当用户名和密码位于数据库中时，JAX-WS 和 BASIC 身份验证

发布于 2024-08-08 21:46:54 字数 1266 浏览 5 评论 0原文

我是 JAX-WS 的新手，有件事我不明白。

有大量关于如何设置 JAX-WS 安全性的教程，但在几乎所有情况下 BindingProvider.USERNAME_PROPERTY 和 BindingProvider.PASSWORD_PROPERTY 都存储在一些 .xml 文件中（取决于我认为的容器） - 它们是“硬编码的”那是。这就是我不明白的。如何通过将 BindingProvider.USERNAME_PROPERTY 和 BindingProvider.PASSWORD_PROPERTY 与数据库中的用户名和密码进行比较来验证 Web 服务客户端？我尝试在客户端设置 BindingProvider.USERNAME_PROPERTY 和 BindingProvider.PASSWORD_PROPERTY 如下：

    ShopingCartService scs = new ShopingCartService(wsdlURL, name);
    ShopingCart sc = scs.getShopingCartPort();
    Map<String, Object> requestContext = ((BindingProvider)sc).getRequestContext();
    requestContext.put(BindingProvider.USERNAME_PROPERTY, userName);
    requestContext.put(BindingProvider.PASSWORD_PROPERTY, password);
    sc.someFunctionCall();

然后，在服务器端检索如下：

@Resource
WebServiceContext wsContext;

@WebMethod
public void someFunctionCall() {
    MessageContext mc = wsContext.getMessageContext();
    mc.get(BindingProvider.USERNAME_PROPERTY);
    mc.get(BindingProvider.PASSWORD_PROPERTY);
}

但我总是得到 null，我没有在 xml 中设置任何内容，Web 服务工作得很好，除了我无法获取这些变量:(

我在 java 1.6、tomcat 6 和 JAX- 上运行WS

非常感谢使用数据库中的密码对用户进行身份验证的任何帮助，谢谢。

原文

I'm new to JAX-WS and there's a thing which I don't understand.

There's a ton of tutorials available on how to set up JAX-WS security, but in pretty much all cases BindingProvider.USERNAME_PROPERTY and BindingProvider.PASSWORD_PROPERTY are stored in some .xml file(depending on the container I believe) - they are "hardcoded" that is. And that's what I don't get. How can I authenticate a web service client by comparing BindingProvider.USERNAME_PROPERTY and BindingProvider.PASSWORD_PROPERTY with a user name and password that's in a database? I tried setting BindingProvider.USERNAME_PROPERTY and BindingProvider.PASSWORD_PROPERTY on the client side like this:

    ShopingCartService scs = new ShopingCartService(wsdlURL, name);
    ShopingCart sc = scs.getShopingCartPort();
    Map<String, Object> requestContext = ((BindingProvider)sc).getRequestContext();
    requestContext.put(BindingProvider.USERNAME_PROPERTY, userName);
    requestContext.put(BindingProvider.PASSWORD_PROPERTY, password);
    sc.someFunctionCall();

And then, on the server side retrieving like this:

@Resource
WebServiceContext wsContext;

@WebMethod
public void someFunctionCall() {
    MessageContext mc = wsContext.getMessageContext();
    mc.get(BindingProvider.USERNAME_PROPERTY);
    mc.get(BindingProvider.PASSWORD_PROPERTY);
}

But I always get null, I didn't set up anything in xml, web service works just fine, except I can't get those variables :(

I'm running both on java 1.6, tomcat 6 and JAX-WS.

Any help with authenticating users with passwords from a database is greatly appreciated,
Thanks.

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

对不⑦ 2024-08-15 21:46:54

我认为您正在寻找应用程序级别的 JAX-WS 身份验证，而不是服务器级别的 HTTP 基本身份验证。请参阅以下完整示例：

使用 JAX-WS 进行应用程序身份验证

在Web服务客户端站点上，只需将您的“用户名”和“密码”放入请求标头中即可。

Map<String, Object> req_ctx = ((BindingProvider)port).getRequestContext();
req_ctx.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, WS_URL);

Map<String, List<String>> headers = new HashMap<String, List<String>>();
headers.put("Username", Collections.singletonList("someUser"));
headers.put("Password", Collections.singletonList("somePass"));
req_ctx.put(MessageContext.HTTP_REQUEST_HEADERS, headers);

在Web服务服务器站点上，通过WebServiceContext获取请求标头参数。

@Resource
WebServiceContext wsctx;

@WebMethod
public String method() {
    MessageContext mctx = wsctx.getMessageContext();

    Map http_headers = (Map) mctx.get(MessageContext.HTTP_REQUEST_HEADERS);
    List userList = (List) http_headers.get("Username");
    List passList = (List) http_headers.get("Password");
    //...

