webService对外提供的服务,在验证客户端访问权限方面,最笨的验证方法应该是在业务方法上面加参数了,这也是之前的做法!发现网上通行的办法是在SOAP协议头增加对用户的验证。实验完总结如下。
客户端采用cxf+spring 配置文件如下
address="/resSync/ITReceptionAdapter">
ServerPasswordCallback相当于filter,代码如下
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;
public class ServerPasswordCallback implements CallbackHandler {
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
String pw = pc.getPassword();
String idf = pc.getIdentifier();
System.out.println("密码是:" + pw);
System.out.println("类型是:" + idf);
if (pw.equals("test") && idf.equals("test")) {
System.out.println("成功");
} else {
throw new SecurityException("验证失败");
}
}
}
客户端采用axis2 生成客户端代码访问
ITReceptionAdapterStub adapterStub=new ITReceptionAdapterStub();
//设置超时
adapterStub._getServiceClient().getOptions().setTimeOutInMilliSeconds(600000L);
//设置header账号密码
ServiceClient serviceClient=adapterStub._getServiceClient();
SOAP11Factory factory=new SOAP11Factory();
OMNamespace SecurityElementNamespace = factory.createOMNamespace("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
"wsse");
OMElement usernameTokenEl = factory.createOMElement("UsernameToken",SecurityElementNamespace);
OMElement usernameEl = factory.createOMElement("Username",SecurityElementNamespace);
OMElement passwordEl = factory.createOMElement("Password",SecurityElementNamespace);
OMElement actionEl = factory.createOMElement("Action",SecurityElementNamespace);
passwordEl.addAttribute(factory.createOMAttribute("Type",null,"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"));
usernameEl.setText("test");
passwordEl.setText("test");
usernameTokenEl.addChild(usernameEl);
usernameTokenEl.addChild(passwordEl);
usernameTokenEl.addChild(actionEl);
SOAPHeaderBlockImpl block = new SOAP11HeaderBlockImpl("Security",SecurityElementNamespace, factory);
block.addChild(usernameTokenEl);
serviceClient.addHeader(block);
ProcessE processE=new ProcessE();
Process process=new Process();
//process.setXmldata();
process.setXmldata(jiFangXml);
process.setName("test");
process.setPassword("test");
processE.setProcess(process);
ProcessResponseE responseE=adapterStub.process(processE);
String xml=responseE.getProcessResponse().get_return();
System.out.println(xml);
好了,这样既可做到在业务方法之外验证用户的权限,对外的业务方法里面也不会出现对权限的验证,不失为一种好办法 。
ps:网上的参考,加上自己经验,记录在此,备查