使用 WS-Security 策略保护 Web Service

可以在 WebSphere® Application Server Liberty 中使用 WS-Security 策略来开发和保护 Java™ API for XML Web Services (JAX-WS) Web Service。通过教程提供了一些示例来说明在 Liberty 中开发和保护 Web Service 时涉及到的常规步骤。请勿在生产环境中使用这些示例。请复审您自己的安全需求,以制定 Web 服务描述语言 (WSDL) 合同和 WS-Security 策略以保护 Web Service 应用程序。

关于此任务

此任务描述如何开发简单的 JAX-WS Web Service 应用程序以及使用 WS-Security 策略来保护这些应用程序。

此任务使用两个密钥库:enc-sender.jceksenc-receiver.jceks。这些密钥库是 WebSphere Application Server 传统版中随附的 WS-Security 样本密钥库。如果您可以访问传统版安装,那么可以从以下其中一个目录获取样本密钥库:

profile_root/etc/ws-security/samples

WASHOME/profileTemplates/defaultdocuments/etc/ws-security/samples

过程

  1. 创建 WSDL 合同和 WS-Security 策略。 在此样本中,创建了一个 WSDL 合同,它包含用于 JAX-WS Web Service 提供者应用程序的 WS-Security 策略。将使用称为具有 X509Token 非对称消息保护(相互认证)的 UsernameToken 的 WS-Security 策略模板。客户机会对 SOAP 主体进行签名和加密,并对请求消息中的 UsernameToken 进行签名和加密。在响应消息中,提供者会对 SOAP 主体进行签名和加密。对于此示例中的安全性约束的完整描述,请参阅具有 X509Token 非对称消息保护(相互认证)的 UsernameToken
    1. 为您的服务创建 WSDL 合同。 以下示例显示了样本 WSDL 合同:
      <?xml version="1.0" encoding="UTF-8"?>
      <wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
                        xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
                        xmlns:tns="http://com/ibm/was/wssample/sei/echo/"
                        xmlns:xsd="http://www.w3.org/2001/XMLSchema" name="WSSampleSei"
                        targetNamespace="http://com/ibm/was/wssample/sei/echo/">
        <wsdl:types>
          <xsd:schema targetNamespace="http://com/ibm/was/wssample/sei/echo/"
                      xmlns:xsd="http://www.w3.org/2001/XMLSchema">
            <xsd:element name="echoStringResponse">
              <xsd:complexType>
                <xsd:sequence>
                  <xsd:element name="echoResponse" type="xsd:string" />
                </xsd:sequence>
              </xsd:complexType>
            </xsd:element>
            <xsd:element name="echoStringInput">
              <xsd:complexType>
                <xsd:sequence>
                  <xsd:element name="echoInput" type="xsd:string" />
                </xsd:sequence>
              </xsd:complexType>
            </xsd:element>
          </xsd:schema>
        </wsdl:types>
        <wsdl:message name="echoOperationRequest">
          <wsdl:part element="tns:echoStringInput" name="parameter" />
        </wsdl:message>
        <wsdl:message name="echoOperationResponse">
          <wsdl:part element="tns:echoStringResponse" name="parameter" />
        </wsdl:message>
        <wsdl:portType name="EchoServicePortType">
          <wsdl:operation name="echoOperation">
            <wsdl:input message="tns:echoOperationRequest" />
            <wsdl:output message="tns:echoOperationResponse" />
          </wsdl:operation>
        </wsdl:portType>
        <wsdl:binding name="Echo1SOAP" type="tns:EchoServicePortType">
          <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http" />
          <wsdl:operation name="echoOperation">
            <soap:operation soapAction="echoOperation" style="document" />
            <wsdl:input>
              <soap:body use="literal" />
            </wsdl:input>
            <wsdl:output>
              <soap:body use="literal" />
            </wsdl:output>
          </wsdl:operation>
        </wsdl:binding>
        <wsdl:service name="Echo1Service">
          <wsdl:port binding="tns:Echo1SOAP" name="Echo1ServicePort">
            <soap:address location="http://localhost:8010/WSSampleSei/Echo1Service" />
          </wsdl:port>
        </wsdl:service>
