User authentication in Java SOAP web services
Original source: http://stackoverflow.com/questions/7766811/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): Stack Overflow
User authentication in SOAP Webservices
Asked by lpinto.eu
I asked a question, JAX-WS, Authentication and Authorization - How to?; there was a discussion about security levels and where to store user credentials.
Now after some conclusions, I want to try one of those scenarios:
- SOAP web services - metro
- Message level security - Mutual certificate authentication, to authenticate the client application
- User credential in the Soap Header
How to get the credentials and do the authorization? I have 2 ideas:
- JAAS (I don't know anything about this);
- SOAP handler - using the WebServiceContext to extract the credentials from the message and do the authorization "by hand".
Can you help me to decide the best way, and how to implement it?
Remember that I want mutual certificate, plus a user token.
Accepted answer by dma_k
JAAS does not define what the authentication information should look like in SOAP, but WS-Security defines what kind of standardized tokens you can use during client-server exchange (Username+password token / X.509 certificate / SAML token / Kerberos token).
EDIT: With respect to the Metro WebService stack, you need (steps taken from here and here):
- Inject the handler, which implements javax.xml.ws.handler.soap.SOAPHandler, into the JAX-WS handler chain, either programmatically via ((BindingProvider)port).getBinding().setHandlerChain(Collections.singletonList(handler)) or declaratively by adding the @HandlerChain(file = "handlers.xml") annotation to your WS endpoint interface.
- The handler should create an XWSSProcessor instance using XWSSProcessorFactory, which is passed the callback handler that implements javax.security.auth.callback.CallbackHandler.
- The callback handler e.g. defines a validator on callback (depends on callback type).
This is the same as "doing by hand" (as the 1st step is to intercept the SOAP message anyway), with some WSS sugar on top. But WSIT (and CXF) use the JAAS API and they provide standard implementations for various authentication tokens. Enabling them needs some configuration / coding effort, but the benefit is that if you later decide to switch from plaintext to Kerberos authentication, you don't need to code a lot. Also "doing by hand" means that you need to deal with authentication information on the XML level, and what you'll be doing is implementing one of the standards.
I suggest using Apache CXF, which is based on WSS4J – the WS-Security implementation from Apache. You can easily find tutorials (e.g. here and here for Username+password, here and here for SAML) that show how to define callbacks / interceptors to verify authentication information. The advantage of CXF is that it has nice integration with Spring.
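The "by hand" handler option discussed above, as an added sketch that is not part of the original question or answer: a server-side SOAPHandler that reads a WS-Security UsernameToken from the header, rejects missing or duplicated tokens, and exposes the authenticated user name to the endpoint. It assumes the token arrives as plain PasswordText with confidentiality provided by the message-level security; the class name, the USER_KEY property and the constructed credentials in verify() are hypothetical stand-ins.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.Set;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPHeader;
import javax.xml.ws.ProtocolException;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;
import org.w3c.dom.NodeList;

public class UsernameTokenHandler implements SOAPHandler<SOAPMessageContext> {
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    public static final String USER_KEY = "example.authenticated.user"; // hypothetical property name

    @Override public boolean handleMessage(SOAPMessageContext ctx) {
        if (Boolean.TRUE.equals(ctx.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY))) return true; // check requests only
        try {
            SOAPHeader header = ctx.getMessage().getSOAPHeader();
            if (header == null) throw new ProtocolException("Authentication required");
            NodeList users = header.getElementsByTagNameNS(WSSE, "Username");
            NodeList passwords = header.getElementsByTagNameNS(WSSE, "Password");
            // Fail closed: exactly one token, so a second injected token cannot be picked up instead.
            if (users.getLength() != 1 || passwords.getLength() != 1) throw new ProtocolException("Authentication required");
            String user = users.item(0).getTextContent();
            if (!verify(user, passwords.item(0).getTextContent())) throw new ProtocolException("Authentication failed");
            // APPLICATION scope makes the value readable from the endpoint's WebServiceContext.
            ctx.put(USER_KEY, user);
            ctx.setScope(USER_KEY, MessageContext.Scope.APPLICATION);
            return true;
        } catch (SOAPException e) {
            throw new ProtocolException("Authentication failed", e);
        }
    }

    // Constructed stand-in for a real credential store lookup; compares in constant time.
    static boolean verify(String user, String password) {
        byte[] expected = "constructed-secret".getBytes(StandardCharsets.UTF_8);
        return "alice".equals(user) & MessageDigest.isEqual(expected, password.getBytes(StandardCharsets.UTF_8));
    }

    @Override public Set<QName> getHeaders() { return Collections.singleton(new QName(WSSE, "Security")); }
    @Override public boolean handleFault(SOAPMessageContext ctx) { return true; }
    @Override public void close(MessageContext ctx) { }
}
```

The endpoint can then read the user with wsContext.getMessageContext().get(UsernameTokenHandler.USER_KEY) and make its authorization decision on that value.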