Apache CXF實戰之六 創建安全的Web Service

原創 小丫111111 2020-02-23 06:38

我們在使用Web Service的過程中,很多情況是需要對web service請求做認證的,對於運行在web容器裏的應用程序來說,可能會比較簡單一些,通常可以通過filter來做一些處理,但是其實CXF本身也提供了對web service認證的方式。下面來看一下如何實現

1. 首先是一個簡單pojo

[java] view plaincopyprint?
  1. package com.googlecode.garbagecan.cxfstudy.security; 
  2.  
  3. public class User { 
  4.     private String id; 
  5.     private String name; 
  6.     private String password; 
  7.     public String getId() { 
  8.         return id; 
  9.     } 
  10.     public void setId(String id) { 
  11.         this.id = id; 
  12.     } 
  13.     public String getName() { 
  14.         return name; 
  15.     } 
  16.     public void setName(String name) { 
  17.         this.name = name; 
  18.     } 
  19.     public String getPassword() { 
  20.         return password; 
  21.     } 
  22.     public void setPassword(String password) { 
  23.         this.password = password; 
  24.     }  
package com.googlecode.garbagecan.cxfstudy.security;

public class User {
    private String id;
    private String name;
    private String password;
    public String getId() {
        return id;
    }
    public void setId(String id) {
        this.id = id;
    }
    public String getName() {
        return name;
    }
    public void setName(String name) {
        this.name = name;
    }
    public String getPassword() {
        return password;
    }
    public void setPassword(String password) {
        this.password = password;
    }
}
2. Web Service接口

[java] view plaincopyprint?
  1. package com.googlecode.garbagecan.cxfstudy.security; 
  2.  
  3. import java.util.List; 
  4.  
  5. import javax.jws.WebMethod; 
  6. import javax.jws.WebResult; 
  7. import javax.jws.WebService; 
  8.  
  9. @WebService 
  10. public interface UserService { 
  11.     @WebMethod 
  12.     @WebResult List<User> list(); 
  13.   
package com.googlecode.garbagecan.cxfstudy.security;

import java.util.List;

import javax.jws.WebMethod;
import javax.jws.WebResult;
import javax.jws.WebService;

@WebService
public interface UserService {
    @WebMethod
    @WebResult List<User> list();

}
3. Web Service實現類

[java] view plaincopyprint?
  1. package com.googlecode.garbagecan.cxfstudy.security; 
  2.  
  3. import java.util.ArrayList; 
  4. import java.util.List; 
  5.  
  6. public class UserServiceImpl implements UserService { 
  7.  
  8.     public List<User> list() { 
  9.         List<User> users = new ArrayList<User>(); 
  10.         for (int i = 0; i < 10; i++) { 
  11.             User user = new User(); 
  12.             user.setId("" + i); 
  13.             user.setName("user_" + i); 
  14.             user.setPassword("password_" + i); 
  15.             users.add(user); 
  16.         } 
  17.         return users; 
  18.     } 
  19.   
package com.googlecode.garbagecan.cxfstudy.security;

import java.util.ArrayList;
import java.util.List;

public class UserServiceImpl implements UserService {

    public List<User> list() {
        List<User> users = new ArrayList<User>();
        for (int i = 0; i < 10; i++) {
            User user = new User();
            user.setId("" + i);
            user.setName("user_" + i);
            user.setPassword("password_" + i);
            users.add(user);
        }
        return users;
    }

