- 浏览: 334039 次
- 性别:
- 来自: 北京
文章分类
最新评论
-
zqb666kkk:
有示例代码吗
WebService CXF学习(高级篇3):WS-Security -
zhujiangtaobl0505:
楼主有源码没?发下,我邮箱465971531@qq.com,我 ...
WebService CXF学习(高级篇2):CXF+Spring+Hibernate -
ssy341:
http://localhost:8080/jforum/in ...
JForum安装详解 -
songzht:
看了上面的代码,这两个类型是怎么定义的?private Bas ...
JfreeChar结合struts2展示柱状图和饼状图(已解决乱码问题) -
Getwaysun:
持久化类中使用boolean定义某个字段后,报Null val ...
null不能赋值给int类型,Integer可以。
这一节我们来探讨一下WebService安全问题,如果所有系统都运行在一个封闭的局域网内,那么可以不考虑网络攻击,拒绝服务,消息篡改,窃取等问题。但通常情况都接入互联网,那么我就得考虑信息安全问题,像前面那样直接将消息裸传,肯定不行。那么,我们就得给消息加密。CXF可以结合WSS4J来对消息安全进行管理,可以使用令牌,X.509认证对消息头或内容进行加密。这节我只对令牌加密做一个简单的描述,我们还以Demo的形式来讲解一下。
这个Demo是在CXF+Spring+Hibernate的基础修改而成。在这里我只针对修改的东西进行讲解。
Java代码
action:UsernameToken指使用用户令牌
passwordType:PasswordText指密码加密策略,这里直接文本
user:cxfServer指别名
passwordCallBackRef:serverPasswordCallback指消息验证
消息验证类:
Java代码
消息验证类通过实现CallbackHandler接口,实现handle方法来进行用户认证。
那么,客户端又怎样来验证消息是否确呢。
Java代码
客户端在发送SOAP时对消息对认证,策略跟服务端一样。但是认证类有所区别:
Java代码
客户端在发送消息,设置好用户名和密码。服务端用相应的用户名和密码进行验证。
这个Demo是在CXF+Spring+Hibernate的基础修改而成。在这里我只针对修改的东西进行讲解。
Java代码
<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:jaxws="http://cxf.apache.org/jaxws" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd"> <import resource="classpath:META-INF/cxf/cxf.xml" /> <import resource="classpath:META-INF/cxf/cxf-extension-soap.xml" /> <import resource="classpath:META-INF/cxf/cxf-servlet.xml" /> <jaxws:endpoint id="service" implementor="com.itdcl.service.ServiceImpl" address="/Service"> <jaxws:inInterceptors> <bean class="org.apache.cxf.interceptor.LoggingInInterceptor" /> <bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor" /> <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"> <constructor-arg> <map> <entry key="action" value="UsernameToken" /> <entry key="passwordType" value="PasswordText" /> <entry key="user" value="cxfServer" /> <entry key="passwordCallbackRef"> <ref bean="serverPasswordCallback" /> </entry> </map> </constructor-arg> </bean> </jaxws:inInterceptors> </jaxws:endpoint> <bean id="serverPasswordCallback" class="com.itdcl.ws.ServerPasswordCallback" /> </beans> <?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:jaxws="http://cxf.apache.org/jaxws" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd"> <import resource="classpath:META-INF/cxf/cxf.xml" /> <import resource="classpath:META-INF/cxf/cxf-extension-soap.xml" /> <import resource="classpath:META-INF/cxf/cxf-servlet.xml" /> <jaxws:endpoint id="service" implementor="com.itdcl.service.ServiceImpl" address="/Service"> <jaxws:inInterceptors> <bean class="org.apache.cxf.interceptor.LoggingInInterceptor" /> <bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor" /> <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"> <constructor-arg> <map> <entry key="action" value="UsernameToken" /> <entry key="passwordType" value="PasswordText" /> <entry key="user" value="cxfServer" /> <entry key="passwordCallbackRef"> <ref bean="serverPasswordCallback" /> </entry> </map> </constructor-arg> </bean> </jaxws:inInterceptors> </jaxws:endpoint> <bean id="serverPasswordCallback" class="com.itdcl.ws.ServerPasswordCallback" /> </beans>
action:UsernameToken指使用用户令牌
passwordType:PasswordText指密码加密策略,这里直接文本
user:cxfServer指别名
passwordCallBackRef:serverPasswordCallback指消息验证
消息验证类:
