120 likes | 338 Views
웹 서비스 보안을 위한 프레임워크 연구 - Implementation Document. 컴퓨터공학과 19971231 강성은 HPC Lab. 김종 교수님. Environment. Scenario. Source Site. Destination Site. 8XML Response. Web Services. Web Services. Remote Application. Authentication Authority. 7XML Request. 2Check. 4Display. 9Redirect.
E N D
웹 서비스 보안을 위한 프레임워크 연구- Implementation Document 컴퓨터공학과 19971231 강성은 HPC Lab. 김종 교수님
Scenario Source Site Destination Site 8XML Response Web Services Web Services Remote Application Authentication Authority 7XML Request 2Check 4Display 9Redirect 10view 3Login 6Redirect 1Access 5Select Browser
Web Service Overview Web Service Transport Listener (Handler,…) Application Dispatcher Service Call Transport Sender (Handler,…)
Messaging Level Security Encryption Confidentiality Signature Integrity
Deploy (WSDD) <deployment xmlns="http://xml.apache.org/axis/wsdd/" xmlns:java="http://xml.apache.org/axis/wsdd/providers/java"> <handler name=“reqHandler" type="java:security.SecurityReqHandler“ /> <handler name=“resHandler" type="java:security.SecurityResHandler“ /> <service name="http://localhost:8080/TrustService" provider="java:RPC"> <requestFlow> <handler type=“reqHandler"/> </requestFlow> <responseFlow> <handler type=“resHandler"/> </responseFlow> <parameter name="className" value=“TrustSvc"/> <parameter name="allowedMethods" value="*"/> </service> </deployment>
ReceiverSvc public static void main(String[] args) throws Exception { try { Options opts = new Options(args); Service service = new Service(); Call call = (Call) service.createCall(); call.setTargetEndpointAddress(new java.net.URL(opts.getURL())); SOAPEnvelope env = new SOAPEnvelope(); SOAPBodyElement sbe = new SOAPBodyElement(XMLUtils.StringToElement("http://localhost:8080/LogTestService", "testMethod", "")); env.addBodyElement(sbe); env = new SignedSOAPEnvelope(env, "http://xml-security"); System.out.println("\n============= Request =============="); XMLUtils.PrettyElementToStream(env.getAsDOM(), System.out); call.invoke(env); MessageContext mc = call.getMessageContext(); System.out.println("\n============= Response =============="); XMLUtils.PrettyElementToStream(mc.getResponseMessage().getSOAPEnvelope().getAsDOM(), System.out); } catch (Exception e) { e.printStackTrace(); } }
SignedSOAPEnvelope private void init(SOAPEnvelope env, String baseURI, String keystoreFile) { System.out.println("Beginning Client signing..."); env.addMapping(new Mapping(SOAPSECNS, SOAPSECprefix)); env.addAttribute(Constants.URI_SOAP11_ENV, "actor", "some-uri"); env.addAttribute(Constants.URI_SOAP11_ENV, "mustUnderstand", "1"); SOAPHeaderElement header = new SOAPHeaderElement(XMLUtils.StringToElement(SOAPSECNS, "Signature", env.addHeader(header); Document doc = getSOAPEnvelopeAsDocument(env, msgContext); KeyStore ks = KeyStore.getInstance(keystoreType); FileInputStream fis = new FileInputStream(keystoreFile); ks.load(fis, keystorePass.toCharArray()); Key privateKey = (Key) ks.getKey(privateKeyAlias, privateKeyPass.toCharArray()); Element soapHeaderElement = (Element) ((Element) doc.getFirstChild()).getElementsByTagNameNS("*", "Header").item(0); Element soapSignatureElement = (Element) soapHeaderElement.getElementsByTagNameNS("*", "Signature").item(0); XMLSignature sig = new XMLSignature(doc, baseURI, XMLSignature.ALGO_ID_SIGNATURE_DSA); soapSignatureElement.appendChild(sig.getElement()); sig.addDocument("#Body"); X509Certificate cert = (X509Certificate) ks.getCertificate(certificateAlias); sig.addKeyInfo(cert); sig.addKeyInfo(cert.getPublicKey()); sig.sign(privateKey); Canonicalizer c14n = Canonicalizer.getInstance(Canonicalizer.ALGO_ID_C14N_WITH_COMMENTS); byte[] canonicalMessage = c14n.canonicalizeSubtree(doc); InputSource is = new InputSource(new java.io.ByteArrayInputStream(canonicalMessage)); DeserializationContextImpl dser = null; if (msgContext == null) { AxisClient tmpEngine = new AxisClient(new NullProvider()); msgContext = new MessageContext(tmpEngine); } dser = new DeserializationContextImpl(is, msgContext, Message.REQUEST, this); dser.parse(); System.out.println("Client signing complete."); }
