Implementing WS-Security with JSR 181 Annotations using WSS4J in XFire(转)

最新推荐文章于 2016-11-30 22:28:35 发布
最新推荐文章于 2016-11-30 22:28:35 发布
阅读量101 收藏
点赞数
文章标签: Security Web WebService Bean Spring
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/Sunny285067545/article/details/83681470
版权

The Logemann Blog really helped me out when I was trying to use JSR181 Annotations in favor of the services.xml configuration in XFire. Reading that blog entry is most likely a prerequisite for this one. Once you’ve configured your Spring beans and web.xml to use JSR181 Annotations, the next step is to implement security for your web services. The example shown implements WS-Security as specified by OASIS Web Services Security and implemented by WSS4J in XFire .

Looking at the ws-security example packaged with XFire, for a service to be security enabled, you need the following configuration in your services.xml. We are dealing with the “User Token with Hashed Password” scheme.

<service>
 <name>BookServiceUTHP</name>
 <namespace>

http://xfire.codehaus.org/BookService

 </namespace>
 <serviceClass>
  org.codehaus.xfire.demo.BookService
 </serviceClass>
 <inHandlers>
  <handler handlerClass=
    "org.codehaus.xfire.util.dom.DOMInHandler" />
  <bean class=
   "org.codehaus.xfire.security.wss4j.WSS4JInHandler">
   <property name="properties">
    <props>
     <prop key="action">UsernameToken</prop>
     <prop key="passwordCallbackClass">
      org.codehaus.xfire.demo.PasswordHandler
     </prop>
    </props>
   </property>
  </bean>
  <handler handlerClass=
   "org.codehaus.xfire.demo.ValidateUserTokenHandler"/>
 </inHandlers>
</service>

However, we want to substitute this configuration with annotations. There are three InHandlers being applied which we must specify via annotations. The problem is that when specifying handlers using annotations you may not supply any parameters to them, as we do above in the case of WSS4JInHandler. The solution is to create a custom handler which wraps the other handlers and passes in the parameters to WSS4JInHandler programmatically. Here’s a custom handler which does just that:

public class WSSecurityHandler
                  extends AbstractHandler {
 List<Handler> inHandlers;

 public WSSecurityHandler() {
  WSS4JInHandler wss4jInHandler;
  ValidateUserTokenHandler userTokenHandler;
  Properties props = new Properties();
  props.put("action", "UsernameToken");
  props.put("passwordCallbackClass",
  PasswordHandler.class.getName());

  wss4jInHandler = new WSS4JInHandler(props);
  userTokenHandler = new ValidateUserTokenHandler();
  inHandlers = new ArrayList<Handler>();
  inHandlers.add(wss4jInHandler);
  inHandlers.add(userTokenHandler);
 }

public QName[] getUnderstoodHeaders() {
  return new QName[] {
    new QName("http://docs.oasis-open.org/wss/2004/01/" +
     	      "oasis-200401-wss-wssecurity-secext-1.0.xsd",
     	      "Security")
  };
 }
 public void invoke(MessageContext messageContext)
                                   throws Exception {
  for (Handler handler : inHandlers) {
   handler.invoke(messageContext);
  }
  // User should be set by ValidateUserTokenHandler
  // You can also choose to do all your security checks in
  // ValidateUserTokenHandler which does a lot of the work for you
  if (messageContext.getProperty(
        WSHandlerConstants.ENCRYPTION_USER) == null) {
    throw new Exception("Principal not found");
  }

 }
}

The implementation is fairly straightforward. The one thing to note is the getUnderstoodHeaders() method which returns a QName. The reason this is important is that Java clients send this as part of the SOAP header and it is mandatory for the web service to recognize this as a valid header. I encountered this problem and reported it on the mailing list with no response.

