我正在尝试使用SubjectCreatingInterceptor在我的CXF入站端点中使用WS-Security UsernameToken实现身份验证和授权。
我已将我的用户名,密码和角色信息存储在JBoss EAP服务器的应用程序属性中。
Bean配置如下。
endpoints.xml:
<bean id="authenticationInterceptor" class="org.jboss.wsf.stack.cxf.security.authentication.SubjectCreatingInterceptor">
<constructor-arg>
<map>
<entry key="action" value="UsernameToken"/>
</map>
</constructor-arg>
</bean>
<bean id="authorizationInterceptor" class="org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor">
<property name="globalRoles" value="testrole"/>
</bean>
<cxf:cxfEndpoint id="auth-endpoint"
xmlns:nms="http://tempuri.org/"
address="http://localhost:9090/auth/test"
endpointName="nms:BasicHttpBinding_IRmsAuthenticationService"
serviceName="nms:RmsAuthenticationService"
wsdlURL="wsdl/Authentication_1.wsdl"
loggingFeatureEnabled="true">
<cxf:properties>
<entry key="ws-security.validate.token" value="false" />
<entry key="dataFormat" value="MESSAGE"/>
</cxf:properties>
<cxf:inInterceptors>
<ref bean="authenticationInterceptor" />
<ref bean="authorizationInterceptor" />
</cxf:inInterceptors>
</cxf:cxfEndpoint>
肥皂请求XML:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:upm="http://testservices.com">
<soapenv:Header>
<wsse:Security soapenv:mustUnderstand="true" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken>
<wsse:Username>testauth</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">testauth@123</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
<upm:GetToken2>
<upm:Token>test</upm:Token>
</upm:GetToken2>
</soapenv:Body>
触发请求后,它会发出以下错误:
WARN org.apache.cxf.phase.PhaseInterceptorChain Interceptor for {
http://tempuri.org/}RmsAuthenticationService has thrown exception, unwinding now: java.lang.NullPointerException
at org.jboss.wsf.stack.cxf.security.authentication.SubjectCreatingInterceptor.handleMessage(SubjectCreatingInterceptor.java:95) [jbossws-cxf-server-4.3.6.Final-redhat-1.jar:4.3.6.Final-redhat-1]
at org.jboss.wsf.stack.cxf.security.authentication.SubjectCreatingInterceptor.handleMessage(SubjectCreatingInterceptor.java:61) [jbossws-cxf-server-4.3.6.Final-redhat-1.jar:4.3.6.Final-redhat-1]
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) [cxf-core-3.1.5.redhat-630262.jar:3.1.5.redhat-630262]
at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) [cxf-core-3.1.5.redhat-630262.jar:3.1.5.redhat-630262]
at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:254) [cxf-rt-transports-http-3.1.5.redhat-630262.jar:3.1.5.redhat-630262]
at org.apache.cxf.transport.http_jetty.JettyHTTPDestination.doService(JettyHTTPDestination.java:234) [cxf-rt-transports-http-jetty-3.1.5.redhat-630262.jar:3.1.5.redhat-630262]
at org.apache.cxf.transport.http_jetty.JettyHTTPHandler.handle(JettyHTTPHandler.java:70) [cxf-rt-transports-http-jetty-3.1.5.redhat-630262.jar:3.1.5.redhat-630262]
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1129) [jetty-server-9.2.19.v20160908.jar:9.2.19.v20160908]
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1065) [jetty-server-9.2.19.v20160908.jar:9.2.19.v20160908]
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) [jetty-server-9.2.19.v20160908.jar:9.2.19.v20160908]
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215) [jetty-server-9.2.19.v20160908.jar:9.2.19.v20160908]
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97) [jetty-server-9.2.19.v20160908.jar:9.2.19.v20160908]
at org.eclipse.jetty.server.Server.handle(Server.java:499) [jetty-server-9.2.19.v20160908.jar:9.2.19.v20160908]
