Problem description
I made a question about JAX-WS, Authentication and Authorization - How to?; there was a discussion about security levels, and where to store user credentials.
Now, after some conclusions, I want to try one of those scenarios:
- SOAP web service - Metro
- Message-level security - mutual certificate authentication, to authenticate the client application
- User credentials in the SOAP header
How do I get the credentials and do the authorization? I have 2 ideas:
- JAAS (about which I know nothing);
- SOAP handler - use WebServiceContext to extract the credentials from the message and do the authorization "by hand".
Can you help me to decide the best way, and how to implement it?
Remember that I want to use mutual certificates as well as user tokens.
Recommended answer
JAAS does not define how the authentication information should look in SOAP, but WS-Security defines what kind of standardized tokens you can use during the client-server exchange (Username+password token / X.509 certificate / SAML token / Kerberos token).
Edit: With respect to the Metro WebService stack, you need (steps taken from here and here):
- Inject the handler that implements javax.xml.ws.handler.soap.SOAPHandler into the JAX-WS handler chain, either programmatically via ((BindingProvider)port).getBinding().setHandlerChain(Collections.singletonList(handler)) or declaratively by adding the @HandlerChain(file = "handlers.xml") annotation to your WS endpoint interface.
- The handler should create an XWSSProcessor instance using XWSSProcessorFactory, which is passed the callback handler that implements javax.security.auth.callback.CallbackHandler.
- The callback handler e.g. defines a validator on the callback (depends on the callback type).
This is the same as "doing by hand" (as the 1st step is to intercept the SOAP message anyway), with some WSS sugar on top. But WSIT (and CXF) use the JAAS API and they provide standard implementations for various authentication tokens. Enabling them needs some configuration / coding effort, but the benefit is that if you later decide to switch from plaintext to Kerberos authentication, you don't need to code a lot. Also, "doing by hand" means that you need to deal with authentication information on the XML level, and what you'll do is implement one of the standards.
I suggest using Apache CXF, which is based on WSS4J (http://ws.apache.org/wss4j), the WS-Security implementation from Apache. You can easily find tutorials (e.g. here and here for Username+password, here and here for SAML) that show how to define callbacks / interceptors to verify the authentication information. The advantage of CXF is that it has nice integration with Spring.
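As an added illustration of the "doing by hand" option the question and the answer both mention (this is example code written for this page, not code from the answer, from Metro, XWSS or CXF), the server-side SOAPHandler below reads a WS-Security UsernameToken from the SOAP header, checks the password against a salted PBKDF2 hash with a constant-time comparison, rejects the request with a SOAP Client fault on any failure, and exposes the principal and its permissions in APPLICATION scope so the endpoint can read them through WebServiceContext and do the authorization. The class name, the context keys, the sample user "alice" with her password and permissions, and the require() helper are all assumptions made for the example; the wsse namespace URI is the standard WS-Security 1.0 one. It assumes JAX-WS 2.x (javax.xml.ws) and Java 9+ for Set.of. The mutual X.509 certificate authentication the question also asks for stays in the transport / WSIT policy configuration and is not shown here.

```java
import java.security.*;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.xml.namespace.QName;
import javax.xml.soap.*;
import javax.xml.ws.WebServiceContext;
import javax.xml.ws.WebServiceException;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;
import javax.xml.ws.soap.SOAPFaultException;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Hypothetical server-side handler: authenticates a wsse:UsernameToken (PasswordText) from the SOAP header and
// publishes the principal and its permissions to the endpoint through the message context.
// Register it with @HandlerChain(file = "handlers.xml") on the endpoint, as the answer describes.
public class UsernameTokenHandler implements SOAPHandler<SOAPMessageContext> {
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final QName SECURITY = new QName(WSSE, "Security");
    public static final String PRINCIPAL = "example.auth.principal";     // context keys; names are assumptions
    public static final String PERMISSIONS = "example.auth.permissions";
    // Constructed sample store: user -> {salt, PBKDF2(salt, password)}; a real service would use a DB or LDAP.
    private final Map<String, byte[][]> users = new HashMap<>();
    private final Map<String, Set<String>> permissions = new HashMap<>();

    public UsernameTokenHandler() {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        users.put("alice", new byte[][] { salt, hash(salt, "correct horse battery") });
        permissions.put("alice", Set.of("orders:read", "orders:write"));
    }

    @Override
    public Set<QName> getHeaders() {
        return Collections.singleton(SECURITY); // so a mustUnderstand="1" Security header is accepted
    }

    @Override
    public boolean handleMessage(SOAPMessageContext ctx) {
        if (Boolean.TRUE.equals(ctx.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY))) return true; // responses skipped
        String[] cred;
        try {
            SOAPHeader header = ctx.getMessage().getSOAPHeader();
            cred = header == null ? null : extractUsernameToken(header);
        } catch (SOAPException e) { cred = null; }
        if (cred == null || !authenticate(cred[0], cred[1])) {
            throw clientFault("authentication failed"); // one generic reason; never say which part failed
        }
        ctx.put(PRINCIPAL, cred[0]);
        ctx.setScope(PRINCIPAL, MessageContext.Scope.APPLICATION); // APPLICATION scope: visible to the endpoint
        ctx.put(PERMISSIONS, permissions.getOrDefault(cred[0], Collections.emptySet()));
        ctx.setScope(PERMISSIONS, MessageContext.Scope.APPLICATION);
        return true;
    }

    /** Returns {username, password} from wsse:Security/wsse:UsernameToken, or null if absent or ambiguous. */
    static String[] extractUsernameToken(SOAPHeader header) {
        Iterator<?> it = header.getChildElements(SECURITY);
        if (!it.hasNext()) return null;
        NodeList tokens = ((SOAPElement) it.next()).getElementsByTagNameNS(WSSE, "UsernameToken");
        if (tokens.getLength() != 1) return null; // exactly one token, anything else is rejected
        Element token = (Element) tokens.item(0);
        NodeList user = token.getElementsByTagNameNS(WSSE, "Username");
        NodeList pass = token.getElementsByTagNameNS(WSSE, "Password");
        if (user.getLength() != 1 || pass.getLength() != 1) return null;
        String type = ((Element) pass.item(0)).getAttribute("Type");
        if (!type.isEmpty() && !type.endsWith("#PasswordText")) return null; // PasswordDigest not handled here
        return new String[] { user.item(0).getTextContent().trim(), pass.item(0).getTextContent() };
    }

    boolean authenticate(String user, String password) {
        byte[][] rec = users.get(user);
        // Always compute a hash so response time does not reveal whether the username exists.
        byte[] salt = rec == null ? new byte[16] : rec[0];
        byte[] expected = rec == null ? new byte[32] : rec[1];
        boolean match = MessageDigest.isEqual(expected, hash(salt, password)); // constant-time comparison
        return rec != null && match;
    }

    static byte[] hash(byte[] salt, String password) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 100_000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }

    static SOAPFaultException clientFault(String reason) {
        try {
            QName code = new QName(SOAPConstants.URI_NS_SOAP_ENVELOPE, "Client"); // SOAP 1.1 sender fault
            return new SOAPFaultException(SOAPFactory.newInstance().createFault(reason, code));
        } catch (SOAPException e) { throw new WebServiceException(e); }
    }

    /** Authorization step for the endpoint, which gets its WebServiceContext injected with @Resource. */
    public static void require(WebServiceContext wsCtx, String permission) {
        Object perms = wsCtx.getMessageContext().get(PERMISSIONS);
        if (!(perms instanceof Set) || !((Set<?>) perms).contains(permission)) throw clientFault("not authorized");
    }

    @Override public boolean handleFault(SOAPMessageContext ctx) { return true; }
    @Override public void close(MessageContext ctx) { }
}
```

In the endpoint implementation you would declare a field annotated with @Resource of type WebServiceContext and call UsernameTokenHandler.require(wsCtx, "orders:write") at the start of each operation that needs that permission. The handler deliberately returns the same fault text for a missing header, an unknown user and a wrong password, and it only accepts PasswordText tokens, so this design relies on the transport (TLS with the mutual certificates from the question) to keep the password confidential in transit.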