Java代码
package com.itdcl.ws; import java.io.IOException; import javax.security.auth.callback.Callback; import javax.security.auth.callback.CallbackHandler; import javax.security.auth.callback.UnsupportedCallbackException; import org.apache.ws.security.WSPasswordCallback; public class ServerPasswordCallback implements CallbackHandler { public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException { WSPasswordCallback pc = (WSPasswordCallback) callbacks[0]; String pw = pc.getPassword(); String idf = pc.getIdentifier(); System.out.println("password:"+pw); System.out.println("identifier:"+idf); if (pw.equals("josen") && idf.equals("admin")) { // 验证通过 } else { throw new SecurityException("验证失败"); } } } package com.itdcl.ws; import java.io.IOException; import javax.security.auth.callback.Callback; import javax.security.auth.callback.CallbackHandler; import javax.security.auth.callback.UnsupportedCallbackException; import org.apache.ws.security.WSPasswordCallback; public class ServerPasswordCallback implements CallbackHandler { public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException { WSPasswordCallback pc = (WSPasswordCallback) callbacks[0]; String pw = pc.getPassword(); String idf = pc.getIdentifier(); System.out.println("password:"+pw); System.out.println("identifier:"+idf); if (pw.equals("josen") && idf.equals("admin")) { // 验证通过 } else { throw new SecurityException("验证失败"); } } }
消息验证类通过实现CallbackHandler接口,实现handle方法来进行用户认证。
那么,客户端又怎样来验证消息是否确呢。
Java代码
<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:jaxws="http://cxf.apache.org/jaxws" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd"> <jaxws:client id="service" address="http://localhost:9999/cxf/Service" serviceClass="com.itdcl.service.IService"> <jaxws:outInterceptors> <bean class="org.apache.cxf.interceptor.LoggingOutInterceptor" /> <bean class="org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor" /> <bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor"> <constructor-arg> <map> <entry key="action" value="UsernameToken" /> <entry key="passwordType" value="PasswordText" /> <entry key="user" value="cxfClient" /> <entry key="passwordCallbackRef"> <ref bean="clientPasswordCallback" /> </entry> </map> </constructor-arg> </bean> </jaxws:outInterceptors> </jaxws:client> <bean id="clientPasswordCallback" class="com.itdcl.ws.ClientPasswordCallback" /> </beans> <?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:jaxws="http://cxf.apache.org/jaxws" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd"> <jaxws:client id="service" address="http://localhost:9999/cxf/Service" serviceClass="com.itdcl.service.IService"> <jaxws:outInterceptors> <bean class="org.apache.cxf.interceptor.LoggingOutInterceptor" /> <bean class="org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor" /> <bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor"> <constructor-arg> <map> <entry key="action" value="UsernameToken" /> <entry key="passwordType" value="PasswordText" /> <entry key="user" value="cxfClient" /> <entry key="passwordCallbackRef"> <ref bean="clientPasswordCallback" /> </entry> </map> </constructor-arg> </bean> </jaxws:outInterceptors> </jaxws:client> <bean id="clientPasswordCallback" class="com.itdcl.ws.ClientPasswordCallback" /> </beans>
