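Using the Web Service Security UsernameToken
I: Web Service Security UsernameToken concepts
Principle: when sending a request, the client adds its username and password to the SOAP header. The service receiving the request validates the password against the shared password it previously established with the client, and in this way authenticates the user.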
```xml
<wsse:UsernameToken>
  <wsse:Username>NNK</wsse:Username>
  <wsse:Password Type="...#PasswordDigest">weYI3nXd8LjMNVksCKFV8t3rgHh3Rw==</wsse:Password>
  <wsse:Nonce>WScqanjCEAC4mQoBE07sAQ==</wsse:Nonce>
  <wsu:Created>2003-07-16T01:24:32Z</wsu:Created>
</wsse:UsernameToken>
```
Password_Digest = Base64 ( SHA-1 ( nonce + created + password ) )
The wsse:Nonce and wsu:Created elements are there to prevent replay attacks.
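A key can also be derived from the password by processing it. For security we want every derived key to be different, so that the same key is not used many times and eventually cracked. WS-Security defines the following elements for key derivation: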
```xml
<wsse:UsernameToken wsse:Id="…">
  <wsse:Username>…</wsse:Username>
  <wsse11:Salt>…</wsse11:Salt>
  <wsse11:Iteration>…</wsse11:Iteration>
</wsse:UsernameToken>
```
Salt is the factor that makes the key change, and Iteration is the number of hash rounds applied during key derivation.
The key derivation formula is:
K1 = SHA1(password + Salt)
K2 = SHA1(K1)
…
Kn = SHA1(Kn-1)
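The derivation formula above carried through in code, as an added example that is not from the original post: the sender derives a key and publishes Salt and Iteration in the token, and the receiver rebuilds the same key from the shared password. The class name, the 16-byte salt, the iteration count of 1000 and the sample password are assumptions made for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

public class UsernameTokenKeyDerivationDemo {
    // K1 = SHA1(password + Salt), K2 = SHA1(K1), ..., Kn = SHA1(Kn-1)
    static byte[] deriveKey(String password, byte[] salt, int iterations) throws Exception {
        if (iterations < 1) throw new IllegalArgumentException("iterations must be >= 1");
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(password.getBytes(StandardCharsets.UTF_8));
        sha1.update(salt);
        byte[] k = sha1.digest();               // K1 (digest() also resets the instance)
        for (int i = 2; i <= iterations; i++) {
            k = sha1.digest(k);                 // Ki = SHA1(Ki-1)
        }
        return k;                               // 20-byte key
    }

    public static void main(String[] args) throws Exception {
        String password = "s3cret-constructed"; // constructed sample value
        int iterations = 1000;                  // assumed value for <wsse11:Iteration>
        byte[] salt = new byte[16];             // assumed salt length
        new SecureRandom().nextBytes(salt);

        // Sender: derive the key and publish Salt and Iteration in the token
        byte[] senderKey = deriveKey(password, salt, iterations);
        String saltB64 = Base64.getEncoder().encodeToString(salt);

        // Receiver: rebuild the same key from the shared password and the token values
        byte[] receiverKey = deriveKey(password, Base64.getDecoder().decode(saltB64), iterations);
        System.out.println("keys match: " + MessageDigest.isEqual(senderKey, receiverKey));

        // A fresh salt for the next message gives an unrelated key
        byte[] salt2 = new byte[16];
        new SecureRandom().nextBytes(salt2);
        byte[] nextKey = deriveKey(password, salt2, iterations);
        System.out.println("next message reuses key: " + MessageDigest.isEqual(senderKey, nextKey));
    }
}
```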
II: Code examples
XML files:
Request XML:
```xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://www.webserviceX.NET/">
  <soapenv:Header/>
  <soapenv:Body>
    <web:ConversionRate>
      <web:FromCurrency>1</web:FromCurrency>
      <web:ToCurrency>2</web:ToCurrency>
    </web:ConversionRate>
  </soapenv:Body>
</soapenv:Envelope>
```
Response XML:
```xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://www.webserviceX.NET/">
  <soapenv:Header/>
  <soapenv:Body>
    <web:ConversionRateResponse>
      <web:ConversionRateResult>88</web:ConversionRateResult>
    </web:ConversionRateResponse>
  </soapenv:Body>
</soapenv:Envelope>
```
1. Calling the service directly with an HTTP client
```java
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;

public static String soapSpecialConnection(String url) throws Exception {
    // Assemble the SOAP request message
    StringBuilder soapRequest = new StringBuilder();
    soapRequest.append("<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:web=\"http://www.webserviceX.NET/\">");
    soapRequest.append("<SOAP-ENV:Header/>");
    soapRequest.append("<SOAP-ENV:Body>");
    soapRequest.append("<web:ConversionRate>");
    soapRequest.append("<web:FromCurrency>123</web:FromCurrency>");
    soapRequest.append("<web:ToCurrency>123</web:ToCurrency>");
    soapRequest.append("</web:ConversionRate>");
    soapRequest.append("</SOAP-ENV:Body>");
    soapRequest.append("</SOAP-ENV:Envelope>");
    byte[] body = soapRequest.toString().getBytes(StandardCharsets.UTF_8);

    // Set the properties of the SOAP request
    HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
    conn.setRequestMethod("POST");
    conn.setDoInput(true);
    conn.setDoOutput(true);
    conn.setUseCaches(false);
    conn.setDefaultUseCaches(false);
    // HttpURLConnection fills in Host and Content-Length itself;
    // the length must be the byte count, not the character count.
    conn.setFixedLengthStreamingMode(body.length);
    conn.setRequestProperty("Content-Type", "text/xml; charset=utf-8");
    conn.setRequestProperty("SOAPAction", "");

    // Send the SOAP request message
    try (OutputStream output = conn.getOutputStream()) {
        output.write(body);
    }

    // Read the SOAP response as bytes, then decode it as UTF-8
    ByteArrayOutputStream response = new ByteArrayOutputStream();
    try (InputStream input = conn.getInputStream()) {
        byte[] buf = new byte[4096];
        int n;
        while ((n = input.read(buf)) != -1) {
            response.write(buf, 0, n);
        }
    } finally {
        conn.disconnect();
    }
    // The SOAP response message as a string
    return new String(response.toByteArray(), StandardCharsets.UTF_8);
}
```
2. Calling the service with Apache Axis
```java
import javax.xml.soap.*;

private void callRequest() throws SOAPException {
    String NAMESPACE_URI = "http://www.webserviceX.NET/";
    String PREFIX = "web";
    String url = "http://localhost:28080/MockService";
    SOAPConnectionFactory connectionFactory = SOAPConnectionFactory.newInstance();
    MessageFactory messageFactory = MessageFactory.newInstance();
    SOAPFactory soapFactory = SOAPFactory.newInstance();

    // Build the envelope and the ConversionRate request body
    SOAPMessage message = messageFactory.createMessage();
    SOAPEnvelope envelope = message.getSOAPPart().getEnvelope();
    envelope.addNamespaceDeclaration(PREFIX, NAMESPACE_URI);
    Name requestName = soapFactory.createName("ConversionRate", PREFIX, NAMESPACE_URI);
    SOAPBodyElement trackRequestElement = message.getSOAPBody().addBodyElement(requestName);
    SOAPElement element1, element2;
    element1 = trackRequestElement.addChildElement(soapFactory.createName("FromCurrency", PREFIX, NAMESPACE_URI));
    element2 = trackRequestElement.addChildElement(soapFactory.createName("ToCurrency", PREFIX, NAMESPACE_URI));
    element1.addTextNode("123");
    element2.addTextNode("123");

    // HTTP headers sent with the message
    MimeHeaders hd = message.getMimeHeaders();
    hd.setHeader("SOAPAction", "");
    hd.setHeader("Content-Type", "text/xml; charset=utf-8");

    // Send the request and release the connection afterwards
    SOAPConnection connection = connectionFactory.createConnection();
    try {
        SOAPMessage response = connection.call(message, url);
    } finally {
        connection.close();
    }
}
```
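3. Writing the message out as XML for debugging
```java
import java.io.BufferedWriter;
import java.io.ByteArrayOutputStream;
import java.io.FileOutputStream;
import java.io.OutputStreamWriter;
import java.nio.charset.StandardCharsets;
import javax.xml.soap.SOAPMessage;
import javax.xml.transform.Source;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;

public void writeToXml(String fileName, SOAPMessage request) throws Exception {
    // fileName is the .xml file to write to, e.g. result.xml (opened in append mode).
    // The dump contains the whole message, including any UsernameToken password in the header.
    Source source = request.getSOAPPart().getContent();
    Transformer transformer = TransformerFactory.newInstance().newTransformer();
    ByteArrayOutputStream myOutStr = new ByteArrayOutputStream();
    transformer.transform(source, new StreamResult(myOutStr));
    String temp = myOutStr.toString("UTF-8").trim();
    try (BufferedWriter bw = new BufferedWriter(new OutputStreamWriter(
            new FileOutputStream(fileName, true), StandardCharsets.UTF_8))) {
        bw.write(temp);
        bw.newLine();
    }
}
```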
4. Setting up web service security
```java
import javax.xml.soap.*;

protected void buildHeader(SOAPMessage message) throws SOAPException {
    // Sample credentials for the demo
    String username = "1234";
    String password = "1234";
    final String SECURITY_PREFIX = "wsse";
    SOAPEnvelope envelope = message.getSOAPPart().getEnvelope();
    SOAPHeader soapHead = message.getSOAPHeader();
    SOAPHeaderElement security = soapHead.addHeaderElement(envelope.createName("Security", SECURITY_PREFIX,
            "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"));
    // The service must be able to recognise and validate this header, otherwise the request fails
    security.setMustUnderstand(true);
    SOAPElement usernameToken = security.addChildElement("UsernameToken", SECURITY_PREFIX);
    usernameToken.addNamespaceDeclaration("wsu",
            "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd");
    SOAPElement usernameNode = usernameToken.addChildElement("Username", SECURITY_PREFIX);
    usernameNode.setValue(username);
    // PasswordText puts the password into the header in clear text, so send it only over TLS
    SOAPElement passwordNode = usernameToken.addChildElement("Password", SECURITY_PREFIX);
    passwordNode.setAttribute("Type",
            "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText");
    passwordNode.setValue(password);
}
```
mustUnderstand: marks whether the security header must be parsed and processed by the service side.
III: Testing tools
TCPMon: http://ws.apache.org/commons/tcpmon/tcpmontutorial.html displays the request that was sent and the response that came back, which makes debugging easier.
Reposted from: https://blog.51cto.com/drizzlewalk/1149515