Adding a UsernameToken and a signature with Wss4jSecurityInterceptor: securementActions does not work, because the BinarySecurityToken and the UsernameToken take the same password and username from the securityInterceptor

    @Bean
    public Wss4jSecurityInterceptor securityInterceptor() throws Exception {
        Wss4jSecurityInterceptor securityInterceptor = new Wss4jSecurityInterceptor();

        // Keystore that holds the signing key
        CryptoFactoryBean crypto = new CryptoFactoryBean();
        crypto.setKeyStoreLocation(getResourceFrom(keyStoreLocation));
        crypto.setKeyStorePassword(encryptorService.decrypt(keyStorePassword));
        crypto.setKeyStoreType("JKS");
        crypto.afterPropertiesSet();

        securityInterceptor.setSecurementActions(WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.TIMESTAMP + " " + WSHandlerConstants.USERNAME_TOKEN);
        securityInterceptor.setSecurementSignatureKeyIdentifier("DirectReference");
        securityInterceptor.setSecurementSignatureCrypto(crypto.getObject());

        // The same username/password pair is applied to both the signature and the UsernameToken
        securityInterceptor.setSecurementUsername(userName);
        securityInterceptor.setSecurementPassword(encryptorService.decrypt(password));
        return securityInterceptor;
    }

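This works if the username and password are the same for both. How can I set a different username and password for each?

This was possible before by using securementCallbackHandlers, but with spring-ws version 2.4.2 it is no longer possible.
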
Answer 0 (score: 0)

After debugging the internals of Spring Boot, I arrived at this solution:

I created a CustomUserNameTokenAction:

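    // Imports assume the WSS4J 2.x package layout
    import lombok.AllArgsConstructor;
    import lombok.Getter;
    import lombok.Setter;
    import org.apache.wss4j.common.SecurityActionToken;
    import org.apache.wss4j.common.ext.WSSecurityException;
    import org.apache.wss4j.dom.WSConstants;
    import org.apache.wss4j.dom.action.Action;
    import org.apache.wss4j.dom.handler.RequestData;
    import org.apache.wss4j.dom.handler.WSHandler;
    import org.apache.wss4j.dom.message.WSSecUsernameToken;
    import org.w3c.dom.Document;

    // UsernameToken action that carries its own credentials instead of the interceptor's
    @Getter
    @Setter
    @AllArgsConstructor
    public class CustomUserNameTokenAction implements Action {
        private String userName;
        private String password = "";

        public void execute(WSHandler handler, SecurityActionToken actionToken,
                            Document doc, RequestData reqData)
                throws WSSecurityException {
            String username = userName;
            WSSecUsernameToken builder = new WSSecUsernameToken();
            builder.setIdAllocator(reqData.getWssConfig().getIdAllocator());
            builder.setPrecisionInMilliSeconds(reqData.isPrecisionInMilliSeconds());
            builder.setWsTimeSource(reqData.getWssConfig().getCurrentTime());
            // PASSWORD_TEXT puts the password into the token unhashed
            builder.setPasswordType(WSConstants.PASSWORD_TEXT);
            builder.setPasswordsAreEncoded(reqData.isEncodePasswords());
            builder.setUserInfo(username, password);
            // Append the UsernameToken to the WS-Security header
            builder.build(doc, reqData.getSecHeader());
        }
    }
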
I also created a class to wrap the username and password configuration:

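    import lombok.Getter;
    import lombok.Setter;

    // Holds the credentials used only for the UsernameToken
    @Getter
    @Setter
    public class UserNameTokenConfig {
        private String userName;
        private String password;
    }
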
My security interceptor code became:

    @Bean
    public Wss4jSecurityInterceptor securityInterceptor() throws Exception {
        Wss4jSecurityInterceptor securityInterceptor = new Wss4jSecurityInterceptor();

        // Keystore that holds the signing key
        CryptoFactoryBean crypto = new CryptoFactoryBean();
        crypto.setKeyStoreLocation(getResourceFrom(keyStoreLocation));
        crypto.setKeyStorePassword(keyStorePassword);
        crypto.setKeyStoreType("JKS");
        crypto.afterPropertiesSet();

        securityInterceptor.setSecurementActions(WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.TIMESTAMP + " " + WSHandlerConstants.USERNAME_TOKEN);
        securityInterceptor.setSecurementSignatureKeyIdentifier("DirectReference");
        securityInterceptor.setSecurementSignatureCrypto(crypto.getObject());

        // Signature credentials: key alias and key password
        securityInterceptor.setSecurementUsername(keyAlias);
        securityInterceptor.setSecurementPassword(keyPassword);

        // Register the custom action under action code 1 (WSConstants.UT, the UsernameToken action);
        // "val" is Lombok's local variable type inference
        val wssConfig = WSSConfig.getNewInstance();
        wssConfig.setAction(1, new CustomUserNameTokenAction(userNameToken.getUserName(), userNameToken.getPassword()));
        securityInterceptor.setWssConfig(wssConfig);
        return securityInterceptor;
    }

So

    securityInterceptor.setSecurementUsername(keyAlias);
    securityInterceptor.setSecurementPassword(keyPassword);

is used for WSHandlerConstants.SIGNATURE

and

    val wssConfig = WSSConfig.getNewInstance();
    wssConfig.setAction(1, new CustomUserNameTokenAction(userNameToken.getUserName(), userNameToken.getPassword()));
    securityInterceptor.setWssConfig(wssConfig);

is used for WSHandlerConstants.USERNAME_TOKEN

Hope this helps.