利用 WS-Security 原則來維護 Web 服務安全

您可以利用 IBM® WebSphere® Application Server Liberty 中的 WS-Security 原則來開發 Java™ API for XML Web Services (JAX-WS) Web 服務及維護其安全。 提供的範例是作為指導教學,用來說明在 Liberty 中開發 Web 服務及維護其安全時所涉及的一般步驟。在正式作業環境中,請勿使用這些範例。 請檢閱您自己的安全需求,以研擬「Web 服務說明語言 (WSDL)」合約及 WS-Security 原則來保護您的 Web 服務應用程式。

關於這項作業

這個作業說明如何開發簡式 JAX-WS Web 服務應用程式,以及利用 WS-Security 原則來維護應用程式安全。

這項作業使用兩個金鑰儲存庫:enc-sender.jceks and enc-receiver.jceks。 這些是 WebSphere Application Server 傳統版中隨附的 WS-Security 範例金鑰儲存庫。 如果您有權存取傳統版安裝架構,您可以從下列其中一個目錄中取得範例金鑰儲存庫:

profile_root/etc/ws-security/samples

WASHOME/profileTemplates/defaultdocuments/etc/ws-security/samples

程序

  1. 建立 WSDL 合約及 WS-Security 原則。 本例會建立一個 WSDL 合約,其中含有 JAX-WS Web 服務提供者應用程式的 WS-Security 原則。所使用的是名稱為含有 X509Token 非對稱訊息保護的 UsernameToken(交互鑑別)的 WS-Security 原則範本。用戶端會簽章及加密 SOAP 主體,並簽章及加密要求訊息中的 UsernameToken。在回應訊息中,提供者會簽章及加密 SOAP 主體。 如需本例中的安全限制的完整說明,請參閱含有 X509Token 非對稱訊息保護的 UsernameToken(交互鑑別)
    1. 建立用於服務的 WSDL 合約。 下例顯示範例 WSDL 合約:
      <?xml version="1.0" encoding="UTF-8"?>
      <wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
                        xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
                        xmlns:tns="http://com/ibm/was/wssample/sei/echo/"
                        xmlns:xsd="http://www.w3.org/2001/XMLSchema" name="WSSampleSei"
                        targetNamespace="http://com/ibm/was/wssample/sei/echo/">
        <wsdl:types>
          <xsd:schema targetNamespace="http://com/ibm/was/wssample/sei/echo/"
                      xmlns:xsd="http://www.w3.org/2001/XMLSchema">
            <xsd:element name="echoStringResponse">
              <xsd:complexType>
                <xsd:sequence>
                  <xsd:element name="echoResponse" type="xsd:string" />
                </xsd:sequence>
              </xsd:complexType>
            </xsd:element>
            <xsd:element name="echoStringInput">
              <xsd:complexType>
                <xsd:sequence>
                  <xsd:element name="echoInput" type="xsd:string" />
                </xsd:sequence>
              </xsd:complexType>
            </xsd:element>
          </xsd:schema>
        </wsdl:types>
        <wsdl:message name="echoOperationRequest">
          <wsdl:part element="tns:echoStringInput" name="parameter" />
        </wsdl:message>
        <wsdl:message name="echoOperationResponse">
          <wsdl:part element="tns:echoStringResponse" name="parameter" />
        </wsdl:message>
        <wsdl:portType name="EchoServicePortType">
          <wsdl:operation name="echoOperation">
            <wsdl:input message="tns:echoOperationRequest" />
            <wsdl:output message="tns:echoOperationResponse" />
          </wsdl:operation>
        </wsdl:portType>
        <wsdl:binding name="Echo1SOAP" type="tns:EchoServicePortType">
          <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http" />
          <wsdl:operation name="echoOperation">
            <soap:operation soapAction="echoOperation" style="document" />
            <wsdl:input>
              <soap:body use="literal" />
            </wsdl:input>
            <wsdl:output>
              <soap:body use="literal" />
            </wsdl:output>
          </wsdl:operation>
        </wsdl:binding>
        <wsdl:service name="Echo1Service">
          <wsdl:port binding="tns:Echo1SOAP" name="Echo1ServicePort">
            <soap:address location="http://localhost:8010/WSSampleSei/Echo1Service" />
          </wsdl:port>
