本節摘要:本節繼續討論webservice的安全機制,本節采用servlet的過濾器Filter來實現。
1.引言
前面講了webservice的安全機制1和2,本節繼續webservice的安全之旅,
本節采用servlet的Filter來實現對webservice的安全訪問。
在調用webservice之前,過濾器會攔截匹配的請求,只有滿足安全要求的客戶端才能訪問webservice服務。
2.項目環境
system:win7 myeclipse:6.5 tomcat:5.0
JDK:開發環境1.5,編譯環境1.4
axis:1.4

3.示例代碼
(1)配置文件
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4"
    xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
    http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

    <!-- Servlet that handles the web service requests (Axis). -->
    <servlet>
        <servlet-name>AxisServlet</servlet-name>
        <servlet-class>
            org.apache.axis.transport.http.AxisServlet
        </servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>AxisServlet</servlet-name>
        <url-pattern>/services/*</url-pattern>
    </servlet-mapping>

    <!-- IP address filter. Its url-pattern is identical to the AxisServlet
         mapping above, so every request routed to AxisServlet by this file
         passes through the filter first. If another servlet-mapping for
         AxisServlet is added later, it needs a matching filter-mapping,
         otherwise requests on that path reach Axis unfiltered. -->
    <filter>
        <filter-name>WebServiceFilter</filter-name>
        <filter-class>server.filter.WebServiceFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>WebServiceFilter</filter-name>
        <url-pattern>/services/*</url-pattern>
    </filter-mapping>

</web-app>
server-config.wsdd
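<?xml version="1.0" encoding="UTF-8"?>
<!-- Axis server deployment descriptor: global options, the built-in
     AdminService and Version services, the http/local transports and the
     HelloService used by this example. -->
<deployment xmlns="http://xml.apache.org/axis/wsdd/"
    xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
    <globalConfiguration>
        <parameter name="sendMultiRefs" value="true" />
        <parameter name="disablePrettyXML" value="true" />
        <!-- NOTE(review): "admin" is a trivially guessable admin password.
             enableRemoteAdmin is false on AdminService below, which limits
             the exposure, but a deployment-specific value should still be
             set before this file is used outside a local test. -->
        <parameter name="adminPassword" value="admin" />
        <parameter name="attachments.Directory"
            value="D:\tomcat5\webapps\WebService\WEB-INF\attachments" />
        <parameter name="dotNetSoapEncFix" value="true" />
        <parameter name="enableNamespacePrefixOptimization"
            value="false" />
        <parameter name="sendXMLDeclaration" value="true" />
        <parameter name="sendXsiTypes" value="true" />
        <parameter name="attachments.implementation"
            value="org.apache.axis.attachments.AttachmentsImpl" />
        <requestFlow>
            <handler type="java:org.apache.axis.handlers.JWSHandler">
                <parameter name="scope" value="session" />
            </handler>
            <handler type="java:org.apache.axis.handlers.JWSHandler">
                <parameter name="scope" value="request" />
                <parameter name="extension" value=".jwr" />
            </handler>
        </requestFlow>
    </globalConfiguration>
    <handler name="LocalResponder"
        type="java:org.apache.axis.transport.local.LocalResponder" />
    <handler name="URLMapper"
        type="java:org.apache.axis.handlers.http.URLMapper" />
    <handler name="Authenticate"
        type="java:org.apache.axis.handlers.SimpleAuthenticationHandler" />
    <service name="AdminService" provider="java:MSG">
        <parameter name="allowedMethods" value="AdminService" />
        <parameter name="enableRemoteAdmin" value="false" />
        <parameter name="className" value="org.apache.axis.utils.Admin" />
        <namespace>http://xml.apache.org/axis/wsdd/</namespace>
    </service>
    <service name="Version" provider="java:RPC">
        <parameter name="allowedMethods" value="getVersion" />
        <parameter name="className" value="org.apache.axis.Version" />
    </service>

    <transport name="http">
        <requestFlow>
            <handler type="URLMapper" />
            <handler
                type="java:org.apache.axis.handlers.http.HTTPAuthHandler" />
        </requestFlow>
        <parameter name="qs:list"
            value="org.apache.axis.transport.http.QSListHandler" />
        <parameter name="qs:wsdl"
            value="org.apache.axis.transport.http.QSWSDLHandler" />
        <parameter name="qs.list"
            value="org.apache.axis.transport.http.QSListHandler" />
        <parameter name="qs.method"
            value="org.apache.axis.transport.http.QSMethodHandler" />
        <parameter name="qs:method"
            value="org.apache.axis.transport.http.QSMethodHandler" />
        <parameter name="qs.wsdl"
            value="org.apache.axis.transport.http.QSWSDLHandler" />
    </transport>
    <transport name="local">
        <responseFlow>
            <handler type="LocalResponder" />
        </responseFlow>
    </transport>


    <!-- The example's own service. allowedMethods names the single
         operation the client calls instead of "*", so a public method
         added to HelloServiceImpl later is not exposed over SOAP unless
         it is listed here. -->
    <service name="HelloService" provider="java:RPC">
        <parameter name="allowedMethods" value="hello" />
        <parameter name="className"
            value="server.service.HelloServiceImpl" />

    </service>

</deployment>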
(2)服務端代碼
HelloServiceImpl.java---webservice服務端
1 package server.service; 2 3 public class HelloServiceImpl { 4 5 public String hello(String s) { 6 return "hello," + s; 7 } 8 }
WebServiceFilter.java---Filter過濾器
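package server.filter;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * Servlet filter that blocks web service requests coming from client
 * addresses on a fixed deny list.
 *
 * Limits of this check: entries are compared as exact strings against the
 * address of the connecting peer. It does not identify the caller, and when
 * the service sits behind a proxy or NAT the address seen here is that of the
 * intermediary, not the original client. Any address not on the list is let
 * through.
 */
public class WebServiceFilter implements Filter {

    // IP addresses that are not allowed to call the web service.
    static final String[] deniedIPList = new String[] { "192.168.1.12" };

    /**
     * Tells whether the given address is on the deny list.
     *
     * @param ipAddr textual client address; null is never denied
     * @return true if ipAddr equals one of the deny-list entries
     */
    public boolean isIPDenied(String ipAddr) {
        for (int i = 0; i < deniedIPList.length; i++) {
            if (deniedIPList[i].equals(ipAddr)) {
                return true;
            }
        }
        return false;
    }

    public void destroy() {
        // Nothing to release.
    }

    /**
     * Checks the client address and either rejects the request or passes it
     * on to the rest of the chain.
     *
     * @throws ServletException if the client address is on the deny list
     */
    public void doFilter(ServletRequest req, ServletResponse res,
            FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;

        // getRemoteAddr() always yields the textual IP address. The previous
        // getRemoteHost() may return a resolved host name when the container
        // performs DNS lookups, and a host name never equals an IP entry in
        // the deny list, so a denied client would have been let through.
        String clientIP = request.getRemoteAddr();
        System.out.println("客戶端IP:" + clientIP);

        System.out.println("開始過濾...");

        if (isIPDenied(clientIP)) {
            // NOTE(review): an exception thrown from a filter is usually
            // reported by the container as a server error page; answering
            // with a 403 status would describe the refusal more accurately.
            throw new ServletException("你沒有權限調用此webservice!");
        } else {
            chain.doFilter(req, res);
        }
    }

    public void init(FilterConfig arg0) throws ServletException {
        // No configuration is read; the deny list is compiled in.
    }

}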
(3)客戶端代碼
Test.java---客戶端動態調用的代碼
package client;

import java.net.URL;

import javax.xml.rpc.ParameterMode;

import org.apache.axis.client.Call;
import org.apache.axis.encoding.XMLType;

/**
 * Client that calls the HelloService "hello" operation through the Axis
 * dynamic invocation API and prints the reply.
 */
public class Test {

    public static void main(String args[]) throws Exception {
        webservice_user();
    }

    /**
     * Builds an Axis Call for the hello operation, invokes it with a fixed
     * argument and prints the returned string.
     *
     * @throws Exception if the URL is malformed or the call fails
     */
    public static void webservice_user() throws Exception {

        // Step 1: create the Axis client-side service object.
        org.apache.axis.client.Service axisService = new org.apache.axis.client.Service();

        // Step 2: the URL the request is sent to.
        URL endpoint = new URL(
                "http://localhost:8080/WebService08_Security/services/HelloService?wsdl");

        // Step 3: create the Call and describe the operation: target URL,
        // operation name, one IN parameter of type string, string return type.
        Call call = (Call) axisService.createCall();
        call.setTargetEndpointAddress(endpoint);
        String operation = "hello";
        call.setOperationName(operation);
        call.addParameter("s", XMLType.XSD_STRING, ParameterMode.IN);
        call.setReturnType(XMLType.SOAP_STRING);
        // call.setTimeout(new Integer(200)); // optional timeout

        // The disabled lines below set a user name and password that
        // correspond to the entries in users.lst under WEB-INF; they are not
        // used by the IP filter example.
        // call.getMessageContext().setUsername("pantp");
        // call.getMessageContext().setPassword("123456");

        // Step 4: invoke the operation.
        String argument = "pantp";
        System.out.println("開始調用webservice服務.....");
        String reply = (String) call.invoke(new Object[] { argument });
        System.out.println("結束調用webservice服務.....");

        // Step 5: print the result.
        System.out.println("返回結果如下:" + reply);
    }

}
4.安全測試
(1)正常測試(本機IP地址不在受限IP之內)
瀏覽器中輸入wsdl地址測試:

運行Test客戶端測試:
客戶端日志:

服務端日志:

(2)受限測試(本機IP地址在受限IP之內)
修改WebServiceFilter類中deniedIPList數組所在的一行代碼,加入IP地址127.0.0.1,然后重新發布項目;
修改后數組IP地址如下:
受限IP地址列表
// Deny list for the restricted test: the loopback address is added so that
// a client running on the same machine is refused.
// NOTE(review): entries are matched as exact strings. If the local client
// connects over IPv6, the address reported by the container will be the IPv6
// loopback form rather than "127.0.0.1" and will not match - confirm against
// the client IP printed in the server log.
static final String[] deniedIPList=new String[]{"192.168.1.12","127.0.0.1"};
瀏覽器中輸入wsdl地址測試:

運行Test客戶端測試:
客戶端日志:

服務端日志:

5.總結
至此,webservice的安全相關的文章就已經介紹完了;
以上都是webservice安全方面比較簡單的實現措施。其中IP過濾只是按來源地址做限制,并不驗證調用者身份;如果服務前面有代理或NAT,過濾器看到的是代理的地址,實際使用時應與身份認證配合。
更多的歡迎各位的探討。