}
4. Server端Handler,其中使用了一個Map來存放用戶信息,真是應用中可以使用數據庫或者其它方式獲取用戶和密碼

[java] view plaincopyprint?
  1. package com.googlecode.garbagecan.cxfstudy.security; 
  2.  
  3. import java.io.IOException; 
  4. import java.util.HashMap; 
  5. import java.util.Map; 
  6.  
  7. import javax.security.auth.callback.Callback; 
  8. import javax.security.auth.callback.CallbackHandler; 
  9. import javax.security.auth.callback.UnsupportedCallbackException; 
  10.  
  11. import org.apache.ws.security.WSPasswordCallback; 
  12.  
  13. public class ServerUsernamePasswordHandler implements CallbackHandler { 
  14.  
  15.     // key is username, value is password 
  16.     private Map<String, String> users; 
  17.  
  18.     public ServerUsernamePasswordHandler() { 
  19.         users = new HashMap<String, String>(); 
  20.         users.put("admin", "admin"); 
  21.     } 
  22.  
  23.     public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException { 
  24.         WSPasswordCallback callback = (WSPasswordCallback) callbacks[0]; 
  25.         String id = callback.getIdentifier(); 
  26.         if (users.containsKey(id)) { 
  27.             if (!callback.getPassword().equals(users.get(id))) { 
  28.                 throw new SecurityException("Incorrect password."); 
  29.             } 
  30.         } else
  31.             throw new SecurityException("Invalid user."); 
  32.         } 
  33.     }  
package com.googlecode.garbagecan.cxfstudy.security;

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

public class ServerUsernamePasswordHandler implements CallbackHandler {

    // key is username, value is password
    private Map<String, String> users;

    public ServerUsernamePasswordHandler() {
        users = new HashMap<String, String>();
        users.put("admin", "admin");
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        WSPasswordCallback callback = (WSPasswordCallback) callbacks[0];
        String id = callback.getIdentifier();
        if (users.containsKey(id)) {
            if (!callback.getPassword().equals(users.get(id))) {
                throw new SecurityException("Incorrect password.");
            }
        } else {
            throw new SecurityException("Invalid user.");
        }
    }
}
5. Client端Handler,用來設置用戶密碼,在真實應用中可以根據此類和下面的測試類來修改邏輯設置用戶名和密碼。

[java] view plaincopyprint?
  1. package com.googlecode.garbagecan.cxfstudy.security; 
  2.  
  3. import java.io.IOException; 
  4.  
  5. import javax.security.auth.callback.Callback; 
  6. import javax.security.auth.callback.CallbackHandler; 
  7. import javax.security.auth.callback.UnsupportedCallbackException; 
  8.  
  9. import org.apache.ws.security.WSPasswordCallback; 
  10.  
  11. public class ClientUsernamePasswordHandler implements CallbackHandler { 
  12.     public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException { 
  13.         WSPasswordCallback callback = (WSPasswordCallback) callbacks[0]; 
  14.         int usage = callback.getUsage(); 
  15.         System.out.println("identifier: " + callback.getIdentifier()); 
  16.         System.out.println("usage: " + callback.getUsage()); 
  17.         if (usage == WSPasswordCallback.USERNAME_TOKEN) { 
  18.             callback.setPassword("admin"); 
  19.         } 
  20.     }  
package com.googlecode.garbagecan.cxfstudy.security;

import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

public class ClientUsernamePasswordHandler implements CallbackHandler {
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        WSPasswordCallback callback = (WSPasswordCallback) callbacks[0];
        int usage = callback.getUsage();
        System.out.println("identifier: " + callback.getIdentifier());
        System.out.println("usage: " + callback.getUsage());
        if (usage == WSPasswordCallback.USERNAME_TOKEN) {
            callback.setPassword("admin");
        }
    }
}
6. 單元測試類,注意在Server端添加了WSS4JInInterceptor到Interceptor列表中,在Client添加了WSS4JOutInterceptor到Interceptor列表中。

