Axis2 + Rampart WebService Signing and Encryption

Question

Tengo un problema con la seguridad entre un servidor web y su cliente. Utilizo Axis2 y Rampart para construir de abajo hacia abajo mi servicio web y luego crear el cliente desde el wsdl generado. Te muestro mi código y el problema concreto.

Client.java

package de.security.tutorial; 

import java.io.InputStream; 
import java.rmi.RemoteException; 

import javax.xml.stream.XMLStreamException; 
import org.apache.axiom.om.impl.builder.StAXOMBuilder; 
import org.apache.axis2.client.Options; 
import org.apache.axis2.client.ServiceClient; 
import org.apache.axis2.context.ConfigurationContext; 
import org.apache.axis2.context.ConfigurationContextFactory; 
import org.apache.neethi.Policy; 
import org.apache.neethi.PolicyEngine; 
import org.apache.rampart.RampartMessageData; 

import de.security.tutorial.ServerStub.GetWelcomeResponse; 

public class Client { 

    /** 
    * Load policy file from classpath. 
    */ 
    private static Policy loadPolicy(String name) throws XMLStreamException { 
     ClassLoader loader = new ClassLoader() {}; 
     InputStream resource = loader.getResourceAsStream(name); 
     StAXOMBuilder builder = new StAXOMBuilder(resource); 
     return PolicyEngine.getPolicy(builder.getDocumentElement()); 
    } 

    public static void main(String[] arg) throws RemoteException{ 
     String url = "http://localhost:8080/axis2/services/Server"; 
     try { 
      // get Modulrepository 
      ConfigurationContext ctx = ConfigurationContextFactory.createConfigurationContextFromFileSystem("WebContent/WEB-INF/", null); 

      // create new Stub 
      ServerStub stub = new ServerStub(ctx, url); 

      // configure and engage Rampart 
      ServiceClient client = stub._getServiceClient(); 
      Options options = client.getOptions(); 

      Policy policy = loadPolicy("policy.xml"); 
//   client.getAxisService().getPolicySubject().attachPolicy(policy); 
      options.setProperty(RampartMessageData.KEY_RAMPART_POLICY, policy); 
      options.setUserName("libuser"); 
      options.setPassword("books"); 

      client.setOptions(options);   
      client.engageModule("addressing");   
      client.engageModule("rampart"); 
      stub._setServiceClient(client); 

      // send request 
      GetWelcomeResponse response = stub.getWelcome(); 

      // print response to console 
      if(response.local_returnTracker){ 
       String string = response.get_return(); 
       System.out.println(string); 
      } 

     } catch(Exception e) { 
      System.out.println("Exception: " + e.getMessage()); 
     } 

    } 

} 

PasswordCallbackHandler.java

package de.security.tutorial; 

import org.apache.ws.security.WSPasswordCallback; 

import javax.security.auth.callback.Callback; 
import javax.security.auth.callback.CallbackHandler; 

import java.io.IOException; 

/** 
* Simple password callback handler. This just checks if the password for the private key 
* is being requested, and if so sets that value. 
*/ 
public class PWCBHandler implements CallbackHandler 
{ 
    public void handle(Callback[] callbacks) throws IOException { 
     for (int i = 0; i < callbacks.length; i++) { 
      WSPasswordCallback pwcb = (WSPasswordCallback)callbacks[i]; 
      String id = pwcb.getIdentifer(); 
      int usage = pwcb.getUsage(); 
      if (usage == WSPasswordCallback.DECRYPT || usage == WSPasswordCallback.SIGNATURE) { 

       // used to retrieve password for private key 
       if ("clientkey".equals(id)) { 
        pwcb.setPassword("clientpass"); 
       } 

