
Web service security mechanisms, part 3: Filter

May 28, 2012

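Summary: this part continues the discussion of web service security mechanisms, this time using a servlet Filter.

1. Introduction

   Parts 1 and 2 covered the first two web service security mechanisms. This part continues the series and uses a servlet Filter to control access to the web service.

   Before the web service is invoked, the filter intercepts every matching request, and only clients that meet the security requirement can reach the service.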

 

2. Project environment

system: win7  myeclipse: 6.5  tomcat: 5.0

JDK: development environment 1.5, compile environment 1.4

axis: 1.4

3. Sample code

(1) Configuration files

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4"
    xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
    http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

    <!-- Servlet that handles web service requests -->
    <servlet>
        <servlet-name>AxisServlet</servlet-name>
        <servlet-class>
            org.apache.axis.transport.http.AxisServlet
        </servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>AxisServlet</servlet-name>
        <url-pattern>/services/*</url-pattern>
    </servlet-mapping>

    <!-- IP address filter; it must map the same URL pattern as AxisServlet -->
    <filter>
        <filter-name>WebServiceFilter</filter-name>
        <filter-class>server.filter.WebServiceFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>WebServiceFilter</filter-name>
        <url-pattern>/services/*</url-pattern>
    </filter-mapping>

</web-app>

server-config.wsdd

<?xml version="1.0" encoding="UTF-8"?>
<deployment xmlns="http://xml.apache.org/axis/wsdd/"
    xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
    <globalConfiguration>
        <parameter name="sendMultiRefs" value="true" />
        <parameter name="disablePrettyXML" value="true" />
        <parameter name="adminPassword" value="admin" />
        <parameter name="attachments.Directory"
            value="D:\tomcat5\webapps\WebService\WEB-INF\attachments" />
        <parameter name="dotNetSoapEncFix" value="true" />
        <parameter name="enableNamespacePrefixOptimization"
            value="false" />
        <parameter name="sendXMLDeclaration" value="true" />
        <parameter name="sendXsiTypes" value="true" />
        <parameter name="attachments.implementation"
            value="org.apache.axis.attachments.AttachmentsImpl" />
        <requestFlow>
            <handler type="java:org.apache.axis.handlers.JWSHandler">
                <parameter name="scope" value="session" />
            </handler>
            <handler type="java:org.apache.axis.handlers.JWSHandler">
                <parameter name="scope" value="request" />
                <parameter name="extension" value=".jwr" />
            </handler>
        </requestFlow>
    </globalConfiguration>
    <handler name="LocalResponder"
        type="java:org.apache.axis.transport.local.LocalResponder" />
    <handler name="URLMapper"
        type="java:org.apache.axis.handlers.http.URLMapper" />
    <handler name="Authenticate"
        type="java:org.apache.axis.handlers.SimpleAuthenticationHandler" />
    <service name="AdminService" provider="java:MSG">
        <parameter name="allowedMethods" value="AdminService" />
        <parameter name="enableRemoteAdmin" value="false" />
        <parameter name="className" value="org.apache.axis.utils.Admin" />
        <namespace>http://xml.apache.org/axis/wsdd/</namespace>
    </service>
    <service name="Version" provider="java:RPC">
        <parameter name="allowedMethods" value="getVersion" />
        <parameter name="className" value="org.apache.axis.Version" />
    </service>

    <transport name="http">
        <requestFlow>
            <handler type="URLMapper" />
            <handler
                type="java:org.apache.axis.handlers.http.HTTPAuthHandler" />
        </requestFlow>
        <parameter name="qs:list"
            value="org.apache.axis.transport.http.QSListHandler" />
        <parameter name="qs:wsdl"
            value="org.apache.axis.transport.http.QSWSDLHandler" />
        <parameter name="qs.list"
            value="org.apache.axis.transport.http.QSListHandler" />
        <parameter name="qs.method"
            value="org.apache.axis.transport.http.QSMethodHandler" />
        <parameter name="qs:method"
            value="org.apache.axis.transport.http.QSMethodHandler" />
        <parameter name="qs.wsdl"
            value="org.apache.axis.transport.http.QSWSDLHandler" />
    </transport>
    <transport name="local">
        <responseFlow>
            <handler type="LocalResponder" />
        </responseFlow>
    </transport>

    <!-- Our own service -->
    <service name="HelloService" provider="java:RPC">
        <parameter name="allowedMethods" value="*" />
        <parameter name="className"
            value="server.service.HelloServiceImpl" />

    </service>

</deployment>

 

(2) Server-side code

HelloServiceImpl.java: the web service implementation

package server.service;

public class HelloServiceImpl {

    public String hello(String s) {
        return "hello," + s;
    }
}

WebServiceFilter.java: the Filter

package server.filter;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

public class WebServiceFilter implements Filter {

    // IP addresses that are not allowed to call the web service
    static final String[] deniedIPList = new String[] { "192.168.1.12" };

    // Returns true when ipAddr exactly matches an entry in deniedIPList
    public boolean isIPDenied(String ipAddr) {
        if (deniedIPList.length == 0)
            return false;
        for (int i = 0; i < deniedIPList.length; i++) {
            if (deniedIPList[i].equals(ipAddr)) {
                return true;
            }
        }
        return false;
    }

    public void destroy() {

    }

    public void doFilter(ServletRequest req, ServletResponse res,
            FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;

        // Use getRemoteAddr(): getRemoteHost() returns a host name when the
        // container resolves names, and a host name never matches the IP
        // strings in deniedIPList, so a denied client would get through.
        String clientIP = request.getRemoteAddr();
        System.out.println("客户端IP:" + clientIP); // logs the client IP

        System.out.println("开始过滤..."); // "start filtering..."

        if (isIPDenied(clientIP)) {
            // Message: "You are not authorized to call this web service!"
            throw new ServletException("你没有权限调用此webservice!");
        } else {
            // Not on the deny list: pass the request on to AxisServlet
            chain.doFilter(req, res);
        }

    }

    public void init(FilterConfig arg0) throws ServletException {

    }

}
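
Added example (not part of the original article): an allow-list counterpart to the deny-list filter above. It compares parsed addresses, so a local caller that arrives as 0:0:0:0:0:0:0:1 is matched by an entry written as ::1, and it answers 403 rather than throwing. The class name AllowListFilter and the allowedAddresses init-param are assumptions, and the code assumes Java 5 or later with the same javax.servlet API.

```java
package server.filter;

import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

// Added example, not the article's code: only listed addresses reach the service.
public class AllowListFilter implements Filter {
    // Parsed form, so "::1" and "0:0:0:0:0:0:0:1" compare equal.
    private final Set<InetAddress> allowed = new HashSet<InetAddress>();

    public void init(FilterConfig cfg) throws ServletException {
        // "allowedAddresses" (hypothetical init-param): comma-separated IP literals.
        String param = cfg.getInitParameter("allowedAddresses");
        if (param == null) {
            // Fail closed: refuse to start rather than run without a policy.
            throw new ServletException("allowedAddresses init-param is required");
        }
        String[] parts = param.split(",");
        for (int i = 0; i < parts.length; i++) {
            String entry = parts[i].trim();
            // getByName("") means loopback, so a blank entry must be rejected.
            if (entry.length() == 0) {
                throw new ServletException("empty entry in allowedAddresses");
            }
            try {
                allowed.add(InetAddress.getByName(entry));
            } catch (UnknownHostException e) {
                throw new ServletException("bad address: " + entry, e);
            }
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String addr = req.getRemoteAddr(); // IP literal of the TCP peer
        // getByName(null) also means loopback, so a missing address is denied.
        if (addr == null || !allowed.contains(InetAddress.getByName(addr))) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

Behind a reverse proxy or load balancer, getRemoteAddr() returns the proxy's address, so the check has to run at the proxy or on a forwarded address that the proxy is trusted to set.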

 

(3) Client-side code

Test.java: client code that calls the service dynamically

package client;

import java.net.URL;

import javax.xml.rpc.ParameterMode;

import org.apache.axis.client.Call;
import org.apache.axis.encoding.XMLType;

public class Test {

    public static void main(String args[]) throws Exception {
        webservice_user();
    }

    public static void webservice_user() throws Exception {

        // 1. Create the service object using the class that ships with axis
        org.apache.axis.client.Service service = new org.apache.axis.client.Service();

        // 2. Create the URL object
        String wsdlUrl = "http://localhost:8080/WebService08_Security/services/HelloService?wsdl";// URL of the service
        URL url = new URL(wsdlUrl);// build the URL object from wsdlUrl

        // 3. Create the Call object that invokes the service method and set its properties
        Call call = (Call) service.createCall();
        call.setTargetEndpointAddress(url);// endpoint URL of the request
        String serviceName = "hello";// name of the web service method
        call.setOperationName(serviceName);// method to invoke
        call.addParameter("s", XMLType.XSD_STRING, ParameterMode.IN);// parameter name, type and mode
        call.setReturnType(XMLType.SOAP_STRING);// return type of the method
//         call.setTimeout(new Integer(200));// timeout limit

        //---------------------------------------------------------------------------------------
        // The user name and password here correspond to the entries in the users.lst file under WEB-INF
//        call.getMessageContext().setUsername("pantp");
//        call.getMessageContext().setPassword("123456");
        //---------------------------------------------------------------------------------------

        // 4. Call the web service through invoke
        String str = "pantp";
        System.out.println("开始调用webservice服务.....");// "calling the web service..."
        String dept = (String) call.invoke(new Object[] { str });// invoke the service method
        System.out.println("结束调用webservice服务.....");// "web service call finished..."

        // 5. Print the result
        System.out.println("返回结果如下:" + dept);// "the result is:"
    }

}

 

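4. Security test

(1) Normal test (the local IP address is not on the deny list)

Testing the WSDL address in a browser:

Running the Test client:

Client log:

Server log:

(2) Denied test (the local IP address is on the deny list)

     Modify the line in the WebServiceFilter class that declares the deniedIPList array, add the IP address 127.0.0.1, and then redeploy the project.

     The array after the change:

Denied IP address list

static final String[] deniedIPList=new String[]{"192.168.1.12","127.0.0.1"};

Testing the WSDL address in a browser:

Running the Test client:

Client log:

Server log:

5. Summary

This concludes the articles on web service security.

All of the above are fairly simple measures for securing a web service.

Further discussion is welcome.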
