
Web service SOAP UsernameToken CXF: not sending username/password on each request

I am using the UsernameToken security policy to secure a SOAP web service. I don't want the client to send the username/password on each request. Is it possible to make the web service stateful? Currently the ServerPasswordCallback is called for each request.

Here is my code:

ComputeWS.java

import javax.jws.WebMethod;
import javax.jws.WebService;

import org.apache.cxf.annotations.EndpointProperties;
import org.apache.cxf.annotations.EndpointProperty;
import org.apache.cxf.annotations.Policy;

@WebService(
    serviceName = "ComputeWS",
    targetNamespace = "http://org.test/compute",
    name = "ComputeWS")
// CXF property ws-security.callback-handler: WSS4J asks this class for the expected password
@EndpointProperties(
    value = { @EndpointProperty(key = "ws-security.callback-handler", value = "org.test.ServerPasswordCallback") })
// Attach the WS-SecurityPolicy in WSPolicy.xml at binding level, so it applies to every operation
@Policy(placement = Policy.Placement.BINDING, uri = "WSPolicy.xml")
public class ComputeWS {

    @WebMethod
    public int add(int x, int y) {
        return x + y;
    }

}

WSPolicy.xml

<?xml version="1.0" encoding="UTF-8" ?>
<wsp:Policy wsu:Id="WSPolicy" xmlns:wsp="http://www.w3.org/ns/ws-policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:SupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <!-- AlwaysToRecipient: the client must include the UsernameToken in every request -->
                    <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                        <wsp:Policy>
                            <sp:WssUsernameToken11/>
                        </wsp:Policy>
                    </sp:UsernameToken>
                </wsp:Policy>
            </sp:SupportingTokens>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>

ServerPasswordCallback.java

import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
// WSS4J 2.x; on WSS4J 1.6 (CXF 2.x) the class is org.apache.ws.security.WSPasswordCallback
import org.apache.wss4j.common.ext.WSPasswordCallback;

public class ServerPasswordCallback implements CallbackHandler {

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (!(callback instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callback, "Unrecognized Callback");
            }
            WSPasswordCallback pc = (WSPasswordCallback) callback;
            // Supply the expected password for the user named in the token;
            // WSS4J itself compares it (plaintext or digest) with what the client sent.
            if ("joe".equals(pc.getIdentifier())) {
                pc.setPassword("joespassword");
            }
        }
    }
}

There's no "out of the box" way of doing it. You could change the "IncludeToken" policy of the UsernameToken from "AlwaysToRecipient" to "Once". Then on the server side you'll have to implement some way of keeping track of the client, via something like Spring Security or Apache Shiro, etc.
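One way to do the server-side bookkeeping the answer above describes, as an added example that is not part of the original post and not CXF or WSS4J code: after the first request's UsernameToken has been validated by WSS4J (through the posted ServerPasswordCallback), a CXF interceptor would call issue() and return the opaque token to the client; later requests carry only that token and the interceptor calls authenticate(). The interceptor and the SOAP header that transports the token are assumed and not shown; SessionRegistry, issue, authenticate and revoke are names chosen for this example. The policy side of the answer is the IncludeToken URI http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Once in place of the .../IncludeToken/AlwaysToRecipient value in WSPolicy.xml.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Hypothetical server-side session store for an IncludeToken/Once UsernameToken
 * policy (added example, not CXF code). Assumed wiring: issue() runs once, after
 * WSS4J has validated the UsernameToken; authenticate() runs on every later
 * request that carries only the token.
 */
public final class SessionRegistry {

    private static final class Session {
        final String principal;
        final Instant expiresAt;

        Session(String principal, Instant expiresAt) {
            this.principal = principal;
            this.expiresAt = expiresAt;
        }
    }

    // Keyed by SHA-256 of the token, so a leaked copy of this map cannot be replayed as-is.
    private final Map<String, Session> sessions = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final Duration ttl;

    public SessionRegistry(Duration ttl) {
        this.ttl = ttl;
    }

    /** Issues a fresh 256-bit random token for a principal that WSS4J has already authenticated. */
    public String issue(String principal) {
        byte[] raw = new byte[32];
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(fingerprint(token), new Session(principal, Instant.now().plus(ttl)));
        return token;
    }

    /** Returns the principal behind a live token, or empty for a missing, unknown or expired one. */
    public Optional<String> authenticate(String token) {
        if (token == null || token.isEmpty()) {
            return Optional.empty();
        }
        String key = fingerprint(token);
        Session s = sessions.get(key);
        if (s == null) {
            return Optional.empty();
        }
        if (!Instant.now().isBefore(s.expiresAt)) {
            sessions.remove(key); // lazy expiry: drop the entry the first time it is seen stale
            return Optional.empty();
        }
        return Optional.of(s.principal);
    }

    /** Logout: the token stops working immediately instead of at expiry. */
    public void revoke(String token) {
        if (token != null) {
            sessions.remove(fingerprint(token));
        }
    }

    private static String fingerprint(String token) {
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            return Base64.getEncoder().encodeToString(sha256.digest(token.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    /** Stand-alone walk-through of the lifecycle; "joe" is the user from the posted callback. */
    public static void main(String[] args) {
        SessionRegistry registry = new SessionRegistry(Duration.ofMinutes(15));
        String token = registry.issue("joe"); // after the single UsernameToken round-trip
        System.out.println("live:     " + registry.authenticate(token));
        System.out.println("tampered: " + registry.authenticate(token + "x"));
        registry.revoke(token);
        System.out.println("revoked:  " + registry.authenticate(token));
    }
}
```

The token replaces the credentials, so it needs the same protection: send it only over TLS, keep the TTL short, and revoke it on logout. Note also that the nonce and Created-timestamp replay checks WSS4J performs on a UsernameToken no longer cover the token-only requests; with this pattern the expiry in the registry is the only replay bound those requests get.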