[java] view plaincopyprint?
  1. package com.googlecode.garbagecan.cxfstudy.security; 
  2.  
  3. import java.net.SocketTimeoutException; 
  4. import java.util.HashMap; 
  5. import java.util.List; 
  6. import java.util.Map; 
  7.  
  8. import javax.xml.ws.WebServiceException; 
  9.  
  10. import junit.framework.Assert; 
  11.  
  12. import org.apache.cxf.endpoint.Client; 
  13. import org.apache.cxf.endpoint.Endpoint; 
  14. import org.apache.cxf.frontend.ClientProxy; 
  15. import org.apache.cxf.interceptor.LoggingInInterceptor; 
  16. import org.apache.cxf.interceptor.LoggingOutInterceptor; 
  17. import org.apache.cxf.jaxws.JaxWsProxyFactoryBean; 
  18. import org.apache.cxf.jaxws.JaxWsServerFactoryBean; 
  19. import org.apache.cxf.transport.http.HTTPConduit; 
  20. import org.apache.cxf.transports.http.configuration.HTTPClientPolicy; 
  21. import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor; 
  22. import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor; 
  23. import org.apache.ws.security.WSConstants; 
  24. import org.apache.ws.security.handler.WSHandlerConstants; 
  25. import org.junit.BeforeClass; 
  26. import org.junit.Test; 
  27.  
  28. public class UserServiceTest { 
  29.  
  30.     private static final String address = "http://localhost:9000/ws/security/userService"
  31.      
  32.     @BeforeClass 
  33.     public static void setUpBeforeClass() throws Exception { 
  34.         JaxWsServerFactoryBean factoryBean = new JaxWsServerFactoryBean(); 
  35.         factoryBean.getInInterceptors().add(new LoggingInInterceptor()); 
  36.         factoryBean.getOutInterceptors().add(new LoggingOutInterceptor()); 
  37.  
  38.         Map<String, Object> props = new HashMap<String, Object>(); 
  39.         props.put("action", "UsernameToken"); 
  40.         props.put("passwordType", "PasswordText"); 
  41.         props.put("passwordCallbackClass", ServerUsernamePasswordHandler.class.getName()); 
  42.         WSS4JInInterceptor wss4JInInterceptor = new WSS4JInInterceptor(props); 
  43.         factoryBean.getInInterceptors().add(wss4JInInterceptor); 
  44.          
  45.         factoryBean.setServiceClass(UserServiceImpl.class); 
  46.         factoryBean.setAddress(address); 
  47.         factoryBean.create(); 
  48.     } 
  49.  
  50.     @Test 
  51.     public void testList() { 
  52.         JaxWsProxyFactoryBean factoryBean = new JaxWsProxyFactoryBean(); 
  53.         factoryBean.setAddress(address); 
  54.         factoryBean.setServiceClass(UserService.class); 
  55.         Object obj = factoryBean.create(); 
  56.          
  57.         Client client = ClientProxy.getClient(obj); 
  58.         Endpoint endpoint = client.getEndpoint(); 
  59.          
  60.         Map<String,Object> props = new HashMap<String,Object>(); 
  61.         props.put(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN); 
  62.         props.put(WSHandlerConstants.USER, "admin"); 
  63.         props.put(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_TEXT); 
  64.         props.put(WSHandlerConstants.PW_CALLBACK_CLASS, ClientUsernamePasswordHandler.class.getName()); 
  65.         WSS4JOutInterceptor wss4JOutInterceptor = new WSS4JOutInterceptor(props); 
  66.         endpoint.getOutInterceptors().add(wss4JOutInterceptor); 
  67.          
  68.         HTTPConduit conduit = (HTTPConduit) client.getConduit(); 
  69.         HTTPClientPolicy policy = new HTTPClientPolicy(); 
  70.         policy.setConnectionTimeout(5 * 1000); 
  71.         policy.setReceiveTimeout(5 * 1000); 
  72.         conduit.setClient(policy); 
  73.          
  74.         UserService service = (UserService) obj; 
  75.         try
  76.             List<User> users = service.list(); 
  77.             Assert.assertNotNull(users); 
  78.             Assert.assertEquals(10, users.size()); 
  79.         } catch(Exception e) { 
  80.             if (e instanceof WebServiceException  
  81.                     && e.getCause() instanceof SocketTimeoutException) { 
  82.                 System.err.println("This is timeout exception."); 
  83.             } else
  84.                 e.printStackTrace(); 
  85.             } 
  86.         } 
  87.     } 
  88.   
package com.googlecode.garbagecan.cxfstudy.security;

import java.net.SocketTimeoutException;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import javax.xml.ws.WebServiceException;

import junit.framework.Assert;

import org.apache.cxf.endpoint.Client;
import org.apache.cxf.endpoint.Endpoint;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.interceptor.LoggingInInterceptor;
import org.apache.cxf.interceptor.LoggingOutInterceptor;
import org.apache.cxf.jaxws.JaxWsProxyFactoryBean;
import org.apache.cxf.jaxws.JaxWsServerFactoryBean;
import org.apache.cxf.transport.http.HTTPConduit;
import org.apache.cxf.transports.http.configuration.HTTPClientPolicy;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.junit.BeforeClass;
import org.junit.Test;

public class UserServiceTest {

    private static final String address = "http://localhost:9000/ws/security/userService";
    
