简体繁体 English

安全的Java Web服务

[英]Secure Java Web Services

原文 2011-02-02 12:34:43 4 2 java/ web-services/ security

I am trying to figure out which framework/API would be best for implementing my web services (Java EE). 我试图找出哪个框架/ API最适合实现我的Web服务（Java EE）。 The data being passed back and forth between client and web container needs to be super-secure, and so I'm even thinking of encrypting my data before it even gets wrapped up in a SOAP (or the secure equivalent to SOAP) message, regardless of what security services the framework provides me with. 在客户端和Web容器之间来回传递的数据需要是超级安全的，因此我甚至考虑在将数据包装到SOAP（或安全等效于SOAP）消息之前加密我的数据，无论如何该框架为我提供了哪些安全服务。

I see there is the so-called XWS-Security but it seems that it is for securing legacy JAX-RPC services. 我看到有所谓的XWS-Security，但它似乎是为了保护传统的JAX-RPC服务。 I'd like the framework to be standards-compliant (WSS/OASIS, etc.) and neither deprecated or deprecating (current; compatible with the upcoming Java 7 release, etc.). 我希望框架符合标准（WSS / OASIS等），既不赞成也不弃用（当前;与即将发布的Java 7版本兼容等）。

Is JAX-WS and JAX-RS secure by default? JAX-WS和JAX-RS默认是安全的吗？ If not, is there a compatible "secure wrapper" framework that can be used to adapt an existing JAX-WS web service to implement a secure framework? 如果没有，是否有兼容的“安全包装”框架可用于调整现有的JAX-WS Web服务以实现安全框架？

Any thoughts or suggestions greatly appreciated! 任何想法或建议非常感谢！

2 个解决方案

If you just want to secure the content then use transport layer security, such as HTTPS. 如果您只想保护内容，请使用传输层安全性，例如HTTPS。 This will automatically encrypt WS request/responses and prevent evesdropping and malicious modification. 这将自动加密WS请求/响应并防止窃听和恶意修改。

If you want to do any authentication/authorisation you might want to get the caller to sign the request too. 如果您想进行任何身份验证/授权，您可能希望让呼叫者也签署请求。

You should do two things, first secure the transport using SSL. 您应该做两件事，首先使用SSL保护传输。 If you control both the clients and the server then you can require 2-way SSL which would ensure that only trusted clients can connect. 如果您同时控制客户端和服务器，则可以要求双向SSL，以确保只有受信任的客户端才能连接。

Second you can implement WS security protocols. 其次，您可以实现WS安全协议。 Web service security standards tend to deal with three things: Authentication, Digital Signatures and Encyption/Decyption (from the Spring-WS docs): Web服务安全标准倾向于处理三件事：身份验证，数字签名和Encyption / Decyption（来自Spring-WS文档）：

Authentication. 验证。 This is the process of determining whether a principal is who they claim to be. 这是确定委托人是否是他们声称的人的过程。 In this context, a "principal" generally means a user, device or some other system which can perform an action in your application. 在此上下文中，“主体”通常表示可以在您的应用程序中执行操作的用户，设备或其他系统。

Digital signatures. 数字签名。 The digital signature of a message is a piece of information based on both the document and the signer's private key. 消息的数字签名是基于文档和签名者的私钥的一条信息。 It is created through the use of a hash function and a private signing function (encrypting with the signer's private key). 它是通过使用散列函数和私有签名函数（使用签名者的私钥加密）创建的。

Encryption and Decryption. 加密和解密。 Encryption is the process of transforming data into a form that is impossible to read without the appropriate key. 加密是将数据转换为没有适当密钥就无法读取的形式的过程。 It is mainly used to keep information hidden from anyone for whom it is not intended. 它主要用于将信息隐藏在任何非预期信息的人身上。 Decryption is the reverse of encryption; 解密与加密相反; it is the process of transforming of encrypted data back into an readable form. 它是将加密数据转换回可读形式的过程。

There are a number of protocols/standards for each of these functions, and there are a number of Java OSS projects that implement the various security protocols/standards in a reasonable, usable ways. 每种功能都有许多协议/标准，并且有许多Java OSS项目以合理，可用的方式实现各种安全协议/标准。

In particular I'd look at Sun's XWSS and APACHE WSS4J. 特别是我会看看Sun的XWSS和APACHE WSS4J。 Spring WS has implementations of both of these APIs, they also do a good job of describing the various components: http://static.springsource.org/spring-ws/sites/2.0/reference/html/security.html Spring WS具有这两种API的实现，它们还可以很好地描述各种组件： http ： //static.springsource.org/spring-ws/sites/2.0/reference/html/security.html