Wss4jSecurityInterceptor - 我的自定义回调被解释为 CleanupCallback 对象
Wss4jSecurityInterceptor - My Custom Callback is interpreted as a CleanupCallback Object
我在一个使用 Java 8 和 Spring Boot 制作的项目中工作,我想在其中添加 Wss4jSecurityInterceptor 以用于登录目的。
到目前为止,这就是我在 WebServiceConfig class
中所做的
@Bean
public AuthorizationCallBackHandler authorizationCallBackHandler(){
AuthorizationCallBackHandler callbackHandler = new AuthorizationCallBackHandler();
return callbackHandler;
}
@Bean
public Wss4jSecurityInterceptor securityInterceptor(){
Wss4jSecurityInterceptor securityInterceptor = new Wss4jSecurityInterceptor();
securityInterceptor.setValidationActions("UsernameToken");
securityInterceptor.setValidationCallbackHandler(authorizationCallBackHandler());
return securityInterceptor;
}
@Override
public void addInterceptors(List interceptors) {
interceptors.add(securityInterceptor());
//interceptors.add(endPointInterceptor());
}
因此,每个到达我的 Web 服务的请求都将被 Wss4jSecurityInterceptor 拦截,并由我的自定义回调处理,定义如下
public class AuthorizationCallBackHandler implements CallbackHandler{
private final Logger logger = LoggerFactory.getLogger(this.getClass());
@Autowired
VnWsCredentialRepository credentialsRepo;
@Autowired
AuthUtility authUtil;
@Override
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
if (callbacks[0] instanceof WSPasswordCallback) {
WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
String username = pc.getIdentifier();
VnWsCredential credentials = credentialsRepo.findByUsername(username);
logger.info("Request of authentication for username" + username);
String p = pc.getPassword();
// set the password on the callback. This will be compared to the
// password which was sent from the client.
if (credentials == null) {
pc.setPassword(null);
}else {
// String encodedPsw = authUtil.obtaindMD5Value(credentials.getPassword());
// pc.setPassword(encodedPsw);
pc.setPassword(credentials.getPassword());
}
}
if (callbacks[0] instanceof UsernameTokenPrincipalCallback) {
UsernameTokenPrincipalCallback pc = (UsernameTokenPrincipalCallback) callbacks[0];
pc.getPrincipal();
}
}
}
这是我的问题:当回调被调用时,它接收到一个数组,该数组仅包含 1 个 "CleanupCallback" 类型的回调,当然我不能用它做任何事情。
我在以下设置中缺少什么?
这是我用 SOAP 进行的 SOAP 调用 UI
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:it="some.fancy.ws">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:UsernameToken wsu:Id="UsernameToken-3967AEB46D733EF6E2154990461080350">
<wsse:Username>Just a user</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">just a password</wsse:Password>
<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">pUn8VjdpVaIamSAIwXEeXg==</wsse:Nonce>
<wsu:Created>2019-02-16T17:03:30.803Z</wsu:Created>
</wsse:UsernameToken></wsse:Security>
</soapenv:Header>
<soapenv:Body>
<it:getPOrderRequest>
<it:poNumber>2197111225-F03292</it:poNumber>
</it:getPOrderRequest>
</soapenv:Body>
</soapenv:Envelope>
对于任何感兴趣的人,我通过首先从请求中删除 header 中的内容来解决这个问题。
之后,我使用凭据设置了一个传出 WSS,就像那样,Wss4j 安全处理程序将回调转换为我想要的实例(即 WSPasswordCallback)。
经验教训:如果 Wss4j 在处理 SOAP 请求时检测到某种错误,它将生成 CleanupCallback 而不是 WSPasswordCallback 的实例
我在一个使用 Java 8 和 Spring Boot 制作的项目中工作,我想在其中添加 Wss4jSecurityInterceptor 以用于登录目的。
到目前为止,这就是我在 WebServiceConfig class
@Bean
public AuthorizationCallBackHandler authorizationCallBackHandler(){
AuthorizationCallBackHandler callbackHandler = new AuthorizationCallBackHandler();
return callbackHandler;
}
@Bean
public Wss4jSecurityInterceptor securityInterceptor(){
Wss4jSecurityInterceptor securityInterceptor = new Wss4jSecurityInterceptor();
securityInterceptor.setValidationActions("UsernameToken");
securityInterceptor.setValidationCallbackHandler(authorizationCallBackHandler());
return securityInterceptor;
}
@Override
public void addInterceptors(List interceptors) {
interceptors.add(securityInterceptor());
//interceptors.add(endPointInterceptor());
}
因此,每个到达我的 Web 服务的请求都将被 Wss4jSecurityInterceptor 拦截,并由我的自定义回调处理,定义如下
public class AuthorizationCallBackHandler implements CallbackHandler{
private final Logger logger = LoggerFactory.getLogger(this.getClass());
@Autowired
VnWsCredentialRepository credentialsRepo;
@Autowired
AuthUtility authUtil;
@Override
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
if (callbacks[0] instanceof WSPasswordCallback) {
WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
String username = pc.getIdentifier();
VnWsCredential credentials = credentialsRepo.findByUsername(username);
logger.info("Request of authentication for username" + username);
String p = pc.getPassword();
// set the password on the callback. This will be compared to the
// password which was sent from the client.
if (credentials == null) {
pc.setPassword(null);
}else {
// String encodedPsw = authUtil.obtaindMD5Value(credentials.getPassword());
// pc.setPassword(encodedPsw);
pc.setPassword(credentials.getPassword());
}
}
if (callbacks[0] instanceof UsernameTokenPrincipalCallback) {
UsernameTokenPrincipalCallback pc = (UsernameTokenPrincipalCallback) callbacks[0];
pc.getPrincipal();
}
}
}
这是我的问题:当回调被调用时,它接收到一个数组,该数组仅包含 1 个 "CleanupCallback" 类型的回调,当然我不能用它做任何事情。
我在以下设置中缺少什么?
这是我用 SOAP 进行的 SOAP 调用 UI
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:it="some.fancy.ws">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:UsernameToken wsu:Id="UsernameToken-3967AEB46D733EF6E2154990461080350">
<wsse:Username>Just a user</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">just a password</wsse:Password>
<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">pUn8VjdpVaIamSAIwXEeXg==</wsse:Nonce>
<wsu:Created>2019-02-16T17:03:30.803Z</wsu:Created>
</wsse:UsernameToken></wsse:Security>
</soapenv:Header>
<soapenv:Body>
<it:getPOrderRequest>
<it:poNumber>2197111225-F03292</it:poNumber>
</it:getPOrderRequest>
</soapenv:Body>
</soapenv:Envelope>
对于任何感兴趣的人,我通过首先从请求中删除 header 中的内容来解决这个问题。
之后,我使用凭据设置了一个传出 WSS,就像那样,Wss4j 安全处理程序将回调转换为我想要的实例(即 WSPasswordCallback)。
经验教训:如果 Wss4j 在处理 SOAP 请求时检测到某种错误,它将生成 CleanupCallback 而不是 WSPasswordCallback 的实例