    @BeforeClass
    public static void setUpBeforeClass() throws Exception {
        JaxWsServerFactoryBean factoryBean = new JaxWsServerFactoryBean();
        factoryBean.getInInterceptors().add(new LoggingInInterceptor());
        factoryBean.getOutInterceptors().add(new LoggingOutInterceptor());

        Map<String, Object> props = new HashMap<String, Object>();
        props.put("action", "UsernameToken");
        props.put("passwordType", "PasswordText");
        props.put("passwordCallbackClass", ServerUsernamePasswordHandler.class.getName());
        WSS4JInInterceptor wss4JInInterceptor = new WSS4JInInterceptor(props);
        factoryBean.getInInterceptors().add(wss4JInInterceptor);
        
        factoryBean.setServiceClass(UserServiceImpl.class);
        factoryBean.setAddress(address);
        factoryBean.create();
    }

    @Test
    public void testList() {
        JaxWsProxyFactoryBean factoryBean = new JaxWsProxyFactoryBean();
        factoryBean.setAddress(address);
        factoryBean.setServiceClass(UserService.class);
        Object obj = factoryBean.create();
        
        Client client = ClientProxy.getClient(obj);
        Endpoint endpoint = client.getEndpoint();
        
        Map<String,Object> props = new HashMap<String,Object>();
        props.put(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN);
        props.put(WSHandlerConstants.USER, "admin");
        props.put(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_TEXT);
        props.put(WSHandlerConstants.PW_CALLBACK_CLASS, ClientUsernamePasswordHandler.class.getName());
        WSS4JOutInterceptor wss4JOutInterceptor = new WSS4JOutInterceptor(props);
        endpoint.getOutInterceptors().add(wss4JOutInterceptor);
        
        HTTPConduit conduit = (HTTPConduit) client.getConduit();
        HTTPClientPolicy policy = new HTTPClientPolicy();
        policy.setConnectionTimeout(5 * 1000);
        policy.setReceiveTimeout(5 * 1000);
        conduit.setClient(policy);
        
        UserService service = (UserService) obj;
        try {
            List<User> users = service.list();
            Assert.assertNotNull(users);
            Assert.assertEquals(10, users.size());
        } catch(Exception e) {
            if (e instanceof WebServiceException 
                    && e.getCause() instanceof SocketTimeoutException) {
                System.err.println("This is timeout exception.");
            } else {
                e.printStackTrace();
            }
        }
    }

}
最後運行上面的測試類來測試結果,也可以修改測試方法中的密碼,看看錯誤結果,這裏就不在寫錯誤密碼的測試用例了,因爲我是一懶人。
發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章

Linux 運維高級指令04

Linux 運維高級指令04 du -sh指令(重點) 作用: 查看目錄的大小。 語法格式:du  -sh  目錄路徑 選項含義: -s: 只顯示彙總的大小 表示以高可讀性的形式進行顯示。 案例1: find 指令(重點)

原創 2024-04-12 22:51:31

寶塔 supervisord.service: Control process exited, code=exited status=203

[root@SHD-SVR-V3 bin]# getenforce #查看selinux狀態 Enforcing [root@SHD-SVR-V3 bin]# setenforce 0 #臨時關閉selinux [r

原創 2024-04-04 21:22:18

時序數據庫集成-opentsdb

pom: <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boo

原創 2024-04-02 00:39:01

MogoDB 集成

1pom:   StringBoot 的項目引入:  <!--引入 springdata mongodb 的依賴--> <dependency> <groupId>org.springframework.boot</groupId>

