用于CXF的WS-security(用户名令牌)-可以使用加密的密码吗? [英] WS-security (usernametoken) for CXF - encrypted passwords possible?

问题描述

我正在尝试与CXF的WS-security实现(usernametoken)结合在一起.我已经按照 http://cxf.apache.org/docs/ws的说明进行了所有操作-security.html .我的PasswordCallbackHandler似乎可以正常工作，但令我困扰的是一部分:

I'm trying to get together with CXF's WS-security implementation(usernametoken). I've done everything as said at http://cxf.apache.org/docs/ws-security.html. My PasswordCallbackHandler seems to be working, but what bothers me is a part:

    if (pc.getIdentifier().equals("joe")) {
        // set the password on the callback. This will be compared to the
        // password which was sent from the client.
        pc.setPassword("password");
    }

如上所述

请注意，对于不超过CXF 2.3.x的情况，纯文本密码(或任何其他未知密码类型)的特殊情况的密码验证将委派给回调类，请参见org.apache.ws. WSS4J项目的.security.processor.UsernameTokenProcessor#handleUsernameToken()方法javadoc.在这种情况下，ServerPasswordCallback应该类似于以下内容:

Note that for up to and including CXF 2.3.x, the password validation of the special case of a plain-text password (or any other yet unknown password type) is delegated to the callback class, see org.apache.ws.security.processor.UsernameTokenProcessor#handleUsernameToken() method javadoc of the WSS4J project. In that case, the ServerPasswordCallback should be something like the following one:

直到cxf 2.3.x都是这样

so up to cxf 2.3.x it was done like that

   if (pc.getIdentifer().equals("joe") {
       if (!pc.getPassword().equals("password")) {
            throw new IOException("wrong password");
       }
    }

我的问题是:我不想将pc.setPassword("plainTextPassword")存储在任何资源中.由于我可以手动对其进行加密，因此最新的2.3.x版设计将允许我执行此操作.是否有任何方法可以在回调中设置加密密码或对存储的加密密码进行用户名令牌身份验证?

My issue is: I don't want to pc.setPassword("plainTextPassword") as I want to store it in any resource. This up-to-2.3.x design would allow me to do this since I could encrypt it manually. Are there any ways of setting encrypted password in callback or doing usernametoken authentication for stored, encrypted passwords ?

我正在使用cxf 2.5.x

I'm using cxf 2.5.x

推荐答案

在此博客页面中找到了答案(我已经尝试过):

The answer (which I've tried) is found in this blog page:

http://coheigea.blogspot.com/2011/06/custom-token-validation-in-apache-cxf.html

本质是创建org.apache.ws.security.validate.UsernameTokenValidator的子类，并重写verifyPlaintextPassword方法.在该方法中，传递了UsernameToken(提供getName和getPassword).如果它们无效，则引发异常.

The essence is to create a subclass of org.apache.ws.security.validate.UsernameTokenValidator, and override the verifyPlaintextPassword method. In that method, the UsernameToken (which provides getName and getPassword) is passed. Throw an exception if they're not valid.

要在春季配置中安装自定义验证器，请添加例如

To install the custom validator in a spring configuration, add e.g.

  <jaxws:properties>
    <entry key="ws-security.ut.validator">
        <bean class="com.example.webservice.MyCustomUsernameTokenValidator" />
    </entry>
  </jaxws:properties>

进入< jaxws:endpoint/>.

into the <jaxws:endpoint/>.

这篇关于用于CXF的WS-security(用户名令牌)-可以使用加密的密码吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！