转载

cxf + spring 的WS Security示例

WSPasswordCallback 的 passwordType 属性和 password 属性都为null，你只能获得用户名（identifier），一般这里的逻辑是使用这个用户名到数据库中查询其密码，然后再设置到 password 属性，WSS4J会自动比较客户端传来的值和你设置的这个值。你可能会问为什么这里CXF不把客户端提交的密码传入让我们在 ServerPasswordCallbackHandler 中比较呢？这是因为客户端提交过来的密码在SOAP消息中已经被加密为MD5的字符串，如果我们要在回调方法中作比较，那么第一步要做的就是把服务端准备好的密码加密为MD5字符串，由于MD5算法参数不同结果也会有差别，另外，这样的工作CXF 替我们完成不是更简单吗？

根据上面说的，我获取的 password 为 null ，所以这里就不用自己判断密码了，只要验证用户名后，在设置密码就可以自动验证了，代码如下：

public class ServerPasswordCallback implements CallbackHandler {      public void handle(Callback[] callbacks) throws IOException,        UnsupportedCallbackException {        WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];        String pw = pc.getPassword();        String idf = pc.getIdentifier();        System.out.println("password:"+pw);        System.out.println("identifier:"+idf);      if(idf.endsWith("admin")){     pc.setPassword("admin");    }   }      }

以下是源代码：

HelloWorld.java

package com.mms.webservice; import javax.jws.WebService; @WebService public interface HelloWorld {      String sayHi(String text);  }

HelloWorldImpl.java

package com.mms.webservice; import javax.annotation.Resource; import javax.jws.WebService; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpSession; import javax.xml.ws.WebServiceContext; import javax.xml.ws.handler.MessageContext; import org.apache.cxf.transport.http.AbstractHTTPDestination;   @WebService public class HelloWorldImpl implements HelloWorld {      public String sayHi(String text) {  return "Hello " + text;     } }

ServerPasswordCallback.java

package com.mms.webservice.test; import java.io.IOException; import java.util.HashMap; import java.util.Map; import javax.security.auth.callback.Callback; import javax.security.auth.callback.CallbackHandler; import javax.security.auth.callback.UnsupportedCallbackException; import org.apache.ws.security.WSPasswordCallback; import org.apache.ws.security.WSSecurityException; public class ServerPasswordCallback implements CallbackHandler {  private Map<String, String> passwords = new HashMap<String, String>();  public ServerPasswordCallback() {  passwords.put("admin", "admin");  passwords.put("test", "test");  }  public void handle(Callback[] callbacks) throws IOException,   UnsupportedCallbackException {  System.out.println("server:callbacks.length-"+callbacks.length);  for (int i = 0; i < callbacks.length; i++) {   WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];   if (!passwords.containsKey(pc.getIdentifier()))   try {    throw new WSSecurityException("user not match");   } catch (WSSecurityException e) {    e.printStackTrace();   }   String pass = passwords.get(pc.getIdentifier());   pc.setPassword(pass);  }  } }

ClientPasswordCallback.java

package com.mms.client; import java.io.IOException; import java.util.HashMap; import java.util.Map; import javax.security.auth.callback.Callback; import javax.security.auth.callback.CallbackHandler; import javax.security.auth.callback.UnsupportedCallbackException; import org.apache.ws.security.WSPasswordCallback; import org.apache.ws.security.WSSecurityException; public class ClientPasswordCallback implements CallbackHandler {  private Map<String, String> passwords = new HashMap<String, String>();  public ClientPasswordCallback() {  passwords.put("admin", "admin");  passwords.put("test", "test");  }  public void handle(Callback[] callbacks) throws IOException,   UnsupportedCallbackException {  System.out.println("client:callbacks.length-"+callbacks.length);  for (int i = 0; i < callbacks.length; i++) {   WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];   int usage = pc.getUsage();   if (!passwords.containsKey(pc.getIdentifier()))   try {    throw new WSSecurityException("user not exists ");   } catch (WSSecurityException e) {    e.printStackTrace();   }   String pass = passwords.get(pc.getIdentifier());   if (usage == WSPasswordCallback.USERNAME_TOKEN && pass != null) {   System.out.println("client:pass"+pass);   pc.setPassword(pass);   return;   }  }  } }

web.xml

<?xml version="1.0" encoding="UTF-8"?> <web-app version="2.5"  xmlns="http://java.sun.com/xml/ns/javaee"  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  xsi:schemaLocation="http://java.sun.com/xml/ns/javaee   http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">   <welcome-file-list>  <welcome-file>index.jsp</welcome-file>   </welcome-file-list>   <context-param>  <param-name>contextConfigLocation</param-name>  <param-value>   classpath:server.xml classpath:client.xml  </param-value>  </context-param>  <listener>  <listener-class>   org.springframework.web.context.ContextLoaderListener  </listener-class>  </listener>  <servlet>  <servlet-name>CXFServlet</servlet-name>  <servlet-class>   org.apache.cxf.transport.servlet.CXFServlet  </servlet-class>  </servlet>  <servlet-mapping>  <servlet-name>CXFServlet</servlet-name>  <url-pattern>/*</url-pattern>  </servlet-mapping> </web-app>

