XACML application on SOAP Web Services

I'm new to web services and I would like to know the answer to some questions.

First, I know that REST APIs can be consumed just by having the URL of the REST endpoint; on the other side (SOAP), you can't consume any distant SOAP WS unless you develop a client. Is it correct? And if it is, is it the only difference between the 2 big families?

Second, I would like to apply XACML on some SOAP Web Services, for security purposes of course. I made a figure that resumes the entire process of XACML.

[Figure: request/response process using XACML]

I developed some basic SOAP web services with 2 simple methods, and I don't know from where I should start the XACML code and configuration. I'm asking you guys for some good and helpful links to apply the XACML security filter.

You can find an example of a CXF interceptor doing XACML-based (XACML 3.0) authorization on Colm O hEigeartaigh's blog (Colm is one of the main CXF developers). The actual source code of the CXF interceptor: XACML3AuthorizingInterceptor. It is using OpenAZ as the XACML implementation, but you can adapt it to use another XACML implementation, such as Axiomatics mentioned here by David Brossard, or AuthzForce (supporting embedded or remote RESTful PDP modes), or other implementations mentioned at the end of the XACML TC's page.

The first important part of the CXF interceptor is at the beginning of the handleMessage(Message message) method:

SecurityContext sc = message.get(SecurityContext.class);

The SecurityContext gives you information about the authenticated user, such as the user roles, which you can use as XACML subject attributes in the XACML request.

The code further creates the XACML Request using the DefaultXACML3RequestBuilder class, which extracts other information from the CXF Message using CXFMessageParser - which you can find in the cxf-rt-security-saml library - such as the SOAP service name, operation name (as defined in the WSDL), and the endpoint URI:

CXFMessageParser messageParser = new CXFMessageParser(message);
...
String actionToUse = messageParser.getAction(action);
...
QName serviceName = messageParser.getWSDLService();
QName operationName = messageParser.getWSDLOperation();
...
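To make the PEP/PDP flow from the question's figure concrete, here is an added example (not code from the answer, from CXF, or from OpenAZ) that performs the same mapping the interceptor does: the values a CXF interceptor would read from SecurityContext (principal, roles) and CXFMessageParser (WSDL service, operation, endpoint URI) are constructed here as a plain dict, turned into a standard XACML 3.0 Request document using the core attribute identifiers, and handed to a deliberately tiny in-memory PDP that stands in for a real XACML engine. The policy table, endpoint URL and service/operation names are constructed sample values.

```python
"""PEP/PDP walkthrough: map SOAP call context to an XACML 3.0 request and enforce the decision.

Added example, not code from the question or from CXF/OpenAZ. The call
context (principal, roles, service, operation, uri) is constructed; in a CXF
interceptor it would come from SecurityContext and CXFMessageParser.
"""
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
CAT_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
CAT_RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
CAT_ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
ATTR_SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ATTR_ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"
ATTR_RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ATTR_ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
XS_ANYURI = "http://www.w3.org/2001/XMLSchema#anyURI"


def _attribute(parent, attr_id, values, datatype=XS_STRING):
    """Append one <Attribute> carrying one <AttributeValue> per value."""
    attr = ET.SubElement(parent, f"{{{XACML_NS}}}Attribute",
                         AttributeId=attr_id, IncludeInResult="false")
    for v in values:
        ET.SubElement(attr, f"{{{XACML_NS}}}AttributeValue", DataType=datatype).text = v
    return attr


def build_request(ctx):
    """Build an XACML 3.0 <Request> (as an XML string) from the SOAP call context.

    Subject  <- principal and roles (SecurityContext in CXF)
    Resource <- endpoint URI (CXFMessageParser.getResourceURI in CXF)
    Action   <- WSDL service + operation (getWSDLService / getWSDLOperation)
    """
    req = ET.Element(f"{{{XACML_NS}}}Request",
                     CombinedDecision="false", ReturnPolicyIdList="false")
    subj = ET.SubElement(req, f"{{{XACML_NS}}}Attributes", Category=CAT_SUBJECT)
    _attribute(subj, ATTR_SUBJECT_ID, [ctx["principal"]])
    _attribute(subj, ATTR_ROLE, sorted(ctx["roles"]))
    res = ET.SubElement(req, f"{{{XACML_NS}}}Attributes", Category=CAT_RESOURCE)
    _attribute(res, ATTR_RESOURCE_ID, [ctx["uri"]], XS_ANYURI)
    act = ET.SubElement(req, f"{{{XACML_NS}}}Attributes", Category=CAT_ACTION)
    _attribute(act, ATTR_ACTION_ID, [f"{ctx['service']}#{ctx['operation']}"])
    return ET.tostring(req, encoding="unicode")


# Constructed policy standing in for a real XACML PolicySet: per endpoint,
# which roles may invoke which WSDL operation. Anything not listed is denied.
POLICY = {
    "http://localhost:8080/services/Account": {
        "{http://example.org/bank}AccountService#getBalance": {"customer", "teller"},
        "{http://example.org/bank}AccountService#transfer": {"teller"},
    },
}


def _values(root, category, attr_id):
    """Read all AttributeValue texts for one category/attribute id from a Request."""
    path = (f"{{{XACML_NS}}}Attributes[@Category='{category}']/"
            f"{{{XACML_NS}}}Attribute[@AttributeId='{attr_id}']/"
            f"{{{XACML_NS}}}AttributeValue")
    return [el.text for el in root.findall(path)]


def pdp_evaluate(request_xml):
    """Toy PDP: parse the request and return 'Permit', 'Deny' or 'NotApplicable'."""
    root = ET.fromstring(request_xml)
    resources = _values(root, CAT_RESOURCE, ATTR_RESOURCE_ID)
    actions = _values(root, CAT_ACTION, ATTR_ACTION_ID)
    roles = set(_values(root, CAT_SUBJECT, ATTR_ROLE))
    rules = POLICY.get(resources[0]) if resources else None
    if rules is None:
        return "NotApplicable"  # no policy covers this endpoint at all
    allowed = rules.get(actions[0], set()) if actions else set()
    return "Permit" if roles & allowed else "Deny"


def pep_authorize(ctx):
    """PEP side of the interceptor: only an explicit Permit lets the call through.

    Deny, NotApplicable and (in a real engine) Indeterminate all block the
    invocation; returns (allowed, decision) so the caller can log the decision.
    """
    decision = pdp_evaluate(build_request(ctx))
    return decision == "Permit", decision


if __name__ == "__main__":
    call = {"principal": "alice", "roles": {"customer"},
            "service": "{http://example.org/bank}AccountService",
            "operation": "getBalance",
            "uri": "http://localhost:8080/services/Account"}
    print(build_request(call))
    print(pep_authorize(call))
```

The point to carry over to a real interceptor is in pep_authorize: the PEP fails closed, treating any decision other than Permit (including NotApplicable, which a PDP returns when no policy matches the endpoint) as a refusal. Swapping the toy PDP for OpenAZ, AuthzForce or a remote RESTful PDP only changes how pdp_evaluate obtains the decision; the request construction and the enforcement rule stay the same.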
