webservice安全之WS-Security验证

WebService有两种安全机制，一是利用WS-Security将签名和加密头加入SOAP消息，另一个是利用数字证书和数字签

名认证。此篇文章介绍利用cxf实现WS-Security验证。

首先，服务器端配置

在利用webservice和jms实现系统间的数据同步之一介绍的项目中添加：

package com.test.auth;import java.io.IOException;import javax.security.auth.callback.Callback;import javax.security.auth.callback.CallbackHandler;import javax.security.auth.callback.UnsupportedCallbackException;import org.apache.ws.security.WSPasswordCallback;public class ServerPasswordCallback implements CallbackHandler{    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException    {        WSPasswordCallback pc = (WSPasswordCallback)callbacks[0];                if(pc.getIdentifier().equals("admin"))        {            pc.setPassword("password");        }        else        {            throw new UnsupportedCallbackException(pc, "check failed");        }    }}

修改spring文件：

<!-- 发布ws，其中address的此ws名称 -->    <jaxws:endpoint id="user" implementor="com.test.UserServiceImpl" address="/user">        <jaxws:inInterceptors>    <bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor" /><bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"><constructor-arg><map><entry key="action" value="UsernameToken" /><entry key="passwordType" value="PasswordText" /><entry key="user" value="cxfServer" /><entry key="passwordCallbackRef"><ref bean="serverPasswordCallback" /></entry></map></constructor-arg></bean></jaxws:inInterceptors>    </jaxws:endpoint>        <bean id="serverPasswordCallback" class="com.test.auth.ServerPasswordCallback"/>

其次，客户端配置如下，在用webservice和jms实现系统间的数据同步之二介绍的项目中添加：

增加ClientPasswordCallback类：

package com.test.auth;import java.io.IOException;import javax.security.auth.callback.Callback;import javax.security.auth.callback.CallbackHandler;import javax.security.auth.callback.UnsupportedCallbackException;import org.apache.ws.security.WSPasswordCallback;public class ClientPasswordCallback implements CallbackHandler{    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException    {        for(Callback cb : callbacks)        {            WSPasswordCallback pc = (WSPasswordCallback)cb;            pc.setIdentifier("admin");            pc.setPassword("password");        }    }}

修改spring文件：

<!-- webserice接收客户端 --><jaxws:client id="userService"address="http://10.78.194.92:8088/webserviceserver/service/user"serviceClass="com.test.UserService"><jaxws:outInterceptors>    <bean class="org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor" /><bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor"><constructor-arg><map><entry key="action" value="UsernameToken" /><entry key="passwordType" value="PasswordText" /><entry key="user" value="cxfClient" /><entry key="passwordCallbackRef">    <ref bean="clientPasswordCallback"/></entry></map></constructor-arg></bean></jaxws:outInterceptors></jaxws:client>    <bean id="clientPasswordCallback" class="com.test.auth.ClientPasswordCallback"/>

完毕。