I think you are looking for JAX-WS authentication in application level, not HTTP basic in server level. See following complete example :

Application Authentication with JAX-WS

On the web service client site, just put your “username” and “password” into request header.

Map<String, Object> req_ctx = ((BindingProvider)port).getRequestContext();
req_ctx.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, WS_URL);

Map<String, List<String>> headers = new HashMap<String, List<String>>();
headers.put("Username", Collections.singletonList("someUser"));
headers.put("Password", Collections.singletonList("somePass"));
req_ctx.put(MessageContext.HTTP_REQUEST_HEADERS, headers);

On the web service server site, get the request header parameters via WebServiceContext.

@Resource
WebServiceContext wsctx;

@WebMethod
public String method() {
    MessageContext mctx = wsctx.getMessageContext();

    Map http_headers = (Map) mctx.get(MessageContext.HTTP_REQUEST_HEADERS);
    List userList = (List) http_headers.get("Username");
    List passList = (List) http_headers.get("Password");
    //...

回复收藏 0 原文

吃兔兔 2024-08-15 21:46:54

BindingProvider.USERNAME_PROPERTY 和 BindingProvider.PASSWORD_PROPERTY 与 HTTP 基本身份验证机制匹配，该机制在 HTTP 级别启用身份验证过程，而不是在应用程序或 servlet 级别。

基本上，只有 HTTP 服务器知道用户名和密码（并最终根据 HTTP/应用程序服务器规范（例如 Apache/PHP）来应用程序）。
使用 Tomcat/Java，在 web.xml 中添加登录配置 BASIC 和适当的安全约束/安全角色（稍后将与真实用户的用户/组关联的角色）。

<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>YourRealm</realm-name>
</login-config>

然后，将 HTTP 服务器（或应用程序服务器）级别的领域与适当的用户存储库连接起来。对于 tomcat，您可以查看可能适合您需求的 JAASRealm、JDBCRealm 或 DataSourceRealm。

http://tomcat.apache.org/tomcat-6.0-doc/realm -howto.html

BindingProvider.USERNAME_PROPERTY and BindingProvider.PASSWORD_PROPERTY are matching HTTP Basic Authentication mechanism that enable authentication process at the HTTP level and not at the application nor servlet level.

Basically, only the HTTP server will know the username and the password (and eventually application according to HTTP/application server specification, such with Apache/PHP).
With Tomcat/Java, add a login config BASIC in your web.xml and appropriate security-constraint/security-roles (roles that will be later associated to users/groups of real users).

<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>YourRealm</realm-name>
</login-config>

Then, connect the realm at the HTTP server (or application server) level with the appropriate user repository. For tomcat you may look at JAASRealm, JDBCRealm or DataSourceRealm that may suit your needs.

http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html

回复收藏 0 原文

回梦 2024-08-15 21:46:54

我遇到了同样的问题，并在这里找到了解决方案：

http://www.mastertheboss.com/web-interfaces/336-jax-ws-basic-authentication.html?start=1

祝你好运

回复收藏 0 原文

好久不见√ 2024-08-15 21:46:54

有关同时使用应用程序级别身份验证和 HTTP 基本身份验证的示例，请参阅我的一篇之前的帖子。

回复收藏 0 原文

孤独患者 2024-08-15 21:46:54

我遇到了类似的情况，我需要向我的 WS 提供：用户名、密码和 WSS 密码类型。

我最初使用“Http Basic Auth”（如@ahoge），我尝试使用@Philipp-Dev 的参考。也。我没有得到成功的解决方案。

在谷歌进行了一番深入搜索后，我发现了这篇文章：

https://stackoverflow.com/a/3117841/1223901

这是我的问题解决方案，

我希望这对其他人有帮助，就像对我有帮助一样。

平均值，
爱维

回复收藏 0 原文

苄①跕圉湢 2024-08-15 21:46:54

在客户端 SOAP 处理程序中，您需要设置 javax.xml.ws.security.auth.username 和 javax.xml.ws.security.auth.password 属性，如下所示：

public class ClientHandler implements SOAPHandler<SOAPMessageContext>{

    public boolean handleMessage(final SOAPMessageContext soapMessageContext)
    {
        final Boolean outInd = (Boolean)soapMessageContext.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY);
        if (outInd.booleanValue())
        {
          try 
          {
               soapMessageContext.put("javax.xml.ws.security.auth.username", <ClientUserName>);
               soapMessageContext.put("javax.xml.ws.security.auth.password", <ClientPassword>);
          } 
          catch (Exception e)
          {
               e.printStackTrace();
               return false;
          }
         }
      return true;
     }
}

