1. 首页
  2. 问答
  3. 如何防止CXF安全的web服务从浏览器访问

如何防止CXF安全的web服务从浏览器访问

2012-12-13 33 views
2

我正在开发一个基本的WebService使用CXF和Spring的例子。 这里是我的课:如何防止CXF安全的web服务从浏览器访问

public interface AuthService { 
@WebMethod 
    Person getPerson(@WebParam(name="user_id") Long userId); 
}

的WS实现如下:

public class AuthServiceImpl implements AuthService{ 

public Person getPerson(Long gid) { 
    Person p = new Person(); 
    p.setUserId(gid); 
    p.setEmail("test"+gid+"@test.de"); 
    p.setName("test"+gid); 

    return p; 
} 

}

我的web.xml情况如下:

<listener> 
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> 
</listener> 
<context-param> 
    <param-name>contextConfigLocation</param-name> 
    <param-value>WEB-INF/cxf-beans.xml</param-value> 
</context-param>  
<servlet> 
    <servlet-name>CXFServlet</servlet-name> 
    <servlet-class> 
     org.apache.cxf.transport.servlet.CXFServlet 
    </servlet-class> 
    <load-on-startup>1</load-on-startup> 
</servlet> 
<servlet-mapping> 
    <servlet-name>CXFServlet</servlet-name> 
    <url-pattern>/*</url-pattern> 
</servlet-mapping>

我CXF-beans.xml文件是:

<?xml version="1.0" encoding="UTF-8"?> 
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:jaxws="http://cxf.apache.org/jaxws" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd"> 
<import resource="classpath:META-INF/cxf/cxf.xml" /> 
<import resource="classpath:META-INF/cxf/cxf-extension-soap.xml"/> 


<bean id="logInBound" class="org.apache.cxf.interceptor.LoggingInInterceptor" /> 
<bean id="logOutBound" class="org.apache.cxf.interceptor.LoggingOutInterceptor" /> 
</beans>

这里是我的CXF-servlet.xml中:

<?xml version="1.0" encoding="UTF-8"?> 
<beans xmlns="http://www.springframework.org/schema/beans" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xmlns:jaxws="http://cxf.apache.org/jaxws" 
    xmlns:soap="http://cxf.apache.org/bindings/soap" 
    xsi:schemaLocation=" 
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd 
http://cxf.apache.org/bindings/soap http://cxf.apache.org/schemas/configuration/soap.xsd 
http://cxf.apache.org/jaxws 
http://cxf.apache.org/schemas/jaxws.xsd"> 
<jaxws:server id="jaxwsService" serviceClass="com.iptech.cxfws.service.AuthService" address="/auth_user"> 
<jaxws:serviceBean> 
    <bean class="com.iptech.cxfws.service.impl.AuthServiceImpl" /> 
</jaxws:serviceBean> 


<jaxws:inInterceptors> 
    <ref bean="interceptor"/> 
</jaxws:inInterceptors> 
</jaxws:server> 

<bean id="interceptor" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"> 
<constructor-arg> 
    <map> 
    <entry key="action" value="UsernameToken" /> 
    <entry key="passwordType" value="PasswordText" /> 
    <entry key="passwordCallbackRef"> 
      <ref bean="passwordCallback" /> 
    </entry> 
    </map> 
</constructor-arg> 
</bean> 
<bean id="passwordCallback" class="com.iptech.cxfws.service.callback.ServerPasswordCallback"/> 

</beans>

最后是我ServerPasswordCallback类:

public class ServerPasswordCallback implements CallbackHandler { 

public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException { 

    WSPasswordCallback pc = (WSPasswordCallback) callbacks[0]; 
    String username = pc.getIdentifier(); 
    String password = //get it from a business class 
    pc.setPassword(password); 
}

}

正如你可以看到这是一个非常简单的例子,你可以在每一个找到CXF基础教程。 现在,我有两个问题: 1)当我打电话

http://localhost:8080/cxf-ws/auth_user/getPerson?user_id=11

从互联网浏览器(Chrome浏览器)我得到回应,没有用户名/密码验证就完成了。但是,从Java客户端调用WS时,如果不在SOAP消息头中包含用户名/密码,则无法获得响应。这是正常的吗? 2)第二个问题与WS-Security无关。在将我的WS部署/发布到Tomcat时,一切都按预期工作(除了上面提到的安全问题)。但是,我有以下例外:

javax.xml.bind.UnmarshalException: unexpected element 
(URI : "http://schemas.xmlsoap.org/ws/2005/04/discovery", local : "Probe"). 
Expected elements are <{http://docs.oasis-open.org/ws-dd/ns/discovery/2009/01}AppSequence>, 
<{http://docs.oasis-open.org/ws-dd/ns/discovery/2009/01}Bye>, 
<{http://www.w3.org/2005/08/addressing}EndpointReference>, 
<{http://docs.oasis-open.org/ws-dd/ns/discovery/2009/01}Hello>, 
<{http://docs.oasis-open.org/ws-dd/ns/discovery/2009/01}MetadataVersion>, 
<{http://docs.oasis-open.org/ws-dd/ns/discovery/2009/01}Probe>, 
<{http://docs.oasis-open.org/ws-dd/ns/discovery/2009/01}ProbeMatches>, 
<{http://docs.oasis-open.org/ws-dd/ns/discovery/2009/01}Resolve>, 
<{http://docs.oasis-open.org/ws-dd/ns/discovery/2009/01}ResolveMatches>, 
<{http://docs.oasis-open.org/ws-dd/ns/discovery/2009/01}Scopes>, 
<{http://docs.oasis-open.org/ws-dd/ns/discovery/2009/01}Security>, 
<{http://docs.oasis-open.org/ws-dd/ns/discovery/2009/01}Sig>, 
<{http://docs.oasis-open.org/ws-dd/ns/discovery/2009/01}SupportedMatchingRules>, 
<{http://docs.oasis-open.org/ws-dd/ns/discovery/2009/01}Types>, 
<{http://docs.oasis-open.org/ws-dd/ns/discovery/2009/01}XAddrs>

任何帮助是非常赞赏。

来源

2012-12-13 Laabidi Raissi

回答

1

升级到CXF 2.7.1或更改为使用WS-SecurityPolicy。

来源

2012-12-13 18:16:16

+0

我实际上使用CXF 2.7.0,它是目前最新版本,因为我可以在他们的下载页面中阅读。 –

+0

2.7.1本周早些时候发布。在下载页面可用,忘记更新主要的“新闻”部分。 –

+0

@DanielKulp为了帮助其他遇到这个问题的用户,是否有一个在2.7.1中修复的特定问题,您可以指点我们? – artbristol

相关问题

 相关问题