      } 
     } 
    } 
} 

policy.xml

<?xml version="1.0" encoding="UTF-8"?> 

<wsp:Policy wsu:Id="SigEncr" 
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"> 
    <wsp:ExactlyOne> 
     <wsp:All> 
      <sp:AsymmetricBinding 
       xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"> 
       <wsp:Policy> 
        <sp:InitiatorToken> 
         <wsp:Policy> 
          <sp:X509Token 
           sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"> 
           <wsp:Policy> 
            <sp:RequireThumbprintReference /> 
            <sp:WssX509V1Token10 /> 
           </wsp:Policy> 
          </sp:X509Token> 
         </wsp:Policy> 
        </sp:InitiatorToken> 
        <sp:RecipientToken> 
         <wsp:Policy> 
          <sp:X509Token 
           sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never"> 
           <wsp:Policy> 
            <sp:RequireThumbprintReference /> 
            <sp:WssX509V3Token10 /> 
           </wsp:Policy> 
          </sp:X509Token> 
         </wsp:Policy> 
        </sp:RecipientToken> 
        <sp:AlgorithmSuite> 
         <wsp:Policy> 
          <sp:TripleDesRsa15 /> 
         </wsp:Policy> 
        </sp:AlgorithmSuite> 
        <sp:Layout> 
         <wsp:Policy> 
          <sp:Strict /> 
         </wsp:Policy> 
        </sp:Layout> 
        <sp:IncludeTimestamp /> 
        <sp:OnlySignEntireHeadersAndBody /> 
       </wsp:Policy> 
      </sp:AsymmetricBinding> 
      <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"> 
       <wsp:Policy> 
        <sp:MustSupportRefKeyIdentifier /> 
        <sp:MustSupportRefIssuerSerial /> 
       </wsp:Policy> 
      </sp:Wss10> 
      <sp:SignedParts 
       xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"> 
       <sp:Body /> 
      </sp:SignedParts> 
      <sp:EncryptedParts 
       xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"> 
       <sp:Body /> 
      </sp:EncryptedParts> 
      <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy"> 
       <ramp:user>clientkey</ramp:user> 
       <ramp:encryptionUser>serverkey</ramp:encryptionUser> 
       <ramp:passwordCallbackClass>de.security.tutorial.PWCBHandler 
       </ramp:passwordCallbackClass> 
       <ramp:signatureCypto> 
        <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin"> 
         <ramp:property 
          name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property> 
         <ramp:property name="org.apache.ws.security.crypto.merlin.file">D:/keystore/client.keystore 
         </ramp:property> 
         <ramp:property 
          name="org.apache.ws.security.crypto.merlin.keystore.password">nosecret</ramp:property> 
        </ramp:crypto> 
       </ramp:signatureCypto> 

       <ramp:encryptionCypto> 
        <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin"> 
         <ramp:property 
          name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property> 
         <ramp:property name="org.apache.ws.security.crypto.merlin.file">D:/keystore/client.keystore 
         </ramp:property> 
         <ramp:property 
          name="org.apache.ws.security.crypto.merlin.keystore.password">nosecret</ramp:property> 
        </ramp:crypto> 
       </ramp:encryptionCypto> 

      </ramp:RampartConfig> 

     </wsp:All> 
    </wsp:ExactlyOne> 
</wsp:Policy> 

OK . Tengo un servicio web llamado "Servidor" con una función "getWelcome" que devolvió una cadena simple. Importent es solo la seguridad.

El problema: Si ejecuto mi cliente, regresó una NullPointerException y Google No estaba conectado con el servicio. Esta línea inicia la excepción:

GetWelcomeResponse response = stub.getWelcome(); 

Pero si desactivo la Modul muralla, cuando me siento una conexión con el servicio, pero que se pierda la cabecera de seguridad. El problema es esta línea:

client.engageModule("rampart"); 

¿Alguien me puede ayudar?

Answer 1

Desde el siguiente código, diría que debe incluir la línea comentada y comentar las otras 5 debajo de eso.

//  client.getAxisService().getPolicySubject().attachPolicy(policy); 
     options.setProperty(RampartMessageData.KEY_RAMPART_POLICY, policy); 
     options.setUserName("libuser"); 
     options.setPassword("books"); 

     client.setOptions(options);   
     client.engageModule("addressing");