我正在使用Apache CXF为我的Web服务配置WS-Security。我添加了WSS4JInInterceptor和回调,它正在运行。问题是某些方法不需要受WS-Security保护,有些方法应该。
我怎么能这样做? WSS4JInInterceptor的任何注释或输入映射键?
我可以在WSS4jInInterceptor代码中看到:
public void handleMessage(SoapMessage msg) throws Fault {
if (msg.containsKey(SECURITY_PROCESSED) || isGET(msg)) {
return;
}
所以我似乎可以添加自定义拦截器并将SECURITY_PROCESSED添加到不受保护的方法中,但似乎有更好的方法。
答案 0 :(得分:1)
现在我不得不用我自己的Interceptor impl:
// adds skip flag for methods that should not be checked
public static class CheckMethodsInterceptor implements PhaseInterceptor<SoapMessage> {
private List<String> checkedMethods;
public CheckMethodsInterceptor(List<String> checkedMethods) {
this.checkedMethods = checkedMethods;
}
protected void allowConnection(SoapMessage message) {
// skip checking by WSS4JInInterceptor
message.put(WSS4JInInterceptor.SECURITY_PROCESSED, "true");
}
@Override
public void handleMessage(SoapMessage message) throws Fault {
String action = (String)message.get("SOAPAction");
if (action == null || !checkedMethods.contains(action.substring(action.lastIndexOf("/") + 1))) {
allowConnection(message);
}
}
@Override
public Set<String> getAfter() {
return Collections.emptySet();
}
@Override
public Set<String> getBefore() {
return Collections.emptySet();
}
@Override
public String getId() {
return CheckMethodsInterceptor.class.getName();
}
@Override
public String getPhase() {
return Phase.PRE_PROTOCOL;
}
@Override
public Collection<PhaseInterceptor<? extends Message>> getAdditionalInterceptors() {
return null;
}
@Override
public void handleFault(SoapMessage message) {
}
}
并像这样使用它:
// checked methods only (before WSS4JInInterceptor !)
SecurityService.CheckMethodsInterceptor checkMethodsInterceptor =
new SecurityService.CheckMethodsInterceptor(Arrays.asList(
"CreateUsers",
"GetUsers"
));
ep.getServer().getEndpoint().getInInterceptors().add(checkMethodsInterceptor);
WSS4JInInterceptor inSecurityInterceptor = new WSS4JInInterceptor(inSecurityProperties);
随意提出更好的解决方案。