WebService如果涉及到安全保密或者使用权限的时候,WS-Security通常是最优选择。WS-Security (Web服务安全)
包含了关于如何在WebService消息上保证完整性和机密性的规约,如何将签名和加密头加入SOAP消息。
不过WS-Security也有一些性能上的损耗,在信息保密要求不是很高的情况下,可以通过在SOAPHeader中添加简单的校验信息实现。需要注意,这种方式只做身份校验,授权信息以明文随SOAP消息传输,本身不提供完整性和机密性保护,应当在HTTPS(TLS)通道上使用。
具体思路是客户端调用需要认证的服务时,在SOAPHeader中添加授权信息(如用户名、密码或者序列号等)。
服务端收到请求,在SOAPHeader中校验授权信息,校验通过则执行请求,校验不通过则返回错误提示。
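客户端发起请求时,在SOAPHeader中添加的授权数据格式如下(命名空间与元素名取自下文服务端 Handler 的校验代码):
<auth xmlns="http://schemas.xmlsoap.org/soap/actor/next">
    <username>admin</username>
    <password>admin</password>
</auth>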
服务端
服务端授权校验 Handler
importjava.util.Iterator;importjava.util.Set;importjavax.xml.namespace.QName;importjavax.xml.soap.SOAPBody;importjavax.xml.soap.SOAPConstants;importjavax.xml.soap.SOAPElement;importjavax.xml.soap.SOAPEnvelope;importjavax.xml.soap.SOAPException;importjavax.xml.soap.SOAPFault;importjavax.xml.soap.SOAPHeader;importjavax.xml.soap.SOAPMessage;importjavax.xml.ws.handler.MessageContext;importjavax.xml.ws.handler.soap.SOAPHandler;importjavax.xml.ws.handler.soap.SOAPMessageContext;importorg.apache.cxf.interceptor.Fault;importorg.w3c.dom.NodeList;/***
*@author
*/
public class JaxServerAuthValidateHeader implements SOAPHandler{
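/**
 * Handler lifecycle callback invoked by the JAX-WS runtime when a message exchange ends.
 *
 * <p>This implementation does nothing.
 *
 * @param context the message context of the exchange that is being closed (unused)
 */
@Override
public void close(MessageContext context) {
    // Intentionally empty.
}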
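/**
 * Fault-path callback of the handler chain.
 *
 * <p>No credential check is performed on fault messages; the method always returns
 * {@code true}, which tells the runtime to continue fault processing.
 *
 * @param context the SOAP message context carrying the fault (unused)
 * @return always {@code true}
 */
@Override
public boolean handleFault(SOAPMessageContext context) {
    return true;
}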
@Overridepublic booleanhandleMessage(SOAPMessageContext context) {//判断消息是输入还是输出
boolean isRequest =(Boolean) context.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY);
SOAPMessage soapMessage=context.getMessage();if (!isRequest) {
SOAPHeader soapHeader= null;try{
SOAPEnvelope soapEnv=soapMessage.getSOAPPart().getEnvelope();
soapHeader=soapEnv.getHeader();
}catch(SOAPException e) {throw new Fault(new Exception("服务器异常!"));
}if (soapHeader == null) {
validateFail(soapMessage,"无 Soap Header 头信息!");return false;
}//add an node named "auth"
QName qname = new QName(SOAPConstants.URI_SOAP_ACTOR_NEXT, "auth");
Iterator> iterator =soapHeader.getChildElements(qname);
SOAPElement auth= null;if(iterator.hasNext()) {//获取auth
auth =(SOAPElement) iterator.next();
}//如果授权信息元素不存在,提示错误
if (auth == null) {
validateFail(soapMessage,"无授权信息!");return false;
}
NodeList nameList= auth.getElementsByTagName("username");
NodeList pwdList= auth.getElementsByTagName("password");if (nameList == null || nameList.getLength() <= 0 || pwdList &