WebService CXF Study (Advanced Part 3): WS-Security
Source: Internet. Published by: 溺水数据. Editor: 程序博客网. Time: 2024/05/08 11:31
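In this section we look at web service security. If every system ran inside a closed LAN, we could ignore network attacks, denial of service, message tampering, eavesdropping and similar problems. Usually, though, systems are connected to the Internet, so we have to think about information security, and sending messages completely unprotected as in the earlier parts will not do. The messages have to be encrypted. CXF can work together with WSS4J to manage message security, using tokens or X.509 certificates to encrypt the message header or body. This section gives only a brief description of token-based protection, again in the form of a demo.
This demo is adapted from the CXF+Spring+Hibernate demo. Here I only explain the parts that changed.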
```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jaxws="http://cxf.apache.org/jaxws"
       xsi:schemaLocation="
           http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
           http://cxf.apache.org/jaxws
           http://cxf.apache.org/schemas/jaxws.xsd">

    <import resource="classpath:META-INF/cxf/cxf.xml" />
    <import resource="classpath:META-INF/cxf/cxf-extension-soap.xml" />
    <import resource="classpath:META-INF/cxf/cxf-servlet.xml" />

    <jaxws:endpoint id="service"
                    implementor="com.itdcl.service.ServiceImpl" address="/Service">
        <jaxws:inInterceptors>
            <bean class="org.apache.cxf.interceptor.LoggingInInterceptor" />
            <bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor" />
            <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
                <constructor-arg>
                    <map>
                        <entry key="action" value="UsernameToken" />
                        <entry key="passwordType" value="PasswordText" />
                        <entry key="user" value="cxfServer" />
                        <entry key="passwordCallbackRef">
                            <ref bean="serverPasswordCallback" />
                        </entry>
                    </map>
                </constructor-arg>
            </bean>
        </jaxws:inInterceptors>
    </jaxws:endpoint>

    <bean id="serverPasswordCallback"
          class="com.itdcl.ws.ServerPasswordCallback" />
</beans>
```
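action: UsernameToken means a user name token is used.
passwordType: PasswordText is the password encoding strategy; here the password is sent as plain text.
user: cxfServer is the alias.
passwordCallbackRef: serverPasswordCallback is the bean that validates the message.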
The message validation class:
```java
package com.itdcl.ws;

import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

public class ServerPasswordCallback implements CallbackHandler {

    public void handle(Callback[] callbacks) throws IOException,
            UnsupportedCallbackException {
        WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
        String pw = pc.getPassword();
        String idf = pc.getIdentifier();
        // Demo output only: this writes the received password to stdout.
        System.out.println("password:" + pw);
        System.out.println("identifier:" + idf);
        // Constant-first equals() avoids a NullPointerException when the
        // callback carries no password or identifier.
        if ("josen".equals(pw) && "admin".equals(idf)) {
            // Authentication succeeded
        } else {
            // "验证失败" means "authentication failed"
            throw new SecurityException("验证失败");
        }
    }
}
```
The message validation class implements the CallbackHandler interface and performs user authentication in its handle method.
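A more defensive variant of the server-side handler, as an added example rather than the original author's code. It assumes, like the page's handler, that `getPassword()` returns the password the client sent; the class name and the in-memory user map are hypothetical.

```java
package com.itdcl.ws;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

// Hypothetical class name; added illustration, not part of the demo project.
public class HardenedServerPasswordCallback implements CallbackHandler {

    // Constructed sample store standing in for a real credential database.
    private static final Map<String, String> USERS =
            Collections.singletonMap("admin", "josen");

    public void handle(Callback[] callbacks) throws IOException,
            UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            // Reject callback types this handler does not understand
            // instead of failing with a ClassCastException.
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "unexpected callback");
            }
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            String expected = USERS.get(pc.getIdentifier());
            String supplied = pc.getPassword();
            // Unknown user and wrong password produce the same error, and
            // neither the identifier nor the password is written to a log.
            if (expected == null || supplied == null
                    || !constantTimeEquals(expected, supplied)) {
                throw new SecurityException("authentication failed");
            }
        }
    }

    // MessageDigest.isEqual compares byte arrays in constant time.
    private static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                b.getBytes(StandardCharsets.UTF_8));
    }
}
```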
So how does the client side handle message verification?
```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jaxws="http://cxf.apache.org/jaxws"
       xsi:schemaLocation="
           http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
           http://cxf.apache.org/jaxws
           http://cxf.apache.org/schemas/jaxws.xsd">

    <jaxws:client id="service"
                  address="http://localhost:9999/cxf/Service"
                  serviceClass="com.itdcl.service.IService">
        <jaxws:outInterceptors>
            <bean class="org.apache.cxf.interceptor.LoggingOutInterceptor" />
            <bean class="org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor" />
            <bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
                <constructor-arg>
                    <map>
                        <entry key="action" value="UsernameToken" />
                        <entry key="passwordType" value="PasswordText" />
                        <entry key="user" value="cxfClient" />
                        <entry key="passwordCallbackRef">
                            <ref bean="clientPasswordCallback" />
                        </entry>
                    </map>
                </constructor-arg>
            </bean>
        </jaxws:outInterceptors>
    </jaxws:client>

    <bean id="clientPasswordCallback"
          class="com.itdcl.ws.ClientPasswordCallback" />
</beans>
```
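When it sends the SOAP message, the client adds the authentication information using the same policy as the server, but the callback class is different: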
```java
package com.itdcl.ws;

import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

public class ClientPasswordCallback implements CallbackHandler {

    public void handle(Callback[] callbacks) throws IOException,
            UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
            // Credentials placed in the outgoing UsernameToken; they must
            // match what ServerPasswordCallback checks for.
            pc.setPassword("josen");
            pc.setIdentifier("admin");
        }
    }
}
```
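The client sets the user name and password when it sends the message, and the server validates them against the corresponding user name and password.
Token authentication is as simple as that.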