![](/img/trans.png)
[英]UsernameToken WS-Security with Apache CXF Annotations (WSS4J)
[英]How to validate UsernameToken without password in wss4j 1.6?
如果我發送具有當前結構的標頭:
<soapenv:Header>
<wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
soapenv:mustUnderstand="1">
<wsse:UsernameToken wsu:Id="UsernameToken-E9505BCB2A7771EF1F14710742072404">
<wsse:Username>Not_correct_username</wsse:Username>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
通過processSecurityHeader方法執行的驗證是正確的。 但是我只想通過用戶名對用戶進行身份驗證。
現在我的CallbackHandler代碼是:
public class PWCallback implements CallbackHandler {
private String user;
private String password;
private String alias;
private String privateKeyPassword;
@Override
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
for (int i = 0; i < callbacks.length; i++) {
if (callbacks[i] instanceof WSPasswordCallback) {
WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
if (pc.getUsage() == WSPasswordCallback.USERNAME_TOKEN) {
if (!StringUtils.equals(user, pc.getIdentifier())) {
throw new IOException("unknown user: " + pc.getIdentifier());
}
pc.setPassword(password);
} else {
if (pc.getUsage() == WSPasswordCallback.SIGNATURE || pc.getUsage() == WSPasswordCallback.DECRYPT) {
if (StringUtils.equals(pc.getIdentifier(), alias)) {
pc.setPassword(privateKeyPassword);
} else throw new IOException("unknown user: " + pc.getIdentifier());
}
}
}
}
}
我必須添加或刪除什么?
您需要重寫默認的UsernameTokenValidator的“ verifyUnknownPassword”方法來調用您的CallbackHandler。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.