The last piece of the puzzle is that we must annotate our web service class with our custom handler. Here’s an example:

@WebService
@InHandlers(handlers={
 "my.package.WSSecurityHandler",
 "org.codehaus.xfire.util.dom.DOMInHandler"
})
public class BookService {
 // methods go here
}

The DOMInHandler must be configured via an annotation. The client code for calling a web service configured using services.xml is the same as when configured via annotations:

Service serviceModel = new ObjectServiceFactory().
				create(IBook.class,
				 "BookService",
				 SERVICE_NAMESPACE,
				 null);
IBook service = (IBook) new XFireProxyFactory().
create(serviceModel, SERVICE_URL);

Client client = ((XFireProxy)
     Proxy.getInvocationHandler(service)).getClient();
client.addOutHandler(new DOMOutHandler());
Properties p = new Properties();
// Action to perform : user token
p.setProperty(WSHandlerConstants.ACTION,
		WSHandlerConstants.USERNAME_TOKEN);
// Set password type to hashed
p.setProperty(WSHandlerConstants.PASSWORD_TYPE,
				WSConstants.PW_DIGEST);
// Username in keystore
p.setProperty(WSHandlerConstants.USER, "serveralias");
// Used do retrive password for given user name
p.setProperty(WSHandlerConstants.PW_CALLBACK_CLASS,
	          PasswordHandler.class.getName());

client.addOutHandler(new WSS4JOutHandler(p));
Book b = service.findBook("0123456789");

That’s all it takes.