Signed SOAP Message <soapenv:Envelope soapenv:actor="some-uri" soapenv:mustUnderstand="1" xmlns:SOAP-SEC="http://schemas.xmlsoap.org/soap/security/2000-12" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <soapenv:Header> <SOAP-SEC:Signature> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/> <ds:Reference URI="#Body"> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue> 2jmj7l5rSw0yVb/vlWAYkK/YBwk= </ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue> IlpHUOUvL7Ehhab+IRCqxlwS2DOQfyKI+AlJibM3cDkfUjwkHxqsFQ== </ds:SignatureValue> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate> MIIC9jCCArQCBDruqiowCwYHKoZIzjgEAwUAMGExCzAJBgNVBAYTAkRFMR0wGwYDVQQKExRVbml2 ZXJzaXR5IG9mIFNpZWdlbjEQMA4GA1UECxMHRkIxMk5VRTEhMB8GA1UEAxMYQ2hyaXN0aWFuIEdl dWVyLVBvbGxtYW5uMB4XDTAxMDUwMTEyMjA1OFoXDTA2MTAyMjEyMjA1OFowYTELMAkGA1UEBhMC REUxHTAbBgNVBAoTFFVuaXZlcnNpdHkgb2YgU2llZ2VuMRAwDgYDVQQLEwdGQjEyTlVFMSEwHwYD VQQDExhDaHJpc3RpYW4gR2V1ZXItUG9sbG1hbm4wggG3MIIBLAYHKoZIzjgEATCCAR8CgYEA/X9T gR11EilS30qcLuzk5/YRt1I870QAwx4/gLZRJmlFXUAiUftZPY1Y+r/F9bow9subVWzXgTuAHTRv … </ds:X509Certificate> </ds:X509Data> <ds:KeyValue>
Signed SOAP Message(Cont.) <ds:DSAKeyValue> <ds:P> /X9TgR11EilS30qcLuzk5/YRt1I870QAwx4/gLZRJmlFXUAiUftZPY1Y+r/F9bow9subVWzXgTuA HTRv8mZgt2uZUKWkn5/oBHsQIsJPu6nX/rfGG/g7V+fGqKYVDwT7g/bTxR7DAjVUE1oWkTL2dfOu K2HXKu/yIgMZndFIAcc= </ds:P> <ds:Q> l2BQjxUjC8yykrmCouuEC/BYHPU= </ds:Q> <ds:G> 9+GghdabPd7LvKtcNrhXuXmUr7v6OuqC+VdMCz0HgmdRWVeOutRZT+ZxBxCBgLRJFnEj6EwoFhO3 zwkyjMim4TwWeotUfI0o4KOuHiuzpnWRbqN/C/ohNWLx+2J6ASQ7zKTxvqhRkImog9/hWuWfBpKL Zl6Ae1UlZAFMO/7PSSo= </ds:G> <ds:Y> Eln5/htZP51p7Y/Y1+zZOSSmoi2fQS0deniScan3990xy33RrPfF5odqEVmVYfTzFfKEz94aUXEY qY2VGVRCKrAZThk1SwoOB+UyfNSVjoqa4fppIQpTalK/JeR7uxQUr0Aeop68nr2u49GijYiLyvL3 x04lGaZ8jUYZL3gZTNI= </ds:Y> </ds:DSAKeyValue> </ds:KeyValue> </ds:KeyInfo> </ds:Signature> </SOAP-SEC:Signature> </soapenv:Header> <soapenv:Body> <ns1:getUserInfo xmlns:ns1=http://localhost:8080/TrustService”/> </soapenv:Body> </soapenv:Envelope>
SecurityHandler public class SecurityHandler extends BasicHandler { public void invoke(MessageContext msgContext) throws AxisFault { try { System.out.println("Starting Server verification"); Message inMsg = msgContext.getRequestMessage(); Message outMsg = msgContext.getResponseMessage(); // verify signed message Document doc = inMsg.getSOAPEnvelope().getAsDocument(); String BaseURI = "http://xml-security"; CachedXPathAPI xpathAPI = new CachedXPathAPI(); Element nsctx = doc.createElement("nsctx"); nsctx.setAttribute("xmlns:ds", Constants.SignatureSpecNS); Element signatureElem = (Element) xpathAPI.selectSingleNode(doc, "//ds:Signature", nsctx); // check to make sure that the document claims to have been signed if (signatureElem == null) { System.out.println("The document is not signed"); return; } XMLSignature sig = new XMLSignature(signatureElem, BaseURI); boolean verify = sig.checkSignatureValue(sig.getKeyInfo().getPublicKey()); System.out.println("Server verification complete."); System.out.println("The signature is" + (verify ? " “ : " not ") + "valid"); } catch (Exception e) { throw AxisFault.makeFault(e); } }
To do. • XML Encryption • Handler • Test JSP, servlet • Test & Debug