WSS4j 1.5:如何跳过密码验证?
WSS4j 1.5: How to skip password validation?
我需要为某些 SOAP 使用 apache WSS4J 1.5 signing/verification,但是我在 skipping/disabling UsernameToken 密码验证方面遇到了问题。
在 WSS4J 1.6+ 中,我可以将安全引擎配置为使用 NoOpValidator() class 来跳过用户名令牌身份验证,但 1.5 不支持此功能。
有什么方法可以告诉 WSS4J 1.5 完全跳过 Username/Password 验证路由吗?
您需要编写自己的回调处理程序实现以跳过加载 LoginContext。然后可以从系统 属性 加载该处理程序 class。
参考javax.security.auth.callback.CallbackHandler,
的源码
A default CallbackHandler class implementation may be specified in the
auth.login.defaultCallbackHandler security property.
The security property can be set in the Java security properties file
located in the file named /lib/security/java.security.
refers to the value of the java.home system property, and
specifies the directory where the JRE is installed.
If the security property is set to the fully qualified name of a
CallbackHandler implementation class, then a LoginContext will load
the specified CallbackHandler and pass it to the underlying
LoginModules.
The LoginContext only loads the default handler if it was not provided
one. All default handler implementations must provide a public
zero-argument constructor.
还要注意 WSS4J 1.5.XX
带来的一些风险
在 WSSecEngine 中深入挖掘 class 之后,我发现我需要的不是 CallBackHandler,而是跳过 UsernameToken 对象处理的自定义处理器:
WSSecurityEngine secEngine = new WSSecurityEngine();
WSSConfig wsConfig = WSSConfig.newInstance();
wsConfig.setProcessor(UsernameToken.TOKEN, new Processor() {
@Override
public void handleToken(Element arg0, Crypto arg1, Crypto arg2, CallbackHandler arg3, WSDocInfo arg4, Vector arg5, WSSConfig arg6)
throws WSSecurityException {
// skip the token processing
logger.debug("Skipping processing of the username token");
}
@Override
public String getId() {
return null;
}
});
secEngine.setWssConfig(wsConfig);
虽然 WSS4J 1.5 非常古老,但希望这可能会希望将来有其他人。
WSS4J 1.6+ 改变了这些处理器与验证器一起工作的方式。
我需要为某些 SOAP 使用 apache WSS4J 1.5 signing/verification,但是我在 skipping/disabling UsernameToken 密码验证方面遇到了问题。
在 WSS4J 1.6+ 中,我可以将安全引擎配置为使用 NoOpValidator() class 来跳过用户名令牌身份验证,但 1.5 不支持此功能。
有什么方法可以告诉 WSS4J 1.5 完全跳过 Username/Password 验证路由吗?
您需要编写自己的回调处理程序实现以跳过加载 LoginContext。然后可以从系统 属性 加载该处理程序 class。
参考javax.security.auth.callback.CallbackHandler,
的源码A default CallbackHandler class implementation may be specified in the auth.login.defaultCallbackHandler security property.
The security property can be set in the Java security properties file located in the file named /lib/security/java.security. refers to the value of the java.home system property, and specifies the directory where the JRE is installed.
If the security property is set to the fully qualified name of a CallbackHandler implementation class, then a LoginContext will load the specified CallbackHandler and pass it to the underlying LoginModules.
The LoginContext only loads the default handler if it was not provided one. All default handler implementations must provide a public zero-argument constructor.
还要注意 WSS4J 1.5.XX
带来的一些风险在 WSSecEngine 中深入挖掘 class 之后,我发现我需要的不是 CallBackHandler,而是跳过 UsernameToken 对象处理的自定义处理器:
WSSecurityEngine secEngine = new WSSecurityEngine();
WSSConfig wsConfig = WSSConfig.newInstance();
wsConfig.setProcessor(UsernameToken.TOKEN, new Processor() {
@Override
public void handleToken(Element arg0, Crypto arg1, Crypto arg2, CallbackHandler arg3, WSDocInfo arg4, Vector arg5, WSSConfig arg6)
throws WSSecurityException {
// skip the token processing
logger.debug("Skipping processing of the username token");
}
@Override
public String getId() {
return null;
}
});
secEngine.setWssConfig(wsConfig);
虽然 WSS4J 1.5 非常古老,但希望这可能会希望将来有其他人。
WSS4J 1.6+ 改变了这些处理器与验证器一起工作的方式。