iteye_16761
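2013-08-23 00:36 Views: 282
Accepted

CXF WebService secure communication

I've recently been learning CXF WebService on my own. The server side now publishes successfully, and the client can call it successfully too. I'm not publishing with Spring; I publish through JaxWsServerFactoryBean. The problem I'm facing now is how to secure client calls so that only authenticated clients are allowed to call my service. My question is how this authentication should be done. I'd like to learn from everyone; I've only just started with WebService and hope you can offer some help. Thanks!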


2 answers

  • Accepted
    Dead_Knight 2013-08-23 07:33

    Just use the WSS4J security handler.
    Server-side definition:
    [code="xml"]

    <jaxws:serviceBean>

    </jaxws:serviceBean>
    <jaxws:inInterceptors>

    </jaxws:inInterceptors>
    <jaxws:outInterceptors>

    </jaxws:outInterceptors>
    </jaxws:server>
    [/code]
    Note: ServerPasswordCallback implements the CallbackHandler interface
    [code="java"]
    import java.io.IOException;

    import javax.security.auth.callback.Callback;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.callback.UnsupportedCallbackException;

    import org.apache.ws.security.WSPasswordCallback;

    public class ServerPasswordCallback implements CallbackHandler {
        @Override
        public void handle(Callback[] callbacks) throws IOException,
                UnsupportedCallbackException {
            // WSS4J passes a WSPasswordCallback that names the user being checked
            WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
            // Known user: set its password (hard-coded in this demo)
            if ("wsbs".equals(pc.getIdentifier())) {
                pc.setPassword("111111");
            }
        }
    }
    [/code]

    Client-side call:
    When calling, you need to add the outbound WSS4J interceptor, for example:
    [code="java"]
    JaxWsProxyFactoryBean bean = new JaxWsProxyFactoryBean();

    // Logging interceptors
    bean.getInInterceptors().add(new LoggingInInterceptor());
    bean.getInFaultInterceptors().add(new LoggingOutInterceptor());

    bean.setServiceClass(getServiceClass());
    bean.setAddress(url + getServiceURI());
    log.info(bean.getAddress());
    Object proxy = bean.create();

    // Get the underlying CXF client from the proxy
    ClientProxy clientProxy = (ClientProxy) Proxy.getInvocationHandler(proxy);
    Client client = clientProxy.getClient();

    // Outbound chain: SAAJ first, then WSS4J adds the security header
    client.getOutInterceptors().add(new SAAJOutInterceptor());
    client.getOutInterceptors().add(new WSS4JOutInterceptor(environment));
    [/code]
    Note: environment is a HashMap object, used to set the environment variables
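    [code="java"]
    Map<String, Object> environment = new HashMap<String, Object>();
    // Add a UsernameToken to every outgoing request
    environment.put(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN);
    environment.put(WSHandlerConstants.USER, Config.getProperty(REMOTE_USER));
    // PasswordText: the password is placed unhashed in the SOAP header
    environment.put(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_TEXT);
    // Callback class that supplies the password for the user above
    environment.put(WSHandlerConstants.PW_CALLBACK_CLASS, ClientPasswordHandler.class.getName());
    [/code]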
    ClientPasswordHandler is written much like ServerPasswordCallback.

    There are some examples online; take a look at them, it should be about the same.

  • dyccsxg 2013-08-25 12:09

    Security can be implemented by adding an Interceptor; see the code below:
    [code="java"]
    HelloWorldImpl implementor = new HelloWorldImpl();
    JaxWsServerFactoryBean svrFactory = new JaxWsServerFactoryBean();
    svrFactory.setServiceClass(HelloWorld.class);
    svrFactory.setAddress("http://localhost:9000/helloWorld");
    svrFactory.setServiceBean(implementor);
    // Interceptors are attached to the inbound and outbound chains here
    svrFactory.getInInterceptors().add(new LoggingInInterceptor());
    svrFactory.getOutInterceptors().add(new LoggingOutInterceptor());
    svrFactory.create();
    [/code]

    See also:
    http://dyccsxg.iteye.com/blog/1905440
    http://dyccsxg.iteye.com/blog/1905439
    http://dyccsxg.iteye.com/blog/1905438

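The two answers can be combined without Spring, which is how the question publishes its service: the example below (added here, not code from either answer) attaches a WSS4J inbound interceptor to a JaxWsServerFactoryBean so that every call must carry a valid UsernameToken. It assumes CXF 2.x with WSS4J 1.6 on the classpath; the nested HelloWorld types, the UserPasswords class and the WSBS_PASSWORD environment variable are hypothetical names.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.jws.WebService;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.cxf.binding.soap.saaj.SAAJInInterceptor;
import org.apache.cxf.jaxws.JaxWsServerFactoryBean;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.handler.WSHandlerConstants;

public class SecuredPublisher {
    @WebService
    public interface HelloWorld { String sayHi(String name); }
    public static class HelloWorldImpl implements HelloWorld {
        public String sayHi(String name) { return "Hi " + name; }
    }
    // Supplies the expected password per user; unknown users get none and are rejected.
    public static class UserPasswords implements CallbackHandler {
        private static final Map<String, String> USERS = new HashMap<String, String>();
        static { USERS.put("wsbs", System.getenv("WSBS_PASSWORD")); } // hypothetical variable
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof WSPasswordCallback)) throw new UnsupportedCallbackException(cb);
                WSPasswordCallback pc = (WSPasswordCallback) cb;
                String expected = USERS.get(pc.getIdentifier());
                if (expected != null) pc.setPassword(expected);
            }
        }
    }

    public static void main(String[] args) {
        Map<String, Object> inProps = new HashMap<String, Object>();
        inProps.put(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN);
        // PasswordText is unhashed on the wire: serve over https:// outside local tests
        inProps.put(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_TEXT);
        inProps.put(WSHandlerConstants.PW_CALLBACK_CLASS, UserPasswords.class.getName());
        JaxWsServerFactoryBean svrFactory = new JaxWsServerFactoryBean();
        svrFactory.setServiceClass(HelloWorld.class);
        svrFactory.setServiceBean(new HelloWorldImpl());
        svrFactory.setAddress("http://localhost:9000/helloWorld");
        svrFactory.getInInterceptors().add(new SAAJInInterceptor());
        svrFactory.getInInterceptors().add(new WSS4JInInterceptor(inProps));
        svrFactory.create(); // requests without a valid UsernameToken now get a SOAP fault
    }
}
```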