原創 2024-04-02 00:39:00

tp5命令行報 [BadFunctionCallException] not support: redis

tp5命令行報 [BadFunctionCallException] not support: redis 芝麻開門2015 於 2018-09-30 18:29:49 發佈 閱讀量1.3w  收藏 1 點贊數 分類專欄: php 版權 p

原創 2024-04-17 00:27:13

【安裝部署】Apache SeaTunnel 和 Web快速安裝詳解

版本說明 由於作者目前接觸當前最新版本爲2.3.4 但是官方提供的web版本未1.0.0,不兼容2.3.4,因此這裏仍然使用2.3.3版本。 可以自定義兼容處理,官方提供了文檔:https://mp.weixin.qq.com/s/Al1V

原創 2024-04-16 12:22:36

dubbo3.0 服務導入導出原理

不管是服務導出還是服務引入,都發生在應用啓動過程中,比如:在啓動類上加上 @EnableDubbo 時,該註解上有一個 @DubboComponentScan 註解,@DubboComponentScan 註解 Import 了一個 D

原創 2024-04-09 23:17:11

技術分享-日誌鏈路追蹤

1.背景簡述 在技術運維過程中,很難從某服務龐雜的日誌中,單獨找尋出某次API調用的全部日誌。 爲提高排查問題的效率,在多個系統及應用內根據 統一的TraceId 查找同一次請求鏈路上的日誌,根據日誌快速定位問題,同時需對業務代碼無侵入,

原創 2024-04-01 11:15:56

在 kubernetes 環境下如何優雅擴縮容 Pulsar

背景 在整個大環境的降本增效的薰陶下,我們也不得不做好應對方案。 根據對線上流量、存儲以及系統資源的佔用,發現我們的 Pulsar 集羣有許多的冗餘,所以考慮進行縮容從而減少資源浪費,最終也能省一些費用。 不過在縮容之前很有必要先聊聊擴容,

原創 2024-03-29 12:22:15

【乾貨】Apache DolphinScheduler2.0升級3.0版本方案

升級背景 因項目需要使用數據質量模塊功能,可以爲數倉提供良好的數據質量監控功能。故要對已有2.0版本升級到3.0版本以上,此次選擇測試了3.0.1 和 3.1.1 兩個版本,對進行同數據等任務調度暫停等操作測試,最後選擇3.0.1 版本 原

原創 2024-03-26 12:04:31

基於Redis實現基本搶紅包算法

簡介: 搶紅包是我們生活常用的社交功能, 這個功能最主要的特點就是用戶的併發請求高, 在系統設計上, 可以使用非常多的辦法來扛住用戶的高併發請求, 在本文中簡要介紹使用Redis緩存中間件來實現搶紅包算法, Redis是一個在內存中基

原創 2024-04-17 11:18:19

Java中拼接字符串方式(+、StringBuilder/StringBuffer)分析

字符串是 Java 程序中最常用的數據結構之一。在 Java 中 String 類已經重載了"+",字符串可以直接使用"+"進行連接,也可以用StringBuilder/StringBuffer(StringBuilder是J2SE5 及以

原創 2024-04-09 21:31:20

Java中String 、StringBuilder 、StringBuffer 的區別

Java 平臺提供了兩種類型的字符串操作方式:String 和 StringBuffer/StringBuilder,它們都可以儲存和操作字符串,區別如下: String 是隻讀字符串,也就意味着 String 引用的字符串內容是不能被改

原創 2024-04-08 09:31:31

JPA不識別MySQL的枚舉類型

1 枚舉好用嗎? 數據字典型字段,枚舉比Integer好: 限定值,只能賦值枚舉的那幾個實例,不能像Integer隨便輸,保存和查詢的時候特別有用 含義明確,使用時不需要去查數據字典 顯示值跟存儲值直接映射,不需要手動轉換,比如1在頁面上

原創 2024-04-02 01:07:56

go-Channel

1 概述 通道是Golang提供的一種基本類型,它可以實現在協程之間的單向通信和雙向通信、發送和接收數據、以及協程同步。 channel的本質是一個隊列,遵循先進先出原則。channel是線程安全的,在任何給定時間,一個數據被設計爲只有一

原創 2024-03-24 00:10:06