Web service SOAP UsernameToken with CXF: not sending the username/password on every request

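Time: 2016-02-29 14:39:53

Tags: java web-services soap cxf usernametoken

I use the UsernameToken security policy to protect a SOAP web service. I don't want the client to send the username/password on every request. Is it possible to make the web service stateful? Currently, ServerPasswordCallback is called on every request.

Here is my code: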

ComputeWS.java

import javax.jws.WebMethod;
import javax.jws.WebService;
import org.apache.cxf.annotations.EndpointProperties;
import org.apache.cxf.annotations.EndpointProperty;
import org.apache.cxf.annotations.Policy;

@WebService(
    serviceName = "ComputeWS",
    targetNamespace = "http://org.test/compute",
    name = "ComputeWS")
// Password validation for the UsernameToken is delegated to ServerPasswordCallback.
@EndpointProperties(
    value = { @EndpointProperty(key = "ws-security.callback-handler", value = "org.test.ServerPasswordCallback") })
// Attach the WS-SecurityPolicy document to the binding.
@Policy(placement = Policy.Placement.BINDING, uri = "WSPolicy.xml")
public class ComputeWS {

    @WebMethod
    public int add(int x, int y) {
        return x + y;
    }

}

WSPolicy.xml

<?xml version="1.0" encoding="UTF-8" ?>
<wsp:Policy wsu:Id="WSPolicy" xmlns:wsp="http://www.w3.org/ns/ws-policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsp:ExactlyOne>
    <wsp:All>
        <sp:SupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <wsp:Policy>
                <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                    <wsp:Policy>
                        <sp:WssUsernameToken11/>
                    </wsp:Policy>
                </sp:UsernameToken>
            </wsp:Policy>
        </sp:SupportingTokens>
    </wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>

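1 answer:

Answer 0 (score: 0)

There is no "out-of-the-box" way to do this. You could change the "IncludeToken" policy of the UsernameToken from "AlwaysToRecipient" to "Once". Then, on the server side, you would have to implement some way of tracking the client, via Spring Security or Apache Shiro, etc.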
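An added example, not part of the original question or answer and not CXF, Spring Security or Apache Shiro code: one way to do the server-side client tracking the answer mentions, by issuing an opaque session id after the first successful UsernameToken check and resolving it on later requests. The class name `ClientSessionTracker` is hypothetical, Java 16+ is assumed (records), and how the id travels between client and server (HTTP session cookie, SOAP header) is left out.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical helper (not a CXF, Spring Security or Shiro class): tracks clients
// that have already passed the UsernameToken check once.
public class ClientSessionTracker {
    private record Session(String user, Instant lastSeen) {}

    private final Map<String, Session> sessions = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final Duration idleTimeout;

    public ClientSessionTracker(Duration idleTimeout) { this.idleTimeout = idleTimeout; }

    // Call only after the password callback has accepted the credentials.
    public String open(String authenticatedUser, Instant now) {
        byte[] raw = new byte[32];                       // 256-bit unguessable id
        random.nextBytes(raw);
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(id, new Session(authenticatedUser, now));
        return id;
    }

    // Returns the user bound to the id, or empty if unknown or idle too long.
    public Optional<String> resolve(String id, Instant now) {
        if (id == null) return Optional.empty();
        Session s = sessions.computeIfPresent(id, (k, old) ->
            Duration.between(old.lastSeen(), now).compareTo(idleTimeout) > 0
                ? null                                   // expired: drop the entry
                : new Session(old.user(), now));         // sliding expiry
        return Optional.ofNullable(s).map(Session::user);
    }

    public void close(String id) { if (id != null) sessions.remove(id); }

    public static void main(String[] args) {
        ClientSessionTracker t = new ClientSessionTracker(Duration.ofMinutes(15));
        Instant t0 = Instant.parse("2016-02-29T14:00:00Z");   // constructed sample times
        String id = t.open("alice", t0);
        System.out.println(t.resolve(id, t0.plusSeconds(600)));   // within idle timeout
        System.out.println(t.resolve(id, t0.plusSeconds(3600)));  // idle past the timeout
        System.out.println(t.resolve("forged", t0));              // id never issued
    }
}
```

A request whose id does not resolve has to fall back to a full UsernameToken check before any operation runs.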