WS-安全 Websphere 配置
我正在尝试使用 Websphere 7 和 JAX-WS 开发一个使用 WS-Security 的 Web 服务。通过查看一些指南,我似乎必须创建一个应用程序服务器用户注册表并在该服务器内维护用户名/密码。无论如何,是否可以避免在服务器本身中创建用户名并以某种方式捕获标头并基于另一个自定义安全配置(例如单点登录)进行验证?
我可以创建一个处理程序来获取标头,但是当请求中的 MustUnderstands 设置为 1(这是强制性的)时,它会在我的处理程序看到消息之前被拒绝。
我只想使用 WS-Security 的 UsernameToken 部分。
任何帮助表示赞赏。
我的请求示例
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" Id="unt_20">
<wsse:Username>some_username</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">some_password</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
...body...
</soapenv:Body>
</soapenv:Envelope>
是否可以创建自定义安全实现,以便我可以使用现有的用户验证方案?
I'm trying to develop a web service that uses WS-Security using Websphere 7 and JAX-WS. Looking through some guides, it appears that I MUST create a application server user registry and maintain username/passwords inside of that server. Is there anyway to avoid having to create usernames in the server itself and somehow capture the header and do validation based upon another a custom security configuration like a single sign-on?
I'm able to create a handler to get the header, but when mustUnderstands is set to 1 in the request (which is mandatory), it gets rejected before my handler sees the message.
I'm only looking to use the UsernameToken part of WS-Security.
Any help is appreciated.
An example of my request
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" Id="unt_20">
<wsse:Username>some_username</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">some_password</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
...body...
</soapenv:Body>
</soapenv:Envelope>
Is it possible to create a custom security implementation so I can use my existing user validation scheme?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
看来我可以实现一个自定义用户注册表,它可以与我选择的安全实现进行交互。 IBM 文章的链接:
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/tsec_useregistry.html
It would appear that I can implement a custom user registry that can interact with the security implementation of my choice. A link to the IBM article:
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/tsec_useregistry.html
另一个可能的答案是创建信任关联拦截器(TAI)。这基本上扩展了您当前的安全性。
这是一个有用的入门链接:
http://www.ibm.com/developerworks/websphere/techjournal/0508_benantar /0508_benantar.html
Another possible answer is to create a Trust Association Interceptor (TAI). This basically extends your current security.
Here is a useful link to get started:
http://www.ibm.com/developerworks/websphere/techjournal/0508_benantar/0508_benantar.html
您可以使用带有策略/绑定的现成 WS-Security 运行时来实现此目的,但您必须编写自定义代码来覆盖检查用户注册表中 UsernameTokens 的默认行为。
请参阅本文,了解如何在使用 UsernameToken 时使用您自己的认证机制:
在没有注册表交互的情况下配置 UsernameToken 调用方配置
如果您还想创建 WebSphere,请参阅本文基于该令牌中的用户名的凭证:
使用堆叠式JAAS登录模块替换UsernameToken消费者的身份验证方法
You can use the out-of-box WS-Security runtime with policy/bindings to achieve this, but you must write custom code to override the default behavior of checking the user registry for UsernameTokens.
See this article for using your own authentication mechanism when consuming the UsernameToken:
Configuring a UsernameToken caller configuration with no registry interaction
See this article if you want to also create WebSphere credentials based on the user name in that token:
Replacing the authentication method of the UsernameToken consumer using a stacked JAAS login module
您能详细说明一下您想要实现的目标吗?
WAS 服务器需要根据其用户注册表(可以是 LDAP、基于文件的注册表等)验证标头中的用户名和密码。
也可以使用 LTPA 令牌(WebSphere 和相关产品用于 SSO)。
如果您详细说明了您的要求,这里的人们将能够帮助您。
HTH
曼格鲁
Can you elaborate on what you want to achieve?
The WAS Server needs to validate the username and password that comes in the header against its user registry (which could an LDAP, File based registry etc).
LTPA tokens (which are used by WebSphere and related products for SSO) can be used too.
If you spell out your requirements, folks here will be able to help you out.
HTH
Manglu
JAX-WS 应该允许您拥有自定义拦截器。
看一下这个 spring 配置,看看我如何向服务端点添加拦截器。
然后,拦截器可以执行您希望执行的任何操作,包括调用外部服务进行身份验证。
JAX-WS should allow you to have a custom interceptor.
Take a look at this spring config to see how I have added an interceptor to the service endpoint.
The interceptor can then do whatever you wish including calling out to an external service for authentication.