User authentication in SOAP Webservices


Question

I made a question about JAX-WS, Authentication and Authorization - How to?; there was a discussion about security levels, and where to store user credentials.

Now after some conclusions, I want to try one of those scenarios:

  • SOAP Webservice - Metro
  • Message-level security - mutual certificate authentication, to authenticate the client application
  • User credentials in the SOAP header

How do I get the credentials and do the authorization? I have two ideas:

  • JAAS (I know nothing about it);
  • SOAP handler - extract the credentials from the message using WebServiceContext and do the authorization "by hand".

Can you help me to decide the best way, and how to implement it?

Remember, I want mutual certificates, plus a user token.

Answer

JAAS does not define how the authentication information should look in SOAP, but WS-Security defines what kind of standardized tokens you can use during the client-server exchange (Username+password token / X.509 certificate / SAML token / Kerberos token).

With respect to the Metro WebService stack, you need (steps taken from here and here):

  • Inject the handler, which implements javax.xml.ws.handler.soap.SOAPHandler, into the JAX-WS handler chain, either programmatically via ((BindingProvider)port).getBinding().setHandlerChain(Collections.singletonList(handler)) or declaratively by adding the @HandlerChain(file = "handlers.xml") annotation to your WS endpoint interface.
  • The handler should create an XWSSProcessor instance using XWSSProcessorFactory, which is passed the callback handler that implements javax.security.auth.callback.CallbackHandler.
  • The callback handler e.g. defines a validator on callback (depends on the callback type).

This is the same as "doing it by hand" (as the 1st step is to intercept the SOAP message anyway), with some WSS sugar on top. But WSIT (and CXF) use the JAAS API and they provide standard implementations for various authentication tokens. Enabling them needs some configuration / coding effort, but the benefit is that if you later decide to switch from plaintext to Kerberos authentication, you don't need to code a lot. Also "doing it by hand" means that you need to deal with the authentication information on the XML level, and what you'll do is implement one of the standards.

I suggest using Apache CXF, which is based on WSS4J – the WS-Security implementation from Apache. You can easily find tutorials (e.g. here and here for Username+password, here and here for SAML) that show how to define callbacks / interceptors to verify the authentication information. The advantage of CXF is that it has nice integration with Spring.
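To make the handler-plus-callback-handler structure from the answer concrete, here is an added example (not code from the question, the answer, Metro or CXF) of the "by hand" variant the asker describes: a JAX-WS SOAPHandler that pulls a WS-Security UsernameToken out of the wsse:Security header, hands the credentials to a javax.security.auth.callback.CallbackHandler for the actual check, and publishes the authenticated name into the message context so the endpoint can read it through WebServiceContext for authorization. Everything except the standard JAX-WS/SAAJ/JAAS API is an assumption of this example: the UsernameTokenCallback class is a constructed callback (XWSS ships its own classes for this pattern, which this does not reuse), PRINCIPAL_KEY is a hypothetical context key, and DemoCredentialCallbackHandler is a constructed in-memory store with one sample account. Only the plaintext PasswordText form is handled; the digest form, timestamps and nonces are out of scope here.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPElement;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPFactory;
import javax.xml.soap.SOAPHeader;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;
import javax.xml.ws.soap.SOAPFaultException;

/** Constructed callback (not an XWSS class): carries name/password in and the verdict out. */
final class UsernameTokenCallback implements Callback {
    final String username;
    final char[] password;
    boolean valid;
    UsernameTokenCallback(String username, char[] password) { this.username = username; this.password = password; }
}

/** Inbound-only JAX-WS handler: faults any request without a valid wsse:UsernameToken (plaintext password). */
public class UsernameTokenHandler implements SOAPHandler<SOAPMessageContext> {
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/";
    /** Hypothetical key; the endpoint reads it via WebServiceContext.getMessageContext().get(PRINCIPAL_KEY). */
    public static final String PRINCIPAL_KEY = "wss.authenticated.username";

    private final CallbackHandler callbackHandler;

    public UsernameTokenHandler(CallbackHandler callbackHandler) { this.callbackHandler = callbackHandler; }

    /** Declare wsse:Security as understood; otherwise a mustUnderstand="1" header faults before we run. */
    @Override public Set<QName> getHeaders() { return Collections.singleton(new QName(WSSE, "Security")); }

    @Override public boolean handleMessage(SOAPMessageContext ctx) {
        if (Boolean.TRUE.equals(ctx.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY))) return true; // responses carry no token
        try {
            SOAPHeader header = ctx.getMessage().getSOAPHeader();             // null when the envelope has no Header
            SOAPElement token = find(find(header, "Security"), "UsernameToken");
            String user = text(find(token, "Username"));
            String pass = text(find(token, "Password"));
            if (user == null || pass == null) throw fault("Missing or incomplete wsse:UsernameToken");

            UsernameTokenCallback cb = new UsernameTokenCallback(user, pass.toCharArray());
            try {
                callbackHandler.handle(new Callback[] { cb });   // the store-specific check lives in the callback handler
            } finally {
                Arrays.fill(cb.password, '\0');                  // do not keep the secret around longer than needed
            }
            if (!cb.valid) throw fault("Authentication failed"); // one generic reason: do not reveal which part failed

            ctx.put(PRINCIPAL_KEY, cb.username);                 // expose the principal to the endpoint for authorization
            ctx.setScope(PRINCIPAL_KEY, MessageContext.Scope.APPLICATION);
            return true;
        } catch (SOAPException | IOException | UnsupportedCallbackException e) {
            throw fault("Security header could not be processed");
        }
    }

    @Override public boolean handleFault(SOAPMessageContext ctx) { return true; }
    @Override public void close(MessageContext ctx) { }

    /** First wsse:* child with the given local name, or null if the parent or child is absent. */
    private static SOAPElement find(SOAPElement parent, String localName) {
        if (parent == null) return null;
        Iterator<?> it = parent.getChildElements(new QName(WSSE, localName));
        return it.hasNext() ? (SOAPElement) it.next() : null;
    }

    private static String text(SOAPElement e) { return e == null ? null : e.getValue(); }

    /** Client-side SOAP 1.1 fault; throwing it from handleMessage makes the runtime return it to the caller. */
    private static SOAPFaultException fault(String reason) {
        try {
            return new SOAPFaultException(SOAPFactory.newInstance().createFault(reason, new QName(SOAP_ENV, "Client")));
        } catch (SOAPException e) { throw new IllegalStateException(e); }
    }
}

/** Constructed demo store: username -> SHA-256(password). A real deployment uses a salted password hash or a directory. */
class DemoCredentialCallbackHandler implements CallbackHandler {
    private final Map<String, byte[]> store = new HashMap<>();

    DemoCredentialCallbackHandler() { store.put("alice", sha256("correct horse")); }   // constructed sample account

    @Override public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (Callback c : callbacks) {
            if (!(c instanceof UsernameTokenCallback)) throw new UnsupportedCallbackException(c);
            UsernameTokenCallback cb = (UsernameTokenCallback) c;
            byte[] expected = store.get(cb.username);
            byte[] presented = sha256(new String(cb.password));
            cb.valid = expected != null && MessageDigest.isEqual(expected, presented); // constant-time compare
        }
    }

    private static byte[] sha256(String s) {
        try { return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)); }
        catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
}
```

Register `new UsernameTokenHandler(new DemoCredentialCallbackHandler())` either through `@HandlerChain(file = "handlers.xml")` on the endpoint or via `getBinding().setHandlerChain(...)` exactly as the answer's first step says. Two design points matter for security: getHeaders() must list wsse:Security, or a client that marks the header mustUnderstand="1" gets a fault before the handler sees it; and because the password travels as plaintext inside the token, this only makes sense on the transport the asker already plans, i.e. mutually authenticated TLS or message-level encryption, never over a bare HTTP channel.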