        </wsdl:service>
      </wsdl:definitions>
    2. 在 wsdl:definitions 元素中新增對 WSDL 支援安全原則所需的名稱空間。 下例顯示新增的名稱空間:
      xmlns:wsp="http://www.w3.org/ns/ws-policy"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
      xmlns:sp13="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802"
      xmlns:wsaws="http://www.w3.org/2005/08/addressing"
    3. 將 WS-Security 原則片段新增至 WSDL,緊接在 wsdl:binding 元素前。 本例使用來自含有 X509Token 非對稱訊息保護的 UsernameToken(交互鑑別)的原則範本。
    4. 將安全原則的 wsp:PolicyReference 到 wsdl:binding 元素。 下例顯示 wsp:PolicyReference:
      <wsp:PolicyReference URI="#AsymmetricX509MutualAuthenticationWithUnt" />
    5. 驗證最後的 WSDL 看起來與範例類似。 下例顯示最後的 WSDL:
      <?xml version="1.0" encoding="UTF-8"?>
      <wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
                        xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
                        xmlns:tns="http://com/ibm/was/wssample/sei/echo/"
                        xmlns:xsd="http://www.w3.org/2001/XMLSchema" name="WSSampleSei"
                        xmlns:wsp="http://www.w3.org/ns/ws-policy"
                        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                        xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
                        xmlns:sp13="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802"
                        xmlns:wsaws="http://www.w3.org/2005/08/addressing"
                        targetNamespace="http://com/ibm/was/wssample/sei/echo/">
        <wsdl:types>
          <xsd:schema targetNamespace="http://com/ibm/was/wssample/sei/echo/"
                      xmlns:xsd="http://www.w3.org/2001/XMLSchema">
            <xsd:element name="echoStringResponse">
              <xsd:complexType>
                <xsd:sequence>
                  <xsd:element name="echoResponse" type="xsd:string" />
                </xsd:sequence>
              </xsd:complexType>
            </xsd:element>
            <xsd:element name="echoStringInput">
              <xsd:complexType>
                <xsd:sequence>
                  <xsd:element name="echoInput" type="xsd:string" />
                </xsd:sequence>
              </xsd:complexType>
            </xsd:element>
          </xsd:schema>
        </wsdl:types>
        <wsdl:message name="echoOperationRequest">
          <wsdl:part element="tns:echoStringInput" name="parameter" />
        </wsdl:message>
        <wsdl:message name="echoOperationResponse">
          <wsdl:part element="tns:echoStringResponse" name="parameter" />
        </wsdl:message>
        <wsdl:portType name="EchoServicePortType">
          <wsdl:operation name="echoOperation">
            <wsdl:input message="tns:echoOperationRequest" />
            <wsdl:output message="tns:echoOperationResponse" />
          </wsdl:operation>
        </wsdl:portType>
        <wsp:Policy wsu:Id="AsymmetricX509MutualAuthenticationWithUnt">
          <wsp:ExactlyOne>
            <wsp:All>
              <sp:SignedEncryptedSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
                <wsp:Policy>
                  <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                    <wsp:Policy>
                      <sp:WssUsernameToken10 />
                    </wsp:Policy>
                  </sp:UsernameToken>
                </wsp:Policy>
              </sp:SignedEncryptedSupportingTokens>
              <sp:AsymmetricBinding>
                <wsp:Policy>
                  <sp:InitiatorToken>