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311) [jetty-server-9.2.19.v20160908.jar:9.2.19.v20160908]
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257) [jetty-server-9.2.19.v20160908.jar:9.2.19.v20160908]
at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544) [jetty-io-9.2.19.v20160908.jar:9.2.19.v20160908]
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635) [jetty-util-9.2.19.v20160908.jar:9.2.19.v20160908]
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555) [jetty-util-9.2.19.v20160908.jar:9.2.19.v20160908]
at java.lang.Thread.run(Thread.java:748) [rt.jar:1.8.0_151-1-redhat]
你能否提出一些缺失的建议。提前谢谢。
亲爱的里卡多,我们已经尝试过按照你的建议实施WSS4J拦截器了。但我们面临以下问题,WARN [org.eclipse.jetty.server.HttpChannel](qtp1703888095-358)/ auth / test:java.lang.NoSuchFieldError:SAML_TOKEN 在org.apache.cxf.ws.security.wss4j.CXFRequestData。(CXFRequestData.java:39)[cxf-rt-ws-security-3.1.12.jar:3.1.12] at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:184)[cxf-rt-ws-security-3.1.12.jar:3.1.12] at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:171)[cxf-rt-ws-security-3.1.12.jar:3.1.12] at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:80)[cxf-rt-ws-security-3.1.12.jar:3.1.12] at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)[cxf-core-3.1.5.redhat-630262.jar:3.1.5.redhat-630262] at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)[cxf-core-3.1.5.redhat-630262.jar:3.1.5.redhat-630262] at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:254)[cxf-rt-transports-http-3.1.5.redhat-630262.jar:3.1.5.redhat-630262] at org.apache.cxf.transport.http_jetty.JettyHTTPDestination.doService(JettyHTTPDestination.java:234)[cxf-rt-transports-http-jetty-3.1.5.redhat-630262.jar:3.1.5.redhat-630262] 在org.apache.cxf.transport.http_jetty.JettyHTTPHandler.handle(JettyHTTPHandler.java:70)[cxf-rt-transports-http-jetty-3.1.5.redhat-630262.jar:3.1.5.redhat-630262] 在org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1129)[jetty-server-9.2.19.v20160908.jar:9.2.19.v20160908] 在org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1065)[jetty-server-9.2.19.v20160908.jar:9.2.19.v20160908] 在org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)[jetty-server-9.2.19.v20160908.jar:9.2.19.v20160908] at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)[jetty-server-9.2.19.v20160908.jar:9.2.19.v20160908] at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)[jetty-server-9.2.19.v20160908.jar:9.2.19.v20160908] 在org.eclipse.jetty.server.Server.handle(Server.java:499)[jetty-server-9.2.19.v20160908.jar:9.2.19.v20160908] at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)[jetty-server-9.2.19.v20160908.jar:9.2.19.v20160908] at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)[jetty-server-9.2.19.v20160908.jar:9.2.19.v20160908] 在org.eclipse.jetty.io.AbstractConnection $ 2.run(AbstractConnection.java:544)[jetty-io-9.2.19.v20160908.jar:9.2.19.v20160908] at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)[jetty-util-9.2.19.v20160908.jar:9.2.19.v20160908] 在org.eclipse.jetty.util.thread.QueuedThreadPool $ 3.run(QueuedThreadPool.java:555)[jetty-util-9.2.19.v20160908.jar:9.2.19.v20160908] 在java.lang.Thread.run(Thread.java:748)[rt.jar:1.8.0_151-1-redhat] 看起来它无法初始化CXFrequestdata java类。我们使用了util
<util:constant
static-field="org.apache.wss4j.dom.handler.WSHandlerConstants.ACTION"/>
在constructor-arg中声明WSS4JInterceptor bean,以避免在CXFRequestData类中加载常量。你能否建议我们如何进一步发展。谢谢。!!