客户端在发送SOAP时对消息对认证,策略跟服务端一样。但是认证类有所区别:
Java代码
package com.itdcl.ws; import java.io.IOException; import javax.security.auth.callback.Callback; import javax.security.auth.callback.CallbackHandler; import javax.security.auth.callback.UnsupportedCallbackException; import org.apache.ws.security.WSPasswordCallback; public class ClientPasswordCallback implements CallbackHandler { public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException { for(int i=0;i<callbacks.length;i++) { WSPasswordCallback pc = (WSPasswordCallback)callbacks[i]; pc.setPassword("josen"); pc.setIdentifier("admin"); } } } package com.itdcl.ws; import java.io.IOException; import javax.security.auth.callback.Callback; import javax.security.auth.callback.CallbackHandler; import javax.security.auth.callback.UnsupportedCallbackException; import org.apache.ws.security.WSPasswordCallback; public class ClientPasswordCallback implements CallbackHandler { public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException { for(int i=0;i<callbacks.length;i++) { WSPasswordCallback pc = (WSPasswordCallback)callbacks[i]; pc.setPassword("josen"); pc.setIdentifier("admin"); } } }
客户端在发送消息,设置好用户名和密码。服务端用相应的用户名和密码进行验证。
发表评论
-
WebService CXF学习(高级篇2):CXF+Spring+Hibernate
2011-03-21 10:13 1855前一节仅仅只讲了与Spring整合,没有涉及到数据库,而且 ... -
WebService CXF学习(进阶篇4):JAXB剖析
2011-03-21 10:08 2066前面几节我们讲解对象传递,但是通常情况下我们不直接传对象,因为 ... -
WebService CXF学习(高级篇1):整合Spring框架
2011-03-21 10:05 1996通过前面两节的讲解,相信你对CXF框架开始有一些认识了。在当今 ... -
WebService CXF学习(进阶篇3):对象传递
2011-03-21 10:03 1886前面几节都是讲一些理论知识,现在又用一个例子来说明一下,这一节 ... -
WebService CXF学习(进阶篇2):JAX-WS讲解
2011-03-21 10:00 1357JAX-WS规范是一组XML web services的 ... -
WebService CXF学习(进阶篇1):SOAP讲解
2011-03-21 09:49 1546SOAP 是基于 XML 的简易协 ... -
WebService CXF学习(入门篇3):WSDL描述
2011-03-21 09:42 1791由于网上有很多相关这 ... -
WebService CXF学习(入门篇2):HelloWorld
2011-03-21 09:37 2015理论联系实际,单单只讲理论那就成了纸上谈兵,用一个HelloW ... -
WebService CXF学习(入门篇1):CXF由来
2011-03-21 09:35 1808WebService介绍 WebServi ...
相关推荐
纯java调用ws-security+CXF实现的webservice安全接口
CXF使用WSS4J实现WS-Security规范,本例的配置是Timestamp Signature Encrypt,具体使用可以参考我的博客http://blog.csdn.net/wangchsh2008/article/details/6708270
cxf结合ws-security实现webservice 用户名/密码身份认证安全调用,依赖包
做开发时,查了大量资料,发现一比较全面的资料,分享一下!...WebService CXF学习——高级篇(一)(二) 1.整合Spring框架 2.CXF+Spring+Hibernate 3.WS-Security WebService CXF学习——JAXB剖析
cxf ws-Security的实现 WS-SecurityPolicy 安全配置指定在客户机和服务之间交换的消息所需的安全处理。在大多数情况下,Web 服务堆栈还需要更多信息,才能对消息交换应用安全措施。 里面有2个project,分别server ...
经过了几天的努力与查询不少的资料与调试,头都大了,终于给CXF加上了一把密码锁,希望进步;
jetty-security-7.5.4.v20111024.jar jetty-server-7.5.4.v20111024.jar jetty-util-7.5.4.v20111024.jar joda-time-1.6.2.jar js-1.7R2.jar json-lib-2.4-jdk15.jar jsr311-api-1.1.1.jar mimepull-1.7.jar msv-...
1. 支持 Web Services 标准:CXF 支持多种 Web Services 标准,包含 SOAP、Basic Profile、WS-Addressing、WS-Policy、WS-ReliableMessaging 和 WS-Security。 2. Frontends:CXF 支持多种“Frontend”编程模型,...
CXF 包含了大量的功能特性,但是主要集中在以下几个方面: 支持 Web Services 标准:CXF 支持多种 Web Services 标准,包含 SOAP、Basic Profile、WS-Addressing、WS-Policy、WS-ReliableMessaging 和 WS-Security。...
cxf用户封装webService,调用webservice, 支持多种 Web Services 标准,包含 SOAP、Basic Profile、WS-Addressing、WS-Policy、WS-ReliableMessaging 和 WS-Security
cxf框架做webservice数字证书验证 bat文件直接生成服务端与客户端的密钥, 外加相关配置文件,如有不详可联系我 qq1332090606