stackoom
  简体   繁体   中英

CXF Client Security

 原文  2011-07-09 17:19:10       java/ soap/ cxf/ soap-client

Question

I am creating a client to a Java soap web service, but am having trouble figuring out how to properly pass the password. Here is my "hardcoded" password example:

@Test
public void exploratorySecurityTest() {
     String username = "user";
     String password = "pwd";

    UserStoryService service = new UserStoryService();
    UserStoryServiceSoap port = service.getUserStoryServiceSoap();

    //initialize security
    org.apache.cxf.endpoint.Client client = ClientProxy.getClient(port); 
    org.apache.cxf.endpoint.Endpoint cxfEndpoint = client.getEndpoint();
    Map<String, Object> outProps = new HashMap<String, Object>();
    outProps.put(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN);
    outProps.put(WSHandlerConstants.USER, username);
    outProps.put(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_TEXT);
    outProps.put(WSHandlerConstants.PW_CALLBACK_CLASS, ClientPasswordCallback.class.getName());
    WSS4JOutInterceptor wssOut = new WSS4JOutInterceptor(outProps);
    cxfEndpoint.getOutInterceptors().add(wssOut);

    int storyId = 33401;
    UserStoryDTO userStoryDTO = port.getByID(storyId);

    //success if no error
}

public class ClientPasswordCallback implements CallbackHandler {

@Override
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
    WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
    pc.setPassword("pwd");
}}

What I really want to do is to pass the password into the callback handler. The examples that I have seen in the CXF documentation implement the callback either "hardcoded" (as I did in this example) or as a function of the username:

if (pc.getIdentifier().equals("user"))
   pc.setPassword("pwd");

Neither of these meet my needs. Is there a way that I can do something like the following:

@Test
public void exploratorySecurityTest() {
     String username = "user";
     String password = "pwd";

    UserStoryService service = new UserStoryService();
    UserStoryServiceSoap port = service.getUserStoryServiceSoap();

    //initialize security
    org.apache.cxf.endpoint.Client client = ClientProxy.getClient(port); 
    org.apache.cxf.endpoint.Endpoint cxfEndpoint = client.getEndpoint();
    Map<String, Object> outProps = new HashMap<String, Object>();
    outProps.put(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN);
    outProps.put(WSHandlerConstants.USER, username);

            //pass the password here?
            outProps.put("password", password);

    outProps.put(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_TEXT);
    outProps.put(WSHandlerConstants.PW_CALLBACK_CLASS, ClientPasswordCallback.class.getName());
    WSS4JOutInterceptor wssOut = new WSS4JOutInterceptor(outProps);

    cxfEndpoint.getOutInterceptors().add(wssOut);
            // ...
}

4 answers

solution1
 16 ACCPTED  2012-07-09 18:46:13

Use PW_CALLBACK_REF instead PW_CALLBACK_CLASS, and pass an instantiated object, instead of the static class. You can inject the password in said object.

Something like:

    outProps.put(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_TEXT);
    CXFClientPasswordHandler handler = new CXFClientPasswordHandler();
    handler.setPassword(password);
    outProps.put(WSHandlerConstants.PW_CALLBACK_REF, handler);

solution2
 3  2012-07-10 13:11:37

I was also able to do the following:

    org.apache.cxf.endpoint.Client client = ClientProxy.getClient(obj);
    org.apache.cxf.endpoint.Endpoint cxfEndpoint = client.getEndpoint();

    Map<String, Object> outProps = new HashMap<String, Object>();

    outProps.put(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN);

    System.out.println("initialize security for user " + this.username);
    outProps.put(WSHandlerConstants.USER, this.username);
    outProps.put(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_TEXT);

    Map<String, Object> ctx = ((BindingProvider) obj).getRequestContext();
    ctx.put("password", this.password);

    WSS4JOutInterceptor wssOut = new WSS4JOutInterceptor(outProps);
    cxfEndpoint.getOutInterceptors().add(wssOut);

solution3
 1  2020-03-26 12:57:39

Your ClientPasswordCallback class may be like that, with his own pwd field and the associated setter:

class ClientPasswordCallback implements CallbackHandler {

    private String pwd;

    public void setPassword(String pwd) {
        passwd = pwd;
    }

    @Override
    public void handle(Callback[] callbacks) {
        WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
        pc.setPassword(pwd);
    }
}

Then you can instanciate it in your test, set its password and use PW_CALLBACK_REF key to add it to the outProps map:

@Test
public void exploratorySecurityTest() {
    String username = "user";
    String password = "pwd";

    // ...

    outProps.put(PASSWORD_TYPE, WSConstants.PW_TEXT);
    ClientPasswordCallback handler = new ClientPasswordCallback();
    handler.setPassword(passwd);
    outProps.put(PW_CALLBACK_REF, handler);
    WSS4JOutInterceptor wssOut = new WSS4JOutInterceptor(outProps);

    // ...
}

solution4
 0  2017-05-17 11:30:05

I have always used following way of adding properties to request context for http level authentication and CallbackHandler for adding message level username token.

org.apache.cxf.endpoint.Client client = ClientProxy.getClient(obj);
org.apache.cxf.endpoint.Endpoint cxfEndpoint = client.getEndpoint();


System.out.println("initialize security for user " + this.username);
outProps.put(WSHandlerConstants.USER, this.username);
outProps.put(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_TEXT);

Map<String, Object> requestContext = ((BindingProvider) obj).getRequestContext();


//For message level authentication
requestContext.put("ws-security.username", "Ron");
requestContext.put("ws-security.callback-handler", "com.ws.cxf.client.callback.UTPasswordCallback");

//For endpoint level authentication, HTTP Basic/Digest
requestContext.put(BindingProvider.USERNAME_PROPERTY, username);
requestContext.put(BindingProvider.PASSWORD_PROPERTY, password);




class UTPasswordCallback implements CallbackHandler {

@Override
public void handle(Callback[] callbacks) throws IOException,
        UnsupportedCallbackException {


    for(Callback cb:callbacks){
        WSPasswordCallback pcallback = (WSPasswordCallback)cb;
         if(pcallback.getUsage()==WSPasswordCallback.USERNAME_TOKEN)
        {

            if(pcallback.getIdentifier().equals("Ron"))
                pcallback.setPassword("noR");

        }

        }


    }

}

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question CXF Client + WS-Security + MTOM = Trouble? cxf security headers for client using java Security Policy for Apache CXF Java Client Camel CXF - Security (Authentication) Apache cxf attachment security cxf client http rest Running OpenCMIS client with CXF Apache CXF Client Memory CXF client without servlet cxf client side dependencies
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM