenv:mustUnderstand="1">
   <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Timestamp-12372212">
    <wsu:Created>2008-08-28T03:04:47.187Z</wsu:Created>
    <wsu:Expires>2008-08-28T03:09:47.187Z</wsu:Expires>
   </wsu:Timestamp>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-9805729">
    <ds:SignedInfo>
     <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
     <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
     <ds:Reference URI="#Id-2954177">
      <ds:Transforms>
       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>AvpChhWzYb6Hl8Xuc8WnZKsClpA=</ds:DigestValue>
     </ds:Reference>
     <ds:Reference URI="#Timestamp-12372212">
      <ds:Transforms>
       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>Qtj/n4wiHPzih8rcyvLwnek7TcE=</ds:DigestValue>
     </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
Omtf8ktomHmBzvYrnJy0thbyOE1exvjXIsHVDhcQtt4zXXKXCU4EmF4ipHDrSrjsIN5uwb0pWvvf
z7oebDx6k2IBin1/O5+Sj48VhUkIJXRr6ehrZlvhRAfv/KZrdf7dfpXUGl3caQ1i4gqV2KVc06QG
QHK/iCqJSiK2JMOXR1g=
</ds:SignatureValue>
    <ds:KeyInfo Id="KeyId-33486858">
     <wsse:SecurityTokenReference
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="STRId-5142872">
      <wsse:KeyIdentifier
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">7n1V7BAAn28161h3Jn7JZkY1HfA=</wsse:KeyIdentifier>
     </wsse:SecurityTokenReference>
    </ds:KeyInfo>
   </ds:Signature>
  </wsse:Security>
</soapenv:Header>
<soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Id-2954177">
  <_ns_:getGreetingsResponse xmlns:_ns_="http://helloworld">
   <ns3:getGreetingsReturn xmlns:ns3="http://helloworld" xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:ns2="http://helloworld/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
Hello World</ns3:getGreetingsReturn>
  </_ns_:getGreetingsResponse>
</soapenv:Body>
</soapenv:Envelope>
From the transmitted SOAP we can see that the SOAP Header content has been cryptographically processed (signed over the Body and Timestamp) using the transmitted certificate.

3. confidentiality
Input and output data are encrypted and decrypted with the specified algorithm, and verified against the certificate contents to decide whether they are legitimate.
The Server side specifies how input and output data are encrypted: InflowSecurity specifies how incoming data is handled, OutflowSecurity how outgoing data is handled.

For example:

<parameter name="InflowSecurity">
    <action>
        <items>Timestamp Signature Encrypt</items>
        <passwordCallbackClass>helloworld.ServerPWCBHandler</passwordCallbackClass>
        <signaturePropFile>security.properties</signaturePropFile>
    </action>
</parameter>
<parameter name="OutflowSecurity">
    <action>
        <items>Timestamp Signature Encrypt</items>
        <user>wangfeng</user>
        <encryptionUser>wangfeng</encryptionUser>
        <passwordCallbackClass>helloworld.ServerPWCBHandler</passwordCallbackClass>
        <signaturePropFile>security.properties</signaturePropFile>
        <signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>
        <encryptionKeyIdentifier>SKIKeyIdentifier</encryptionKeyIdentifier>
        <!-- how the public-key certificate is referenced: SKIKeyIdentifier or IssuerSerial -->
    </action>
</parameter>
The encryptionKeyIdentifier attribute specifies how the certificate is referenced; there are two options, SKIKeyIdentifier or IssuerSerial, and SKIKeyIdentifier is the usual choice.

The certificate password is set in the CallbackHandler.

import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

public class ServerPWCBHandler implements CallbackHandler {
    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            WSPasswordCallback pwcb = (WSPasswordCallback) callbacks[i];
            // The same keystore password serves every usage here (signature and decryption)
            pwcb.setPassword("Passwd");
        }
    }
}
The configuration file security.properties specifies the certificate and related information; this is where rampart's settings are given in axis.

org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=Passwd
org.apache.ws.security.crypto.merlin.file=key.jks
On the Client side, the handling must mirror the Server's: the Server's InflowSecurity corresponds to the Client's OutflowSecurity, and the Server's OutflowSecurity corresponds to the Client's InflowSecurity. The corresponding configuration is:

<parameter name="InflowSecurity">
    <action>
        <items>Timestamp Signature Encrypt</items>
        <passwordCallbackClass>helloworld.ClientPWCBHandler</passwordCallbackClass>
        <signaturePropFile>security.properties</signaturePropFile>
    </action>
</parameter>
<parameter name="OutflowSecurity">
    <action>
        <items>Timestamp Signature Encrypt</items>
        <user>wangfeng</user>
        <encryptionUser>wangfeng</encryptionUser>
        <passwordCallbackClass>helloworld.ClientPWCBHandler</passwordCallbackClass>
        <signaturePropFile>security.properties</signaturePropFile>
        <signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>
        <encryptionKeyIdentifier>SKIKeyIdentifier</encryptionKeyIdentifier>
    </action>
</parameter>
The SOAP messages transmitted are as follows:
SOAP sent

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<soapenv:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
soapenv:mustUnderstand="1">
   <xenc:EncryptedKey Id="EncKeyId-12890052">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
     <wsse:SecurityTokenReference>
      <wsse:KeyIdentifier
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">MDMfMNMO10+i/kdPBYb9rJop9Eg=</wsse:KeyIdentifier>
     </wsse:SecurityTokenReference>
    </ds:KeyInfo>
    <xenc:CipherData>
     <xenc:CipherValue>oeFjdDJeIpm55UretATfaiiXK+mbmNtracz4rIsSfboNXO04HYFRAH9u7jYLg4d49mqm4LZEHQS2pw
XYI/SJi4B2x1PNjIlMOv8iuRpHe3RXgFQiVoWNYxgyK9q/GAdzIKzah5VSOUy0ez2hqVpctAJqayZ1iNhJqNk9XBHNGpc=
</xenc:CipherValue>
    </xenc:CipherData>
    <xenc:ReferenceList>
     <xenc:DataReference URI="#EncDataId-15868406"/>
    </xenc:ReferenceList>
   </xenc:EncryptedKey>
   <wsse:BinarySecurityToken
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="CertId-2120440">MIICVjCCAb8CBEddgt8wDQYJKoZIhvcNAQEEBQAwcjEQMA4GA1UEBhMHVW5rbm93bjEQMA4GA
1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4GA1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjEWM
BQGA1UEAxMNVHVzY2FueVdzVXNlcjAeFw0wNzEyMTAxODE4MDdaFw0wOTAxMTMxODE4MDdaMHIxEDAOBgNVBAYTB1Vua25vd2
4xEDAOBgNVBAgTB1Vua25vd24xEDAOBgNVBAcTB1Vua25vd24xEDAOBgNVBAoTB1Vua25vd24xEDAOBgNVBAsTB1Vua25vd24x
FjAUBgNVBAMTDVR1c2NhbnlXc1VzZXIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMT6zc0gqdlNVXNfLBqc7TiegqDcLyvjT3M
mpU7dAIpsDB1+3oWDU+0tTHBKu/KYap9Zwp+/xrqtCVNNg4eDWqW88Z51lhJwq5Dn9zadnBfPEPB5c6gZVTd8ouZFd/ZCGpiktx4
54iA2TAnuLLJt306SFqC5XKD5SDUZvmtMpQeRAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAB72+v2ajRs1Oy7D6D4lDoXN90ZuMC3
CjZm6M871eu9Kk74AFc/dMfBoj5b5H4367DZrMz47/yFcU8N5QFq6inx+8RU0XDwuGYTIbXv7es9BcqG2/um86V10N30Ep2HfTm
6Ag3zkpfvk8/K/YUBZ8WJWLbGxbZDpRzzEEpxfOCY8=</wsse:BinarySecurityToken>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-32653965">
    <ds:SignedInfo>
     <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
     <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
     <ds:Reference URI="#id-15868406">
      <ds:Transforms>
       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>8IdqFtLVMouLQ8WijhNUPMH+xx4=</ds:DigestValue>
     </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
t6PSuLaynhSsuXRBlbO5dqKXScHKCgeheLvriD9aD9nIOeQM+grMIXJQh9sKvSdnDIVh+Fh7NpiQ
AY/TzLCxb01+W2lbZ8XzGAsIty8geHmz1I0YKr05mp9halywVR0ACsKLzcF/ToMpeO5dISFb6ZMx
b8XXFo33rCy6HxANuek=
</ds:SignatureValue>
    <ds:KeyInfo Id="KeyId-26533782">
     <wsse:SecurityTokenReference
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-602878">
      <wsse:Reference URI="#CertId-2120440"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
     </wsse:SecurityTokenReference>
    </ds:KeyInfo>
   </ds:Signature>
   <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Timestamp-4368107">
    <wsu:Created>2008-10-22T05:16:04.953Z</wsu:Created>
    <wsu:Expires>2008-10-22T05:21:04.953Z</wsu:Expires>
   </wsu:Timestamp>
  </wsse:Security>
</soapenv:Header>
<soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="id-15868406">
  <xenc:EncryptedData Id="EncDataId-15868406" Type="http://www.w3.org/2001/04/xmlenc#Content">
   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
   <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
     <wsse:Reference URI="#EncKeyId-12890052"/>
    </wsse:SecurityTokenReference>
   </ds:KeyInfo>
   <xenc:CipherData>
    <xenc:CipherValue>oslygTCQMQx1IcFIe62I8adMBM1n7AcU/J9h+lzJfIatelbzOFeqMi9KpNMglJQnIdmCtZRIxleq
pZ3ZYSH70zewqCcCw/PfiIFcXSF0WGYEynyEPC/5W8mNWAk7XSR7bZ+o1qUTh0JywQ8OE5agHVYC
4UXjHVzdritVTrv+1t0J+z3RSygcUVGJ5yblUwFXrCTTDIB90XZVhGJZuwa1wp/3/iJNCEZ1fJ6n
DvMPDzIMjAKBplwuaHlXkwlUJzsQGz1IpKFpXqOd+AVg9mjQoNaZjsxb/ceG93XdoQvNFkQzGzdF
XOqr4ThCg383ilaDjyytQQPc+d3ynZGqmYhaNP9RnP8H0SPX3NtZEiEVu/I8Sws8baN4BCuAEJrB
MeDF4Xmbg6+oywuRt0pwvmkKtj7KDlb9n6wzWoHSZevWKhuxNTBCmyBcy6joGIvW8A1CVMWonQ52
6GJCaLJb1Gvq9iUtACPCk2AYDp9jvmvNt60=</xenc:CipherValue>
   </xenc:CipherData>
  </xenc:EncryptedData>
</soapenv:Body>
</soapenv:Envelope>
SOAP received

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<soapenv:Header>
  <wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
soapenv:mustUnderstand="1">
   <xenc:EncryptedKey Id="EncKeyId-26127350">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
     <wsse:SecurityTokenReference>
      <wsse:KeyIdentifier
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">MDMfMNMO10+i/kdPBYb9rJop9Eg=</wsse:KeyIdentifier>
     </wsse:SecurityTokenReference>
    </ds:KeyInfo>
    <xenc:CipherData>
     <xenc:CipherValue>W14JvuGArIZoJNQKmlnK+q9CjPUI64wAesye0zu6Vcxwqgbm3tpYUn02AbFrdr3C50GTydDyKp0TIhxxwVp+
18cOydXTH6pixUO5DKE+G3HEYr2Jn5Dc4Y6D/PTh61aH6LfF5BVbQTUviEiRkAve8MVAuBikukaJbkd41+fg4Fw=</xenc:CipherValue>
    </xenc:CipherData>
    <xenc:ReferenceList>
     <xenc:DataReference URI="#EncDataId-15736146"/>
    </xenc:ReferenceList>
   </xenc:EncryptedKey>
   <wsse:BinarySecurityToken
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="CertId-2120440">MIICVjCCAb8CBEddgt8wDQYJKoZIhvcNAQEEBQAwcjEQMA4GA1UEBhMHVW5rbm93bjEQMA4GA1UECBMH
VW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4GA1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjEWMBQGA1UEAxMNV
VzY2FueVdzVXNlcjAeFw0wNzEyMTAxODE4MDdaFw0wOTAxMTMxODE4MDdaMHIxEDAOBgNVBAYTB1Vua25vd24xEDAOBgNVBAgT
B1Vua25vd24xEDAOBgNVBAcTB1Vua25vd24xEDAOBgNVBAoTB1Vua25vd24xEDAOBgNVBAsTB1Vua25vd24xFjAUBgNVBAMTDVR
1c2NhbnlXc1VzZXIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMT6zc0gqdlNVXNfLBqc7TiegqDcLyvjT3MmpU7dAIpsDB1+3o
WDU+0tTHBKu/KYap9Zwp+/xrqtCVNNg4eDWqW88Z51lhJwq5Dn9zadnBfPEPB5c6gZVTd8ouZFd/ZCGpiktx454iA2TAnuLLJt306SF
qC5XKD5SDUZvmtMpQeRAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAB72+v2ajRs1Oy7D6D4lDoXN90ZuMC3CjZm6M871eu9Kk7
4AFc/dMfBoj5b5H4367DZrMz47/yFcU8N5QFq6inx+8RU0XDwuGYTIbXv7es9BcqG2/um86V10N30Ep2HfTm6Ag3zkpfvk8/K/YUB
Z8WJWLbGxbZDpRzzEEpxfOCY8=</wsse:BinarySecurityToken>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-9531264">
    <ds:SignedInfo>
     <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
     <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
     <ds:Reference URI="#id-15736146">
      <ds:Transforms>
       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>r3GJPoQlKifjL2t+/7yq9z4FdKA=</ds:DigestValue>
     </ds:Reference>
     <ds:Reference URI="#SigConf-26469">
      <ds:Transforms>
       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>gRWUodHEbu+3iQzPyX4/S3YiDvU=</ds:DigestValue>
     </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
eW11PF0/cMT0Nn2oR8huk6Dcvn3Rl+DA5y+VvPLm7VaA7AVnSeTh1O99aeTBv2gZlJ/6/+q0RIfC
fTDGCIWYELICdFanzvMphP9uJo94t+y/Y5+8ejFcmfHHTSDxGJNL5ruZbNa79uxs/sCGmfB9qiBb
D+2vKoP9/PeUOQYCy4E=
</ds:SignatureValue>
    <ds:KeyInfo Id="KeyId-2419450">
     <wsse:SecurityTokenReference
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-29292935">
      <wsse:Reference URI="#CertId-2120440"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
     </wsse:SecurityTokenReference>
    </ds:KeyInfo>
   </ds:Signature>
   <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Timestamp-6109888">
    <wsu:Created>2008-10-22T05:16:09.062Z</wsu:Created>
    <wsu:Expires>2008-10-22T05:21:09.062Z</wsu:Expires>
   </wsu:Timestamp>
   <wsse11:SignatureConfirmation xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" Value="t6PSuLaynhSsuXR
BlbO5dqKXScHKCgeheLvriD9aD9nIOeQM+grMIXJQh9sKvSdnDIVh+Fh7NpiQAY/TzLCxb01+W2lbZ8XzGAsIty8geHmz1I0YKr05
mp9halywVR0ACsKLzcF/ToMpeO5dISFb6ZMxb8XXFo33rCy6HxANuek=" wsu:Id="SigConf-26469"/>
  </wsse:Security>
</soapenv:Header>
<soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="id-15736146">
  <xenc:EncryptedData Id="EncDataId-15736146" Type="http://www.w3.org/2001/04/xmlenc#Content">
   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
   <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
     <wsse:Reference URI="#EncKeyId-26127350"/>
    </wsse:SecurityTokenReference>
   </ds:KeyInfo>
   <xenc:CipherData>
    <xenc:CipherValue>+SiSCzCdloFxPc3+Sb6HveZSLlkP6gGceTSNfaEKVR6YGb/mbkupz3I0exu+duxvVWApmNuWNzeB
vkEB/uMInp1+3SqC94tqizLx0vtiWuthF9S0hdYUqFWDYe4WadLhjcinjv5XcfK1XvQnD2KxB9Bn
jpg1qprFc8LSzB3NtoiLetSDcl7aRfv7GQ9kTfc+He8dY1cSteWoZ/0D5Ix6W4lK+exUbqpIEpWK
sUwzznKFMhgFPMhpUwJFyLPoJzt+zrjp0ERh4PBIuNQKwObdlJjfcWMoMbJ20fuK5m6+z1X6sL3N
tbB2ly6HYHzz/itfwoP7C0VLQGaY0SJbfBTrFLz3n2DNEZmEF0zRMPchxd//7kfD4MM0mdWWs0sE
9ecAWklC0xrb0PRFz5CbuNZvHi1CUs8EE1i0FAIY7XharUoXVW+AOIst4h90TBBRrryi</xenc:CipherValue>
   </xenc:CipherData>
  </xenc:EncryptedData>
</soapenv:Body>
</soapenv:Envelope>
From the transmitted data we can see that the Body being transported is likewise sent in encrypted form.

In summary, authentication defines a simple verification, integrity provides integrity checking of the transmission, and confidentiality defines the strictest verification of the data, including encryption of the data body.
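An added example, not from the original post, that inspects a captured envelope the way the three sections above do and reports which of the page's intents the header actually satisfies: which wsu:Id values the signature covers (Body, Timestamp), whether the Body is an xenc:EncryptedData, and which of the algorithm URIs seen in these captures (rsa-sha1, sha1, rsa-1_5) a reviewer would flag. The two sample envelopes are constructed to mirror the shape of the integrity and confidentiality captures, not copied from them.

```python
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
WSU_ID = "{%s}Id" % NS["wsu"]

# Algorithm URIs that appear in the page's captures and that a reviewer would flag today.
WEAK_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "RSA with SHA-1 signature",
    "http://www.w3.org/2000/09/xmldsig#sha1": "SHA-1 reference digest",
    "http://www.w3.org/2001/04/xmlenc#rsa-1_5": "RSA PKCS#1 v1.5 key transport",
}

def inspect_envelope(envelope_xml):
    """Report what the wsse:Security header of a SOAP envelope actually protects."""
    root = ET.fromstring(envelope_xml)
    body = root.find("soapenv:Body", NS)
    sec = root.find("soapenv:Header/wsse:Security", NS)
    report = {"username_token": False, "signed_ids": set(), "body_signed": False,
              "timestamp_signed": False, "body_encrypted": False, "algorithms": set(), "weak": set()}
    if sec is None:
        return report
    report["username_token"] = sec.find("wsse:UsernameToken", NS) is not None
    # Which wsu:Id values does the signature cover? Compare them with the Body and Timestamp ids.
    for ref in sec.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS):
        report["signed_ids"].add(ref.get("URI", "").lstrip("#"))
    ts = sec.find("wsu:Timestamp", NS)
    body_id = None if body is None else body.get(WSU_ID)
    ts_id = None if ts is None else ts.get(WSU_ID)
    report["body_signed"] = body_id is not None and body_id in report["signed_ids"]
    report["timestamp_signed"] = ts_id is not None and ts_id in report["signed_ids"]
    report["body_encrypted"] = body is not None and body.find("xenc:EncryptedData", NS) is not None
    method_tags = ("{%s}SignatureMethod" % NS["ds"], "{%s}DigestMethod" % NS["ds"], "{%s}EncryptionMethod" % NS["xenc"])
    for tag in method_tags:
        for el in root.iter(tag):
            alg = el.get("Algorithm", "")
            report["algorithms"].add(alg)
            if alg in WEAK_ALGORITHMS:
                report["weak"].add(WEAK_ALGORITHMS[alg])
    return report

def classify_intent(report):
    """Map the observed protection onto the three intents the page describes."""
    if report["body_encrypted"]:
        return "confidentiality"
    if report["signed_ids"]:
        # A signature that does not cover the Body proves nothing about the payload.
        return "integrity" if report["body_signed"] else "integrity-incomplete"
    if report["username_token"]:
        return "authentication"
    return "none"

def build_envelope(security_xml, body_attrs, body_xml):
    """Constructed envelope wrapper declaring the namespaces used in the page's captures."""
    return ('<soapenv:Envelope xmlns:soapenv="%s" xmlns:wsse="%s" xmlns:wsu="%s" xmlns:ds="%s" xmlns:xenc="%s">'
            '<soapenv:Header><wsse:Security>%s</wsse:Security></soapenv:Header>'
            '<soapenv:Body %s>%s</soapenv:Body></soapenv:Envelope>'
            % (NS["soapenv"], NS["wsse"], NS["wsu"], NS["ds"], NS["xenc"], security_xml, body_attrs, body_xml))

SHA1 = '<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
RSA_SHA1 = '<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>'
TIMESTAMP = '<wsu:Timestamp wsu:Id="Timestamp-1"><wsu:Created>2008-08-28T03:04:45.734Z</wsu:Created></wsu:Timestamp>'

# Shape of the page's integrity capture: X.509 signature over Body and Timestamp, SHA-1 throughout.
SIGNED = build_envelope(
    TIMESTAMP + '<ds:Signature><ds:SignedInfo>' + RSA_SHA1
    + '<ds:Reference URI="#Id-1">' + SHA1 + '</ds:Reference>'
    + '<ds:Reference URI="#Timestamp-1">' + SHA1 + '</ds:Reference></ds:SignedInfo></ds:Signature>',
    'wsu:Id="Id-1"', '<ns:getGreetings xmlns:ns="http://helloworld"><ns:name>World</ns:name></ns:getGreetings>')

# Shape of the page's confidentiality capture: RSA-1.5 key transport, signature over the Body only, Body encrypted.
ENCRYPTED = build_envelope(
    '<xenc:EncryptedKey Id="EncKeyId-1"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>'
    '</xenc:EncryptedKey><ds:Signature><ds:SignedInfo>' + RSA_SHA1
    + '<ds:Reference URI="#id-2">' + SHA1 + '</ds:Reference></ds:SignedInfo></ds:Signature>' + TIMESTAMP,
    'wsu:Id="id-2"',
    '<xenc:EncryptedData Id="EncDataId-2"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>'
    '<xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>')
```

The report only states what the header claims to cover; it does not validate the signature or decrypt anything, so it belongs in a test harness or log review, not on the request path.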