                    <wsp:Policy>
                      <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                        <wsp:Policy>
                          <sp:WssX509V3Token10 />
                          <sp:RequireIssuerSerialReference />
                        </wsp:Policy>
                      </sp:X509Token>
                    </wsp:Policy>
                  </sp:InitiatorToken>
                  <sp:RecipientToken>
                    <wsp:Policy>
                      <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                        <wsp:Policy>
                          <sp:WssX509V3Token10 />
                          <sp:RequireIssuerSerialReference />
                        </wsp:Policy>
                      </sp:X509Token>
                    </wsp:Policy>
                  </sp:RecipientToken>
                  <sp:Layout>
                    <wsp:Policy>
                      <sp:Strict />
                    </wsp:Policy>
                  </sp:Layout>
                  <sp:IncludeTimestamp />
                  <sp:OnlySignEntireHeadersAndBody />
                  <sp:EncryptSignature />
                  <sp:AlgorithmSuite>
                    <wsp:Policy>
                      <sp:Basic128 />
                    </wsp:Policy>
                  </sp:AlgorithmSuite>
                </wsp:Policy>
              </sp:AsymmetricBinding>
              <sp:Wss11>
                <wsp:Policy>
                  <sp:MustSupportRefKeyIdentifier />
                  <sp:MustSupportRefIssuerSerial />
                  <sp:MustSupportRefThumbprint />
                  <sp:MustSupportRefEncryptedKey />
                  <sp:RequireSignatureConfirmation />
                </wsp:Policy>
              </sp:Wss11>
              <sp:SignedParts>
                <sp:Body />
              </sp:SignedParts>
              <sp:EncryptedParts>
                <sp:Body />
              </sp:EncryptedParts>
            </wsp:All>
          </wsp:ExactlyOne>
        </wsp:Policy>
        <wsdl:binding name="Echo1SOAP" type="tns:EchoServicePortType">
          <wsp:PolicyReference URI="#AsymmetricX509MutualAuthenticationWithUnt" />
          <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http" />
          <wsdl:operation name="echoOperation">
            <soap:operation soapAction="echoOperation" style="document" />
            <wsdl:input>
              <soap:body use="literal" />
            </wsdl:input>
            <wsdl:output>
              <soap:body use="literal" />
            </wsdl:output>
          </wsdl:operation>
        </wsdl:binding>
        <wsdl:service name="Echo1Service">
          <wsdl:port binding="tns:Echo1SOAP" name="Echo1ServicePort">
            <soap:address location="http://localhost:8010/WSSampleSei/Echo1Service" />
          </wsdl:port>
        </wsdl:service>
      </wsdl:definitions>
  2. 利用 WSDL 來建立 Web 服務應用程式。 這個步驟可以在將 WS-Security 原則新增至 WSDL 之前或之後完成。您可以利用支援的工具,從上一節所開發的 WSDL 建立 JAX-WS Web 服務應用程式。
    下例顯示使用 Rational® Application Developer (RAD) 工具從 WSDL 開發的 Web 服務應用程式:
    @javax.jws.WebService (endpointInterface="com.ibm.was.wssample.sei.echo.EchoServicePortType",
                           targetNamespace="http://com/ibm/was/wssample/sei/echo/",
                           serviceName="Echo1Service",
                           wsdlLocation = "WEB-INF/wsdl/Echo.wsdl",
                           portName="Echo1ServicePort")
    public class Echo1SOAPImpl {
    
