User authenticate in SOAP - How to?


Question

I asked a question about JAX-WS, Authentication and Authorization - How to?; there was a discussion about security levels, and where to store user credentials.

Now after some conclusions, I want to try one of those scenarios:


  • SOAP web service - Metro

  • Message-level security - mutual certificate authentication, to authenticate the client application

  • User credentials in the SOAP header

How to get the credentials and do the authorization? I have 2 ideas:


  • JAAS (I know nothing about it);

  • SOAP handler - use WebServiceContext to extract the credentials from the message and do the authorization by hand.

Can you help me to decide the best way, and how to implement it?

Remember that I need mutual certificates and a user token.

Answer

JAAS does not define how the authentication information should look in SOAP, but WS-Security defines what kind of standardized tokens you can use during the client-server exchange (Username+password token / X.509 certificate / SAML token / Kerberos token).

Edit: With respect to the Metro WebService stack, you need (steps taken from here and here):


  • Inject the handler that implements javax.xml.ws.handler.soap.SOAPHandler into the JAX-WS handler chain, either programmatically via ((BindingProvider) port).getBinding().setHandlerChain(Collections.singletonList(handler)) or declaratively by adding the @HandlerChain(file = "handlers.xml") annotation to your WS endpoint interface.

  • The handler should create an XWSSProcessor instance using XWSSProcessorFactory, which is passed the callback handler that implements javax.security.auth.callback.CallbackHandler.

  • The callback handler e.g. defines a validator on the callback (depends on the callback type).

This is the same as "doing by hand" (as the 1st step is to intercept the SOAP message anyway), with some WSS sugar on top. But WSIT (and CXF) use the JAAS API and they provide standard implementations for various authentication tokens. Enabling them needs some configuration / coding effort, but the benefit is that if you later decide to switch from plaintext to Kerberos authentication, you don't need to code a lot. Also "doing by hand" means that you need to deal with the authentication information on the XML level, and what you'll do is implement one of the standards.

I suggest using Apache CXF (http://61.153.44.88/apache/cxf/2.0/ws-security.html), which is based on WSS4J, the WS-Security implementation from Apache. You can easily find tutorials (e.g. here and here (http://domagojtechtips.blogspot.com/2007/08/cxf-spring-and-ws-security-putting-it.html) for Username+password, here and here for SAML) that show how to define callbacks / interceptors to verify the authentication information. The advantage of CXF is that it has nice integration with Spring.
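The following is an added example, not code from the question, the answer, Metro or CXF. It shows the "doing by hand" option the question proposed, applied to the WS-Security UsernameToken the answer names: a JAX-WS SOAPHandler intercepts the inbound request, reads the wsse:UsernameToken, verifies either PasswordText or PasswordDigest (Base64(SHA-1(nonce + created + password)) per the WSS UsernameToken Profile 1.0), rejects stale timestamps and replayed nonces, and publishes the authenticated user in the message context so the endpoint can authorize via WebServiceContext. The credential store USERS, the MAX_SKEW window and the context key PRINCIPAL are assumptions made for the example.

```java
// Added example (not from the original page). USERS, MAX_SKEW and PRINCIPAL are hypothetical.
// Register with @HandlerChain(file = "handlers.xml") on the endpoint, naming this class in <handler-class>.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPConstants;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPFactory;
import javax.xml.soap.SOAPHeader;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;
import javax.xml.ws.soap.SOAPFaultException;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class UsernameTokenHandler implements SOAPHandler<SOAPMessageContext> {
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0";
    public static final String PRINCIPAL = "app.wss.principal"; // key the endpoint reads from its WebServiceContext
    private static final Duration MAX_SKEW = Duration.ofMinutes(5); // accepted age of wsu:Created
    private static final Map<String, String> USERS = Collections.singletonMap("alice", "s3cret"); // hypothetical store
    // Replay cache for digest nonces; a real deployment evicts entries older than MAX_SKEW instead of growing forever.
    private static final Set<String> SEEN_NONCES = Collections.newSetFromMap(new ConcurrentHashMap<>());

    @Override
    public Set<QName> getHeaders() {
        // Declare wsse:Security as understood so a mustUnderstand="1" header does not fault before handleMessage runs.
        return Collections.singleton(new QName(WSSE, "Security"));
    }

    @Override
    public boolean handleMessage(SOAPMessageContext ctx) {
        if ((Boolean) ctx.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY)) return true; // only inspect requests
        try {
            SOAPHeader header = ctx.getMessage().getSOAPHeader();
            Element security = header == null ? null : first(header, WSSE, "Security");
            Element token = security == null ? null : first(security, WSSE, "UsernameToken");
            if (token == null) throw fault("Missing wsse:UsernameToken");
            String user = text(token, WSSE, "Username");
            Element password = first(token, WSSE, "Password");
            if (user == null || password == null) throw fault("Malformed wsse:UsernameToken");
            String expected = USERS.get(user);
            if (expected == null || !verify(password, token, expected)) throw fault("Authentication failed");
            ctx.put(PRINCIPAL, user);
            ctx.setScope(PRINCIPAL, MessageContext.Scope.APPLICATION); // visible to the endpoint, not just handlers
            return true;
        } catch (SOAPException e) {
            throw new RuntimeException(e);
        }
    }

    private static boolean verify(Element password, Element token, String expected) {
        String type = password.getAttribute("Type");
        byte[] value = password.getTextContent().trim().getBytes(StandardCharsets.UTF_8);
        if (type.isEmpty() || (PROFILE + "#PasswordText").equals(type)) {
            return MessageDigest.isEqual(value, expected.getBytes(StandardCharsets.UTF_8)); // constant-time compare
        }
        if (!(PROFILE + "#PasswordDigest").equals(type)) return false; // unknown password type
        String nonceB64 = text(token, WSSE, "Nonce");
        String created = text(token, WSU, "Created");
        if (nonceB64 == null || created == null) return false; // the digest form requires both
        try {
            Instant ts = Instant.parse(created);
            if (Duration.between(ts, Instant.now()).abs().compareTo(MAX_SKEW) > 0) return false; // stale or future-dated
            if (!SEEN_NONCES.add(nonceB64)) return false; // nonce already used: replay
            MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
            sha1.update(Base64.getDecoder().decode(nonceB64)); // digest is over the raw nonce bytes, not the Base64 text
            sha1.update(created.getBytes(StandardCharsets.UTF_8));
            sha1.update(expected.getBytes(StandardCharsets.UTF_8));
            return MessageDigest.isEqual(Base64.getDecoder().decode(value), sha1.digest());
        } catch (Exception e) {
            return false; // bad timestamp, bad Base64 or missing provider all mean "not authenticated"
        }
    }

    private static Element first(Element parent, String ns, String local) {
        NodeList nl = parent.getElementsByTagNameNS(ns, local);
        return nl.getLength() == 0 ? null : (Element) nl.item(0);
    }

    private static String text(Element parent, String ns, String local) {
        Element e = first(parent, ns, local);
        return e == null ? null : e.getTextContent().trim();
    }

    private static SOAPFaultException fault(String reason) throws SOAPException {
        return new SOAPFaultException(SOAPFactory.newInstance().createFault(reason,
                new QName(SOAPConstants.URI_NS_SOAP_1_1_ENVELOPE, "Client")));
    }

    @Override public boolean handleFault(SOAPMessageContext ctx) { return true; }
    @Override public void close(MessageContext ctx) { }
}
```

The endpoint then does its authorization from `(String) wsContext.getMessageContext().get(UsernameTokenHandler.PRINCIPAL)`. Two caveats a practitioner should weigh before choosing the hand-rolled route: PasswordDigest can only be verified if the server holds the plaintext password (or a derivation the client can reproduce), so with the mutual-certificate channel from the question already in place, PasswordText over that protected channel plus a properly hashed password store is often the better trade; and the nonce cache above is a placeholder, since without expiry it grows without bound and without persistence it offers no replay protection across instances. These are exactly the details WSS4J and XWSS already handle, which is the answer's argument for using them.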
