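在WebService开发笔记 1中我们创建了一个WebService简单实例，下面我们通过一个简单的用户口令验证机制来加强一下WebService的安全性。注意：示例中的服务地址使用 http://，用户名和口令也直接写在代码里，仅适合演示；UsernameToken 若以明文方式发送，应放在 HTTPS 之上传输，口令应从配置或凭据库读取。具体步骤如下：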
1.修改WebService 服务端 spring 配置文件 ws-context.xml
Xml代码
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:jaxws="http://cxf.apache.org/jaxws"
xsi:schemaLocation="http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd"
default-autowire="byName"default-lazy-init="true">
address="/WebServiceSample"implementor="cn.org.coral.biz.examples.webservice.WebServiceSampleImpl">
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:jaxws="http://cxf.apache.org/jaxws"
xsi:schemaLocation="http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd"
default-autowire="byName" default-lazy-init="true">
address="/WebServiceSample" implementor="cn.org.coral.biz.examples.webservice.WebServiceSampleImpl">
2.服务端添加passwordCallbackClass回调类,该类进行用户口令验证:
Java代码
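package cn.org.coral.biz.examples.webservice.handler;

import java.io.IOException;
import java.security.MessageDigest;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

/**
 * Server-side WS-Security password callback for the sample web service.
 *
 * <p>Accepts exactly one account (user {@code ws-client}, password {@code admin}) and
 * rejects everything else with a {@link SecurityException}. Every failure uses the same
 * message so a caller cannot tell an unknown user from a wrong password.
 */
public class WsAuthHandler implements CallbackHandler {

    // Demo credentials kept from the tutorial so the sample client still matches.
    // NOTE(review): secrets compiled into the class cannot be rotated and leak with the
    // source or the jar; load them from configuration or a credential store instead.
    private static final String EXPECTED_USER = "ws-client";
    private static final String EXPECTED_PASSWORD = "admin";

    // One message for every rejection, to avoid revealing which check failed.
    private static final String REJECTED = "authentication failed";

    /**
     * Checks every callback handed over by the WS-Security layer.
     *
     * @param callbacks callbacks to process; each must be a {@link WSPasswordCallback}
     * @throws IOException if the UTF-8 encoding used for the comparison is unavailable
     * @throws UnsupportedCallbackException if a callback is not a {@link WSPasswordCallback}
     * @throws SecurityException if there is nothing to check or the credentials are rejected
     */
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        // Fail closed: an empty array must never count as a successful authentication.
        if (callbacks == null || callbacks.length == 0) {
            throw new SecurityException(REJECTED);
        }
        for (int i = 0; i < callbacks.length; i++) {
            if (!(callbacks[i] instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callbacks[i], "unsupported callback type");
            }
            authenticate((WSPasswordCallback) callbacks[i]);
        }
    }

    /**
     * Verifies one password callback, or supplies the stored password when none was handed in.
     *
     * <p>NOTE(review): WSS4J releases differ in whether the handler receives the client's
     * password (and must verify it) or is asked to supply the stored one for the library to
     * compare; confirm against the WSS4J version and password type in use.
     */
    private static void authenticate(WSPasswordCallback pc) throws IOException {
        String supplied = pc.getPassword();
        // Constant first, so a missing identifier is a rejection rather than a NullPointerException.
        boolean userOk = EXPECTED_USER.equals(pc.getIdentifer());
        boolean passwordOk = supplied != null && sameSecret(supplied, EXPECTED_PASSWORD);
        int usage = pc.getUsage();

        if (usage == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) {
            // The handler is the only verifier here: both checks must pass.
            if (!userOk || !passwordOk) {
                throw new SecurityException(REJECTED);
            }
            return;
        }

        if (usage == WSPasswordCallback.USERNAME_TOKEN) {
            // A password that was handed in is still verified; a missing one is supplied below.
            if (!userOk || (supplied != null && !passwordOk)) {
                throw new SecurityException(REJECTED);
            }
            pc.setPassword(EXPECTED_PASSWORD);
            return;
        }

        // Any other usage (signature, decryption, ...) is not served by this handler.
        throw new SecurityException(REJECTED);
    }

    /** Compares two secrets with MessageDigest.isEqual instead of String.equals. */
    private static boolean sameSecret(String a, String b) throws IOException {
        return MessageDigest.isEqual(a.getBytes("UTF-8"), b.getBytes("UTF-8"));
    }
}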
3.客户端修改spring 配置文件 wsclient-context.xml 如下:
Xml代码
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:jaxws="http://cxf.apache.org/jaxws"
xsi:schemaLocation="http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd"
default-autowire="byName"default-lazy-init="true">
factory-bean="webServiceSampleClientFactory"factory-method="create"/>
class="org.apache.cxf.jaxws.JaxWsProxyFactoryBean">
value="cn.org.coral.biz.examples.webservice.WebServiceSample"/>
value="http://88.148.29.54:8080/aio/services/WebServiceSample"/>
class="org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor"/>
class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
passwordCallbackRef
class="cn.org.coral.biz.examples.webservice.handler.WsClinetAuthHandler">
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:jaxws="http://cxf.apache.org/jaxws"
xsi:schemaLocation="http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd"
default-autowire="byName" default-lazy-init="true">
factory-bean="webServiceSampleClientFactory" factory-method="create" />
class="org.apache.cxf.jaxws.JaxWsProxyFactoryBean">
value="cn.org.coral.biz.examples.webservice.WebServiceSample" />
value="http://88.148.29.54:8080/aio/services/WebServiceSample" />
class="org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor" />
class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
passwordCallbackRef
class="cn.org.coral.biz.examples.webservice.handler.WsClinetAuthHandler">
4.客户端添加passwordCallback类,通过该类设置访问口令
Java代码
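package cn.org.coral.biz.examples.webservice.handler;

import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

/**
 * Client-side WS-Security password callback: supplies the password for the outgoing
 * UsernameToken, or the key password when the callback asks for a signature key.
 *
 * <p>The class name keeps the tutorial's spelling ("Clinet") because the client Spring
 * configuration refers to it by that name.
 */
public class WsClinetAuthHandler implements CallbackHandler {

    /**
     * Fills in the password on every callback according to its usage.
     *
     * @param callbacks callbacks to process; each must be a {@link WSPasswordCallback}
     * @throws IOException declared by {@link CallbackHandler}; not thrown by this implementation
     * @throws UnsupportedCallbackException if a callback is not a {@link WSPasswordCallback}
     */
    public void handle(Callback[] callbacks) throws IOException,
            UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (!(callbacks[i] instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callbacks[i], "unsupported callback type");
            }
            // Use the i-th callback; the original always read callbacks[0], so any
            // further callbacks were never given a password.
            WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
            int usage = pc.getUsage();

            // Debug output from the tutorial: identifier and usage only, never the password.
            System.out.println("identifier: " + pc.getIdentifer());
            System.out.println("usage: " + usage);

            // NOTE(review): both passwords are hard-coded demo values; read them from
            // protected configuration or a credential store in real deployments.
            if (usage == WSPasswordCallback.USERNAME_TOKEN) {
                // Password sent in the UsernameToken.
                pc.setPassword("admin");
            } else if (usage == WSPasswordCallback.SIGNATURE) {
                // Password of the client's private key in its keystore.
                pc.setPassword("keyPassword");
            }
        }
    }
}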
5.junit单元测试程序:
Java代码
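package cn.org.coral.biz.examples.webservice;

import org.springframework.test.AbstractDependencyInjectionSpringContextTests;
import org.springframework.util.Assert;

/**
 * Integration test for the password-protected sample service: loads the client Spring
 * context and calls the service through the injected proxy.
 *
 * <p>NOTE(review): only the accepted-credentials path is exercised. A second test whose
 * client sends a wrong password and expects the call to fail would show that the server
 * really rejects bad credentials.
 */
public class TestWebService extends AbstractDependencyInjectionSpringContextTests {

    // Client proxy, injected by name through the setter below.
    private WebServiceSample webServiceSampleClient;

    /**
     * Switches autowiring to by-name and points the test at the client context file.
     *
     * @return the single classpath location of wsclient-context.xml
     */
    @Override
    protected String[] getConfigLocations() {
        setAutowireMode(AUTOWIRE_BY_NAME);
        return new String[] {"classpath:/cn/org/coral/biz/examples/webservice/wsclient-context.xml"};
    }

    /**
     * @param webServiceSampleClient the webServiceSampleClient to set
     */
    public void setWebServiceSampleClient(WebServiceSample webServiceSampleClient) {
        this.webServiceSampleClient = webServiceSampleClient;
    }

    /** Calls the service with the configured credentials and expects a non-blank reply. */
    public void testSay() {
        String result = webServiceSampleClient.say(" world");
        Assert.hasText(result, "say() returned no text");
    }
}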