从.wsdl中为Java生成Web服务客户端安全策略

Question

I have been researching how to implement a web service client policies from a .wsdl file.

The policies of the web services implicates a signature and encryption using a .jks file with the necessary keys (asymmetric privateKey for signing, and a symmetric privateKey for encryption). The policy is: username:oracle/wss10_username_token_with_message_protection_service_policy .

I am able to make the .xsd files (request, response and service objects) using the wsimport tool for java (or with cxf or axis2). What i can't resolve is how to make the correct policy.

Is there any way to automatically generate the policies from the .wsdl or do i have to make them by myself

Answer 1

The username:oracle/wss10_username_token_with_message_protection_service_policy is solved with spring ws this way:

<!-- == Ougoing interceptor == -->
<bean id="loginOutgoingWss4jSecurityInterceptor" class="org.springframework.ws.soap.security.wss4j2.Wss4jSecurityInterceptor">
    <property name="securementActions" value="Timestamp Signature Encrypt" />

    <!--  == Set Outgoing Signature properties == -->
    <property name="securementUsername" value="alias"/>
    <property name="securementPassword" value="aliasPass"/>
    <property name="securementSignatureKeyIdentifier" value="DirectReference"/>
    <property name="securementSignatureCrypto" ref="cryptoFactoryBean" />
    <property name="securementSignatureParts" value="{Element}{}Body;{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;" />

    <!--  == Set Outgoing Encryption properties == -->
    <property name="securementEncryptionUser" value="alias"/> 
    <property name="securementEncryptionCrypto" ref="cryptoFactoryBean" />
    <property name="securementEncryptionKeyIdentifier" value="DirectReference"/>
    <property name="securementEncryptionParts" value="{Content}{}Body;" />
</bean>

<!-- == Incoming interceptor == -->
 <bean id="loginIncomingWss4jSecurityInterceptor" class="org.springframework.ws.soap.security.wss4j2.Wss4jSecurityInterceptor">
    <property name="validationActions" value="Timestamp Signature Encrypt" />

    <!--  == Set Validations Response, This validate signature and decrypts response == -->
    <property name="validateResponse" value="true" />

    <!-- The lower operation validation. Less time consume-->
    <property name="validateRequest" value="false" />
    <property name="enableSignatureConfirmation" value="false"/>

    <!--  == Set Incoming Signature/Decryption keystore == -->
    <property name="validationDecryptionCrypto" ref="cryptoFactoryBean" />
    <property name="validationSignatureCrypto" ref="cryptoFactoryBean" />

    <!-- Sets the {@link org.apache.ws.security.WSPasswordCallback} handler to use when validating messages -->
    <property name="validationCallbackHandler">
        <bean class="org.springframework.ws.soap.security.wss4j2.callback.KeyStoreCallbackHandler">
            <property name="privateKeyPassword" value="aliasPass"/>
        </bean>
    </property> 
 </bean>

Answer 2

If you are using policies in WS-SecurityPolicy (1.1 or later) in your wsdl, no need to generate policies nor make them on client side with Apache CXF. With WS-SecurityPolicy, CXF's security runtime is policy driven.

1) You follow CXF's WSDL-first approach to generate the client code, using either wsdl2java command-line tool or Maven cxf-codegen-plugin (wsdl2java goal). This is described in CXF doc's How to develop a client .

2) Following CXF's doc on WS-SecurityPolicy usage , you configure the client security properties for the wsdl port you want to use, either using JAX-WS API (on the client's RequestContext ) or Spring XML configuration. For the list of possible properties, there are the generic XML security ones and WS-Security-specific ones. Example with Spring XML for UsernameToken policy (from Glen Mazza's blog samples ):

<beans xmlns="http://www.springframework.org/schema/beans"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xmlns:jaxws="http://cxf.apache.org/jaxws"
   xsi:schemaLocation="http://www.springframework.org/schema/beans 
   http://www.springframework.org/schema/beans/spring-beans.xsd
   http://cxf.apache.org/jaxws 
   http://cxf.apache.org/schemas/jaxws.xsd">
<jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItPort" createdFromAPI="true">
        <!-- Use this for the UsernameToken Symmetric Binding w/X.509 for secret key derivation -->
        <jaxws:properties>
            <entry key="ws-security.username" value="alice"/>        
            <entry key="ws-security.callback-handler" value="client.ClientPasswordCallback"/>        
            <entry key="ws-security.encryption.properties" value="clientKeystore.properties"/>
            <entry key="ws-security.encryption.username" value="myservicekey"/>
        </jaxws:properties>

        <!-- Use this for the UsernameToken Symmetric Binding w/UT password for secret key derivation -->
        <!--jaxws:properties>
            <entry key="ws-security.username" value="alice"/>        
            <entry key="ws-security.callback-handler" value="client.ClientPasswordCallback"/>        
        </jaxws:properties-->
</jaxws:client>
</beans>

Put this in /cxf.xml on the class path. Warning: the example is using a CallbackHandler subclass ( client.ClientPasswordCallback in this example) to provide the password. So you'll need to provide your own implementation.

3) Back to CXF doc's How to develop a client - last part - in the application code, initialize the client using JAX-WS API with arguments: a) the location of the WSDL (URL) having the WS-SecurityPolicy policies (you already have that, as far as I understand); b) service and port's QNames to be used by the client, as defined in the WSDL:

final Service service = Service.create(wsdlLocation, SERVICE_QNAME);
final DoubleItPortType transportPort = service.getPort(PORT_QNAME, DoubleItPortType.class);

4) Make sure you have cxf-rt-ws-policy and cxf-rt-ws-security modules on the classpath at runtime to enable WS-SecurityPolicy support.