
WebService (8): Apache CXF security mechanism, X509 certificate encryption

For a company project I previously looked into the security mechanism (Security) of WebService CXF; all the material I found used custom interceptors (as in the article WebService (6): CXF interceptors, permission management, login verification).

But that approach is really only pseudo-security: look closely at the interceptor log and you'll see that the parameters in the message are sent in plaintext, which amounts to no encryption at all...

Later I found that CXF supports digital certificate encryption. I looked at many examples, but the published CXF ones were all integrated with Spring; finally I found this one, which works with digital certificates without integrating Spring.

http://nogrief.iteye.com/blog/795814

The blogger wrote it rather hastily, though, and I had to rewrite the demo several times before it ran. I'm tidying it up here as a reference for everyone.

I've uploaded the demo here; if you're interested, download it and try running it.

A reader asked me: running the demo above throws an error saying the signature and decryption are invalid; how do I fix that...

Here's the thing: to run the demo above you need to regenerate the keys, because keys have a validity period. Keep reading to see exactly how the keys are generated...

------- Updated 2017-10-03

CXF security mechanism

X509

X509 is a very common certificate format. All certificates conform to the ITU-T X.509 international standard, so (in theory) a certificate created for one application can be used by any other application that conforms to the X.509 standard.

When X509 comes up, you need to understand the following related concepts

  1. Private key
  2. Public key
  3. KeyStore
  4. TrustStore

Private key and Public key are exactly what they say: the private key and the public key.

KeyStore and TrustStore are containers that hold private keys and public keys; structurally the two are identical, they are only distinguished conceptually.

The KeyStore is mainly used to store private keys

The TrustStore is mainly used to store public keys

For more on X509, search Baidu; I haven't looked into it further for now.

CXF X509

In CXF, encryption plus signature is used as the security policy; the configuration is a bit of a hassle

The flow chart is as follows


A brief explanation

  1. The client sends a message to the server
    1. Client A signs with A's own private key and encrypts with server B's public key, then sends the message to server B. B decrypts with its own private key and verifies the signature with A's public key.
  2. The server returns a message to the client
    1. Server B signs with its own private key and encrypts with A's public key, then sends the message to client A. A decrypts with its private key and verifies the signature with B's public key.

Think the process through carefully; once you understand it, it doesn't feel too complex.
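As an added illustration of this exchange (example code written for this explanation, not part of the original demo), the following stand-alone Java program performs both directions of the flow with plain JCA: the sender signs with its own private key and encrypts for the receiver's public key, the receiver unwraps with its private key and verifies with the sender's public key. The RSA key pairs are generated in memory and stand in for the two KeyStores, and AES-GCM is used for the body instead of WSS4J's XML Encryption format, so the bytes differ from a real WS-Security message while the key usage is the same.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.SignatureException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class SignThenEncryptDemo {

    /** What travels on the wire: everything except the plaintext body. */
    static final class SecuredMessage {
        final byte[] encryptedKey; // content key wrapped with the receiver's RSA public key (like xenc:EncryptedKey)
        final byte[] iv;           // AES-GCM nonce, sent in clear
        final byte[] ciphertext;   // the encrypted body (like xenc:EncryptedData)
        final byte[] signature;    // signature over the body, sent in clear in the header (like ds:Signature)

        SecuredMessage(byte[] encryptedKey, byte[] iv, byte[] ciphertext, byte[] signature) {
            this.encryptedKey = encryptedKey;
            this.iv = iv;
            this.ciphertext = ciphertext;
            this.signature = signature;
        }
    }

    /** Sender side: sign with own private key, then encrypt for the receiver's public key. */
    static SecuredMessage secure(byte[] body, PrivateKey senderPrivate, PublicKey receiverPublic)
            throws GeneralSecurityException {
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(senderPrivate);
        signer.update(body);
        byte[] signature = signer.sign();
        // Fresh symmetric key per message; only the key is RSA-wrapped, the body is encrypted symmetrically.
        KeyGenerator keyGen = KeyGenerator.getInstance("AES");
        keyGen.init(128);
        SecretKey contentKey = keyGen.generateKey();
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, contentKey, new GCMParameterSpec(128, iv));
        byte[] ciphertext = aes.doFinal(body);
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.WRAP_MODE, receiverPublic);
        return new SecuredMessage(rsa.wrap(contentKey), iv, ciphertext, signature);
    }

    /** Receiver side: unwrap with own private key, decrypt, then verify with the sender's public key. */
    static byte[] open(SecuredMessage msg, PrivateKey receiverPrivate, PublicKey senderPublic)
            throws GeneralSecurityException {
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.UNWRAP_MODE, receiverPrivate);
        SecretKey contentKey = (SecretKey) rsa.unwrap(msg.encryptedKey, "AES", Cipher.SECRET_KEY);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.DECRYPT_MODE, contentKey, new GCMParameterSpec(128, msg.iv));
        byte[] body = aes.doFinal(msg.ciphertext); // throws AEADBadTagException if the ciphertext was altered
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(senderPublic);
        verifier.update(body);
        if (!verifier.verify(msg.signature)) {
            throw new SignatureException("signature does not verify against the expected sender's public key");
        }
        return body;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair clientA = kpg.generateKeyPair(); // stands in for clientprivatekey in Client_KeyStore.jks
        KeyPair serverB = kpg.generateKeyPair(); // stands in for serverprivatekey in Server_KeyStore.jks

        // Request: A signs with A's private key, encrypts with B's public key; B decrypts and verifies.
        SecuredMessage request = secure("CYX".getBytes(UTF_8), clientA.getPrivate(), serverB.getPublic());
        String received = new String(open(request, serverB.getPrivate(), clientA.getPublic()), UTF_8);
        System.out.println("server received : " + received);

        // Response: B signs with B's private key, encrypts with A's public key; A decrypts and verifies.
        SecuredMessage response = secure(("Hi : " + received).getBytes(UTF_8), serverB.getPrivate(), clientA.getPublic());
        System.out.println("client received : " + new String(open(response, clientA.getPrivate(), serverB.getPublic()), UTF_8));

        // Negative check: a message signed by a key that is not the one in B's TrustStore must be rejected by B.
        KeyPair unknown = kpg.generateKeyPair();
        SecuredMessage untrusted = secure("CYX".getBytes(UTF_8), unknown.getPrivate(), serverB.getPublic());
        try {
            open(untrusted, serverB.getPrivate(), clientA.getPublic());
        } catch (SignatureException e) {
            System.out.println("rejected : " + e.getMessage());
        }
    }
}
```

Note that, exactly as in the captured WS-Security messages further down, the signature is not encrypted: it sits beside the ciphertext, and only the body content is hidden.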


Implementation code

Generating the certificates

To generate the certificates we use a tool that ships with the JDK: keytool

  1. First, create the client key and KeyStore

keytool -genkey -alias clientprivatekey -keypass keypass -keystore Client_KeyStore.jks -storepass storepass -dname "CN=tongtech.com,C=CN" -keyalg RSA

This creates the KeyStore, file name Client_KeyStore.jks, containing a private key named clientprivatekey.

  2. Sign the key (self-signed certificate)

keytool -selfcert -keystore Client_KeyStore.jks -storepass storepass -alias clientprivatekey -keypass keypass

If signing succeeds there is no output at all

  3. Export the certificate

Its purpose is to save the exported certificate as the public key in the TrustStore.

keytool -export -alias clientprivatekey -file Client_PublicCert.cer -keystore Client_KeyStore.jks -storepass storepass

If it succeeds you'll see the message: "Certificate stored in file <Client_PublicCert.cer>"

Then create the server KeyStore

  1. Create the private key and KeyStore

keytool -genkey -alias serverprivatekey -keypass keypass -keystore Server_KeyStore.jks -storepass storepass -dname "CN=tongtech.com,C=CN" -keyalg RSA

  2. Sign the key

keytool -selfcert -keystore Server_KeyStore.jks -storepass storepass -alias serverprivatekey -keypass keypass

  3. Export the certificate

keytool -export -alias serverprivatekey -file Server_PublicCert.cer -keystore Server_KeyStore.jks -storepass storepass

  4. Next, import the client public key into the server's TrustStore, and the server public key into the client's TrustStore

keytool -import -alias clientpublickey -file Client_PublicCert.cer -keystore Server_TrustStore.jks -storepass storepass

After pressing Enter you'll see a prompt


  5. Likewise, import the server public key into the client TrustStore

keytool -import -alias serverpublickey -file Server_PublicCert.cer -keystore Client_TrustStore.jks -storepass storepass

Again a prompt appears; type y and press Enter.

For easy copying, here are all the commands together

keytool -genkey -alias clientprivatekey -keypass keypass -keystore Client_KeyStore.jks -storepass storepass -dname "CN=tongtech.com,C=CN" -keyalg RSA

keytool -selfcert -keystore Client_KeyStore.jks -storepass storepass -alias clientprivatekey -keypass keypass

keytool -export -alias clientprivatekey -file Client_PublicCert.cer -keystore Client_KeyStore.jks -storepass storepass

keytool -genkey -alias serverprivatekey -keypass keypass -keystore Server_KeyStore.jks -storepass storepass -dname "CN=tongtech.com,C=CN" -keyalg RSA

keytool -selfcert -keystore Server_KeyStore.jks -storepass storepass -alias serverprivatekey -keypass keypass

keytool -export -alias serverprivatekey -file Server_PublicCert.cer -keystore Server_KeyStore.jks -storepass storepass

keytool -import -alias clientpublickey -file Client_PublicCert.cer -keystore Server_TrustStore.jks -storepass storepass

keytool -import -alias serverpublickey -file Server_PublicCert.cer -keystore Client_TrustStore.jks -storepass storepass

Finally, in the "C:\Users\CYX" directory (adjust to your own setup) you'll find these files

For the files with the '.jks' suffix, you can tell from the name which are client and which are server.
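A check worth running after those commands, added here as example code (not part of the original demo): it opens the four JKS files with the passwords used above, confirms that each private key can be unlocked with keypass, that the certificate in the peer's TrustStore is exactly the one exported from the owner's KeyStore, and that the certificate is still inside its validity period (keytool -genkey issues 90-day certificates by default, which is why the demo later fails with the "signature and decryption invalid" error mentioned at the top). The file paths assume you run it in the directory where keytool wrote the files.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;

public class KeystoreCheck {

    // Passwords from the keytool commands above.
    static final char[] STOREPASS = "storepass".toCharArray();
    static final char[] KEYPASS = "keypass".toCharArray();

    static KeyStore load(String path) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, STOREPASS); // throws IOException if storepass is wrong
        }
        return ks;
    }

    /**
     * One direction of trust: the owner signs/decrypts with ownerAlias in ownerStore,
     * the peer verifies/encrypts with trustAlias in peerTrustStore. Returns true if consistent.
     */
    static boolean check(String ownerStore, String ownerAlias, String peerTrustStore, String trustAlias)
            throws Exception {
        KeyStore owner = load(ownerStore);
        KeyStore trust = load(peerTrustStore);
        boolean ok = true;

        // The password callback hands WSS4J "keypass"; it must actually unlock the private key entry.
        Key privateKey = null;
        try {
            if (owner.isKeyEntry(ownerAlias)) privateKey = owner.getKey(ownerAlias, KEYPASS);
        } catch (UnrecoverableKeyException e) {
            // wrong -keypass: leave privateKey null and report below
        }
        if (privateKey == null) {
            System.out.println("FAIL " + ownerStore + ": no private key '" + ownerAlias + "' unlockable with keypass");
            ok = false;
        }

        X509Certificate ownerCert = (X509Certificate) owner.getCertificate(ownerAlias);
        Certificate trustedCert = trust.getCertificate(trustAlias);
        if (ownerCert == null || trustedCert == null) {
            System.out.println("FAIL missing certificate: " + ownerStore + "/" + ownerAlias
                    + " or " + peerTrustStore + "/" + trustAlias);
            return false;
        }
        // After regenerating a key pair, the old .cer stays in the peer's TrustStore until re-imported.
        if (!ownerCert.equals(trustedCert)) {
            System.out.println("FAIL " + peerTrustStore + "/" + trustAlias + " is not the certificate exported from "
                    + ownerStore + "/" + ownerAlias + " (re-export and re-import it)");
            ok = false;
        }
        // Expired certificates are what produces the 'signature/decryption invalid' error at runtime.
        try {
            ownerCert.checkValidity();
        } catch (CertificateExpiredException e) {
            System.out.println("FAIL " + ownerStore + "/" + ownerAlias + " expired on " + ownerCert.getNotAfter()
                    + " (regenerate the keys)");
            ok = false;
        } catch (CertificateNotYetValidException e) {
            System.out.println("FAIL " + ownerStore + "/" + ownerAlias + " not valid before " + ownerCert.getNotBefore());
            ok = false;
        }
        // Subject and serial are what the ds:X509IssuerSerial in the WS-Security header refers to.
        System.out.println((ok ? "OK   " : "     ") + ownerAlias + " subject=" + ownerCert.getSubjectX500Principal()
                + " serial=" + ownerCert.getSerialNumber() + " notAfter=" + ownerCert.getNotAfter());
        return ok;
    }

    public static void main(String[] args) throws Exception {
        boolean clientToServer = check("Client_KeyStore.jks", "clientprivatekey", "Server_TrustStore.jks", "clientpublickey");
        boolean serverToClient = check("Server_KeyStore.jks", "serverprivatekey", "Client_TrustStore.jks", "serverpublickey");
        System.out.println(clientToServer && serverToClient
                ? "both trust directions are consistent"
                : "fix the failures above before starting CXFServer / CXFClient");
    }
}
```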


Server implementation

Server code structure diagram


Interface
package com.cxf.security.server.inter;
import javax.jws.WebMethod;
import javax.jws.WebParam;
import javax.jws.WebService;
@WebService
public interface HelloService {
		@WebMethod
		public String sayHello(@WebParam(name = "message") String message);
}
Interface implementation class
package com.cxf.security.server.impl;
import com.cxf.security.server.inter.HelloService;
public class HelloServiceImpl implements HelloService {
		@Override
		public String sayHello(String message) {
				System.out.println("服務端接收訊息 : " + message);
				return "Hi : " + message;
		}
}
Security callback handler
package com.cxf.security.server.callback;
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;
public class UTPasswordServerCallBack implements CallbackHandler {
		@Override
		public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
				// WSS4J asks for the password of the private key alias it is about to use (serverprivatekey)
				WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
				pc.setPassword("keypass"); // the -keypass given to keytool
				// demo only: this prints the key password to the console
				System.out.println("Server Identifier=" + pc.getIdentifier());
				System.out.println("Server Password=" + pc.getPassword());
		}
}

Key configuration files
Server_Decrypt.properties
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=storepass
org.apache.ws.security.crypto.merlin.keystore.alias=serverprivatekey
org.apache.ws.security.crypto.merlin.file=com/cxf/security/server/cert/Server_KeyStore.jks
Server_SignVerf.properties
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=storepass
org.apache.ws.security.crypto.merlin.keystore.alias=clientpublickey
org.apache.ws.security.crypto.merlin.file=com/cxf/security/server/cert/Server_TrustStore.jks
Server main method
package com.cxf.security.server;
import java.util.HashMap;
import java.util.Map;
import javax.xml.ws.Endpoint;
import org.apache.cxf.jaxws.EndpointImpl;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.ws.security.handler.WSHandlerConstants;
import com.cxf.security.server.callback.UTPasswordServerCallBack;
import com.cxf.security.server.impl.HelloServiceImpl;

public class CXFServer {

	private static final String ADDRESS = "http://localhost:8088/security/helloservice";

	public static void main(String[] args) {

		EndpointImpl ep = (EndpointImpl) Endpoint.publish(ADDRESS, new HelloServiceImpl());
		org.apache.cxf.endpoint.Endpoint cxfEp = ep.getServer().getEndpoint();

		// Inbound (request from the client): check the timestamp, verify the client's signature with the
		// client public key in Server_TrustStore.jks, decrypt with the server private key in Server_KeyStore.jks
		Map<String, Object> inProp = new HashMap<String, Object>();
		inProp.put(WSHandlerConstants.ACTION, WSHandlerConstants.TIMESTAMP + " " + WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.ENCRYPT);
		inProp.put(WSHandlerConstants.PW_CALLBACK_CLASS, UTPasswordServerCallBack.class.getName());
		inProp.put(WSHandlerConstants.SIG_PROP_FILE, "com/cxf/security/server/cert/Server_SignVerf.properties");// public key
		inProp.put(WSHandlerConstants.DEC_PROP_FILE, "com/cxf/security/server/cert/Server_Decrypt.properties");// private key
		cxfEp.getInInterceptors().add(new WSS4JInInterceptor(inProp));

		// Outbound (response to the client): sign with the server private key, encrypt for the client public key
		Map<String, Object> outProp = new HashMap<String, Object>();
		outProp.put(WSHandlerConstants.ACTION, WSHandlerConstants.TIMESTAMP + " " + WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.ENCRYPT);
		outProp.put(WSHandlerConstants.USER, "serverprivatekey");
		outProp.put(WSHandlerConstants.PW_CALLBACK_CLASS, UTPasswordServerCallBack.class.getName());
		outProp.put(WSHandlerConstants.ENCRYPTION_USER, "clientpublickey");
		outProp.put(WSHandlerConstants.SIG_PROP_FILE, "com/cxf/security/server/cert/Server_Decrypt.properties");// private key
		outProp.put(WSHandlerConstants.ENC_PROP_FILE, "com/cxf/security/server/cert/Server_SignVerf.properties");// public key

		cxfEp.getOutInterceptors().add(new WSS4JOutInterceptor(outProp));

		System.out.println("CXF Running , address : " + ADDRESS);

	}
}

Pay attention to the parameters highlighted in red above!!!


Then start the server and publish the service.


Client implementation

Client code structure diagram

The code in the red box is auto-generated by CXF; how to generate it is not repeated here, see the earlier WebService articles.


Callback handler

package com.cxf.security.callback;
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

public class UTPasswordClientCallBack implements CallbackHandler {
		@Override
		public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
				// WSS4J asks for the password of the private key alias it is about to use (clientprivatekey)
				WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
				pc.setPassword("keypass"); // the -keypass given to keytool
				// demo only: this prints the key password to the console
				System.out.println("Client Identifier=" + pc.getIdentifier());
				System.out.println("Client Password=" + pc.getPassword());
		}
}

Key configuration files
Client_Encrypt.properties
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=storepass
org.apache.ws.security.crypto.merlin.keystore.alias=serverpublickey
org.apache.ws.security.crypto.merlin.file=com/cxf/security/cert/Client_TrustStore.jks

Client_Sign.properties
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=storepass
org.apache.ws.security.crypto.merlin.keystore.alias=clientprivatekey
org.apache.ws.security.crypto.merlin.file=com/cxf/security/cert/Client_KeyStore.jks

Client main program
package com.cxf.security.client;
import java.util.HashMap;
import java.util.Map;
import org.apache.cxf.endpoint.Endpoint;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.ws.security.handler.WSHandlerConstants;
import com.cxf.security.callback.UTPasswordClientCallBack;
import com.cxf.security.server.impl.HelloServiceImplService;
import com.cxf.security.server.inter.HelloService;

public class CXFClient {

	public static void main(String[] args) {

		HelloServiceImplService ss = new HelloServiceImplService();
		HelloService service = ss.getHelloServiceImplPort();

		org.apache.cxf.endpoint.Client client = ClientProxy.getClient(service);
		Endpoint cxfEp = client.getEndpoint();

		// Client Out: sign with the client private key, encrypt for the server public key
		Map<String, Object> outProp = new HashMap<String, Object>();
		outProp.put(WSHandlerConstants.ACTION, WSHandlerConstants.TIMESTAMP + " " + WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.ENCRYPT);
		outProp.put(WSHandlerConstants.USER, "clientprivatekey");
		outProp.put(WSHandlerConstants.ENCRYPTION_USER, "serverpublickey");
		outProp.put(WSHandlerConstants.PW_CALLBACK_CLASS, UTPasswordClientCallBack.class.getName());
		outProp.put(WSHandlerConstants.SIG_PROP_FILE, "com/cxf/security/cert/Client_Sign.properties");// private key
		outProp.put(WSHandlerConstants.ENC_PROP_FILE, "com/cxf/security/cert/Client_Encrypt.properties");// public key

		cxfEp.getOutInterceptors().add(new WSS4JOutInterceptor(outProp));

		// Client In (Return): decrypt with the client private key, verify the server's signature with its public key
		Map<String, Object> inProp = new HashMap<String, Object>();
		inProp.put(WSHandlerConstants.ACTION, WSHandlerConstants.TIMESTAMP + " " + WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.ENCRYPT);
		inProp.put(WSHandlerConstants.PW_CALLBACK_CLASS, UTPasswordClientCallBack.class.getName());
		inProp.put(WSHandlerConstants.DEC_PROP_FILE, "com/cxf/security/cert/Client_Sign.properties");// private key
		inProp.put(WSHandlerConstants.SIG_PROP_FILE, "com/cxf/security/cert/Client_Encrypt.properties");// public key

		cxfEp.getInInterceptors().add(new WSS4JInInterceptor(inProp));

		String result = service.sayHello("CYX");
		System.out.println(result);

	}
}

WSDL document after the server is published



Message received by the server

Message received by the client

If you've used CXF before and added interceptors, you'll find that the messages sent by the server and the client are all in plaintext, with no security at all.

Now, let's add CXF interceptors to the server and client main programs and look at the details of the messages being sent

Server code

package com.cxf.security.server;
import java.util.HashMap;
import java.util.Map;
import javax.xml.ws.Endpoint;
import org.apache.cxf.interceptor.LoggingInInterceptor;
import org.apache.cxf.interceptor.LoggingOutInterceptor;
import org.apache.cxf.jaxws.EndpointImpl;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.ws.security.handler.WSHandlerConstants;
import com.cxf.security.server.callback.UTPasswordServerCallBack;
import com.cxf.security.server.impl.HelloServiceImpl;

public class CXFServer {

	private static final String ADDRESS = "http://localhost:8088/security/helloservice";

	public static void main(String[] args) {

		EndpointImpl ep = (EndpointImpl) Endpoint.publish(ADDRESS, new HelloServiceImpl());
		org.apache.cxf.endpoint.Endpoint cxfEp = ep.getServer().getEndpoint();

		Map<String, Object> inProp = new HashMap<String, Object>();
		inProp.put(WSHandlerConstants.ACTION, WSHandlerConstants.TIMESTAMP + " " + WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.ENCRYPT);
		inProp.put(WSHandlerConstants.PW_CALLBACK_CLASS, UTPasswordServerCallBack.class.getName());
		inProp.put(WSHandlerConstants.SIG_PROP_FILE, "com/cxf/security/server/cert/Server_SignVerf.properties");
		inProp.put(WSHandlerConstants.DEC_PROP_FILE, "com/cxf/security/server/cert/Server_Decrypt.properties");
		cxfEp.getInInterceptors().add(new WSS4JInInterceptor(inProp));

		Map<String, Object> outProp = new HashMap<String, Object>();
		outProp.put(WSHandlerConstants.ACTION, WSHandlerConstants.TIMESTAMP + " " + WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.ENCRYPT);
		outProp.put(WSHandlerConstants.USER, "serverprivatekey");
		outProp.put(WSHandlerConstants.PW_CALLBACK_CLASS, UTPasswordServerCallBack.class.getName());
		outProp.put(WSHandlerConstants.ENCRYPTION_USER, "clientpublickey");
		outProp.put(WSHandlerConstants.SIG_PROP_FILE, "com/cxf/security/server/cert/Server_Decrypt.properties");// private key
		outProp.put(WSHandlerConstants.ENC_PROP_FILE, "com/cxf/security/server/cert/Server_SignVerf.properties");// public key
		cxfEp.getOutInterceptors().add(new WSS4JOutInterceptor(outProp));

		// Log the raw inbound request and outbound response so the encrypted SOAP can be inspected
		cxfEp.getInInterceptors().add(new LoggingInInterceptor());
		cxfEp.getOutInterceptors().add(new LoggingOutInterceptor());

		System.out.println("CXF Running , address : " + ADDRESS);

	}
}

Client code

package com.cxf.security.client;
import java.util.HashMap;
import java.util.Map;
import org.apache.cxf.endpoint.Endpoint;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.interceptor.LoggingInInterceptor;
import org.apache.cxf.interceptor.LoggingOutInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.ws.security.handler.WSHandlerConstants;
import com.cxf.security.callback.UTPasswordClientCallBack;
import com.cxf.security.server.impl.HelloServiceImplService;
import com.cxf.security.server.inter.HelloService;

public class CXFClient {

	public static void main(String[] args) {

		HelloServiceImplService ss = new HelloServiceImplService();
		HelloService service = ss.getHelloServiceImplPort();

		org.apache.cxf.endpoint.Client client = ClientProxy.getClient(service);
		Endpoint cxfEp = client.getEndpoint();

		// Client Out
		Map<String, Object> outProp = new HashMap<String, Object>();
		outProp.put(WSHandlerConstants.ACTION, WSHandlerConstants.TIMESTAMP + " " + WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.ENCRYPT);
		outProp.put(WSHandlerConstants.USER, "clientprivatekey");
		outProp.put(WSHandlerConstants.ENCRYPTION_USER, "serverpublickey");
		outProp.put(WSHandlerConstants.PW_CALLBACK_CLASS, UTPasswordClientCallBack.class.getName());
		outProp.put(WSHandlerConstants.SIG_PROP_FILE, "com/cxf/security/cert/Client_Sign.properties");
		outProp.put(WSHandlerConstants.ENC_PROP_FILE, "com/cxf/security/cert/Client_Encrypt.properties");

		cxfEp.getOutInterceptors().add(new WSS4JOutInterceptor(outProp));

		// Client In (Return)
		Map<String, Object> inProp = new HashMap<String, Object>();
		inProp.put(WSHandlerConstants.ACTION, WSHandlerConstants.TIMESTAMP + " " + WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.ENCRYPT);
		inProp.put(WSHandlerConstants.PW_CALLBACK_CLASS, UTPasswordClientCallBack.class.getName());
		inProp.put(WSHandlerConstants.DEC_PROP_FILE, "com/cxf/security/cert/Client_Sign.properties");
		inProp.put(WSHandlerConstants.SIG_PROP_FILE, "com/cxf/security/cert/Client_Encrypt.properties");

		cxfEp.getInInterceptors().add(new WSS4JInInterceptor(inProp));

		// Log the raw outbound request and inbound response
		client.getInInterceptors().add(new LoggingInInterceptor());
		client.getOutInterceptors().add(new LoggingOutInterceptor());

		String result = service.sayHello("CYX");
		System.out.println(result);

	}

}

Then start it and run once more

Messages printed on the server side


四月 09, 2017 10:28:32 下午 org.apache.cxf.services.HelloServiceImplService.HelloServiceImplPort.HelloService
資訊: Inbound Message
----------------------------
ID: 1
Address: http://localhost:8088/security/helloservice?wsdl
Encoding: UTF-8
Http-Method: GET
Content-Type: text/xml
Headers: {Accept=[*/*], Cache-Control=[no-cache], connection=[keep-alive], content-type=[text/xml], Host=[localhost:8088], Pragma=[no-cache], User-Agent=[Apache CXF 2.5.9]}
--------------------------------------
四月 09, 2017 10:28:32 下午 org.apache.cxf.services.HelloServiceImplService.HelloServiceImplPort.HelloService
資訊: Inbound Message
----------------------------
ID: 2
Address: http://localhost:8088/security/helloservice?wsdl=HelloService.wsdl
Encoding: UTF-8
Http-Method: GET
Content-Type: text/xml
Headers: {Accept=[*/*], Cache-Control=[no-cache], connection=[keep-alive], content-type=[text/xml], Host=[localhost:8088], Pragma=[no-cache], User-Agent=[Apache CXF 2.5.9]}
--------------------------------------
四月 09, 2017 10:28:34 下午 org.apache.cxf.services.HelloServiceImplService.HelloServiceImplPort.HelloService
資訊: Inbound Message
----------------------------
ID: 3
Address: http://localhost:8088/security/helloservice
Encoding: UTF-8
Http-Method: POST
Content-Type: text/xml; charset=UTF-8
Headers: {Accept=[*/*], Cache-Control=[no-cache], connection=[keep-alive], Content-Length=[4086], content-type=[text/xml; charset=UTF-8], Host=[localhost:8088], Pragma=[no-cache], SOAPAction=[""], User-Agent=[Apache CXF 2.5.9]}
Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="1"><xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EK-33CAF81E824A212A8914917481147674"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference><ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>CN=tongtech.com,C=CN</ds:X509IssuerName><ds:X509SerialNumber>728416868</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>qfuopESDELeHleE5qfzUUmZkx4UQd+EgBz3Rq3WTKYQKNDd/T61yihSB/hGa/DQKMfh9yANp28P04/taMzo4Qpo96Slo5B5d9TPIyTnNkkzKGAFefLJF9xp1Bmg2Vrfnm6M3qXPBcZWZktqyTkLdabR/IPZ6pyi11XpEK40ieMz3wjYk23OIxo7ced3Ni9zKeIKbHy16SnIXrPvFiisZ9jk4ewBZGyGTC4zGOVKLshsHkcExUIxriid2ZMXxqSQCgCD3JwCehjQpNJXWhtrvKt+ntlqM/sRCKUgpl/1nb5qrRU5jWy5WtPLS7CPlffVFdiew4QwJuvUVq4nb8BcuRQ==</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference URI="#ED-4"/></xenc:ReferenceList></xenc:EncryptedKey><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-3"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#id-2"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList=""/></ds:Transform></ds:Transforms><ds:DigestMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>/wPhSBQs5xeDSv823rqKZylM8LU=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>ZBAgLNymg4fAZfbS40J45IVHhCjacRnWuG0jUbvzhi9Y4GMsKY1iJ4EVkwyGnjtQfqVx4v8jDoTlCIY9/VU7gEfN8l8HOBxUIw2d7R8z96mcs6Ph1kR7k4h6EmcT4tmlZK/9kfNcLH2XE/UA33AS5vHEAqVQpnoxJWS86ixn6ojWt3h8OGqHROQBYcqJG2FMvrQjpZ1/MXr5EOmx32F3PCFIATR/9716QI/BE4vaOxQcFHO3yUJX5AbQ0c16Nm+qWTLce8Jd0d14ZPNl5otQ4A6dQNlDdllzQQJOw0EhDV7cRMabqqeCJcuo//+1NFp/xmDnOkcAd3QXjPSCpuxFBQ==</ds:SignatureValue><ds:KeyInfo Id="KI-33CAF81E824A212A8914917481145212"><wsse:SecurityTokenReference wsu:Id="STR-33CAF81E824A212A8914917481145243"><ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>CN=tongtech.com,C=CN</ds:X509IssuerName><ds:X509SerialNumber>77579749</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature><wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2017-04-09T14:28:34.486Z</wsu:Created><wsu:Expires>2017-04-09T14:33:34.486Z</wsu:Expires></wsu:Timestamp></wsse:Security></soap:Header><soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-2"><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="ED-4" Type="http://www.w3.org/2001/04/xmlenc#Content"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"><wsse:Reference 
URI="#EK-33CAF81E824A212A8914917481147674"/></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>PtZLFUeV+wfRAVV5x+aaakbOFC/UcyKrC1ExH/Tlka76kc5Ib3E/3Hyp+oIIAWrBB7eVTzu1196tWbcodStbGUTxLmevIWKFvjtdeZfRew909JNN/NWEREjNre+pl5RECUkCM04HWSSm3y25OOdq5S2jfUg1aCTD7LONqUWhzuc=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soap:Body></soap:Envelope>
--------------------------------------
log4j:WARN No appenders could be found for logger (org.apache.xml.security.Init).
log4j:WARN Please initialize the log4j system properly.
Server Identifier=serverprivatekey
Server Password=keypass
服務端接收訊息 : CYX
Server Identifier=serverprivatekey
Server Password=keypass

Information printed by the client
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/H:/Eclipse_Code/CXF/CXF_Client_Security_x509/lib/slf4j-jdk14-1.6.2.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/H:/Eclipse_Code/CXF/CXF_Client_Security_x509/lib/slf4j-log4j12-1.7.6.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
四月 09, 2017 10:28:33 下午 org.apache.cxf.service.factory.ReflectionServiceFactoryBean buildServiceFromWSDL
資訊: Creating Service {http://impl.server.security.cxf.com/}HelloServiceImplService from WSDL: http://localhost:8088/security/helloservice?wsdl
log4j:WARN No appenders could be found for logger (org.apache.xml.security.Init).
log4j:WARN Please initialize the log4j system properly.
Client Identifier=clientprivatekey
Client Password=keypass
四月 09, 2017 10:28:34 下午 org.apache.cxf.services.HelloServiceImplService.HelloServiceImplPort.HelloService
資訊: Outbound Message
---------------------------
ID: 1
Address: http://localhost:8088/security/helloservice
Encoding: UTF-8
Content-Type: text/xml
Headers: {Accept=[*/*], SOAPAction=[""]}
Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="1"><xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EK-33CAF81E824A212A8914917481147674"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference><ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>CN=tongtech.com,C=CN</ds:X509IssuerName><ds:X509SerialNumber>728416868</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>qfuopESDELeHleE5qfzUUmZkx4UQd+EgBz3Rq3WTKYQKNDd/T61yihSB/hGa/DQKMfh9yANp28P04/taMzo4Qpo96Slo5B5d9TPIyTnNkkzKGAFefLJF9xp1Bmg2Vrfnm6M3qXPBcZWZktqyTkLdabR/IPZ6pyi11XpEK40ieMz3wjYk23OIxo7ced3Ni9zKeIKbHy16SnIXrPvFiisZ9jk4ewBZGyGTC4zGOVKLshsHkcExUIxriid2ZMXxqSQCgCD3JwCehjQpNJXWhtrvKt+ntlqM/sRCKUgpl/1nb5qrRU5jWy5WtPLS7CPlffVFdiew4QwJuvUVq4nb8BcuRQ==</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference URI="#ED-4"/></xenc:ReferenceList></xenc:EncryptedKey><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-3"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#id-2"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList=""/></ds:Transform></ds:Transforms><ds:DigestMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>/wPhSBQs5xeDSv823rqKZylM8LU=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>ZBAgLNymg4fAZfbS40J45IVHhCjacRnWuG0jUbvzhi9Y4GMsKY1iJ4EVkwyGnjtQfqVx4v8jDoTlCIY9/VU7gEfN8l8HOBxUIw2d7R8z96mcs6Ph1kR7k4h6EmcT4tmlZK/9kfNcLH2XE/UA33AS5vHEAqVQpnoxJWS86ixn6ojWt3h8OGqHROQBYcqJG2FMvrQjpZ1/MXr5EOmx32F3PCFIATR/9716QI/BE4vaOxQcFHO3yUJX5AbQ0c16Nm+qWTLce8Jd0d14ZPNl5otQ4A6dQNlDdllzQQJOw0EhDV7cRMabqqeCJcuo//+1NFp/xmDnOkcAd3QXjPSCpuxFBQ==</ds:SignatureValue><ds:KeyInfo Id="KI-33CAF81E824A212A8914917481145212"><wsse:SecurityTokenReference wsu:Id="STR-33CAF81E824A212A8914917481145243"><ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>CN=tongtech.com,C=CN</ds:X509IssuerName><ds:X509SerialNumber>77579749</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature><wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2017-04-09T14:28:34.486Z</wsu:Created><wsu:Expires>2017-04-09T14:33:34.486Z</wsu:Expires></wsu:Timestamp></wsse:Security></soap:Header><soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-2"><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="ED-4" Type="http://www.w3.org/2001/04/xmlenc#Content"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"><wsse:Reference 
URI="#EK-33CAF81E824A212A8914917481147674"/></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>PtZLFUeV+wfRAVV5x+aaakbOFC/UcyKrC1ExH/Tlka76kc5Ib3E/3Hyp+oIIAWrBB7eVTzu1196tWbcodStbGUTxLmevIWKFvjtdeZfRew909JNN/NWEREjNre+pl5RECUkCM04HWSSm3y25OOdq5S2jfUg1aCTD7LONqUWhzuc=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soap:Body></soap:Envelope>
--------------------------------------
四月 09, 2017 10:28:35 下午 org.apache.cxf.services.HelloServiceImplService.HelloServiceImplPort.HelloService
資訊: Inbound Message
----------------------------
ID: 1
Response-Code: 200
Encoding: UTF-8
Content-Type: text/xml;charset=UTF-8
Headers: {Content-Length=[4106], content-type=[text/xml;charset=UTF-8], Server=[Jetty(7.5.4.v20111024)]}
Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="1"><xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EK-A7A647358089463ACE14917481159194"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference><ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>CN=tongtech.com,C=CN</ds:X509IssuerName><ds:X509SerialNumber>77579749</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>CoxciTUONCQlxKP6Wgdpo9J4aEAy+8BNVAf4yATpDiuOi67GskkX7CRGUx3D2lFSC7e/HwvQ/HJw20G+79J8D1j9YgdgQxjTtUhEnseYtcPPlUbJVMPqnTm58kOy8CRHc+aTeR7S7DOQElFYrId+JPO46Bnf7t2JS74266lPFXHDcj/j4dwuw77nK4LJmeQmhol1+O8eFtQTIIu7hjHyHBfW4vkaVs4UT7nslxq93m4GGPfYv/DJnGGzOcEBlZX76T/jjb5oqmXtiMKCyLEgOZaohocZyBA+hYoHGfHSo7pUsyG1Jo/ThWyFOqxYZcSkxda/0QQwfh6Yid/+NqG57w==</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference URI="#ED-4"/></xenc:ReferenceList></xenc:EncryptedKey><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-3"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#id-2"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList=""/></ds:Transform></ds:Transforms><ds:DigestMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>EYP0DsA4OdS9/Mw8P13Ql0Y6pZY=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>jDFId2cqkEQnYSxlGdChFWveUXxNp4BIio/AR2SOnqtu+RwDiZMy2izQLNvR0UEufVeYiiG8Avw67v4DGGizrmrNQ7qBGOJeh4As68xzHOovq2CaCoOMwIV6VfN0uHmQAkHjr6WT5vjhPg6poADs10cedD9Jw+y1plLdYfwiJ/jevIiv8JkO47JC8pId2DMZDMj3Ts8vHZSPA9tU2gFIi1wjR9zG+qU0+znFZcNgWq2bzaeeDvoqXvX2srQIeuxcPUFi/3kgk/WgVw8/Ht2m12t41LxGNRlvFcKbK2fbxDjKAd9FKHAa+pm/F5d6qe1DJ77yAkORKebQUiv/kTCa9w==</ds:SignatureValue><ds:KeyInfo Id="KI-A7A647358089463ACE14917481158862"><wsse:SecurityTokenReference wsu:Id="STR-A7A647358089463ACE14917481158863"><ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>CN=tongtech.com,C=CN</ds:X509IssuerName><ds:X509SerialNumber>728416868</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature><wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2017-04-09T14:28:35.878Z</wsu:Created><wsu:Expires>2017-04-09T14:33:35.878Z</wsu:Expires></wsu:Timestamp></wsse:Security></soap:Header><soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-2"><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="ED-4" Type="http://www.w3.org/2001/04/xmlenc#Content"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"><wsse:Reference 
URI="#EK-A7A647358089463ACE14917481159194"/></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>WzRMoJiEQdSxtdsMB07au6AJTE8F4yYFAlHF0+QAiQbpHlb8Uu5TDnvUAWFKrSCBTtnWDR1BlqmR15SnxVuHcJnKdyZ7ZzJjPhMIEmuGaksbzpQ2B1tSSRFa9sRy4f6ARfeOEQVSW/2IblyCtqkiafqnwRJT29WreVmIhhK4nbyz8dubsixq5DhTORZb7td9</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soap:Body></soap:Envelope>
--------------------------------------
Client Identifier=clientprivatekey
Client Password=keypass
Hi : CYX

All the information in the Body is encrypted....

I won't compare against the unencrypted version here; follow the earlier interceptor article and try it yourself to see....
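To confirm mechanically what the log above shows, here is an added example (not from the original article) that parses a WS-Security envelope with the JDK's DOM parser and reports whether every element in the Body is encrypted, whether a signature and timestamp are present, and which algorithms are in use; it flags the rsa-sha1 signature, sha1 digest and aes128-cbc encryption visible in the captured messages as legacy choices. The envelope it checks is a constructed, shortened copy of the logged request with placeholder cipher values; a real Payload line from the LoggingInInterceptor output can be passed to parse() instead.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

public class WsSecurityAudit {
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String XENC = "http://www.w3.org/2001/04/xmlenc#";
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";

    // Constructed, shortened copy of the logged request: cipher values are placeholders, algorithms as logged.
    static final String SAMPLE = "<soap:Envelope xmlns:soap=\"" + SOAP + "\"><soap:Header>"
            + "<wsse:Security xmlns:wsse=\"" + WSSE + "\" xmlns:wsu=\"" + WSU + "\" soap:mustUnderstand=\"1\">"
            + "<xenc:EncryptedKey xmlns:xenc=\"" + XENC + "\" Id=\"EK-1\">"
            + "<xenc:EncryptionMethod Algorithm=\"" + XENC + "rsa-oaep-mgf1p\"/>"
            + "<xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey>"
            + "<ds:Signature xmlns:ds=\"" + DS + "\" Id=\"SIG-3\"><ds:SignedInfo>"
            + "<ds:SignatureMethod Algorithm=\"" + DS + "rsa-sha1\"/><ds:Reference URI=\"#id-2\">"
            + "<ds:DigestMethod Algorithm=\"" + DS + "sha1\"/><ds:DigestValue>PLACEHOLDER</ds:DigestValue>"
            + "</ds:Reference></ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>"
            + "<wsu:Timestamp wsu:Id=\"TS-1\"><wsu:Created>2017-04-09T14:28:34.486Z</wsu:Created>"
            + "<wsu:Expires>2017-04-09T14:33:34.486Z</wsu:Expires></wsu:Timestamp></wsse:Security></soap:Header>"
            + "<soap:Body xmlns:wsu=\"" + WSU + "\" wsu:Id=\"id-2\">"
            + "<xenc:EncryptedData xmlns:xenc=\"" + XENC + "\" Id=\"ED-4\" Type=\"" + XENC + "Content\">"
            + "<xenc:EncryptionMethod Algorithm=\"" + XENC + "aes128-cbc\"/>"
            + "<xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>"
            + "</xenc:EncryptedData></soap:Body></soap:Envelope>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Logged messages came off the network: refuse DOCTYPE / external entities before parsing them.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** Returns the findings; an empty list means the message is protected the way the article's configuration intends. */
    static List<String> audit(Document doc) {
        List<String> findings = new ArrayList<>();
        Element body = (Element) doc.getElementsByTagNameNS(SOAP, "Body").item(0);
        if (body == null) {
            findings.add("no soap:Body");
            return findings;
        }
        // Every element child of Body must be xenc:EncryptedData; anything else is plaintext payload.
        for (Node n = body.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() == Node.ELEMENT_NODE
                    && !(XENC.equals(n.getNamespaceURI()) && "EncryptedData".equals(n.getLocalName()))) {
                findings.add("plaintext element in Body: " + n.getNodeName());
            }
        }
        if (doc.getElementsByTagNameNS(DS, "Signature").getLength() == 0) findings.add("no ds:Signature");
        if (doc.getElementsByTagNameNS(WSU, "Timestamp").getLength() == 0) findings.add("no wsu:Timestamp");
        // Algorithm identifiers exactly as they appear in the captured header and body.
        flagAlgorithms(findings, doc.getElementsByTagNameNS(XENC, "EncryptionMethod"), "-cbc", "CBC without integrity protection (prefer *-gcm)");
        flagAlgorithms(findings, doc.getElementsByTagNameNS(DS, "SignatureMethod"), "sha1", "SHA-1 signature (prefer rsa-sha256)");
        flagAlgorithms(findings, doc.getElementsByTagNameNS(DS, "DigestMethod"), "sha1", "SHA-1 digest (prefer sha256)");
        return findings;
    }

    static void flagAlgorithms(List<String> findings, NodeList methods, String weakSuffix, String why) {
        for (int i = 0; i < methods.getLength(); i++) {
            String alg = ((Element) methods.item(i)).getAttribute("Algorithm");
            if (alg.endsWith(weakSuffix)) findings.add(alg + ": " + why);
        }
    }

    public static void main(String[] args) throws Exception {
        List<String> findings = audit(parse(SAMPLE));
        if (findings.isEmpty()) System.out.println("no findings");
        for (String finding : findings) System.out.println("FINDING " + finding);
    }
}
```

On the sample above the Body, signature and timestamp checks pass and only the three algorithm findings are printed; in WSS4J the algorithms are selectable through WSHandlerConstants.SIG_ALGO, SIG_DIGEST_ALGO and ENC_SYM_ALGO in the same property maps the article builds.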