如何在wss4j 1.6中驗證沒有密碼的UsernameToken？

Question

如果我發送具有當前結構的標頭：

<soapenv:Header>
        <wsse:Security
                xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                soapenv:mustUnderstand="1">
            <wsse:UsernameToken wsu:Id="UsernameToken-E9505BCB2A7771EF1F14710742072404">
                <wsse:Username>Not_correct_username</wsse:Username>
            </wsse:UsernameToken>
        </wsse:Security>
    </soapenv:Header>

通過processSecurityHeader方法執行的驗證是正確的。 但是我只想通過用戶名對用戶進行身份驗證。

現在我的CallbackHandler代碼是：

public class PWCallback implements CallbackHandler {
private String user;
private String password;
private String alias;
private String privateKeyPassword;

@Override
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
    for (int i = 0; i < callbacks.length; i++) {

        if (callbacks[i] instanceof WSPasswordCallback) {
            WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];


            if (pc.getUsage() == WSPasswordCallback.USERNAME_TOKEN) {
                if (!StringUtils.equals(user, pc.getIdentifier())) {
                    throw new IOException("unknown user: " + pc.getIdentifier());
                }
                pc.setPassword(password);

            } else {

                if (pc.getUsage() == WSPasswordCallback.SIGNATURE || pc.getUsage() == WSPasswordCallback.DECRYPT) {
                    if (StringUtils.equals(pc.getIdentifier(), alias)) {
                        pc.setPassword(privateKeyPassword);
                    } else throw new IOException("unknown user: " + pc.getIdentifier());
                }

            }

        }
    }
}

我必須添加或刪除什么？

Answer 1

您需要重寫默認的UsernameTokenValidator的“ verifyUnknownPassword”方法來調用您的CallbackHandler。