我对SOAP Web服务比较陌生,它似乎是一个基本的东西,但我仍然找不到解决它的方法。 我有一个使用Spring WS和XWS安全性编写的SOAP服务器。 这些是相关的bean:
<bean id="wsSecurityInterceptor" class="org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor"> <property name="policyConfiguration" value="classpath:security-policy.xml"/> <property name="callbackHandlers"> <list> <ref bean="passwordValidationHandler"/> </list> </property> </bean> <bean id="passwordValidationHandler" class="org.springframework.ws.soap.security.xwss.callback.SimplePasswordValidationCallbackHandler"> <property name="users"> <props> <prop key="user">*****</prop> </props> </property> </bean>以下是security-policy.xml :
<xwss:SecurityConfiguration xmlns:xwss="http://java.sun.com/xml/ns/xwss/config"> <xwss:RequireUsernameToken passwordDigestRequired="true" nonceRequired="true"/> <xwss:UsernameToken digestPassword="true" useNonce="true"/> </xwss:SecurityConfiguration>问题是我想使用nonce(一次性令牌来阻止再次发送截获的请求)来建立摘要式身份验证。 据我所知(这里有描述http://www.whitemesa.com/soapauth.html#S4 ),服务器应该创建一个挑战(我认为是随机数和时间戳),然后客户端应该用它加密它其密码和时间戳,并将其发送回服务器进行验证。 这应该适用于每个请求。 即使用户发送空请求,服务器也应提供质询。 但就我而言,它不起作用。 我错过了什么吗?
I am relatively new to SOAP web services, and it seems to be a basic thing, but still, I cannot find the way so solve it. I have a SOAP server written using Spring WS with XWS security. These are the relevant beans:
<bean id="wsSecurityInterceptor" class="org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor"> <property name="policyConfiguration" value="classpath:security-policy.xml"/> <property name="callbackHandlers"> <list> <ref bean="passwordValidationHandler"/> </list> </property> </bean> <bean id="passwordValidationHandler" class="org.springframework.ws.soap.security.xwss.callback.SimplePasswordValidationCallbackHandler"> <property name="users"> <props> <prop key="user">*****</prop> </props> </property> </bean>And the following is security-policy.xml:
<xwss:SecurityConfiguration xmlns:xwss="http://java.sun.com/xml/ns/xwss/config"> <xwss:RequireUsernameToken passwordDigestRequired="true" nonceRequired="true"/> <xwss:UsernameToken digestPassword="true" useNonce="true"/> </xwss:SecurityConfiguration>The thing is that I want to extablish a digest authentication using nonce (a one-time token that prevents an intercepted request from being sent again). As far as I know (and it is described here http://www.whitemesa.com/soapauth.html#S4), the server should create a challenge (nonce and timestamp, I think) and then the client should encrypt it with its password and timestamp and send it back to the server for verification. And this it should work for every request. Even if the user sends an empty request, the server should provide a challenge. But in my case it does not work. Am I missing something?
最满意答案
当它出现时,不一定是服务器应该生成nonce。 我在客户端生成它,连接并根据规则对其进行哈希处理,然后发送到服务器。 坦率地说,我只能通过调试Spring WS源并查找确切问题所在的位置来找到错误的根源。
As it turned up, it is not necessarily the server who should generate nonce. I generated it on client, concatenated and hashed it according to the rules and then sent to the server. Frankly speaking, I could only find the root of error by debugging Spring WS sources and looking for where exactly an authentication problem is.
更多推荐
发布评论