soap webservice client使用apache cxf,用于ntlm身份验证
[英]soap webservice client using apache cxf, for ntlm authentication
问题描述
I want to develop a SOAP client using CXF to connect to SharePoint . 
我想使用CXF开发一个SOAP客户端来连接到SharePoint 。 The authentication scheme is NTLM . 身份验证方案是NTLM 。
I am blocked on a scenario where the logged-in user of a machine (on which the SOAP client is being run) has access to SharePoint. 我在一台机器的登录用户(运行SOAP客户端)可以访问SharePoint的情况下被阻止。 The CXF soap client always uses the logged-in user. CXF soap客户端始终使用登录用户。 I want to specify some other user credentials (not the logged-in). 我想指定一些其他用户凭据 (而不是登录)。
As CXF uses in-JDK HttpURLConnection ; 由于CXF使用in-JDK HttpURLConnection ; and what I have read about HttpURLConnection is, it bypasses the specified credentials when the logged-in user is NTLM authenticated. 我读到的有关HttpURLConnection是,当登录用户通过NTLM身份验证时,它会绕过指定的凭据。
Codes were tried on CXF version 2.7.11. 代码在CXF 2.7.11版上进行了尝试。
Solutions that I have tried out: 我尝试过的解决方案:
1) Setting Conduit authorization 1)设置管道授权
String username = "user";
String password = "password";
JaxWsProxyfactoryBean factory1 = new JaxWsProxyfactoryBean();
factory1.setServiceClass(WebsSoap.class);
factory1.setAddress(url);
factory1.setUsername(username);
factory1.setPassword(password);
WebsSoap service = (WebsSoap) factory1.create();
Client client = ClientProxy.getClient(service);
HTTPconduit conduit = (HTTPconduit) client.getconduit();
conduit.getAuthorization().setAuthorizationType("NTLM");
conduit.getAuthorization().setUserName(username);
conduit.getAuthorization().setPassword(password);
HTTPClientPolicy httpClientPolicy = new HTTPClientPolicy();
httpClientPolicy.setConnectionTimeout(36000);
httpClientPolicy.setAllowChunking(false);
conduit.setClient(httpClientPolicy);
service.getWeb(".");
Problem: 问题:
This does not work for the scenario specified above, as it always uses the logged-in credentials. 这不适用于上面指定的方案,因为它始终使用登录的凭据。 And when I specify invalid credentials, it does not fail. 当我指定无效凭据时,它不会失败。
2) AsyncHTTPConduit 2) AsyncHTTPConduit
Another solution is to use AsyncHTTPConduit that uses HttpAsyncClient instead of HttpURLConnection . 另一种解决方案是使用AsyncHTTPConduit ,它使用HttpAsyncClient而不是HttpURLConnection 。 This is beacuse HTTP components do not bypass specified credentials and logged-in user can be ignored (I have successfully verified this with a test client using HttpClient ). 这是因为HTTP组件没有绕过指定的凭据,可以忽略登录用户(我已经使用HttpClient成功验证了这一点)。
Below is the code snippet:: 以下是代码片段::
Bus bus = BusFactory.getDefaultBus();
bus.setProperty( "use.async.http.conduit", "true" );
Client client = ClientProxy.getClient( service );
HTTPConduit http = (HTTPConduit)client.getConduit();
if ( http instanceof AsyncHTTPConduit ) {
AsyncHTTPConduit conduit = (AsyncHTTPConduit)http;
DefaultHttpAsyncClient defaultHttpAsyncClient;
try {
defaultHttpAsyncClient = conduit.getHttpAsyncClient();
}
catch ( IOException exception ) {
throw new RuntimeException( exception );
}
defaultHttpAsyncClient.getCredentialsProvider().setCredentials( AuthScope.ANY,
new NTCredentials( "username", "password", "", "domain" ) );
conduit.getClient().setAllowChunking( false );
conduit.getClient().setAutoRedirect( true );
}
Problem: 问题:
Above code throws error: 上面的代码抛出错误:
Authorization loop detected on conduit.
