如何增强Callback处理程序CXF Interceptor方法

时间:2016-05-03 16:10:29

标签: java spring authentication cxf interceptor

我在spring bean配置文件中创建了一个 WSS4JInInterceptor ,如下所示

    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:jaxws="http://cxf.apache.org/jaxws"
        xmlns:jaxrs="http://cxf.apache.org/jaxrs"
        xsi:schemaLocation="http://cxf.apache.org/jaxws 
                            http://cxf.apache.org/schemas/jaxws.xsd
                            http://www.springframework.org/schema/beans 
                            http://www.springframework.org/schema/beans/spring-beans.xsd
                            http://cxf.apache.org/jaxrs 
                            http://cxf.apache.org/schemas/jaxrs.xsd">

        <jaxws:endpoint id="book"
            implementor="net.ma.soap.ws.endpoints.IBookEndPointImpl" address="/bookAuth">
            <jaxws:inInterceptors>
                <bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor"></bean>
                <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
                    <constructor-arg>
                        <map>
                            <entry key="action" value="UsernameToken" />
                            <entry key="passwordType" value="PasswordText" />
                            <entry key="passwordCallbackClass" value="net.ma.soap.ws.service.ServerPasswordCallback"></entry>
                        </map>
                    </constructor-arg>
                </bean>
            </jaxws:inInterceptors>
        </jaxws:endpoint>
    </beans>

ServerPasswordCallBack.java 如下所示

    package net.ma.soap.ws.service;

    import java.io.IOException;
    import java.util.ResourceBundle;
    import javax.security.auth.callback.Callback;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.callback.UnsupportedCallbackException;
    import org.apache.wss4j.common.ext.WSPasswordCallback;

    public class ServerPasswordCallback implements CallbackHandler {

        private static final String BUNDLE_LOCATION = "zuth";
        private static final String PASSWORD_PROPERTY_NAME = "auth.manager.password";
        private static String password;

        static {
            final ResourceBundle bundle = ResourceBundle.getBundle(BUNDLE_LOCATION);
            password = bundle.getString(PASSWORD_PROPERTY_NAME);
        }

        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
            pc.setPassword(password);
        }
    }

通过密码验证,一切正常。

我想知道是否有任何其他方法可以增强句柄(回调)方法,使其更加复杂,因此它可以检查的不仅仅是一个参数,例如我可以让它检查一个访问令牌,它会好得多。

password属性在zuth_fr_FR.properties文件中定义如下

auth.manager.password =纳贾赫

1 个答案:

答案 0 :(得分:1)

如果您想对您的用户名和令牌进行一些自定义验证(例如使用LDAP或类似的东西验证目录服务),您可以编写自己的自定义UsernameTokenValidator,覆盖UsernameTokenValidator的verifyPlaintextPassword(UsernameToken usernameToken)并将其连接到您的WSS4JInInterceptor将以下内容添加到bean定义

<property name="wssConfig">
        <ref bean="usernameTokenWssConfig"/>
</property>

并将引用的类添加到您的代码库中:

@Component("usernameTokenWssConfig")
public class usernameTokenWssConfigWSSConfig {
    public usernameTokenWssConfig() {
        setValidator(WSSecurityEngine.USERNAME_TOKEN, new CustomUsernameTokenValidator());
        setRequiredPasswordType(WSConstants.PASSWORD_TEXT);
    }
}