带有 Apache CXF 的 WS-Security UsernameToken [英] WS-Security UsernameToken with Apache CXF

问题描述

我有一个与 SOAP 服务交互的 Java 应用程序.我使用 WSDL 通过 CXF 生成 Java 客户端，但我需要使用 ws-security 验证我的调用.我正在寻找一种仅代码方式来执行此操作，并且我没有任何 xml 配置.这是我尝试过的:

I have a java application that interacts with a SOAP service. I used the WSDL to generate a java client via CXF, but I need to authenticate my calls using ws-security. I am looking for a code-only way to do this, and I don't have any xml configurations. This is what I have tried:

Map ctx = ((BindingProvider)port).getRequestContext();
ctx.put("ws-security.username", "joe");
ctx.put("ws-security.password", "joespassword");
port.makeSoapCall();

但我收到无效 WS-Security 标头的解析错误.这样做的正确方法是什么?

But I get a parse error for invalid WS-Security header. What is the right way to do this?

在 SOAP UI 中，我可以通过右键单击 soap 标头，单击添加 WSS 用户名令牌"，然后选择密码文本"来轻松完成此操作

In SOAP UI, I can do this easily by right-clicking the soap header, clicking "Add WSS UsernameToken", and selecting "Password Text"

推荐答案

您正在按照您共享的代码使用 WS-SecurityPolicy.仅使用 WS-Security 并使用 WSS4JOutInterceptor 跨用户名令牌发送怎么样?

You are using WS-SecurityPolicy as per the code you shared. How about using WS-Security only and sending across the usernametoken using WSS4JOutInterceptor?

在此处查看 apache cfx ws-security 指南中的通过 API 添加拦截器"部分:http://cxf.apache.org/docs/ws-security.html

Check the section "Adding the interceptors via the API" in apache cfx ws-security guide here : http://cxf.apache.org/docs/ws-security.html

这是根据上面的 apache cxf 文档需要做的事情.您可能只需要 out 拦截器路径.

This is what needs to be done as per the above apache cxf documenation above. You might only need the out interceptor path.

在客户端，您可以使用 ClientProxy 助手获取对 CXF 端点的引用:

import org.apache.cxf.frontend.ClientProxy;
...

GreeterService gs = new GreeterService();
Greeter greeter = gs.getGreeterPort();
...
org.apache.cxf.endpoint.Client client = ClientProxy.getClient(greeter);
org.apache.cxf.endpoint.Endpoint cxfEndpoint = client.getEndpoint();

现在您已准备好添加拦截器:

import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
...

Map<String,Object> inProps = new HashMap<String,Object>();
... // how to configure the properties is outlined below;

WSS4JInInterceptor wssIn = new WSS4JInInterceptor(inProps);
cxfEndpoint.getInInterceptors().add(wssIn);

Map<String,Object> outProps = new HashMap<String,Object>();
outProps.put("action", "UsernameToken Timestamp");
outProps.put("passwordType", "PasswordDigest"); //remove this line if want to use plain text password
outProps.put("user", "abcd");
outProps.put("passwordCallbackClass", "demo.wssec.client.UTPasswordCallback");

WSS4JOutInterceptor wssOut = new WSS4JOutInterceptor(outProps);
cxfEndpoint.getOutInterceptors().add(wssOut);

您需要在上面的示例中编写密码回调类 (UTPasswordCallback).

You will need to write password callback class (UTPasswordCallback) in the example above.

Apache cxf 有一个完整的 UserName 令牌示例:http://svn.apache.org/repos/asf/cxf/trunk/distribution/src/main/release/samples/ws_security/ut/

Apache cxf has a complete sample for UserName token here: http://svn.apache.org/repos/asf/cxf/trunk/distribution/src/main/release/samples/ws_security/ut/

从上面的链接浏览到用户名令牌和 UTPasswordCallback 代码的客户端文件夹 (src/main/java/demo/wssec/client).

From the above link browse to client folder (src/main/java/demo/wssec/client) for user name token and UTPasswordCallback code.

如果您的 wsdl 期望密码为纯文本，那么只需从代码中删除这一行:outProps.put("passwordType", "PasswordDigest");

If your wsdl expects password as plain text then just remove this line from the code: outProps.put("passwordType", "PasswordDigest");

这篇关于带有 Apache CXF 的 WS-Security UsernameToken的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！