如何在wss4j 1.6中验证没有密码的UsernameToken？

Question

如果我发送具有当前结构的标头：

<soapenv:Header>
        <wsse:Security
                xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                soapenv:mustUnderstand="1">
            <wsse:UsernameToken wsu:Id="UsernameToken-E9505BCB2A7771EF1F14710742072404">
                <wsse:Username>Not_correct_username</wsse:Username>
            </wsse:UsernameToken>
        </wsse:Security>
    </soapenv:Header>

通过processSecurityHeader方法执行的验证是正确的。 但是我只想通过用户名对用户进行身份验证。

现在我的CallbackHandler代码是：

public class PWCallback implements CallbackHandler {
private String user;
private String password;
private String alias;
private String privateKeyPassword;

@Override
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
    for (int i = 0; i < callbacks.length; i++) {

        if (callbacks[i] instanceof WSPasswordCallback) {
            WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];


            if (pc.getUsage() == WSPasswordCallback.USERNAME_TOKEN) {
                if (!StringUtils.equals(user, pc.getIdentifier())) {
                    throw new IOException("unknown user: " + pc.getIdentifier());
                }
                pc.setPassword(password);

            } else {

                if (pc.getUsage() == WSPasswordCallback.SIGNATURE || pc.getUsage() == WSPasswordCallback.DECRYPT) {
                    if (StringUtils.equals(pc.getIdentifier(), alias)) {
                        pc.setPassword(privateKeyPassword);
                    } else throw new IOException("unknown user: " + pc.getIdentifier());
                }

            }

        }
    }
}

我必须添加或删除什么？

Answer 1

您需要重写默认的UsernameTokenValidator的“ verifyUnknownPassword”方法来调用您的CallbackHandler。