      </wsdl:definitions>
    2. 将支持安全策略所需的名称空间添加到 WSDL 中的 wsdl:definitions 元素。 以下示例显示了所添加的名称空间:
      xmlns:wsp="http://www.w3.org/ns/ws-policy"
      	xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
      xmlns:sp13="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802"
      xmlns:wsaws="http://www.w3.org/2005/08/addressing"
    3. 在 WSDL 中,正好位于 wsdl:binding 元素之前的位置,添加 WS-Security 策略片段。 此示例中将使用具有 X509Token 非对称消息保护(相互认证)的 UsernameToken 中的策略模板。
    4. 将安全策略的 wsp:PolicyReference 添加到 wsdl:binding 元素。 以下示例显示了 wsp:PolicyReference:
      <wsp:PolicyReference URI="#AsymmetricX509MutualAuthenticationWithUnt" />
    5. 验证最终的 WSDL 看起来是否类似于示例。 以下示例显示了最终的 WSDL:
      <?xml version="1.0" encoding="UTF-8"?>
      <wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
                        xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
                        xmlns:tns="http://com/ibm/was/wssample/sei/echo/"
                        xmlns:xsd="http://www.w3.org/2001/XMLSchema" name="WSSampleSei"
                        xmlns:wsp="http://www.w3.org/ns/ws-policy"
                        	xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                        xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
                        xmlns:sp13="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802"
                        xmlns:wsaws="http://www.w3.org/2005/08/addressing"
                        targetNamespace="http://com/ibm/was/wssample/sei/echo/">
        <wsdl:types>
          <xsd:schema targetNamespace="http://com/ibm/was/wssample/sei/echo/"
                      xmlns:xsd="http://www.w3.org/2001/XMLSchema">
            <xsd:element name="echoStringResponse">
              <xsd:complexType>
                <xsd:sequence>
                  <xsd:element name="echoResponse" type="xsd:string" />
                </xsd:sequence>
              </xsd:complexType>
            </xsd:element>
            <xsd:element name="echoStringInput">
              <xsd:complexType>
                <xsd:sequence>
                  <xsd:element name="echoInput" type="xsd:string" />
                </xsd:sequence>
              </xsd:complexType>
            </xsd:element>
          </xsd:schema>
        </wsdl:types>
        <wsdl:message name="echoOperationRequest">
          <wsdl:part element="tns:echoStringInput" name="parameter" />
        </wsdl:message>
        <wsdl:message name="echoOperationResponse">
          <wsdl:part element="tns:echoStringResponse" name="parameter" />
        </wsdl:message>
        <wsdl:portType name="EchoServicePortType">
          <wsdl:operation name="echoOperation">
            <wsdl:input message="tns:echoOperationRequest" />
            <wsdl:output message="tns:echoOperationResponse" />
          </wsdl:operation>
        </wsdl:portType>
        <wsp:Policy wsu:Id="AsymmetricX509MutualAuthenticationWithUnt">
          <wsp:ExactlyOne>
            <wsp:All>
              <sp:SignedEncryptedSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
                <wsp:Policy>
                  <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                    <wsp:Policy>
                      <sp:WssUsernameToken10 />
                    </wsp:Policy>
                  </sp:UsernameToken>
                </wsp:Policy>
              </sp:SignedEncryptedSupportingTokens>
              <sp:AsymmetricBinding>
                <wsp:Policy>
                  <sp:InitiatorToken>
                    <wsp:Policy>
                      <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                        <wsp:Policy>
                          <sp:WssX509V3Token10 />
                          <sp:RequireIssuerSerialReference />
                        </wsp:Policy>
                      </sp:X509Token>
                    </wsp:Policy>
                  </sp:InitiatorToken>
                  <sp:RecipientToken>
                    <wsp:Policy>
                      <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                        <wsp:Policy>
                          <sp:WssX509V3Token10 />
                          <sp:RequireIssuerSerialReference />
                        </wsp:Policy>
                      </sp:X509Token>
                    </wsp:Policy>
                  </sp:RecipientToken>
                  <sp:Layout>
                    <wsp:Policy>
                      <sp:Strict/>
                    </wsp:Policy>
                  </sp:Layout>
                  <sp:IncludeTimestamp />
                  <sp:OnlySignEntireHeadersAndBody />
                  <sp:EncryptSignature />
                  <sp:AlgorithmSuite>
                    <wsp:Policy>
                      <sp:Basic128 />
                    </wsp:Policy>
                  </sp:AlgorithmSuite>
                </wsp:Policy>
              </sp:AsymmetricBinding>
              <sp:Wss11>
                <wsp:Policy>
                  <sp:MustSupportRefKeyIdentifier />
                  <sp:MustSupportRefIssuerSerial />
                  <sp:MustSupportRefThumbprint />
                  <sp:MustSupportRefEncryptedKey />
                  <sp:RequireSignatureConfirmation />
                </wsp:Policy>
              </sp:Wss11>
              <sp:SignedParts>
                <sp:Body/>
              </sp:SignedParts>
              <sp:EncryptedParts>
                <sp:Body/>
              </sp:EncryptedParts>
            </wsp:All>
          </wsp:ExactlyOne>
        </wsp:Policy>
        <wsdl:binding name="Echo1SOAP" type="tns:EchoServicePortType">
          <wsp:PolicyReference URI="#AsymmetricX509MutualAuthenticationWithUnt" />
          <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http" />
          <wsdl:operation name="echoOperation">
            <soap:operation soapAction="echoOperation" style="document" />
            <wsdl:input>
              <soap:body use="literal" />
            </wsdl:input>
            <wsdl:output>
              <soap:body use="literal" />
            </wsdl:output>
          </wsdl:operation>
        </wsdl:binding>
        <wsdl:service name="Echo1Service">
          <wsdl:port binding="tns:Echo1SOAP" name="Echo1ServicePort">
            <soap:address location="http://localhost:8010/WSSampleSei/Echo1Service" />
          </wsdl:port>
        </wsdl:service>
      </wsdl:definitions>
  2. 使用 WSDL 来创建 Web Service 应用程序。 可以在将 WS-Security 策略添加到 WSDL 之前或之后完成此步骤。可以使用受支持的工具根据前一节中开发的 WSDL 来创建 JAX-WS Web Service 应用程序。
    以下示例显示使用 Rational® Application Developer (RAD) 工具从 WSDL 开发的 Web Service 应用程序:
    @javax.jws.WebService (endpointInterface="com.ibm.was.wssample.sei.echo.EchoServicePortType",
                           targetNamespace="http://com/ibm/was/wssample/sei/echo/",
                           serviceName="Echo1Service",
                           wsdlLocation = "WEB-INF/wsdl/Echo.wsdl",
                           portName="Echo1ServicePort")
    public class Echo1SOAPImpl {
    
