CXF WS-SECURITY协议对soap消息加密

<!-- 服务端代码: -->
<jaxws:endpoint id="userWebService" implementor="#userServiceImpl" 
		address="/userservice">
		<jaxws:inInterceptors>
			<bean class="org.apache.cxf.interceptor.LoggingInInterceptor"></bean>
			<bean class="org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor" /> 
			<bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor" >
				<constructor-arg>
					<map>
						<entry key="action" value="UsernameToken Timestamp" />
						<!-- MD5加密明文密码 -->
                        <entry key="passwordType" value="PasswordDigest" />    
                        <entry key="user" value="admin" />
                        <entry key="passwordCallbackRef" >
                       		<ref bean="serverPasswordCallback" />    
                        </entry>   
					</map>
				</constructor-arg>
			</bean>
		</jaxws:inInterceptors>
		<jaxws:outInterceptors>
			<bean class="org.apache.cxf.interceptor.LoggingOutInterceptor"></bean>
		</jaxws:outInterceptors>
	</jaxws:endpoint>
	<bean id="serverPasswordCallback" class="com.cxf.webservice.callback.ServerPasswordCallback"></bean>

com.cxf.webservice.callback.ServerPasswordCallback:

package com.cxf.webservice.callback;

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.log4j.Logger;
import org.apache.ws.security.WSPasswordCallback;

public class ServerPasswordCallback implements CallbackHandler {
	Logger log = Logger.getLogger(ServerPasswordCallback.class);
	
	Map<String, String> user = new HashMap<String, String>();
	{
		user.put("admin", "1234");
		user.put("su", "1234");
	}
	
	@Override
	public void handle(Callback[] callbacks) throws IOException,
			UnsupportedCallbackException {
		log.debug("handler passwordcallback method....");
		WSPasswordCallback wpc = (WSPasswordCallback) callbacks[0];
		if (!user.containsKey(wpc.getIdentifier())) {
			throw new SecurityException("No Permission!");
		}
		/*
		 * 此处特别注意::
		 * WSPasswordCallback 的passwordType属性和password 属性都为null，
		 * 你只能获得用户名（identifier），
		 * 一般这里的逻辑是使用这个用户名到数据库中查询其密码，
		 * 然后再设置到password 属性，WSS4J 会自动比较客户端传来的值和你设置的这个值。
		 * 你可能会问为什么这里CXF 不把客户端提交的密码传入让我们在ServerPasswordCallbackHandler 中比较呢？
		 * 这是因为客户端提交过来的密码在SOAP 消息中已经被加密为MD5 的字符串，
		 * 如果我们要在回调方法中作比较，那么第一步要做的就是把服务端准备好的密码加密为MD5 字符串，
		 * 由于MD5 算法参数不同结果也会有差别，另外，这样的工作CXF 替我们完成不是更简单吗？
		 */
		wpc.setPassword(user.get(wpc.getIdentifier()));//如果包含用户名,就设置该用户名正确密码,由CXF验证密码
		String username = wpc.getIdentifier();
		String password = wpc.getPassword();
		log.debug("username: "+username + "    password: "+password);
		log.info("User : "+wpc.getIdentifier()+ "  login!!!!!");
	}

}

<!--客户端配置-->
<bean id="userService" class="webservice.cxf.client.UserService" factory-bean="clientFactory" factory-method="create" />
	<bean id="clientFactory" class="org.apache.cxf.jaxws.JaxWsProxyFactoryBean">
		<property name="address" value="http://127.0.0.1:8080/HSQLDB/webservice/userservice"></property>
		<property name="serviceClass" value="webservice.cxf.client.UserService"></property>
		<property name="outInterceptors">
			<list>
				<bean class="org.apache.cxf.interceptor.LoggingOutInterceptor" />
				<bean class="org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor" />
				<bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
					<constructor-arg>
						<map>
							<entry key="action" value="UsernameToken Timestamp" />
							<!-- MD5加密明文密码 -->
							<entry key="passwordType" value="PasswordDigest" />
							<entry key="user" value="admin" />
							<entry key="passwordCallbackRef">
								<ref bean="clientPasswordCallback" />
							</entry>
						</map>
					</constructor-arg>
				</bean>
			</list>
		</property>
	</bean>
	<bean id="clientPasswordCallback" class="webservice.cxf.clientPasswordCalback.ClientPasswordCallback"></bean>

webservice.cxf.clientPasswordCalback.ClientPasswordCallback:

package webservice.cxf.clientPasswordCalback;

import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

public class ClientPasswordCallback implements CallbackHandler {

	@Override
	public void handle(Callback[] callbacks) throws IOException,
			UnsupportedCallbackException {
		for (Callback callback : callbacks) {
			//设置用户密码,供服务端验证
			WSPasswordCallback wsc = (WSPasswordCallback)callback;
			wsc.setIdentifier("su");
			wsc.setPassword("1234");
		}
	}

}

Tset:

ApplicationContext app ;
	
	@Before
	public void initAPP(){
		app = new ClassPathXmlApplicationContext("cxf-client.xml");
	}
	
	@Test
	public void testSucruty(){
		UserService us = (UserService) app.getBean("userService");
		System.out.println(us.getAllUser().size());
	}

CXF WS-SECURITY协议对soap消息加密

继续阅读

27 Best Free Eclipse Plug-ins for Java Developer to be ProductiveCode Quality PluginsText Editor PluginsDependency ManagementVersion Control Integration PluginsFramework Development Continuous Integration Related PluginsOther Utility Plugins

Java String.format方法的简单使用

neo4j之cypher使用文档

GitHub连夜封杀！这份阿里 10W 字内部 Java 字面试手册到底有多强？

spark/scala关于【资源文件】加载方法概述外部文件加载方案测试资源文件打包入jar包中小结

NOSQL安全攻击

mybatis_入门程序Mybatis入门

AOP编程_Android优雅权限框架(1)概念基础，2021金三银四前言正文大纲正文

登录plsql 报错 the account is locked --用户被锁

Effective Java 8:通用程序设计

SequoiaDB巨杉数据库C++驱动概述

OOM三种类型

工厂模式-三种类型

【递归】高效率求2的n次幂

win10本地scala和spark安装安装scala安装spark

scala (3) Function 和 Method