0

I am using the usernameToken security policy to secure a soap webservice. I don't want the client to send the username/password on each requests. Is it possible to make the webservice statefull ? Currently the ServerPasswordCallback is called for each requests.

Here is my code :

ComputeWS.java

@WebService(
    serviceName = "ComputeWS",
    targetNamespace = "http://org.test/compute",
    name = "ComputeWS")
@EndpointProperties(
    value = { @EndpointProperty(key = "ws-security.callback-handler", value = "org.test.ServerPasswordCallback") })
@Policy(placement = Policy.Placement.BINDING, uri = "WSPolicy.xml")
public class ComputeWS {

@WebMethod
public int add(int x, int y) {
    return x * y;
}

}

WSPolicy.xml

<?xml version="1.0" encoding="UTF-8" ?>
<wsp:Policy wsu:Id="WSPolicy" xmlns:wsp="http://www.w3.org/ns/ws-policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsp:ExactlyOne>
    <wsp:All>
        <sp:SupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <wsp:Policy>
                <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                    <wsp:Policy>
                        <sp:WssUsernameToken11/>
                    </wsp:Policy>
                </sp:UsernameToken>
            </wsp:Policy>
        </sp:SupportingTokens>
    </wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>

ServerPasswordCallback.java

public class ServerPasswordCallback implements CallbackHandler {

@Override
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
    WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];

    if ("joe".equals(pc.getIdentifier())) {
        pc.setPassword("joespassword"); 
    }
}

}
4

1 回答 1

0

没有“开箱即用”的方法。您可以将 UsernameToken 的“IncludeToken”策略从“AlwaysToRecipient”更改为“Once”。然后在服务器端,您必须通过 Spring Security 或 Apache Shiro 等方式实现某种方式来跟踪客户端。

于 2016-03-01T10:12:02.967 回答