      public EchoStringResponse echoOperation(EchoStringInput parameter) {
        String strInput = (parameter == null ? "input_is_null" : parameter.getEchoInput() );
        try {
          com.ibm.was.wssample.sei.echo.EchoStringResponse strOutput = new EchoStringResponse();
          strOutput.setEchoResponse( "Echo1SOAPImpl>>" + strInput );
          return strOutput;
        } catch (java.lang.Exception ex) {
          ex.printStackTrace();
        }
      }
    
    @WebService (name = "EchoServicePortType", 
                 targetNamespace = "http://com/ibm/was/wssample/sei/echo/")
    @SOAPBinding (parameterStyle = SOAPBinding.ParameterStyle.BARE)
    @XmlSeeAlso ({
        ObjectFactory.class
    })
    
    public interface EchoServicePortType {
    
      @WebMethod (action = "echoOperation")
      @WebResult (name = "echoStringResponse", targetNamespace = "http://com/ibm/was/wssample/sei/echo/", partName = "parameter")
      public  EchoStringResponse echoOperation(
        @WebParam (name = "echoStringInput", targetNamespace = "http://com/ibm/was/wssample/sei/echo/", partName = "parameter")
        EchoStringInput parameter);
    
    }
    以下代码显示了一个将调用 Web Service 提供者应用程序的受管 Web Service 客户机:
    @WebServlet("ClientServlet")
    public class ClientServlet extends HttpServlet {
    
      @WebServiceRef (value=Echo1Service.class, wsdlLocation="Echo.wsdl")
      Echo1Service echo1Service;
    
      public  ClientServlet() {
        super ();
      }
    
      protected void doGet(HttpServletRequest request,
                           HttpServletResponse response) throws ServletException, IOException {
        processRequest(request, response);
      } 
    
      protected void doPost(HttpServletRequest request,
                            HttpServletResponse response) throws ServletException, IOException {
        processRequest(request, response);
      }
    
      private void processRequest(HttpServletRequest req,
                                  HttpServletResponse resp) throws ServletException, IOException {
    
        String endpointURL = "http://localhost:8010/WSSampleSei/Echo1Service";
    
        Echo1ServicePortProxy proxy = new Echo1ServicePortProxy(echo1Service);
        proxy._getDescriptor().setEndpoint(endpointURL);
    
        echoParm = new ObjectFactory().createEchoStringInput();
        echoParm.setEchoInput("Hello");
    
        String retval = proxy.echoOperation(echoParm).getEchoResponse();
    
      }
    }
    以下示例显示了 Web Service 提供者应用程序 WAR 文件的文件结构:
    WEB-INF/web.xml
    WEB-INF/wsdl/Echo.wsdl
    WEB-INF/classes/com/ibm/was/wssample/sei/echo/Echo1SOAPImpl.class
    WEB-INF/classes/com/ibm/was/wssample/sei/echo/EchoServicePortType.class
    WEB-INF/classes/com/ibm/was/wssample/sei/echo/EchoStringInput.class
    WEB-INF/classes/com/ibm/was/wssample/sei/echo/EchoStringResponse.class
    WEB-INF/classes/com/ibm/was/wssample/sei/echo/ObjectFactory.class
    WEB-INF/classes/com/ibm/was/wssample/sei/echo/package-info.class
    以下示例显示了 Web Service 客户机应用程序 WAR 文件的文件结构:
    WEB-INF/web.xml
    WEB-INF/wsdl/Echo.wsdl
    WEB-INF/classes/com/ibm/was/wssample/client/ClientServlet.class
    WEB-INF/classes/com/ibm/was/wssample/client/SampleClient.class
    WEB-INF/classes/com/ibm/was/wssample/sei/echo/Echo1Service.class
    WEB-INF/classes/com/ibm/was/wssample/sei/echo/Echo1ServicePortProxy.class
    WEB-INF/classes/com/ibm/was/wssample/sei/echo/EchoStringInput.class
    WEB-INF/classes/com/ibm/was/wssample/sei/echo/EchoStringResponse.class
    WEB-INF/classes/com/ibm/was/wssample/sei/echo/ObjectFactory.class
    WEB-INF/classes/com/ibm/was/wssample/sei/echo/package-info.class
  3. 开发回调处理程序。 您必须开发回调处理程序以检索用户名和密钥库密钥密码。当您生成 UsernameToken 时将使用用户名密码。密钥库密码用于访问密钥库中的专用密钥。回调处理程序必须返回明文密码,并且作为 Liberty 的用户功能部件来打包和安装。
    以下样本代码说明了回调处理程序:
    package com.ibm.ws.wssecurity.example.cbh;
    
    import java.util.HashMap;
    import java.util.Map;
    import javax.security.auth.callback.Callback;
    import javax.security.auth.callback.CallbackHandler;
    import org.apache.ws.security.WSPasswordCallback;
    
