我正在使用Java 8和Spring Boot进行的项目中,我想在其中添加Wss4jSecurityInterceptor以用于登录。
到目前为止,这是我在WebServiceConfig类中所做的
@Bean
public AuthorizationCallBackHandler authorizationCallBackHandler(){
AuthorizationCallBackHandler callbackHandler = new AuthorizationCallBackHandler();
return callbackHandler;
}
@Bean
public Wss4jSecurityInterceptor securityInterceptor(){
Wss4jSecurityInterceptor securityInterceptor = new Wss4jSecurityInterceptor();
securityInterceptor.setValidationActions("UsernameToken");
securityInterceptor.setValidationCallbackHandler(authorizationCallBackHandler());
return securityInterceptor;
}
@Override
public void addInterceptors(List interceptors) {
interceptors.add(securityInterceptor());
//interceptors.add(endPointInterceptor());
}
因此,到达我的Web服务的每个请求都将被Wss4jSecurityInterceptor拦截,并由我的自定义回调处理,该定义如下:
public class AuthorizationCallBackHandler implements CallbackHandler{
private final Logger logger = LoggerFactory.getLogger(this.getClass());
@Autowired
VnWsCredentialRepository credentialsRepo;
@Autowired
AuthUtility authUtil;
@Override
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
if (callbacks[0] instanceof WSPasswordCallback) {
WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
String username = pc.getIdentifier();
VnWsCredential credentials = credentialsRepo.findByUsername(username);
logger.info("Request of authentication for username" + username);
String p = pc.getPassword();
// set the password on the callback. This will be compared to the
// password which was sent from the client.
if (credentials == null) {
pc.setPassword(null);
}else {
// String encodedPsw = authUtil.obtaindMD5Value(credentials.getPassword());
// pc.setPassword(encodedPsw);
pc.setPassword(credentials.getPassword());
}
}
if (callbacks[0] instanceof UsernameTokenPrincipalCallback) {
UsernameTokenPrincipalCallback pc = (UsernameTokenPrincipalCallback) callbacks[0];
pc.getPrincipal();
}
}
}
这是我的问题:调用Callback时,它将收到一个仅包含1个带有“ CleanupCallback”类型的回调的数组,而我当然不能用它做任何事情。
在以下设置中我缺少什么?
这是我使用SOAP UI进行的SOAP调用
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:it="some.fancy.ws">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:UsernameToken wsu:Id="UsernameToken-3967AEB46D733EF6E2154990461080350">
<wsse:Username>Just a user</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">just a password</wsse:Password>
<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">pUn8VjdpVaIamSAIwXEeXg==</wsse:Nonce>
<wsu:Created>2019-02-16T17:03:30.803Z</wsu:Created>
</wsse:UsernameToken></wsse:Security>
</soapenv:Header>
<soapenv:Body>
<it:getPOrderRequest>
<it:poNumber>2197111225-F03292</it:poNumber>
</it:getPOrderRequest>
</soapenv:Body>
</soapenv:Envelope>
答案 0 :(得分:0)
对于任何感兴趣的人,我首先通过从请求中删除标头中的内容来解决此问题。
之后,我用凭证设置了一个传出WSS,就像这样,Wss4j安全处理程序将Callback转换为我想要的实例(即WSPasswordCallback)。
经验教训:如果Wss4j在处理SOAP请求时检测到某种错误,它将生成CleanupCallback而不是WSPasswordCallback的实例