客户端spring配置文件：client.xml

<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans"  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:jaxws="http://cxf.apache.org/jaxws"  xsi:schemaLocation="       http://www.springframework.org/schema/beans       http://www.springframework.org/schema/beans/spring-beans.xsd       http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd">  <!-- 定义客户端的拦截器对象  -->  <bean id="logIn" class="org.apache.cxf.interceptor.LoggingInInterceptor" />  <bean id="logOut" class="org.apache.cxf.interceptor.LoggingOutInterceptor" />  <bean id="saajOut" class="org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor" />  <!-- <bean id="soapheaderOut" class="com.mms.client.writeSOAPHeaderInterceptor" /> -->  <bean id="wss4jOut" class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">  <constructor-arg>   <map>   <entry key="action" value="UsernameToken" />   <entry key="passwordType" value="PasswordText" />   <entry key="user" value="admin" />   <entry key="passwordCallbackClass" value="com.mms.client.ClientPasswordCallback" />   </map>  </constructor-arg>  </bean>  <!-- 客户端的配置 -->  <jaxws:client id="client" serviceClass="com.mms.webservice.HelloWorld" address="http://127.0.0.1:8080/CXFSecurity/HelloWorld">  <jaxws:inInterceptors>   <ref bean="logIn" />  </jaxws:inInterceptors>  <jaxws:outInterceptors>   <ref bean="logOut" />   <ref bean="saajOut" />   <!--<ref bean="soapheaderOut" /> -->   <ref bean="wss4jOut" />  </jaxws:outInterceptors>  </jaxws:client> </beans>

服务器spring配置文件：server.xml

<beans xmlns="http://www.springframework.org/schema/beans"  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:jaxws="http://cxf.apache.org/jaxws"  xsi:schemaLocation="  http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd  http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd">  <!-- jar包中自带的cxf文件夹下的*.xml文件 -->  <import resource="classpath:META-INF/cxf/cxf.xml" />  <import resource="classpath:META-INF/cxf/cxf-extension-soap.xml" />  <import resource="classpath:META-INF/cxf/cxf-servlet.xml" />  <!-- 定义服务端的拦截器对象 -->  <bean id="logIn" class="org.apache.cxf.interceptor.LoggingInInterceptor" />  <bean id="logOut" class="org.apache.cxf.interceptor.LoggingOutInterceptor" />  <bean id="saajIn" class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor" />  <!-- <bean id="soapheaderIn" class="com.mms.webservice.test.readSOAPHeaderInterceptor" /> -->  <bean id="wss4jIn" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">  <constructor-arg>   <map>   <entry key="action" value="UsernameToken" />   <entry key="passwordType" value="PasswordText" />   <entry key="passwordCallbackClass" value="com.mms.webservice.test.ServerPasswordCallback" />   </map>  </constructor-arg>  </bean>  <jaxws:endpoint id="helloWorld" implementor="com.mms.webservice.HelloWorldImpl"  address="/HelloWorld">  <jaxws:inInterceptors>   <ref bean="logIn" />   <ref bean="saajIn" />   <!--<ref bean="soapheaderIn" /> -->   <ref bean="wss4jIn" />  </jaxws:inInterceptors>  <jaxws:outInterceptors>   <ref bean="logOut" />  </jaxws:outInterceptors>  </jaxws:endpoint> </beans>

测试Client.java

package com.mms.client; import org.springframework.context.ApplicationContext; import org.springframework.context.support.ClassPathXmlApplicationContext; import com.mms.webservice.HelloWorld; public final class Client {  private Client() {  }  public static void main(String args[]) throws Exception {   ApplicationContext  context = new ClassPathXmlApplicationContext(   new String[] { "client.xml" });  HelloWorld client = (HelloWorld) context.getBean("client");  String response = client.sayHi("hello test!");  System.out.println("Response: " + response);  } }

正文到此结束