    public class SamplePasswordCallback implements CallbackHandler {
      private Map<String, String> userPasswords = new HashMap<String, String>();
      private Map<String, String> keyPasswords = new HashMap<String, String>();
      public SamplePasswordCallback() {
        // some example user passwords
        userPasswords.put("user1", "user1pswd");
        userPasswords.put("admin", "adminpswd");
        // some example key passwords
        keyPasswords.put("alice", "keypwsd");
        keyPasswords.put("bob", "keypswd");
      }
      public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
          WSPasswordCallback pwcb = (WSPasswordCallback)callbacks[i];
          String id = pwcb.getIdentifier();
          String pass = null;
          switch (pwcb.getUsage()) {
            case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN:
            case WSPasswordCallback.USERNAME_TOKEN:
              pass = userPasswords.get(id);
              pwcb.setPassword(pass);
              break;
            case WSPasswordCallback.SIGNATURE:
            case WSPasswordCallback.DECRYPT:
              pass = keyPasswords.get(id);
              pwcb.setPassword(pass);
              break;
          }
        }
      }
    }
    以下示例显示了与回调处理程序打包在一起的 MANIFEST.MF 文件。
    Manifest-Version: 1.0
    Bnd-LastModified: 1359415594428
    Build-Identifier: SNAPSHOT-Mon Jan 28 17:26:34 CST 2013
    Bundle-Copyright: The Program materials contained in this file are IBM
    copyright materials. 5724-I63, 5724-J08, 5724-H89, 5724-H88, 5655-W65
    Copyright International Business Machines Corp. 1999, 2012 All Rights
    Reserved * Licensed Materials - Property of IBM US Government Users
    Restricted Rights - Use, duplication or disclosure restricted by GSA ADP
    Schedule Contract with IBM Corp.
    Bundle-Description: An PasswordCallbackHandler; version=1.0.0
    Bundle-ManifestVersion: 2
    Bundle-Name: wssecuritycbh
    Bundle-SymbolicName: com.ibm.ws.wssecurity.example.cbh
    Bundle-Vendor: IBM
    Bundle-Version: 1.0.0
    Created-By: 1.6.0 (IBM Corporation)
    Export-Package: com.ibm.ws.wssecurity.example.cbh;uses:="com.ibm.websphe
    re.ras.annotation,javax.security.auth.callback";version="1.0.0"
    Import-Package: com.ibm.websphere.ras,com.ibm.websphere.ras.annotation,c
    om.ibm.ws.ffdc,javax.security.auth.callback,org.apache.ws.security;version="[1.6,2)"
    Require-Capability: osgi.ee;filter:="(&(osgi.ee=JavaSE)(version>=1.6))"
    Tool: Bnd-2.1.0.20120920-170235
    WS-TraceGroup: WSSecurity
    1. 创建一个具有回调处理程序以及功能部件清单文件 wsseccbh-1.0.mf 的 JAR 文件。 创建一个具有下列内容的称为 SampleCbh.jar 的 JAR 文件:
      META-INF/MANIFEST.MF
      com/ibm/ws/wssecurity/example/cbh/SamplePasswordCallback.class
      以下示例显示了 wsseccbh-1.0.mf 文件:
      Subsystem-ManifestVersion: 1
      Subsystem-SymbolicName: wsseccbh-1.0; visibility:=public
      Subsystem-Version: 1.0.0
      Subsystem-Content: com.ibm.ws.wssecurity.example.cbh; version="[1,1.0.100)";    location:="lib/"; type="osgi.bundle"; start-phase:=APPLICATION_EARLY
      
