posts - 28,  comments - 13,  trackbacks - 0
WebService开发笔记 3 -- 增加WebService访问的安全性

WebService开发笔记 1中我们创建了一个WebService简单实例,下面我们通过一个简单的用户口令验证机制来加强一下WebService的安全性:

1.修改WebService 服务端 spring 配置文件 ws-context.xml 
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:jaxws="http://cxf.apache.org/jaxws"
xsi:schemaLocation="http://cxf.apache.org/jaxws 

http://cxf.apache.org/schemas/jaxws.xsd 

http://www.springframework.org/schema/beans  

http://www.springframework.org/schema/beans/spring-beans.xsd"
default-autowire="byName" default-lazy-init="true">
<jaxws:endpoint id="webServiceSample"
address="/WebServiceSample" implementor="cn.org.coral.biz.examples.webservice.WebServiceSampleImpl">
<jaxws:inInterceptors>
<bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor" />
<bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
<constructor-arg>
<map>
<entry key="action" value="UsernameToken" />
<entry key="passwordType" value="PasswordText" />
<entry key="passwordCallbackClass" value="cn.org.coral.biz.examples.webservice.handler.WsAuthHandler" />
</map>
</constructor-arg>
</bean>
</jaxws:inInterceptors>
</jaxws:endpoint>
</beans>


2.服务端添加passwordCallbackClass回调类,该类进行用户口令验证: 
package cn.org.coral.biz.examples.webservice.handler;
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;
public class WsAuthHandler  implements CallbackHandler{
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
if (pc.getIdentifer().equals("ws-client")){
if (!pc.getPassword().equals("admin")) {
throw new SecurityException("wrong password");
}
}else{
throw new SecurityException("wrong username");
}
}
}


3.客户端修改spring 配置文件 wsclient-context.xml 如下: 
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:jaxws="http://cxf.apache.org/jaxws"
xsi:schemaLocation="http://cxf.apache.org/jaxws 

http://cxf.apache.org/schemas/jaxws.xsd 

http://www.springframework.org/schema/beans  

http://www.springframework.org/schema/beans/spring-beans.xsd"
default-autowire="byName" default-lazy-init="true">
<!-- ws clinet -->
<bean id="webServiceSampleClient" class="cn.org.coral.biz.examples.webservice.WebServiceSample"
factory-bean="webServiceSampleClientFactory" factory-method="create" />
<bean id="webServiceSampleClientFactory"
class="org.apache.cxf.jaxws.JaxWsProxyFactoryBean">
<property name="serviceClass"
value="cn.org.coral.biz.examples.webservice.WebServiceSample" />
<property name="address"
value="http://88.148.29.54:8080/aio/services/WebServiceSample" />
<property name="outInterceptors">
<list>
<bean
class="org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor" />
<ref bean="wss4jOutConfiguration" />
</list>
</property>
</bean>
<bean id="wss4jOutConfiguration"
class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
<property name="properties">
<map>
<entry key="action" value="UsernameToken" />
<entry key="user" value="ws-client" />
<entry key="passwordType" value="PasswordText" />
<entry>
<key>
<value>passwordCallbackRef</value>
</key>
<ref bean="passwordCallback" />
</entry>
</map>
</property>
</bean>
<bean id="passwordCallback"
class="cn.org.coral.biz.examples.webservice.handler.WsClinetAuthHandler">
</bean>
</beans>


4.客户端添加passwordCallback类,通过该类设置访问口令 
package cn.org.coral.biz.examples.webservice.handler;
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;
public class WsClinetAuthHandler  implements CallbackHandler{
public void handle(Callback[] callbacks) throws IOException,
UnsupportedCallbackException {
for (int i = 0; i < callbacks.length; i++) {
WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
int usage = pc.getUsage();
System.out.println("identifier: " + pc.getIdentifer());
System.out.println("usage: " + pc.getUsage());
if (usage == WSPasswordCallback.USERNAME_TOKEN) {
// username token pwd...
pc.setPassword("admin");
} else if (usage == WSPasswordCallback.SIGNATURE) {
// set the password for client's keystore.keyPassword
pc.setPassword("keyPassword");
}
}
}
}


5.junit单元测试程序: 
package cn.org.coral.biz.examples.webservice;
import org.springframework.test.AbstractDependencyInjectionSpringContextTests;
import org.springframework.util.Assert;
public class TestWebService extends AbstractDependencyInjectionSpringContextTests {
WebServiceSample webServiceSampleClient;
@Override
protected String[] getConfigLocations() {
setAutowireMode(AUTOWIRE_BY_NAME);
return new String[] { "classpath:/cn/org/coral/biz/examples/webservice/wsclient-context.xml" };
}
/**
* @param webServiceSampleClient the webServiceSampleClient to set
*/
public void setWebServiceSampleClient(WebServiceSample webServiceSampleClient) {
this.webServiceSampleClient = webServiceSampleClient;
}
public void testSay(){
String result = webServiceSampleClient.say(" world");
Assert.hasText(result);
}
}

posted on 2008-03-19 10:10 Lib 阅读(4100) 评论(2)  编辑  收藏


FeedBack:
# re: WebService开发笔记 3 -- 增加WebService访问的安全性
2008-06-18 17:42 | ych
抛异常了,怎么才能解决

2008-6-18 17:42:06 org.apache.cxf.bus.spring.BusApplicationContext getConfigResources
信息: No cxf.xml configuration file detected, relying on defaults.
2008-6-18 17:42:09 org.apache.cxf.service.factory.ReflectionServiceFactoryBean buildServiceFromClass
信息: Creating Service {http://spring.demo/}HelloWorldService from class demo.spring.HelloWorld
2008-6-18 17:42:13 org.apache.cxf.phase.PhaseInterceptorChain doIntercept
信息: Interceptor has thrown exception, unwinding now
org.w3c.dom.DOMException: No such Localname for SOAP URI
at org.apache.axis.message.SOAPDocumentImpl.createElementNS(SOAPDocumentImpl.java:379)
at org.apache.axis.SOAPPart.createElementNS(SOAPPart.java:1109)
at org.apache.cxf.staxutils.W3CDOMStreamWriter.writeStartElement(W3CDOMStreamWriter.java:98)
at org.apache.cxf.binding.soap.interceptor.SoapOutInterceptor.writeSoapEnvelopeStart(SoapOutInterceptor.java:95)
at org.apache.cxf.binding.soap.interceptor.SoapOutInterceptor.handleMessage(SoapOutInterceptor.java:76)
at org.apache.cxf.binding.soap.interceptor.SoapOutInterceptor.handleMessage(SoapOutInterceptor.java:57)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:221)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:276)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:222)
at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:177)
at $Proxy15.sayHi(Unknown Source)
at demo.spring.client.Client.main(Client.java:38)
Exception in thread "main" java.lang.NoSuchMethodError: javax.xml.soap.SOAPFactory.createFault()Ljavax/xml/soap/SOAPFault;
at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:193)
at $Proxy15.sayHi(Unknown Source)
at demo.spring.client.Client.main(Client.java:38)  回复  更多评论
  
# re: WebService开发笔记 3 -- 增加WebService访问的安全性
2011-05-04 18:38 | aqq
qqq  回复  更多评论
  

只有注册用户登录后才能发表评论。
网站导航:
 
<2008年3月>
2425262728291
2345678
9101112131415
16171819202122
23242526272829
303112345



我的JavaEye博客
http://lib.javaeye.com


常用链接

留言簿(2)

随笔分类

文章分类

FLASH

Java

搜索

  •  

最新评论

阅读排行榜

评论排行榜