The above code snapshot shows the usage of DefaultHttpAsyncClient which is deprecated now and CloseableHttpAsyncClient is to be used instead. 上面的代码快照显示了现在不推荐使用的DefaultHttpAsyncClient的用法,而是使用了CloseableHttpAsyncClient 。 But CloseableHttpAsyncClient does not provide a way to specify credentials to an already existing CloseableHttpAsyncClient object. 但是, CloseableHttpAsyncClient不提供为现有的CloseableHttpAsyncClient对象指定凭据的方法 。 Not sure how to use CloseableHttpAsyncClient in this scenario. 不确定如何在此方案中使用CloseableHttpAsyncClient 。
3) Other solutions 3)其他解决方案
The other solution that I tried out is to use sun.net.www.protocol.http.ntlm.NTLMAuthenticationCallback , to bypass logged-in user authentication, as mentioned here . 我尝试了另一种解决方案是使用sun.net.www.protocol.http.ntlm.NTLMAuthenticationCallback ,绕过登录用户的身份验证,提到这里 。 Use this approach along with solution #1 mentioned above. 使用此方法以及上述解决方案#1。 This works as expected for valid/invalid credentials, and the code bypasses the logged-in credentials :). 这有效/无效凭据的预期工作,代码绕过登录的凭据:)。 But when I specify invalid credentials, I do not get HTTP 401 error, instead I get 但是当我指定无效凭据时,我没有得到HTTP 401错误,而是我得到了
Could not send message, server reached max retries 20
I am trying to avoid this solution because it uses java's internal package and there is no way to determine HTTP 401 error directly. 我试图避免这个解决方案,因为它使用java的内部包,没有办法直接确定HTTP 401错误。
What can I do to arrive at a complete solution? 我能做些什么才能找到完整的解决方案?
1 个解决方案
解决方案1
0 2015-04-15 07:18:49
Try this interceptor. 试试这个拦截器。 This will avoid automatic authentication. 这将避免自动验证。
public class DisableAutomaticNTLMAuthOutInterceptor extends AbstractPhaseInterceptor<Message>
{
private boolean isFieldsAvailable;
private Field tryTransparentNTLMProxyField;
private Field tryTransparentNTLMServerField;
public DisableAutomaticNTLMAuthOutInterceptor() {
super(Phase.PRE_STREAM);
AccessController.doPrivileged(new PrivilegedAction<Object>() {
public Void run() {
try {
DisableAutomaticNTLMAuthOutInterceptor.this.tryTransparentNTLMServerField = HttpURLConnection.class.getDeclaredField("tryTransparentNTLMServer");
DisableAutomaticNTLMAuthOutInterceptor.this.tryTransparentNTLMServerField.setAccessible(true);
DisableAutomaticNTLMAuthOutInterceptor.this.tryTransparentNTLMProxyField = HttpURLConnection.class.getDeclaredField("tryTransparentNTLMProxy");
DisableAutomaticNTLMAuthOutInterceptor.this.tryTransparentNTLMProxyField.setAccessible(true);
DisableAutomaticNTLMAuthOutInterceptor.this.isFieldsAvailable = true;
} catch (Exception e) {
e.printStackTrace();
}
return null;
}
});
}
@Override
public void handleMessage(final Message message) throws Fault {
if (this.isFieldsAvailable)
AccessController.doPrivileged(new PrivilegedAction<Object>() {
public Void run() {
try {
Object httpConnection = message.get("http.connection");
if (httpConnection != null) {
DisableAutomaticNTLMAuthOutInterceptor.this.processHttpConnection(message.get("http.connection"));
}
} catch (Throwable t) {
t.printStackTrace();
}
return null;
}
});
}
private void processHttpConnection(Object httpConnection) throws IllegalArgumentException, IllegalAccessException {
if (HttpURLConnection.class.isAssignableFrom(httpConnection.getClass())) {
tryTransparentNTLMServerField.set(httpConnection, Boolean.FALSE);
tryTransparentNTLMProxyField.set(httpConnection, Boolean.FALSE);
} else {
Field tempField = null;
for (Field field : httpConnection.getClass().getDeclaredFields()) {
if (HttpURLConnection.class.isAssignableFrom(field.getType())) {
field.setAccessible(true);
tempField = field;
break;
}
}
if (tempField != null) {
processHttpConnection(tempField.get(httpConnection));
}
}
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.