      Subsystem-Type: osgi.subsystem.feature
      IBM-Feature-Version: 2
      
      IBM-API-Package: com.ibm.ws.wssecurity.example.cbh; version="1.0"; type="internal"
    2. 复制位于 Liberty 的用户目录下的回调处理程序 JAR 文件和功能部件清单文件。 以下示例显示了回调处理程序 JAR 文件和功能部件清单文件的复制位置:
      build.image/wlp/usr/extension/lib/SampleCbh.jar
      build.image/wlp/usr/extension/lib/features/wsseccbh-1.0.mf
  4. Liberty 服务器中配置 WS-Security。Liberty 服务器配置文件 server.xml 中启用 WS-Security 功能部件,并为在先前部分中开发的样本 Web Service 客户机和提供程序应用程序配置 WS-Security。
    以下示例说明如何配置 WS-Security:
    <server>
      <featureManager>
        <feature>usr:wsseccbh-1.0</feature>
        <feature>servlet-3.0</feature>
        <feature>appSecurity-2.0</feature>
        <feature>jsp-2.2</feature>
        <feature>jaxws-2.2</feature>
        <feature>wsSecurity-1.1</feature>
      </featureManager>  <basicRegistry id="basic" realm="customRealm">
        <user name="user1" password="user1pswd" />
        <user name="user2" password="user2pswd" />
      </basicRegistry>
      <wsSecurityProvider id="default"
        ws-security.callback-handler="com.ibm.ws.wssecurity.example.cbh.SamplePasswordCallback"
        ws-security.signature.username="bob">
        <signatureProperties org.apache.ws.security.crypto.merlin.keystore.type="jceks"
          org.apache.ws.security.crypto.merlin.keystore.password="storepswd"
          org.apache.ws.security.crypto.merlin.keystore.alias="bob"
          org.apache.ws.security.crypto.merlin.file="${server.config.dir}/enc-receiver.jceks" />
        <encryptionProperties org.apache.ws.security.crypto.merlin.keystore.type="jceks"
          org.apache.ws.security.crypto.merlin.keystore.password="storepswd"
          org.apache.ws.security.crypto.merlin.keystore.alias="alice"
          org.apache.ws.security.crypto.merlin.file="${server.config.dir}/enc-receiver.jceks" />
      </wsSecurityProvider>
      <wsSecurityClient id="default"
        ws-security.password="security"
        ws-security.username="user1"
        ws-security.callback-handler="com.ibm.ws.wssecurity.example.cbh.SamplePasswordCallback"
        ws-security.encryption.username="alice">
        <signatureProperties org.apache.ws.security.crypto.merlin.keystore.type="jceks"
          org.apache.ws.security.crypto.merlin.keystore.password="storepswd"
          org.apache.ws.security.crypto.merlin.keystore.alias="alice"
          org.apache.ws.security.crypto.merlin.file="${server.config.dir}/enc-sender.jceks"/>
        <encryptionProperties org.apache.ws.security.crypto.merlin.keystore.type="jceks"
          org.apache.ws.security.crypto.merlin.keystore.password="storepswd"
          org.apache.ws.security.crypto.merlin.keystore.alias="bob"
          org.apache.ws.security.crypto.merlin.file="${server.config.dir}/enc-sender.jceks" />
      </wsSecurityClient>
    </server>