In your client SOAP handler you need to set javax.xml.ws.security.auth.username and javax.xml.ws.security.auth.password property as follow:

public class ClientHandler implements SOAPHandler<SOAPMessageContext>{

    public boolean handleMessage(final SOAPMessageContext soapMessageContext)
    {
        final Boolean outInd = (Boolean)soapMessageContext.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY);
        if (outInd.booleanValue())
        {
          try 
          {
               soapMessageContext.put("javax.xml.ws.security.auth.username", <ClientUserName>);
               soapMessageContext.put("javax.xml.ws.security.auth.password", <ClientPassword>);
          } 
          catch (Exception e)
          {
               e.printStackTrace();
               return false;
          }
         }
      return true;
     }
}

回复收藏 0 原文

北斗星光 2024-08-15 21:46:54

如果您将客户端的用户名和密码以这种方式放入请求中：

URL url = new URL("http://localhost:8080/myapplication?wsdl");
MyWebService webservice = new MyWebServiceImplService(url).getMyWebServiceImplPort();
Map<String, Object> requestContext = ((BindingProvider) webservice).getRequestContext();
requestContext.put(BindingProvider.USERNAME_PROPERTY, "myusername");
requestContext.put(BindingProvider.PASSWORD_PROPERTY, "mypassword");

并调用您的Web服务

String response = webservice.someMethodAtMyWebservice("test");

然后您可以在服务器端读取像这样的基本身份验证字符串（您必须添加一些检查并执行一些异常处理）：

@Resource
WebServiceContext webserviceContext;

public void someMethodAtMyWebservice(String parameter) {
    MessageContext messageContext = webserviceContext.getMessageContext();
    Map<String, ?> httpRequestHeaders = (Map<String, ?>) messageContext.get(MessageContext.HTTP_REQUEST_HEADERS);
    List<?> authorizationList = (List<?>) httpRequestHeaders.get("Authorization");
    if (authorizationList != null && !authorizationList.isEmpty()) {
        String basicString = (String) authorizationList.get(0);
        String encodedBasicString = basicString.substring("Basic ".length());
        String decoded = new String(Base64.getDecoder().decode(encodedBasicString), StandardCharsets.UTF_8);
        String[] splitter = decoded.split(":");
        String usernameFromBasicAuth = splitter[0];
        String passwordFromBasicAuth = splitter[1];
    }

If you put the username and password at clientside into the request this way:

URL url = new URL("http://localhost:8080/myapplication?wsdl");
MyWebService webservice = new MyWebServiceImplService(url).getMyWebServiceImplPort();
Map<String, Object> requestContext = ((BindingProvider) webservice).getRequestContext();
requestContext.put(BindingProvider.USERNAME_PROPERTY, "myusername");
requestContext.put(BindingProvider.PASSWORD_PROPERTY, "mypassword");

and call your webservice

String response = webservice.someMethodAtMyWebservice("test");

Then you can read the Basic Authentication string like this at the server side (you have to add some checks and do some exceptionhandling):

@Resource
WebServiceContext webserviceContext;

public void someMethodAtMyWebservice(String parameter) {
    MessageContext messageContext = webserviceContext.getMessageContext();
    Map<String, ?> httpRequestHeaders = (Map<String, ?>) messageContext.get(MessageContext.HTTP_REQUEST_HEADERS);
    List<?> authorizationList = (List<?>) httpRequestHeaders.get("Authorization");
    if (authorizationList != null && !authorizationList.isEmpty()) {
        String basicString = (String) authorizationList.get(0);
        String encodedBasicString = basicString.substring("Basic ".length());
        String decoded = new String(Base64.getDecoder().decode(encodedBasicString), StandardCharsets.UTF_8);
        String[] splitter = decoded.split(":");
        String usernameFromBasicAuth = splitter[0];
        String passwordFromBasicAuth = splitter[1];
    }

回复收藏 0 原文

~没有更多了~