      public EchoStringResponse echoOperation(EchoStringInput parameter) {
        String strInput = (parameter == null ? "input_is_null" : parameter.getEchoInput() );
        try {
          com.ibm.was.wssample.sei.echo.EchoStringResponse strOutput = new EchoStringResponse();
          strOutput.setEchoResponse( "Echo1SOAPImpl>>" + strInput );
          return strOutput;
        } catch (java.lang.Exception ex) {
          ex.printStackTrace();
        }
      }
    
    @WebService (name = "EchoServicePortType",
                 targetNamespace = "http://com/ibm/was/wssample/sei/echo/")
    @SOAPBinding (parameterStyle = SOAPBinding.ParameterStyle.BARE)
    @XmlSeeAlso ({
        ObjectFactory.class
    })
    
    public interface EchoServicePortType {
    
      @WebMethod (action = "echoOperation")
      @WebResult (name = "echoStringResponse", targetNamespace = "http://com/ibm/was/wssample/sei/echo/", partName = "parameter")
      public  EchoStringResponse echoOperation(
        @WebParam (name = "echoStringInput", targetNamespace = "http://com/ibm/was/wssample/sei/echo/", partName = "parameter")
        EchoStringInput parameter);
    
    }
    下列程式碼顯示呼叫 Web 服務提供者應用程式的受管理的 Web 服務用戶端:
    @WebServlet("ClientServlet")
    public class ClientServlet extends HttpServlet {
    
      @WebServiceRef (value=Echo1Service.class, wsdlLocation="Echo.wsdl")
      Echo1Service echo1Service;
    
      public  ClientServlet() {
        super();
      }
    
      protected void doGet(HttpServletRequest request,
                           HttpServletResponse response) throws ServletException, IOException {
        processRequest(request, response);
      } 
    
      protected void doPost(HttpServletRequest request,
                            HttpServletResponse response) throws ServletException, IOException {
        processRequest(request, response);
      }
    
      private void processRequest(HttpServletRequest req,
                                  HttpServletResponse resp) throws ServletException, IOException {
    
        String endpointURL = "http://localhost:8010/WSSampleSei/Echo1Service";
    
        Echo1ServicePortProxy proxy = new Echo1ServicePortProxy(echo1Service);
        proxy._getDescriptor().setEndpoint(endpointURL);
    
        echoParm = new ObjectFactory().createEchoStringInput();
        echoParm.setEchoInput("Hello");
    
        String retval = proxy.echoOperation(echoParm).getEchoResponse();
    
      }
    }
    下例顯示 Web 服務提供者應用程式 WAR 檔的檔案結構:
    WEB-INF/web.xml
    WEB-INF/wsdl/Echo.wsdl
    WEB-INF/classes/com/ibm/was/wssample/sei/echo/Echo1SOAPImpl.class
    WEB-INF/classes/com/ibm/was/wssample/sei/echo/EchoServicePortType.class
    WEB-INF/classes/com/ibm/was/wssample/sei/echo/EchoStringInput.class
    WEB-INF/classes/com/ibm/was/wssample/sei/echo/EchoStringResponse.class
    WEB-INF/classes/com/ibm/was/wssample/sei/echo/ObjectFactory.class
    WEB-INF/classes/com/ibm/was/wssample/sei/echo/package-info.class
    下例顯示 Web 服務用戶端應用程式 WAR 檔的檔案結構:
    WEB-INF/web.xml
    WEB-INF/wsdl/Echo.wsdl
    WEB-INF/classes/com/ibm/was/wssample/client/ClientServlet.class
    WEB-INF/classes/com/ibm/was/wssample/client/SampleClient.class
    WEB-INF/classes/com/ibm/was/wssample/sei/echo/Echo1Service.class
    WEB-INF/classes/com/ibm/was/wssample/sei/echo/Echo1ServicePortProxy.class
    WEB-INF/classes/com/ibm/was/wssample/sei/echo/EchoStringInput.class
    WEB-INF/classes/com/ibm/was/wssample/sei/echo/EchoStringResponse.class
    WEB-INF/classes/com/ibm/was/wssample/sei/echo/ObjectFactory.class
    WEB-INF/classes/com/ibm/was/wssample/sei/echo/package-info.class     
  3. 開發回呼處理常式。 您必須開發回呼處理常式來擷取使用者名稱和金鑰儲存庫金鑰密碼。 當您產生 UsernameToken 時,會用到使用者名稱密碼。 金鑰儲存庫密碼用來存取金鑰儲存庫中的私密金鑰。 回呼處理常式必須傳回純文字密碼,且必須包裝及安裝成一項 Liberty 使用者特性。
    下列範例程式碼說明回呼處理常式:
    package com.ibm.ws.wssecurity.example.cbh;
    
    import java.util.HashMap;
    import java.util.Map;
    import javax.security.auth.callback.Callback;
    import javax.security.auth.callback.CallbackHandler;
    import org.apache.ws.security.WSPasswordCallback;
    
