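The CXF web service is already up, but it has no security to speak of, and this is an Internet-facing service after all.
CXF offers a very complete security architecture, but the ws_security demo shipped with CXF is too complicated: password, jks, X509 and Timestamp all at once. I tried many times without success. To keep things simple, let's implement only a user/password check. Here we go.
Write cxf.xml: just declare the interceptor next to the existing beans.
XML code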
<bean id="WSS4JInInterceptor" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
    <constructor-arg>
        <map>
            <entry key="action" value="UsernameToken" />
            <entry key="passwordType" value="PasswordText" />
            <entry key="passwordCallbackClass"
                   value="com.xxxx.Service.ServerPasswordCallback" />
        </map>
    </constructor-arg>
</bean>
<jaxws:endpoint id="chartScreen" implementor="#chartScreenService"
                address="/ChartScreenService">
    <jaxws:inInterceptors>
        <bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor" />
        <ref bean="WSS4JInInterceptor" />
    </jaxws:inInterceptors>
</jaxws:endpoint>

<bean id="WSS4JInInterceptor" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
    <constructor-arg>
        <map>
            <entry key="action" value="UsernameToken" />
            <entry key="passwordType" value="PasswordText" />
            <entry key="passwordCallbackClass"
                   value="com.mms.webservice.test.ServerPasswordCallback" />
        </map>
    </constructor-arg>
</bean>
<jaxws:endpoint id="helloWorld"
                implementor="com.mms.webservice.HelloWorldImpl"
                address="/HelloWorld">
    <jaxws:inInterceptors>
        <!--
        <bean
            class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor" />
        <bean
            class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
            <constructor-arg>
                <map>
                    <entry key="action" value="UsernameToken" />
                    <entry key="passwordType" value="PasswordText" />
                    <entry key="passwordCallbackClass"
                           value="com.mms.webservice.test.ServerPasswordCallback" />
                </map>
            </constructor-arg>
        </bean>
        -->
        <ref bean="WSS4JInInterceptor" />
    </jaxws:inInterceptors>
</jaxws:endpoint>
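WSS4JInInterceptor is the piece we need to define. CXF has already written it for you; you only need to set its properties. There are quite a lot of property values, and CXF's documentation is just too thin, the usual open-source weakness! Look the property values up in the API docs.
Next, write the server-side password callback; the verification logic is defined here.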
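Java code
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.WSSecurityException;

public class ServerPasswordCallback implements CallbackHandler {
    // Demo accounts (user -> password), hard-coded for this example
    private Map<String, String> passwords = new HashMap<String, String>();

    public ServerPasswordCallback() {
        passwords.put("admin", "admin");
        passwords.put("test", "test");
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException,
            UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
            // Reject users that are not in the map
            if (!passwords.containsKey(pc.getIdentifier())) {
                throw new WSSecurityException("user not match");
            }
            String pass = passwords.get(pc.getIdentifier());
            // Password the client sent in the UsernameToken
            String pwd = pc.getPassword();
            if (pwd == null || !pwd.equals(pass)) {
                throw new WSSecurityException("password not match");
            }
        }
    }
}
With that, server-side verification is complete. If you now call the service with the original client program, it fails with a ws_security error.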
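A hardened variant of the server callback above, added here as an example and not code from the original post: it keeps salted PBKDF2 hashes instead of plaintext passwords, compares in constant time, and answers unknown user and wrong password with the same error. It assumes the same WSS4J 1.5.x behaviour the post's callback relies on (the handler receives the password the client sent) and Java 8 or later; the class name HashedPasswordCallback, the system property ws.users.file and the file layout are hypothetical.

```java
import java.io.*;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.security.auth.callback.*;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.WSSecurityException;

// Added example (assumes WSS4J 1.5.x and Java 8+); the class name is hypothetical.
public class HashedPasswordCallback implements CallbackHandler {
    private static final int ITERATIONS = 100_000, KEY_BITS = 256;
    // Stand-in record so unknown users cost the same PBKDF2 run as known ones.
    private static final byte[][] DUMMY = { new byte[16], new byte[KEY_BITS / 8] };
    private final Map<String, byte[][]> users = new HashMap<String, byte[][]>(); // user -> {salt, hash}
    // Hypothetical store: a properties file of user=base64(salt):base64(hash) lines,
    // located by the assumed system property ws.users.file.
    public HashedPasswordCallback() throws IOException {
        Properties p = new Properties();
        try (InputStream in = new FileInputStream(System.getProperty("ws.users.file"))) {
            p.load(in);
        }
        Base64.Decoder b64 = Base64.getDecoder();
        for (String user : p.stringPropertyNames()) {
            String[] rec = p.getProperty(user).split(":", 2);
            users.put(user, new byte[][] { b64.decode(rec[0]), b64.decode(rec[1]) });
        }
    }
    static byte[] pbkdf2(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) throw new UnsupportedCallbackException(cb);
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            String sent = pc.getPassword(); // password from the incoming UsernameToken
            if (sent == null || sent.isEmpty()) throw new WSSecurityException("authentication failed");
            byte[][] rec = users.get(pc.getIdentifier());
            byte[][] ref = rec != null ? rec : DUMMY;
            try { // constant-time comparison of the derived hash with the stored one
                boolean match = MessageDigest.isEqual(pbkdf2(sent.toCharArray(), ref[0]), ref[1]);
                if (!match || rec == null) throw new WSSecurityException("authentication failed");
            } catch (GeneralSecurityException e) { throw new IOException(e); }
        }
    }
}
```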
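Now for the client-side program.
It simply adds the corresponding content to the SOAP header. It also uses interceptors, here outInterceptors.
Java code
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.WSSecurityException;

public class ClientPasswordCallback implements CallbackHandler {
    // Demo accounts (user -> password), hard-coded for this example
    private Map<String, String> passwords =
            new HashMap<String, String>();

    public ClientPasswordCallback() {
        passwords.put("admin", "admin");
        passwords.put("test", "test");
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException,
            UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
            int usage = pc.getUsage();
            if (!passwords.containsKey(pc.getIdentifier())) {
                throw new WSSecurityException("user not exists ");
            }
            String pass = passwords.get(pc.getIdentifier());
            // Supply the password that goes into the outgoing UsernameToken
            if (usage == WSPasswordCallback.USERNAME_TOKEN && pass != null) {
                pc.setPassword(pass);
                return;
            }
        }
    }
}

// Calling code: attach the WS-Security out interceptor to the client proxy.
// IChartScreenService is the service interface of the project.
import java.util.HashMap;
import java.util.Map;
import org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor;
import org.apache.cxf.jaxws.JaxWsProxyFactoryBean;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.handler.WSHandlerConstants;

JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean();
Map<String, Object> outProps = new HashMap<String, Object>();
outProps.put(WSHandlerConstants.ACTION,
        WSHandlerConstants.USERNAME_TOKEN);
outProps.put(WSHandlerConstants.USER, "admin");
outProps.put(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_TEXT);
outProps.put(WSHandlerConstants.PW_CALLBACK_CLASS,
        ClientPasswordCallback.class.getName());
WSS4JOutInterceptor wssOut = new WSS4JOutInterceptor(outProps);
factory.getOutInterceptors().add(wssOut);
factory.getOutInterceptors().add(new SAAJOutInterceptor());
factory.setServiceClass(IChartScreenService.class);
factory.setAddress("http://localhost:8080/ECFlight/service/ChartScreenService");
IChartScreenService service = (IChartScreenService) factory.create();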
Spring configuration can be used instead:
<!-- wssecurity -->
<bean id="clientPasswordCallback" class="com.evermoresw.megp.utilities.ClientPasswordCallback" />
<bean id="wsOutInterceptor" class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
    <constructor-arg>
        <map>
            <entry key="action" value="UsernameToken" />
            <entry key="passwordType" value="PasswordText" />
            <entry key="user" value="admin" />
            <entry key="passwordCallbackRef">
                <ref bean="clientPasswordCallback" />
            </entry>
        </map>
    </constructor-arg>
</bean>
<jaxws:client id="client_testService" serviceClass="com.evermore.moa.service.Test"
              address="http://localhost:8080/cxfTestServer/service/testService">
    <jaxws:outInterceptors>
        <!-- outgoing chain: use the SAAJ out interceptor, as in the Java client above -->
        <bean class="org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor" />
        <ref bean="wsOutInterceptor" />
    </jaxws:outInterceptors>
</jaxws:client>
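What the client configuration above puts into the SOAP header, and why the endpoint address matters, shown as an added example that is not from the original post: with PasswordText the password travels as plain element text, so the code parses a sample request and flags it when the address is not https. The sample envelope, the class name UsernameTokenAudit and the https://localhost:8443 address are constructed for illustration.

```java
import java.io.StringReader;
import java.net.URI;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

// Added example: what a PasswordText UsernameToken exposes on the wire.
public class UsernameTokenAudit {
    static final String WSSE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String PW_TEXT =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText";

    // Constructed, simplified sample of the header added for user "admin".
    static final String SAMPLE =
        "<soap:Envelope xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'><soap:Header>"
      + "<wsse:Security xmlns:wsse='" + WSSE + "' soap:mustUnderstand='1'><wsse:UsernameToken>"
      + "<wsse:Username>admin</wsse:Username>"
      + "<wsse:Password Type='" + PW_TEXT + "'>admin</wsse:Password>"
      + "</wsse:UsernameToken></wsse:Security></soap:Header><soap:Body/></soap:Envelope>";

    /** Returns a finding for one request: password type versus transport of the address. */
    static String audit(String soap, String address) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(soap)));
        NodeList pws = doc.getElementsByTagNameNS(WSSE, "Password");
        if (pws.getLength() == 0) return "no UsernameToken password in message";
        String type = ((Element) pws.item(0)).getAttribute("Type");
        // The UsernameToken profile treats a missing Type as PasswordText.
        boolean cleartext = type.isEmpty() || PW_TEXT.equals(type);
        boolean tls = "https".equalsIgnoreCase(URI.create(address).getScheme());
        if (cleartext && !tls) return "FAIL: password readable in transit, use an https:// address";
        return cleartext ? "OK: PasswordText, protected by TLS" : "OK: password type " + type;
    }

    public static void main(String[] args) throws Exception {
        System.out.println(audit(SAMPLE, "http://localhost:8080/ECFlight/service/ChartScreenService"));
        System.out.println(audit(SAMPLE, "https://localhost:8443/ECFlight/service/ChartScreenService"));
    }
}
```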
Problem: Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/xml/security/Init
Fix: add the xmlsec-1.4.3.jar package.
For WS-Security support:
- bcprov-jdk15.jar
- xalan.jar
- serializer.jar
- wss4j.jar
- xmlsec.jar