结果

您已使用 WS-Security 策略来保护 Web Service。

示例

在第一步中创建的样本 WS-Security 策略将生成与下列消息相似的 SOAP 请求和响应消息。
以下示例显示了 SOAP 请求消息:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                   	xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                   soap:mustUnderstand="1">
      <wsse:BinarySecurityToken 
        EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
        ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
        wsu:Id="X509-B1165B2A578AFFC7D613649595665924">...
      </wsse:BinarySecurityToken>
      <wsu:Timestamp wsu:Id="TS-1">
        <wsu:Created>2013-04-03T03:26:06.549Z</wsu:Created>
        <wsu:Expires>2013-04-03T03:31:06.549Z</wsu:Expires>
      </wsu:Timestamp>
      <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EK-B1165B2A578AFFC7D613649595666705">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"></xenc:EncryptionMethod>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <wsse:SecurityTokenReference>
            <ds:X509Data>
              <ds:X509IssuerSerial>
                <ds:X509IssuerName>CN=Bob,O=IBM,C=US</ds:X509IssuerName>
                <ds:X509SerialNumber>24054675667389</ds:X509SerialNumber>
              </ds:X509IssuerSerial>
            </ds:X509Data>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue>...</xenc:CipherValue>
        </xenc:CipherData>
        <xenc:ReferenceList>
          <xenc:DataReference URI="#ED-4"></xenc:DataReference>
          <xenc:DataReference URI="#ED-5"></xenc:DataReference>
          <xenc:DataReference URI="#ED-6"></xenc:DataReference>
        </xenc:ReferenceList>
      </xenc:EncryptedKey>
      <xenc:EncryptedData
        xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="ED-6" Type="http://www.w3.org/2001/04/xmlenc#Element">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></xenc:EncryptionMethod>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          				   <wsse:SecurityTokenReference
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
            wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
            <wsse:Reference URI="#EK-B1165B2A578AFFC7D613649595666705"></wsse:Reference>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue>...</xenc:CipherValue>
        </xenc:CipherData>
      </xenc:EncryptedData>
      <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                          Id="ED-5"
                          Type="http://www.w3.org/2001/04/xmlenc#Element">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></xenc:EncryptionMethod>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          				   <wsse:SecurityTokenReference
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
            wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
            <wsse:Reference URI="#EK-B1165B2A578AFFC7D613649595666705"></wsse:Reference>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue>...</xenc:CipherValue>
        </xenc:CipherData>
      </xenc:EncryptedData>
    </wsse:Security>
  </SOAP-ENV:Header>
  <soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
             wsu:Id="Id-1788936596">
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                        Id="ED-4"
                        Type="http://www.w3.org/2001/04/xmlenc#Content">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></xenc:EncryptionMethod>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        				   <wsse:SecurityTokenReference
          xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
          xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
          wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
          <wsse:Reference URI="#EK-B1165B2A578AFFC7D613649595666705"></wsse:Reference>
        </wsse:SecurityTokenReference>
      </ds:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>...</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>
以下示例显示了 SOAP 响应消息:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                   	xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                   soap:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="TS-7">
        <wsu:Created>2013-04-03T03:26:07.286Z</wsu:Created>
        <wsu:Expires>2013-04-03T03:31:07.286Z</wsu:Expires>
      </wsu:Timestamp>
      <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EK-B1165B2A578AFFC7D613649595673129">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"></xenc:EncryptionMethod>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <wsse:SecurityTokenReference>
            <ds:X509Data>
              <ds:X509IssuerSerial>
                <ds:X509IssuerName>CN=Alice,O=IBM,C=US</ds:X509IssuerName>
                <ds:X509SerialNumber>24054530212598</ds:X509SerialNumber>
              </ds:X509IssuerSerial>
            </ds:X509Data>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue>...</xenc:CipherValue>
        </xenc:CipherData>
        <xenc:ReferenceList>
          <xenc:DataReference URI="#ED-10"></xenc:DataReference>
          <xenc:DataReference URI="#ED-11"></xenc:DataReference>
          <xenc:DataReference URI="#ED-12"></xenc:DataReference>
        </xenc:ReferenceList>
      </xenc:EncryptedKey>
      <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                          Id="ED-12"
                          Type="http://www.w3.org/2001/04/xmlenc#Element">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></xenc:EncryptionMethod>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          				   <wsse:SecurityTokenReference
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
            wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
            <wsse:Reference URI="#EK-B1165B2A578AFFC7D613649595673129"></wsse:Reference>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue>...</xenc:CipherValue>
        </xenc:CipherData>
      </xenc:EncryptedData>
      <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                          Id="ED-11"
                          Type="http://www.w3.org/2001/04/xmlenc#Element">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></xenc:EncryptionMethod>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          				   <wsse:SecurityTokenReference
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
            wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
            <wsse:Reference URI="#EK-B1165B2A578AFFC7D613649595673129"></wsse:Reference>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue>...</xenc:CipherValue>
        </xenc:CipherData>
      </xenc:EncryptedData>
    </wsse:Security>
  </SOAP-ENV:Header>
  <soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
             wsu:Id="Id-2035943749">
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                        Id="ED-10"
                        Type="http://www.w3.org/2001/04/xmlenc#Content">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></xenc:EncryptionMethod>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        				   <wsse:SecurityTokenReference
          xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
          xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
          wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
          <wsse:Reference URI="#EK-B1165B2A578AFFC7D613649595673129"></wsse:Reference>
        </wsse:SecurityTokenReference>
      </ds:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>...</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>

下一步做什么

现在,可以开发您自己的 WSDL 文件,并使用匹配安全性要求的 WS-Security 策略来保护 Web Service 应用程序。

用于指示主题类型的图标 任务主题

文件名:twlp_wssec_securing.html