    public class SamplePasswordCallback implements CallbackHandler {
      private Map<String, String> userPasswords = new HashMap<String, String>();
      private Map<String, String> keyPasswords = new HashMap<String, String>();
      public SamplePasswordCallback() {
        // 一些使用者密碼範例
        userPasswords.put("user1", "user1pswd");
        userPasswords.put("admin", "adminpswd");
        // 一些金鑰密碼範例
        keyPasswords.put("alice", "keypwsd");
        keyPasswords.put("bob", "keypswd");
      }
      public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
          WSPasswordCallback pwcb = (WSPasswordCallback)callbacks[i];
          String id = pwcb.getIdentifier();
          String pass = null;
          switch (pwcb.getUsage()) {
            case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN:
            case WSPasswordCallback.USERNAME_TOKEN:
              pass = userPasswords.get(id);
              pwcb.setPassword(pass);
              break;
            case WSPasswordCallback.SIGNATURE:
            case WSPasswordCallback.DECRYPT:
              pass = keyPasswords.get(id);
              pwcb.setPassword(pass);
              break;
          }
        }
      }
    }
    下列範例顯示包裝在回呼處理常式中的 MANIFEST.MF 檔:
    Manifest-Version: 1.0
    Bnd-LastModified: 1359415594428
    Build-Identifier: SNAPSHOT-Mon Jan 28 17:26:34 CST 2013
    Bundle-Copyright: The Program materials contained in this file are IBM
    copyright materials. 5724-I63, 5724-J08, 5724-H89, 5724-H88, 5655-W65
    Copyright International Business Machines Corp. 1999, 2012 All Rights
    Reserved * Licensed Materials - Property of IBM US Government Users
    Restricted Rights - Use, duplication or disclosure restricted by GSA ADP
    Schedule Contract with IBM Corp.
    Bundle-Description: An PasswordCallbackHandler; version=1.0.0
    Bundle-ManifestVersion: 2
    Bundle-Name: wssecuritycbh
    Bundle-SymbolicName: com.ibm.ws.wssecurity.example.cbh
    Bundle-Vendor: IBM
    Bundle-Version: 1.0.0
    Created-By: 1.6.0 (IBM Corporation)
    Export-Package: com.ibm.ws.wssecurity.example.cbh;uses:="com.ibm.websphe
    re.ras.annotation,javax.security.auth.callback";version="1.0.0"
    Import-Package: com.ibm.websphere.ras,com.ibm.websphere.ras.annotation,c
    om.ibm.ws.ffdc,javax.security.auth.callback,org.apache.ws.security;version="[1.6,2)"
    Require-Capability: osgi.ee;filter:="(&(osgi.ee=JavaSE)(version>=1.6))"
    Tool: Bnd-2.1.0.20120920-170235
    WS-TraceGroup: WSSecurity
    1. 建立一個含有回呼處理常式及特性資訊清單檔 (wsseccbh-1.0.mf) 的 JAR 檔。 建立一個稱為 SampleCbh.jar 且含有下列內容的 JAR 檔:
      META-INF/MANIFEST.MF
      com/ibm/ws/wssecurity/example/cbh/SamplePasswordCallback.class
      下列範例顯示 wsseccbh-1.0.mf 檔:
      Subsystem-ManifestVersion: 1
      Subsystem-SymbolicName: wsseccbh-1.0; visibility:=public
      Subsystem-Version: 1.0.0
      Subsystem-Content: com.ibm.ws.wssecurity.example.cbh; version="[1,1.0.100)";
          location:="lib/"; type="osgi.bundle"; start-phase:=APPLICATION_EARLY
      
