Axis2用户身份验证
[英]Axis2 user authentication
问题描述
Due to the ambition to keep the web services as stateless as possible, I've encountered a problem. 
由于使Web服务尽可能保持无状态的雄心,我遇到了一个问题。 I recently started to work with Axis2 and have tried to find a viable authentication solution. 我最近开始使用Axis2,并试图找到可行的身份验证解决方案。 With authentication, I mean user/password. 身份验证是指用户名/密码。 I am already using SSL in combination with WS-Policy to secure the procedure calls. 我已经将SSL与WS-Policy结合使用来保护过程调用。
However, I found some of the samples bundled with Rampart 1.6.2 to be outdated, especially the policy example named "sample-tomcat" and their WSPasswordCallback handler (found here ). 但是,我发现与Rampart 1.6.2捆绑在一起的一些示例已经过时,尤其是名为“ sample-tomcat”及其WSPasswordCallback处理程序(在此处找到)的策略示例。 WSPasswordCallback.USERNAME_TOKEN_UNKNOWN is deprecated in 1.6 and WSPasswordCallback.getPassword() always return null, even though a password is supplied within the UsernameToken element in the security headers of the message. WSPasswordCallback.USERNAME_TOKEN_UNKNOWN在1.6中已弃用,并且WSPasswordCallback.getPassword()始终返回null,即使在消息的安全标头中的UsernameToken元素中提供了密码也是如此。
So. 所以。 I'm unsure where to proceed to get a username/password check for every message. 我不确定从何处获取每封邮件的用户名/密码。 I am looking at these two options: 我正在研究以下两个选项:
Writing a module with a handler that performs username/password authentication.
用执行用户名/密码验证的处理程序编写模块。 Giving up statelessness and writing a login-service returning tokens needed by all other services.
放弃无状态,并编写一个返回所有其他服务所需的令牌的登录服务。
Are there other options? 还有其他选择吗?
1 个解决方案
解决方案1
1 已采纳 2013-02-21 09:43:50
Actually, according to WSS4J developer Colm O Heigeartaigh, it was more strange before the change to work with validator interfaces, see his first , his second and his third blog posts about the new validator design in WSS4J 1.6. 实际上,根据WSS4J开发人员Colm O Heigeartaigh的说法,在更改为使用验证器接口之前,这很奇怪,请参阅他的第一篇 , 第二篇和第三篇关于WSS4J 1.6中新的验证器设计的博客文章。
The WSPasswordCallback shouldn't handle authentication, it is thought of as bad design and against separation of concerns, and therefor they (WSS4J developers) rewrote this part of WSS4J. WSPasswordCallback不应处理身份验证,它被认为是不良的设计并避免了关注点分离,因此,他们(WSS4J开发人员)重写了WSS4J的这一部分。
However, as far as I know, Rampart dev team haven't yet implemented a way for developers to apply custom validators, nor is there a way to apply WSS4J validators such as the NoOpValidator - even though it's available in WSS4J. 但是,据我所知,Rampart开发团队尚未实现开发人员应用自定义验证器的方法,也没有实现NoOpValidator之类的WSS4J验证器的NoOpValidator -即使它在WSS4J中可用。 There is an issue registered in their (Rampart's) project JIRA ( read it here ), but it has a low priority and as of the moment this is being written; 他们的(Rampart的)项目JIRA中注册了一个问题( 请在此处阅读 ),但是该问题的优先级较低,并且截至目前为止。 that issue is not included in the next minor (1.6.3) or major (1.7.0) release. 该问题未包含在下一个次要版本(1.6.3)或主要版本(1.7.0)中。
So, you will have to do either of following three things, in order of my own preference: 因此,按照我自己的喜好,您将必须执行以下三件事之一:
- Use transport layer based authentication ,I would recommend auth headers with HTTPS transport. 使用基于传输层的身份验证,我建议使用HTTPS传输的auth标头。
- Downgrade Axis2 and Rampart to 1.5.x, which is still maintained (critical bug fixes). 将Axis2和Rampart降级到1.5.x,该版本仍保持不变(严重的错误修复)。
- Edit source of wss4j and compile a new jar. 编辑wss4j的源代码并编译一个新的jar。
- Write a module for Axis2 that solves this. 为Axis2编写一个可解决此问题的模块。
If there are additional solutions/workarounds, please feel free to comment/correct me. 如果还有其他解决方案/解决方法,请随时评论/纠正我。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.