passwordCallback在CXF中 [英] passwordCallback in CXF

问题描述

我为现有的Web服务开发Web服务客户端。我使用Apache CXF 2.2。该服务需要安全的用户名和纯文本密码，我这样配置：

I develop a webservice client for an existing webservice. I am using Apache CXF 2.2. The service requires security with Username and plain text password, which I configured like this:

<bean id="myPasswordCallback"
    class="com.kraemer_imd.mobilized.m2m_adapter.ClientPasswordCallback"/>

<jaxws:client id="m2mClientService"
              serviceClass="de.vodafone.easypu.ws.EasyPUOrderServicePortType"
              address="http://m2m.vodafone.de/speasy/services/EasyPUOrderService"
              bindingId="http://www.w3.org/2003/05/soap/bindings/HTTP/">

  <jaxws:outInterceptors>
    <bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
      <constructor-arg>
        <map>
            <entry key="action" value="UsernameToken Timestamp"/>
          <entry key="passwordType" value="PasswordText"/>
          <entry key="user" value="myusername"/>
          <entry key="passwordCallbackRef">
            <ref bean="myPasswordCallback"/>
          </entry>
        </map>
      </constructor-arg>
    </bean>
  </jaxws:outInterceptors>

</jaxws:client>

这样工作得很好。但我不明白为什么我必须通过回调处理程序而不是通过配置提供密码提供。文档说，这是为了安全的原因，但我不明白为什么这应该更安全，有一个回调处理程序从属性文件读取（或更糟的是它硬编码在回调）。

That works quite well. But I did not understand why I have to provide the password via a callback handler instead of just providing it via configuration. The documentation says it is for security reasons, but I don´t see why this should be more secure to have a callback handler that reads it from a property file (or worse has it hard coded in the callback).

那么，有人可以向我解释一下吗？

So, could somebody explain this to me? Maybe the callback is intended for some magic stuff that I missed..

感谢
Michel

Thanks Michel

推荐答案

密码回调由Apache CXF提供，作为客户端应用程序检索目标Web服务的凭据的机制，该服务在运行时可能存储在数据库中，配置文件，LDAP或一些其他商店。此回调钩为应用程序提供了从应用程序特定配置检索凭据的灵活性。

The password callback is provided by Apache CXF as a mechanism for the client application to retrieve the credentials for the targeted webservice, which at runtime is likely to be stored in the database, configuration fiels, LDAP or some other store. This callback hook provides the flexibility to the application to retrieve the credentials from application specific configuration.

这篇关于passwordCallback在CXF中的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！