      Subsystem-Type: osgi.subsystem.feature
      IBM-Feature-Version: 2
      
      IBM-API-Package: com.ibm.ws.wssecurity.example.cbh; version="1.0"; type="internal"
    2. 在 Liberty 的使用者目錄之下,複製回呼處理常式 JAR 檔及特性資訊清單檔。 下列範例顯示回呼處理常式 JAR 檔及特性資訊清單檔的複製位置:
      build.image/wlp/usr/extension/lib/SampleCbh.jar
      build.image/wlp/usr/extension/lib/features/wsseccbh-1.0.mf
  4. 在 Liberty 伺服器中配置 WS-Security。 在 Liberty 伺服器配置檔 server.xml 中啟用 WS-Security 特性,配置前面幾節所開發之 Web 服務用戶端和提供者應用程式範例的 WS-Security。
    下列範例顯示如何配置 WS-Security:
    <server>
      <featureManager>
        <feature>usr:wsseccbh-1.0</feature>
        <feature>servlet-3.0</feature>
        <feature>appSecurity-2.0</feature>
        		<feature>jsp-2.2</feature>
        <feature>jaxws-2.2</feature>
        <feature>wsSecurity-1.1</feature>
      </featureManager>
      <basicRegistry id="basic" realm="customRealm">
        <user name="user1" password="user1pswd" />
        <user name="user2" password="user2pswd" />
      </basicRegistry>
      <wsSecurityProvider id="default"
        ws-security.callback-handler="com.ibm.ws.wssecurity.example.cbh.SamplePasswordCallback"
        ws-security.signature.username="bob">
        <signatureProperties org.apache.ws.security.crypto.merlin.keystore.type="jceks"
          org.apache.ws.security.crypto.merlin.keystore.password="storepswd"
          org.apache.ws.security.crypto.merlin.keystore.alias="bob"
          org.apache.ws.security.crypto.merlin.file="${server.config.dir}/enc-receiver.jceks" />
        <encryptionProperties org.apache.ws.security.crypto.merlin.keystore.type="jceks"
          org.apache.ws.security.crypto.merlin.keystore.password="storepswd"
          org.apache.ws.security.crypto.merlin.keystore.alias="alice"
          org.apache.ws.security.crypto.merlin.file="${server.config.dir}/enc-receiver.jceks" />
      </wsSecurityProvider>
      <wsSecurityClient id="default"
        ws-security.password="security"
        ws-security.username="user1"
        ws-security.callback-handler="com.ibm.ws.wssecurity.example.cbh.SamplePasswordCallback"
        ws-security.encryption.username="alice">
        <signatureProperties org.apache.ws.security.crypto.merlin.keystore.type="jceks"
          org.apache.ws.security.crypto.merlin.keystore.password="storepswd"
          org.apache.ws.security.crypto.merlin.keystore.alias="alice"
          org.apache.ws.security.crypto.merlin.file="${server.config.dir}/enc-sender.jceks"/>
        <encryptionProperties org.apache.ws.security.crypto.merlin.keystore.type="jceks"
          org.apache.ws.security.crypto.merlin.keystore.password="storepswd"
          org.apache.ws.security.crypto.merlin.keystore.alias="bob"
          org.apache.ws.security.crypto.merlin.file="${server.config.dir}/enc-sender.jceks"/>
      </wsSecurityClient>
    </server>

