Apache CXF 附件安全
Apache CXF attachment security
我想让我的 Apache CXF 客户端对附件进行签名和加密。按照我目前的方案,它确实会对 SOAP 消息正文(Body)进行签名和加密,但会忽略附件。
我有以下代码:
// Outbound WSS4J configuration: sign, then encrypt, the SOAP 1.2 Body and the
// MIME attachments ("cid:Attachments" is WSS4J's pseudo-part naming every attachment).
// NOTE(review): the action list carries no Timestamp, so this configuration alone
// gives no freshness/replay bound on the message -- confirm the peer enforces one.
// NOTE(review): signatureAlgorithm, signatureDigestAlgorithm and encryptionSymAlgorithm
// are not set here, so WSS4J's version-dependent defaults apply; pin them explicitly
// if a particular suite (e.g. SHA-256 digests / an AEAD cipher) is required.
final String soap12Body = "{http://www.w3.org/2003/05/soap-envelope}Body";
final Map<String, Object> props = new HashMap<>();
// Actions to apply, in order, plus the key alias and password callback
// (the callback class name is redacted in the original post).
props.put("action", "Signature Encrypt");
props.put("signaturePropFile", "client.properties");
props.put("passwordCallbackClass", "******.KeystorePasswordCallback");
props.put("user", "node1");
// Signature: reference the signing cert directly; sign the Body element and all attachments.
props.put("signatureKeyIdentifier", "DirectReference");
props.put("signatureParts", "{Element}" + soap12Body + ";" + "{}cid:Attachments;");
// Encryption: Body content plus attachments (as {Element}); recipient key by issuer/serial;
// RSA-OAEP (not RSA 1.5) for key transport.
props.put("encryptionParts", "{Content}" + soap12Body + ";" + "{Element}cid:Attachments;");
props.put("encryptionPropFile", "client.properties");
props.put("encryptionKeyIdentifier", "IssuerSerial");
props.put("encryptionKeyTransportAlgorithm", "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p");
final WSS4JOutInterceptor wss4jOut = new WSS4JOutInterceptor(props);
client.getOutInterceptors().add(wss4jOut);
我参考了 this example 来编写我的代码。
而{}cid:Attachments
部分来自this apache page。
问题是 Apache CXF 出于某种原因在向消息添加附件的拦截器之前就运行了 sign/encrypt 拦截器。
简单的解决方法是添加您自己的 WSS4J out/in 拦截器(问题是双向的 - incoming/outgoing 消息),在 encryption/decryption/signature(check) 完成之前添加附件。
基本上,您可以打开添加附件的 SAAJ 拦截器,并将部分代码从 handleMessage 方法复制粘贴到您的拦截器。
对于 out interceptor:
/**
 * Outbound hook: lets the parent interceptor run first, then moves every SAAJ
 * attachment off the {@link SOAPMessage} and onto the CXF message's attachment
 * list as {@link AttachmentImpl}s (content id, data handler and MIME headers copied).
 * <p>
 * Per the surrounding text the parent is a WSS4J outbound interceptor; the intent
 * is that the attachments are present on the CXF message before WSS4J signs and
 * encrypts them. NOTE(review): that ordering depends on where the parent actually
 * does its work in the chain -- confirm against the CXF version in use.
 *
 * @param mc the outbound SOAP message
 * @throws Fault if a part's data handler cannot be read
 */
@Override
public void handleMessage(SoapMessage mc) throws Fault {
    super.handleMessage(mc);
    SOAPMessage saaj = mc.getContent(SOAPMessage.class);
    // Nothing to do without a SAAJ model or without attachments on it.
    if (saaj == null || saaj.countAttachments() <= 0) {
        return;
    }
    if (mc.getAttachments() == null) {
        mc.setAttachments(new ArrayList<Attachment>(saaj.countAttachments()));
    }
    Iterator<AttachmentPart> parts = CastUtils.cast(saaj.getAttachments());
    while (parts.hasNext()) {
        AttachmentPart part = parts.next();
        // Normalise the Content-ID so "cid:" references resolve consistently.
        AttachmentImpl cxfAtt = new AttachmentImpl(AttachmentUtil.cleanContentId(part.getContentId()));
        try {
            cxfAtt.setDataHandler(part.getDataHandler());
        } catch (SOAPException e) {
            throw new Fault(e);
        }
        Iterator<MimeHeader> headers = CastUtils.cast(part.getAllMimeHeaders());
        while (headers.hasNext()) {
            MimeHeader h = headers.next();
            cxfAtt.setHeader(h.getName(), h.getValue());
        }
        mc.getAttachments().add(cxfAtt);
        // The part now lives on the CXF message only; drop it from the SAAJ model.
        parts.remove();
    }
}
对于 in interceptor:
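/**
 * Inbound hook: lets the parent interceptor run first, then rebuilds the SAAJ
 * attachment list from the CXF message's attachments (data handler, MIME headers
 * and, if the part has none, the content id), clears the CXF attachment list and
 * re-installs the {@link SOAPMessage} as the message content.
 * <p>
 * Per the surrounding text the parent is a WSS4J inbound interceptor, so the
 * attachments seen here are whatever it left on the message after its processing.
 * NOTE(review): every attachment is copied as-is; nothing here checks that a part
 * was actually covered by a verified signature or was decrypted. Unless the parent
 * (or a policy) enforces that, an unsigned attachment can reach the service -- verify.
 * <p>
 * Fix vs. the original: a missing SAAJ model now raises an explicit {@link Fault}
 * (the original dereferenced it and failed with a bare NullPointerException), and
 * mirrors the outbound hook's null handling instead of diverging from it.
 *
 * @param msg the inbound SOAP message
 * @throws Fault if no SAAJ model is present or an attachment cannot be cached
 */
@Override
public void handleMessage(SoapMessage msg) throws Fault {
    super.handleMessage(msg);
    SOAPMessage soapMessage = msg.getContent(SOAPMessage.class);
    if (soapMessage == null) {
        // Fail loudly rather than NPE: with no SAAJ model there is nowhere to put
        // the parts, and dropping them silently would hide a processing failure.
        throw new Fault(new IllegalStateException(
                "No SAAJ SOAPMessage content on inbound message; cannot re-attach MIME parts"));
    }
    // Start from a clean slate so only the parts the parent left behind are present.
    soapMessage.removeAllAttachments();
    Collection<Attachment> atts = msg.getAttachments();
    if (atts != null) {
        for (Attachment a : atts) {
            // Force attachment data to be cached on the message before it is handed
            // to SAAJ, so the underlying stream is not consumed twice.
            if (a.getDataHandler().getDataSource() instanceof AttachmentDataSource) {
                try {
                    ((AttachmentDataSource) a.getDataHandler().getDataSource()).cache(msg);
                } catch (IOException e) {
                    throw new Fault(e);
                }
            }
            AttachmentPart ap = soapMessage.createAttachmentPart(a.getDataHandler());
            Iterator<String> names = a.getHeaderNames();
            while (names != null && names.hasNext()) {
                String name = names.next();
                ap.addMimeHeader(name, a.getHeader(name));
            }
            // Headers may already have carried a Content-ID; only fall back to the CXF id.
            if (StringUtils.isEmpty(ap.getContentId())) {
                ap.setContentId(a.getId());
            }
            soapMessage.addAttachmentPart(ap);
        }
    }
    msg.setAttachments(Collections.<Attachment>emptyList());
    msg.setContent(SOAPMessage.class, soapMessage);
}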
我想让我的 Apache CXF 客户端对附件进行签名和加密。按照我目前的方案,它确实会对 SOAP 消息正文(Body)进行签名和加密,但会忽略附件。
我有以下代码:
// Outbound WSS4J configuration: sign, then encrypt, the SOAP 1.2 Body and the
// MIME attachments ("cid:Attachments" is WSS4J's pseudo-part naming every attachment).
// NOTE(review): the action list carries no Timestamp, so this configuration alone
// gives no freshness/replay bound on the message -- confirm the peer enforces one.
// NOTE(review): signatureAlgorithm, signatureDigestAlgorithm and encryptionSymAlgorithm
// are not set here, so WSS4J's version-dependent defaults apply; pin them explicitly
// if a particular suite (e.g. SHA-256 digests / an AEAD cipher) is required.
final String soap12Body = "{http://www.w3.org/2003/05/soap-envelope}Body";
final Map<String, Object> props = new HashMap<>();
// Actions to apply, in order, plus the key alias and password callback
// (the callback class name is redacted in the original post).
props.put("action", "Signature Encrypt");
props.put("signaturePropFile", "client.properties");
props.put("passwordCallbackClass", "******.KeystorePasswordCallback");
props.put("user", "node1");
// Signature: reference the signing cert directly; sign the Body element and all attachments.
props.put("signatureKeyIdentifier", "DirectReference");
props.put("signatureParts", "{Element}" + soap12Body + ";" + "{}cid:Attachments;");
// Encryption: Body content plus attachments (as {Element}); recipient key by issuer/serial;
// RSA-OAEP (not RSA 1.5) for key transport.
props.put("encryptionParts", "{Content}" + soap12Body + ";" + "{Element}cid:Attachments;");
props.put("encryptionPropFile", "client.properties");
props.put("encryptionKeyIdentifier", "IssuerSerial");
props.put("encryptionKeyTransportAlgorithm", "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p");
final WSS4JOutInterceptor wss4jOut = new WSS4JOutInterceptor(props);
client.getOutInterceptors().add(wss4jOut);
我参考了 this example 来编写我的代码。
而{}cid:Attachments
部分来自this apache page。
问题是 Apache CXF 出于某种原因在向消息添加附件的拦截器之前就运行了 sign/encrypt 拦截器。
简单的解决方法是添加您自己的 WSS4J out/in 拦截器(问题是双向的 - incoming/outgoing 消息),在 encryption/decryption/signature(check) 完成之前添加附件。 基本上,您可以打开添加附件的 SAAJ 拦截器,并将部分代码从 handleMessage 方法复制粘贴到您的拦截器。 对于 out interceptor:
/**
 * Outbound hook: lets the parent interceptor run first, then moves every SAAJ
 * attachment off the {@link SOAPMessage} and onto the CXF message's attachment
 * list as {@link AttachmentImpl}s (content id, data handler and MIME headers copied).
 * <p>
 * Per the surrounding text the parent is a WSS4J outbound interceptor; the intent
 * is that the attachments are present on the CXF message before WSS4J signs and
 * encrypts them. NOTE(review): that ordering depends on where the parent actually
 * does its work in the chain -- confirm against the CXF version in use.
 *
 * @param mc the outbound SOAP message
 * @throws Fault if a part's data handler cannot be read
 */
@Override
public void handleMessage(SoapMessage mc) throws Fault {
    super.handleMessage(mc);
    SOAPMessage saaj = mc.getContent(SOAPMessage.class);
    // Nothing to do without a SAAJ model or without attachments on it.
    if (saaj == null || saaj.countAttachments() <= 0) {
        return;
    }
    if (mc.getAttachments() == null) {
        mc.setAttachments(new ArrayList<Attachment>(saaj.countAttachments()));
    }
    Iterator<AttachmentPart> parts = CastUtils.cast(saaj.getAttachments());
    while (parts.hasNext()) {
        AttachmentPart part = parts.next();
        // Normalise the Content-ID so "cid:" references resolve consistently.
        AttachmentImpl cxfAtt = new AttachmentImpl(AttachmentUtil.cleanContentId(part.getContentId()));
        try {
            cxfAtt.setDataHandler(part.getDataHandler());
        } catch (SOAPException e) {
            throw new Fault(e);
        }
        Iterator<MimeHeader> headers = CastUtils.cast(part.getAllMimeHeaders());
        while (headers.hasNext()) {
            MimeHeader h = headers.next();
            cxfAtt.setHeader(h.getName(), h.getValue());
        }
        mc.getAttachments().add(cxfAtt);
        // The part now lives on the CXF message only; drop it from the SAAJ model.
        parts.remove();
    }
}
对于 in interceptor:
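/**
 * Inbound hook: lets the parent interceptor run first, then rebuilds the SAAJ
 * attachment list from the CXF message's attachments (data handler, MIME headers
 * and, if the part has none, the content id), clears the CXF attachment list and
 * re-installs the {@link SOAPMessage} as the message content.
 * <p>
 * Per the surrounding text the parent is a WSS4J inbound interceptor, so the
 * attachments seen here are whatever it left on the message after its processing.
 * NOTE(review): every attachment is copied as-is; nothing here checks that a part
 * was actually covered by a verified signature or was decrypted. Unless the parent
 * (or a policy) enforces that, an unsigned attachment can reach the service -- verify.
 * <p>
 * Fix vs. the original: a missing SAAJ model now raises an explicit {@link Fault}
 * (the original dereferenced it and failed with a bare NullPointerException), and
 * mirrors the outbound hook's null handling instead of diverging from it.
 *
 * @param msg the inbound SOAP message
 * @throws Fault if no SAAJ model is present or an attachment cannot be cached
 */
@Override
public void handleMessage(SoapMessage msg) throws Fault {
    super.handleMessage(msg);
    SOAPMessage soapMessage = msg.getContent(SOAPMessage.class);
    if (soapMessage == null) {
        // Fail loudly rather than NPE: with no SAAJ model there is nowhere to put
        // the parts, and dropping them silently would hide a processing failure.
        throw new Fault(new IllegalStateException(
                "No SAAJ SOAPMessage content on inbound message; cannot re-attach MIME parts"));
    }
    // Start from a clean slate so only the parts the parent left behind are present.
    soapMessage.removeAllAttachments();
    Collection<Attachment> atts = msg.getAttachments();
    if (atts != null) {
        for (Attachment a : atts) {
            // Force attachment data to be cached on the message before it is handed
            // to SAAJ, so the underlying stream is not consumed twice.
            if (a.getDataHandler().getDataSource() instanceof AttachmentDataSource) {
                try {
                    ((AttachmentDataSource) a.getDataHandler().getDataSource()).cache(msg);
                } catch (IOException e) {
                    throw new Fault(e);
                }
            }
            AttachmentPart ap = soapMessage.createAttachmentPart(a.getDataHandler());
            Iterator<String> names = a.getHeaderNames();
            while (names != null && names.hasNext()) {
                String name = names.next();
                ap.addMimeHeader(name, a.getHeader(name));
            }
            // Headers may already have carried a Content-ID; only fall back to the CXF id.
            if (StringUtils.isEmpty(ap.getContentId())) {
                ap.setContentId(a.getId());
            }
            soapMessage.addAttachmentPart(ap);
        }
    }
    msg.setAttachments(Collections.<Attachment>emptyList());
    msg.setContent(SOAPMessage.class, soapMessage);
}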