How does WSO2 sign the outbound response message with a WS-Security policy?
Tags: wso2, ws-security

We have this flow: client --> secure proxy (ESB) inbound --> process / insert the message into the database ...... secure proxy (ESB) outbound --(signed ack response)---> client (see the message architecture flow diagram). The ack must be signed using a security policy. That security policy is the same one used for the inbound message:
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssX509V3Token10/>
<!-- sp:WssX509V3Token10/ -->
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
<wsp:Policy>
<sp:WssX509V3Token10/>
<!-- sp:WssX509V3Token10/ -->
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:TripleDesRsa15/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
<sp:ProtectTokens/>
<sp:OnlySignEntireHeadersAndBody/>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier/>
<sp:MustSupportRefIssuerSerial/>
</wsp:Policy>
</sp:Wss10>
<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body/>
</sp:SignedParts>
</wsp:All>
</wsp:ExactlyOne>
<rampart:RampartConfig xmlns:rampart="http://ws.apache.org/rampart/policy">
<rampart:user>my_private_key</rampart:user>
<rampart:encryptionUser>your_public_key</rampart:encryptionUser>
<rampart:timestampPrecisionInMilliseconds>true</rampart:timestampPrecisionInMilliseconds>
<rampart:timestampTTL>300</rampart:timestampTTL>
<rampart:timestampMaxSkew>300</rampart:timestampMaxSkew>
<rampart:timestampStrict>false</rampart:timestampStrict>
<rampart:passwordCallbackClass>es.example.wso2.PWCBHandler</rampart:passwordCallbackClass>
<rampart:tokenStoreClass>org.wso2.carbon.security.util.SecurityTokenStore</rampart:tokenStoreClass>
<rampart:nonceLifeTime>300</rampart:nonceLifeTime>
<rampart:encryptionCrypto>
<rampart:crypto cryptoKey="org.wso2.carbon.security.crypto.privatestore" provider="org.wso2.carbon.security.util.ServerCrypto">
<rampart:property name="org.wso2.carbon.security.crypto.alias">your_public_key</rampart:property>
<rampart:property name="org.wso2.carbon.security.crypto.privatestore">test.jks</rampart:property>
<rampart:property name="org.wso2.stratos.tenant.id">-1234</rampart:property>
<rampart:property name="org.wso2.carbon.security.crypto.truststores">test.jks</rampart:property>
<rampart:property name="rampart.config.user">your_public_key</rampart:property>
</rampart:crypto>
</rampart:encryptionCrypto>
<rampart:signatureCrypto>
<rampart:crypto cryptoKey="org.wso2.carbon.security.crypto.privatestore" provider="org.wso2.carbon.security.util.ServerCrypto">
<rampart:property name="org.wso2.carbon.security.crypto.alias">my_private_key</rampart:property>
<rampart:property name="org.wso2.carbon.security.crypto.privatestore">test.jks</rampart:property>
<rampart:property name="org.wso2.stratos.tenant.id">-1234</rampart:property>
<rampart:property name="org.wso2.carbon.security.crypto.truststores">test.jks</rampart:property>
<rampart:property name="rampart.config.user">my_private_key</rampart:property>
</rampart:crypto>
</rampart:signatureCrypto>
</rampart:RampartConfig>
</wsp:Policy>
This is our proxy:
<?xml version="1.0" encoding="UTF-8"?>
<proxy name="secure_proxy" startOnLoad="true" transports="https http" xmlns="http://ws.apache.org/ns/synapse">
<target>
<inSequence>
<header action="remove" name="wsse:Security" scope="default" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"/>
<dbreport description="queryDataBase">
<connection>
<pool>
<dsName>JNDI/NAME</dsName>
</pool>
</connection>
<statement>
<sql><![CDATA[update TABLE SET PARAM1 =?, PARAM2=? WHERE CONDITION =? AND NUM=?]]></sql>
<parameter expression="get-property('PARAM1')" type="VARCHAR"/>
<!-- values taken from the message body: a plain XPath, not get-property(), which expects a property name -->
<parameter expression="//*[local-name()='PARAM2']" type="VARCHAR"/>
<parameter expression="//*[local-name()='CONDITION']" type="NUMERIC"/>
<parameter expression="//*[local-name()='NUM']" type="NUMERIC"/>
</statement>
</dbreport>
<payloadFactory media-type="xml">
<format>
<ns:recepcionResponse xmlns:ns="http://es.ws">
<ns:return>200</ns:return>
</ns:recepcionResponse>
</format>
<args/>
</payloadFactory>
<header name="wsse:Security" scope="default" value="" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"/>
<loopback/>
</inSequence>
<outSequence>
<log level="full">
<property name="***********************OUT" value="**********ACK_S002"/>
</log>
<send/>
</outSequence>
<faultSequence>
<log description="Error" level="custom">
<property name="text" value="ERROR"/>
<property expression="get-property('ERROR_MESSAGE')" name="ErrorMessage: "/>
<property expression="get-property('ERROR_DETAIL')" name="ErrorDetail: "/>
<property expression="get-property('ERROR_EXCEPTION')" name="Exception:"/>
</log>
</faultSequence>
</target>
<publishWSDL uri="https://URI?wsdl"/>
<policy key="gov:ws-config/policy.xml"/>
<enableSec/>
</proxy>
We receive messages signed with this OSB sec policy:
<WL5G3N0:definitions xmlns:WL5G3N0="http://schemas.xmlsoap.org/wsdl/" xmlns:WL5G3N1="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:WL5G3N2="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:WL5G3N3="http://es.xyz" xmlns:WL5G3N4="http://www.w3.org/2006/05/addressing/wsdl" xmlns:WL5G3N5="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" targetNamespace="http://es.xyz">
<WL5G3N0:documentation>Policy</WL5G3N0:documentation>
<WL5G3N1:Policy WL5G3N2:Id="Sign.xml">
<wssp:Integrity xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part" xmlns:wssp="http://www.bea.com/wls90/security/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wssp:SignatureAlgorithm URI="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<wssp:CanonicalizationAlgorithm URI="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<wssp:Target>
<wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/>
<wssp:MessageParts Dialect="http://www.bea.com/wls90/security/policy/wsee#part">wls:SystemHeaders()</wssp:MessageParts>
</wssp:Target>
<wssp:Target>
<wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/>
<wssp:MessageParts Dialect="http://www.bea.com/wls90/security/policy/wsee#part">wls:SecurityHeader(wsu:Timestamp)</wssp:MessageParts>
</wssp:Target>
<wssp:Target>
<wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/>
<wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
</wssp:Target>
<wssp:SupportedTokens>
<wssp:SecurityToken IncludeInMessage="true" TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
<wssp:TokenIssuer>
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
</wssp:TokenIssuer>
</wssp:SecurityToken>
</wssp:SupportedTokens>
</wssp:Integrity>
<wssp:MessageAge xmlns:wssp="http://www.bea.com/wls90/security/policy" Age="60"/>
</WL5G3N1:Policy>
The policy shown above is our sec policy; we have to use this same sec policy to sign the outbound response message.
How can we achieve this? Any help is welcome.
Thanks in advance.

Answer:

Does this example [1] help with implementing your flow? In [2] you can find a policy that both signs and encrypts outgoing messages; if you do not need encryption you can adapt it by removing the encryption part, and reference it from the proxy service definition. [1] -
[2] - This is a working policy I have used over the past few years:
Note that this will include the subject key identifier as the token in the response instead of the whole certificate (binary security token), but once you have it working you can play with those options.
Here is my other policy:

Comments:

Can you post your sec. policy file as well? (ok, strip the password :P)

The policy file by default (unless specified otherwise) applies to both the request and the response.

Yes, I will edit the question to include the sec policy.

I have just attached an image containing the message flow. First, the internal system sends msg01 to the external system through the ESB. Msg01 must be signed. The external system processes the message and sends a signed request (msg02); the proxy service must process msg02 and, if it is correct, send cust
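As an added check, not code from the question or the answer: since the policy applies to the response as well, the quickest way to see whether the ack the ESB returns actually satisfies it is to inspect a captured envelope for the elements the policy demands (wsu:Timestamp, Body and Timestamp covered by signature References, rsa-sha1 as the OSB side expects, and an X.509 BinarySecurityToken for AlwaysToRecipient). The function name and the sample envelope below are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Namespaces of the signed SOAP response (same URIs as in the proxy and policy above)
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"

def check_signed_ack(envelope_xml):
    """Structural check of an ack against the policy: returns a list of violations
    (empty = compliant). The signature value itself is left to Rampart/WSS4J."""
    root = ET.fromstring(envelope_xml)
    header = root.find(f"{{{SOAP}}}Header")
    body = root.find(f"{{{SOAP}}}Body")
    sec = header.find(f"{{{WSSE}}}Security") if header is not None else None
    if sec is None:
        return ["no wsse:Security header on the response"]
    problems = []
    ts = sec.find(f"{{{WSU}}}Timestamp")
    if ts is None:
        problems.append("sp:IncludeTimestamp: no wsu:Timestamp")
    sig = sec.find(f"{{{DS}}}Signature")
    if sig is None:
        return problems + ["no ds:Signature in wsse:Security"]
    # wsu:Id values referenced by the signature, without the leading '#'
    refs = {(r.get("URI") or "").lstrip("#") for r in sig.iter(f"{{{DS}}}Reference")}
    if body is None or body.get(f"{{{WSU}}}Id") not in refs:
        problems.append("sp:SignedParts/sp:Body: Body is not covered by a ds:Reference")
    if ts is not None and ts.get(f"{{{WSU}}}Id") not in refs:
        problems.append("wsu:Timestamp is not covered by a ds:Reference")
    method = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}SignatureMethod")
    if method is None or method.get("Algorithm") != DS + "rsa-sha1":
        problems.append("SignatureMethod is not rsa-sha1 as the OSB policy expects")
    if sec.find(f"{{{WSSE}}}BinarySecurityToken") is None:
        problems.append("IncludeToken/AlwaysToRecipient: no wsse:BinarySecurityToken")
    return problems

# Constructed sample ack (not a real capture); token and signature values are dummies
BST = '<wsse:BinarySecurityToken wsu:Id="X509-1">MIIB...CONSTRUCTED</wsse:BinarySecurityToken>'
BODY_REF = '<ds:Reference URI="#Body-1"/>'
SAMPLE_OK = f"""<S:Envelope xmlns:S="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}">
<S:Header><wsse:Security><wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2015-01-01T00:00:00Z</wsu:Created></wsu:Timestamp>
{BST}
<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{DS}rsa-sha1"/>
<ds:Reference URI="#TS-1"/>{BODY_REF}</ds:SignedInfo><ds:SignatureValue>CONSTRUCTED</ds:SignatureValue></ds:Signature>
</wsse:Security></S:Header>
<S:Body wsu:Id="Body-1"><ns:recepcionResponse xmlns:ns="http://es.ws"><ns:return>200</ns:return></ns:recepcionResponse></S:Body>
</S:Envelope>"""
# Same ack with the certificate left out and the Body not referenced by the signature
SAMPLE_BAD = SAMPLE_OK.replace(BST, "").replace(BODY_REF, "")
```

Run it against a response captured with the ESB wire logs: an empty list means the outbound path did engage the policy, while a non-empty one points at the exact policy assertion the ack fails.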