如何在 Web 服务请求之间发送用户名？

发布于 2024-07-21 08:29:50 字数 1331 浏览 5 评论 0原文

基本上问题是这样的：
有一个存储数据库过程，它将用户名作为参数并根据它生成一些 XML 数据。它由不安全 Web 服务（我们将该 Web 服务称为 WSA）中不带参数的方法调用。还有另一个 Web 服务（我们称之为 WSB），它应该调用 WSA。在此设置中，WSA 只能由 WSB 调用，而不能由其他任何人调用。 WSB 是用户所说的，它是他们获取所需 XML 数据的方式。 Web 服务部署在 OC4J 上，并且启用了安全性。 WSB 由 OC4J 保护，并通过提供 OC4J 用户的用户名和密码来访问。
测试 Web 服务时，OC4J 会向您提供一个表单，您可以在调用 Web 服务之前在其中输入登录信息。如果您选择在标头中包含安全信息并在调用服务之前预览消息，则用户名和密码将显示在消息中。
我的问题是我无法获取安全信息（或至少是用户名）来到达端点实现和存储过程的调用。到目前为止，我已经创建了 WSA，制作了一个引用它的 Web 服务代理，并基于该代理创建了 WSB。
到目前为止，我已尝试获取用户名（以及为什么它不起作用）：

让 WSA 实现 javax.xml.rpc.server.ServiceLifecycle。这为 WSA 提供了一个 javax.xml.rpc.server.ServletEndpointContext 实例，它为我提供了一个 java.security.Principal 实例。但是，如果我调用 WSB（WSB 又调用 WSA），则该 Principal 为 null。如果我保护 WSA 并直接调用它，则 Pricipal 不为 null 并且包含用户（但这并不能解决问题，因为我需要调用 WSB，而不是 WSA）。
为两个服务创建了处理程序（扩展javax.xml.rpc.handler.GenericHandler），它们应该能够处理消息。这里有一件事确实让我困惑。处理程序方法得到正确调用 - WSB 处理程序处理请求，然后 WSA 处理程序处理请求，然后 WSA 处理程序处理响应，最后 WSB 处理程序处理响应。但是，当我尝试在每个步骤中将消息打印到文件中时，我发现即使在第一步（当 WSB 处理请求时），消息中也没有安全信息。没有用户名，什么都没有。事实上，该消息与调用服务之前预览请求消息时在调用页面上显示的消息有很大不同。
尝试使用 @Resource 注释注入 WebServiceContext 实例，但显然 OC4J 不支持此操作。

如果有人能指出我可能做错的地方，我将非常感激。

原文

Basically the problem is this:
There is a stored database procedure that takes a username as an argument and produces some XML data depending on it. It is called by a method with no arguments in an unsecured web service (let's call that web service WSA). There is also another web service (let's call it WSB) which is supposed to call WSA. In this setup, WSA should only ever be called by WSB and never by anyone else. WSB is what users call and it is the way they get the required XML data. The web services are deployed on OC4J, and they have security enabled on them. WSB is secured by OC4J and is accessed by providing the username and password of an OC4J user.
When testing a web service, OC4J provides you with a form where you can enter login information prior to invoking a web service. If you select to include security info in the header and preview the message before invoking the service, the username and password are in the message.
My problem is that I can't get the security information (or at least the username) to reach the endpoint implementation and invocation of the stored procedure.
So far I have created WSA, made a web service proxy that refers to it, and created WSB based on the proxy.
What I have tried so far to get the username (and why it doesn't work):

Had WSA implement javax.xml.rpc.server.ServiceLifecycle. This provides WSA with an instance of javax.xml.rpc.server.ServletEndpointContext, which provides me with a java.security.Principal. However, that Principal is null if I call WSB (which in turn calls WSA). If I secure WSA and call it directly, the Pricipal is not null and contains the user (but it doesn't solve the problem, because I need to call WSB, not WSA).
Created handlers (extending javax.xml.rpc.handler.GenericHandler) for both services, which were supposed to be able to process the message. One thing really baffled me here. The handler methods get called correctly - the WSB handler handles the request, then the WSA handler handles the request, then the WSA handler handles the response and finally the WSB handler handles the response. But when I tried printing the messages to a file on each step, I found out that even at the first step (when WSB handles the request) there is no security information in the message. No username, no nothing. The message is in fact quite different from what is shown on the invocation page when previewing the request message before invoking the service.
Tried injecting an instance of WebServiceContext by using the @Resource annotation, but apparently OC4J doesn't support this.