如何在WebSphere Liberty

时间:2017-03-23 09:17:52

标签: web-services wsdl websphere-liberty ws-security usernametoken

我想知道如何在WebSphere Liberty中启用WS-Security

我在Liberty个人资料中的 server.xml 中创建了一个用户( soa_user )和用户组( soa_group )。下面提到的所有功能都已成功安装。

server.xml中 

<server description="new server">
  <!-- Enable features -->
  <featureManager>
    <feature>javaee-7.0</feature>
    <feature>jdbc-4.1</feature>
    <feature>localConnector-1.0</feature>
    <feature>ssl-1.0</feature>
    <feature>servlet-3.1</feature>
    <feature>wsSecurity-1.1</feature>
    <feature>appSecurity-2.0</feature>
    <feature>jaxws-2.2</feature>
  </featureManager>
  <keyStore id="defaultKeyStore" password="yourPassword" />
  <basicRegistry id="basic" realm="Authentication">
    <user name="soa_user" password="testUserPassword" />
     <group name="soa_group">
         <member name="soa_user" />
     </group>
  </basicRegistry>
  <httpEndpoint host="*" httpPort="8080" httpsPort="9443" id="defaultHttpEndpoint" />
  .....
</server>

我有两个模块,其中一个用于生成EAR(ABCServiceEAR)文件,另一个用于SOAPService(ABCSOAPService)

src \ main \ webapp \ WEB-INF \ web.xml 下的ABCSOAPService中,我创建了一个用户角色,如下所示

  <security-role id="security_role_1">
    <role-name>authenticated-user</role-name>
  </security-role>

resources \ META-INF \ ibm-application-bnd.xml 下的ABCServiceEAR中,我已将上述用户角色分配给我在liberty server.xml中创建的组< / p> 

<security-role name="authenticated-user">
        <group name="soa_group" />
    </security-role>

我的目标是检查此用户是否从服务端点实现类进行了身份验证,如下所示

@javax.jws.WebService (endpointInterface="...",
        targetNamespace="...",
        serviceName="ABCService_1_0", portName="ABCServicePort_1_0",
        wsdlLocation="WEB-INF/wsdl/ABCSOAPService.wsdl")
@HandlerChain(file = "/handlers.xml")
@DeclareRoles({ "authenticated-user" })
public class ABCSOAPServiceImpl implements ABCSOAPService {

    @Resource
    private WebServiceContext wsContext; 

public void myMethod() {
        if (!wsContext.isUserInRole("authenticated-user")) {
            //do something
        }
    }

我的SOAP标题如下所示

   <soapenv:Header>
      <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
         <wsse:UsernameToken wsu:Id="UsernameToken-1314D8CB1A76EFB5F614902572284093">
            <wsse:Username>soa_user</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">testUserPassword</wsse:Password>
            <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">cCdfT/hAg3p4vNwRHP/BMA==</wsse:Nonce>
            <wsu:Created>2017-03-23T08:20:28.409Z</wsu:Created>
         </wsse:UsernameToken>
      </wsse:Security>
   </soapenv:Header>

我得到的回应如下:

<faultcode>soap:MustUnderstand</faultcode>
         <faultstring>MustUnderstand headers: [{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security] are not understood.</faultstring>

即使我将soapenv:mustUnderstand设置为&#34; 0&#34;,应用程序也无法识别服务端点类中的用户(wsContext.getUserPrincipal()为null)。

我是WS Security的新手,
有人可以告诉我如何实现这个目标吗? 我应该在WSDL中添加什么内容?
或者是否有方法在不更改WSDL的情况下全局配置安全性(可能在Liberty配置文件中)

更新

我已在{ProjectLocation} \ src \ main \ webapp \ WEB-INF \ policy-attachments-server.xml中提供了ws-security策略(策略附件),如下所示。 

<attachments
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        xmlns:wsp="http://www.w3.org/ns/ws-policy"
        xmlns:wsa="http://www.w3.org/2005/08/addressing"
        xmlns:sp13="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802"
        xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
    <wsp:PolicyAttachment wsdlNamespace="com.my-service.sales.servs.MyService">
        <wsp:AppliesTo>
            <wsa:EndpointReference>
                <wsa:Address>http://localhost:9080/sales/servs/MyService_1_0</wsa:Address>
            </wsa:EndpointReference>
        </wsp:AppliesTo>
        <wsp:Policy wsu:Id="UsernameTokenwithPasswordHashoverSSL">
            <wsp:ExactlyOne>
                <wsp:All>
                    <sp:SupportingTokens>
                        <wsp:Policy>
                            <sp:UsernameToken
                                    sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                                <wsp:Policy>
                                    <sp:WssUsernameToken10 />
                                </wsp:Policy>
                            </sp:UsernameToken>
                        </wsp:Policy>
                    </sp:SupportingTokens>
                </wsp:All>
            </wsp:ExactlyOne>
        </wsp:Policy>
    </wsp:PolicyAttachment>
</attachments>

我仍然遇到同样的问题。

2 个答案:

答案 0 :(得分:1)

您需要在服务中附加ws-security策略。您可以在WSDL中添加ws-security策略,也可以在web-inf目录(http://www.ibm.com/support/knowledgecenter/en/SSEQTP_liberty/com.ibm.websphere.wlp.zseries.doc/ae/twlp_dep_policyattach.html)中创建策略附件文件。

我们为您的方案提供了政策示例和配置选项,请参阅https://www.ibm.com/support/knowledgecenter/SSEQTP_liberty/com.ibm.websphere.wlp.nd.multiplatform.doc/ae/cwlp_wssec_utoken.html。您可以在此链接中使用该策略,并跳至&#34;在Web服务提供商中使用UsernameToken&#34;有关说明。

答案 1 :(得分:0)

在policy-attachments-server.xml中,使用wsp:URI,而不是wsa:EndpointReference

相关问题
最新问题