結果

您已利用 WS-Security 原則來維護 Web 服務安全。

範例

首要步驟所建立的 WS-Security 原則範例會產生 SOAP 要求和類似下列訊息的回應訊息。
下列範例顯示 SOAP 要求訊息:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                   xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                   soap:mustUnderstand="1">
      <wsse:BinarySecurityToken
        EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
        ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
        wsu:Id="X509-B1165B2A578AFFC7D613649595665924">...
      </wsse:BinarySecurityToken>
      <wsu:Timestamp wsu:Id="TS-1">
        <wsu:Created>2013-04-03T03:26:06.549Z</wsu:Created>
        <wsu:Expires>2013-04-03T03:31:06.549Z</wsu:Expires>
      </wsu:Timestamp>
      <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EK-B1165B2A578AFFC7D613649595666705">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"></xenc:EncryptionMethod>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <wsse:SecurityTokenReference>
            <ds:X509Data>
              <ds:X509IssuerSerial>
                <ds:X509IssuerName>CN=Bob,O=IBM,C=US</ds:X509IssuerName>
                <ds:X509SerialNumber>24054675667389</ds:X509SerialNumber>
              </ds:X509IssuerSerial>
            </ds:X509Data>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue>...</xenc:CipherValue>
        </xenc:CipherData>
        <xenc:ReferenceList>
          <xenc:DataReference URI="#ED-4"></xenc:DataReference>
          <xenc:DataReference URI="#ED-5"></xenc:DataReference>
          <xenc:DataReference URI="#ED-6"></xenc:DataReference>
        </xenc:ReferenceList>
      </xenc:EncryptedKey>
      <xenc:EncryptedData
        xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="ED-6" Type="http://www.w3.org/2001/04/xmlenc#Element">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></xenc:EncryptionMethod>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <wsse:SecurityTokenReference
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
            wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
            <wsse:Reference URI="#EK-B1165B2A578AFFC7D613649595666705"></wsse:Reference>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue>...</xenc:CipherValue>
        </xenc:CipherData>
      </xenc:EncryptedData>
      <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                          Id="ED-5"
                          Type="http://www.w3.org/2001/04/xmlenc#Element">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></xenc:EncryptionMethod>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <wsse:SecurityTokenReference
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
            wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
            <wsse:Reference URI="#EK-B1165B2A578AFFC7D613649595666705"></wsse:Reference>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue>...</xenc:CipherValue>
        </xenc:CipherData>
      </xenc:EncryptedData>
    </wsse:Security>
  </SOAP-ENV:Header>
  <soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
             wsu:Id="Id-1788936596">
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                        Id="ED-4"
                        Type="http://www.w3.org/2001/04/xmlenc#Content">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></xenc:EncryptionMethod>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <wsse:SecurityTokenReference
          xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
          xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
          wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
          <wsse:Reference URI="#EK-B1165B2A578AFFC7D613649595666705"></wsse:Reference>
        </wsse:SecurityTokenReference>
      </ds:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>...</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>
下列範例顯示 SOAP 回應訊息:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                   xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                   soap:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="TS-7">
        <wsu:Created>2013-04-03T03:26:07.286Z</wsu:Created>
        <wsu:Expires>2013-04-03T03:31:07.286Z</wsu:Expires>
      </wsu:Timestamp>
      <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EK-B1165B2A578AFFC7D613649595673129">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"></xenc:EncryptionMethod>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <wsse:SecurityTokenReference>
            <ds:X509Data>
              <ds:X509IssuerSerial>
                <ds:X509IssuerName>CN=Alice,O=IBM,C=US</ds:X509IssuerName>
                <ds:X509SerialNumber>24054530212598</ds:X509SerialNumber>
              </ds:X509IssuerSerial>
            </ds:X509Data>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue>...</xenc:CipherValue>
        </xenc:CipherData>
        <xenc:ReferenceList>
          <xenc:DataReference URI="#ED-10"></xenc:DataReference>
          <xenc:DataReference URI="#ED-11"></xenc:DataReference>
          <xenc:DataReference URI="#ED-12"></xenc:DataReference>
        </xenc:ReferenceList>
      </xenc:EncryptedKey>
      <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                          Id="ED-12"
                          Type="http://www.w3.org/2001/04/xmlenc#Element">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></xenc:EncryptionMethod>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <wsse:SecurityTokenReference
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
            wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
            <wsse:Reference URI="#EK-B1165B2A578AFFC7D613649595673129"></wsse:Reference>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue>...</xenc:CipherValue>
        </xenc:CipherData>
      </xenc:EncryptedData>
      <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                          Id="ED-11"
                          Type="http://www.w3.org/2001/04/xmlenc#Element">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></xenc:EncryptionMethod>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <wsse:SecurityTokenReference
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
            wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
            <wsse:Reference URI="#EK-B1165B2A578AFFC7D613649595673129"></wsse:Reference>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue>...</xenc:CipherValue>
        </xenc:CipherData>
      </xenc:EncryptedData>
    </wsse:Security>
  </SOAP-ENV:Header>
  <soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
             wsu:Id="Id-2035943749">
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                        Id="ED-10"
                        Type="http://www.w3.org/2001/04/xmlenc#Content">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></xenc:EncryptionMethod>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <wsse:SecurityTokenReference
          xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
          xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
          wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
          <wsse:Reference URI="#EK-B1165B2A578AFFC7D613649595673129"></wsse:Reference>
        </wsse:SecurityTokenReference>
      </ds:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>...</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>

下一步

現在,您可以利用符合您的安全需求的 WS-Security 原則來開發您自己的 WSDL 檔和 Web 服務應用程式。

指示主題類型的圖示 作業主題



「時間戳記」圖示 前次更新: 2016 年 11 月 30 日
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-nd-mp&topic=twlp_wssec_securing
檔名:twlp_wssec_securing.html