I am using the usernameToken security policy to secure a soap webservice. I don't want the client to send the username/password on each requests. Is it possible to make the webservice statefull ? Currently the ServerPasswordCallback is called for each requests.
Here is my code :
ComputeWS.java
@WebService(
serviceName = "ComputeWS",
targetNamespace = "http://org.test/compute",
name = "ComputeWS")
@EndpointProperties(
value = { @EndpointProperty(key = "ws-security.callback-handler", value = "org.test.ServerPasswordCallback") })
@Policy(placement = Policy.Placement.BINDING, uri = "WSPolicy.xml")
public class ComputeWS {
@WebMethod
public int add(int x, int y) {
return x * y;
}
}
WSPolicy.xml
<?xml version="1.0" encoding="UTF-8" ?>
<wsp:Policy wsu:Id="WSPolicy" xmlns:wsp="http://www.w3.org/ns/ws-policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsp:ExactlyOne>
<wsp:All>
<sp:SupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssUsernameToken11/>
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:SupportingTokens>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
ServerPasswordCallback.java
public class ServerPasswordCallback implements CallbackHandler {
@Override
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
if ("joe".equals(pc.getIdentifier())) {
pc.setPassword("joespassword");
}
}
}
There's no "out of the box" way of doing it. You could change the "IncludeToken" policy of the UsernameToken from "AlwaysToRecipient" to "Once". Then on the server side you'll have to implement some way of keeping track of the client, via something like Spring Security or Apache Shiro etc.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.