Sunny285067545
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
RPA for Implementing New Technologies: A Guide to Using RPA to Automation New workflows
禅与计算机程序设计艺术
06-30 5786
作者:禅与计算机程序设计艺术 RPA for Implementing New Technologies: A Guide to Using RPA to
Coursera-Software-Security-week4-quiz
khan0517的博客
03-16 2512
Week4 quiz Why is waiting to think about security until after the software is built a bad idea? You might make critical mistakes in the software’s design Fixing problems once the software is built is ...
Web Service修炼之四WS-Security
开源技术
01-22 202
1.服务器实现    将serverStore.jks拷贝到&lt;工程目录&gt;/src/META-INF/xfire的目录下  1、insecurity.properties文件,放在META-INF/xfire/下 org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypt...
在JAVA中通过WSS4J实现WS-Security
显斌的技术Blog
12-08 5756
Implementing WS-Security with Java and WSS4J Many organizations have now implemented solutions based on the promise of Web services, exposing t
XFire中实现WS-Security完整编
小茗的专栏
03-18 2103
  自:http://docs.codehaus.org/pages/viewpage.action?pageId=59451  Added by qiujiayu, last edited by qiujiayu on Aug 04, 2006  (view change)
Xfire and JSR 181 Annotations
03-05 920
JSR 181 Annotations We are working on adding JSR 181 2.0 support for annotations in XFire via Java 5 and commons-attributes. The Java 5
WS-Security官方 demo
cocojiji5的专栏
12-23 1443
  WS-Securityprovides means to secure your services above and beyond transport levelprotocols such as HTTPS. Through a number of standards such asXML-Encryption, and headers
Webservices with Spring, XFire and jsr181
黄瓜和土豆的专栏
01-06 2243
Just wanted to share my experiences i made yesterday while implementing webservices via XFire. Since i migrated to Java5 yesterday, i thought its a good idea to use its strengths in form of using anno
slf4j.jar日志使用详解--项目开发中经常使用
hins
07-29 5056
What about Maven transitive dependencies? As an author of a library built with Maven, you might want to test your application using a binding, say slf4j-log4j12 or logback-classic, without forcing
理解try-with-resources语句及示例
热门推荐
PeacefulWinter的博客
11-30 2万+
try-with-resources语句可以对需要关闭的资源实现自动化管理,从而优化代码。
全国计算机三级(网络技术)做题技巧
07-22
全国计算机三级(网络技术)做题技巧
记录 cocos 开发问题 ,微信 wx.xxx函数 报找不到名称“wx”
07-22
wx api 文件
20231108-173536 时间箭贴板
07-22
时间粘贴小工具 启动后点击回车 可以得到时间字符串 直接粘贴可用
毕业设计javajsp西饼点心店收费系统(ssh)-qrp源码含文档工具包
07-22
毕业设计javajsp西饼点心店收费系统(ssh)-qrp源码含文档工具包 后台是ssh框架,页面是jsp,数据库mysql,jdk1.8,开发工具用ecplise、myecplise、sts、idea都可以 点心店管理系统是针对点心店内部而设计的,应用于点心店的局域网,这样可以使得点心店内部管理更有效的联系起来。系统的主要功能包括:供货商信息管理、点心信息管理、采购申请管理与物品采购管理。 包含:源码、数据库脚本、论文、开题报告、环境工具包、相同框架项目的安装教程(在说明文档中)
275、基于stm32的电压可调、电流智能检测系统设计(原理图、PCB图、源代码)
最新发布
07-22
275、基于stm32的电压可调、电流智能检测系统设计(原理图、PCB图、源代码) 功能:系统使用stm32单片机设计,USB 5V供电,实现3.3V——12V可调输出,电流测量范围1uA——500mA,液晶LCD12864显示,通过串口上传信息和串口修改输出电压;各功能如下: 1、使用stm32为核心,keil编程; 2、输出3.3V-12V可调电压; 3、输出电流显示在LCD12864上,输出电流检测范围是1uA——500mA; 4、串口同步上传电压和电流信息; 5、支持串口指令修改输出电压值;
C++《使用NeuroSky和摄像头实现的简易脑波控制的图片拍摄并且识别单词或图片中的植物》+源代码+文档说明
07-22
<项目介绍> - 使用NeuroSky和摄像头实现的简易脑波控制的图片拍摄并且识别单词或图片中的植物 - 不懂运行,下载完可以私聊问,可远程教学 该资源内项目源码是个人的毕设,代码都测试ok,都是运行成功后才上传资源,答辩评审平均分达到96分,放心下载使用! 1、该资源内项目代码都经过测试运行成功,功能ok的情况下才上传的,请放心下载使用! 2、本项目适合计算机相关专业(如计科、人工智能、通信工程、自动化、电子信息等)的在校学生、老师或者企业员工下载学习,也适合小白学习进阶,当然也可作为毕设项目、课程设计、作业、项目初期立项演示等。 3、如果基础还行,也可在此代码基础上进行修改,以实现其他功能,也可用于毕设、课设、作业等。 下载后请首先打开README.md文件(如有),仅供学习参考, 切勿用于商业用途。 --------
ABB字迹书写技术文档
07-22
内容概要:包含指导使用ABB机器人完成“毅”字在写字板上书写的技术文档。在执行过程中将提供更多可能错误、其他路径,并引导读者在此基础上完成微量调整。会介绍部分原理,使读者在学习后增进对ABB仿真功能的了解,例如:RAPID的使用、仿真中碰撞监控的设置等 适合人群:适合ABB RobotStudio6.18.01仿真软件初学者 应用场景:应用于汇博机器人教学工作台,可以引导未接触过相关领域的人群实现仿真软件的编写直至最终烧录 能学到什么:①ABB RobotStudio6.18.01使用技巧;②ABB机器人运行过程;3、烧录方法;4、ABB机器人运行的弊端 阅读建议:此资源以开发ABB RobotStudio6.18.01RAPID程序学习其原理和内核,不仅是代码编写实现也更注重内容上的需求分析和方案设计,所以在学习的过程要结合这些内容一起来实践,并调试对应的代码。
英语四六级四大题型分类总结资料/笔记(2):听力
07-22
资料包含:掌握预读技巧,听力需注意14类关键词,听力九大技巧,听力长对话6大边听边记技能,听力五大杀绝,常见场景词汇归纳高频词组,词汇精讲技巧,听力短对话、长对话考试技巧,听力讲义综合笔记(具体和复合,替换题,段子,人物关系,责备场景题,场景题,but题,等),听力技巧等等。
毕业设计javajsp宿舍管理系统ssh源码含文档工具包
07-22
毕业设计javajsp宿舍管理系统ssh源码含文档工具包 后台是ssh框架,页面是jsp,数据库mysql,jdk1.8,开发工具用ecplise、myecplise、sts、idea都可以 宿舍信息系统应该便于院系的宿舍管理,提高工作效率。能有效地对数据进行更新查询,并能在一定程度上实现自动化。 1)本系统的主要功能:学生管理,宿舍公告信息管理,宿舍管理,来访者信息管理,卫生检查信息管理以及保修审批管理。 2)系统性能:应方便快捷地完成宿舍管理的各项工作,数据查询速度快,查询安全、准确,数据合法性检验度高。 3)系统输入:学生的各种信息,包括学号、班级等。 包含:源码、数据库脚本、论文、答辩ppt、开题报告、环境工具包、相同框架项目的安装教程(在说明文档中)
code examples online to help you get started with implementing Reed-Solomon coding in Python
04-22
Sure, there are several code examples available online to help you get started with implementing Reed-Solomon coding in Python. Here are a few resources you can refer to: 1. GitHub repository: ...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值