引言
前面讲了webservice的安全机制，本节继续webservice的安全之旅。
本节采用servlet的Filter来实现对webservice的安全访问：
在调用webservice之前，过滤器会拦截匹配的请求，只有满足安全要求的客户端才能访问webservice服务。
项目环境
system:win myeclipse: tomcat:
JDK:开发环境编译环境
axis:
示例代码()配置文件
web.xml
web.xml
<?xml version= encoding=UTF?>
<webapp version=
xmlns=
xmlns:xsi=instance
xsi:schemaLocation=
app__xsd>
<! 配置webservice的处理类 >
<!-- AxisServlet is the SOAP entry point. In this descriptor it is mapped only to /services/*. -->
<servlet>
<servletname>AxisServlet</servletname>
<servletclass>
orgapacheaxistransporthttpAxisServlet
</servletclass>
</servlet>
<servletmapping>
<servletname>AxisServlet</servletname>
<urlpattern>/services/*</urlpattern>
</servletmapping>
<!配置IP地址的过滤器 >
<!-- WebServiceFilter is invoked ahead of AxisServlet for every request matching /services/*.
     The filter url-pattern has to cover every path AxisServlet is mapped to: a servlet-mapping
     added later without a matching filter-mapping would reach Axis without the IP check. -->
<filter>
<filtername>WebServiceFilter</filtername>
<filterclass>serverfilterWebServiceFilter</filterclass>
</filter>
<filtermapping>
<filtername>WebServiceFilter</filtername>
<urlpattern>/services/*</urlpattern>
</filtermapping>
</webapp>
server-config.wsdd
server-config.wsdd
<?xml version= encoding=UTF?>
<deployment xmlns=
xmlns:java=>
<!-- Axis deployment descriptor: global engine settings, shared handlers, the built-in
     AdminService and Version services, the http/local transports, and HelloService. -->
<globalConfiguration>
<parameter name=sendMultiRefs value=true />
<parameter name=disablePrettyXML value=true />
<!-- adminPassword is still the stock value "admin"; replace it with a site-specific secret
     before this descriptor is deployed anywhere reachable. -->
<parameter name=adminPassword value=admin />
<parameter name=attachmentsDirectory
value=D:\tomcat\webapps\WebService\WEBINF\attachments />
<parameter name=dotNetSoapEncFix value=true />
<parameter name=enableNamespacePrefixOptimization
value=false />
<parameter name=sendXMLDeclaration value=true />
<parameter name=sendXsiTypes value=true />
<parameter name=attachmentsimplementation
value=orgapacheaxisattachmentsAttachmentsImpl />
<requestFlow>
<handler type=java:orgapacheaxishandlersJWSHandler>
<parameter name=scope value=session />
</handler>
<handler type=java:orgapacheaxishandlersJWSHandler>
<parameter name=scope value=request />
<parameter name=extension value=jwr />
</handler>
</requestFlow>
</globalConfiguration>
<handler name=LocalResponder
type=java:orgapacheaxistransportlocalLocalResponder />
<handler name=URLMapper
type=java:orgapacheaxishandlershttpURLMapper />
<!-- Authenticate is only declared here. No service in this file references it from a
     requestFlow, so it does not protect HelloService. -->
<handler name=Authenticate
type=java:orgapacheaxishandlersSimpleAuthenticationHandler />
<!-- AdminService can change the deployment at runtime. enableRemoteAdmin stays false so that
     it is not meant to be driven from other hosts; keep it that way. -->
<service name=AdminService provider=java:MSG>
<parameter name=allowedMethods value=AdminService />
<parameter name=enableRemoteAdmin value=false />
<parameter name=className value=orgapacheaxisutilsAdmin />
<namespace>;/namespace>
</service>
<service name=Version provider=java:RPC>
<parameter name=allowedMethods value=getVersion />
<parameter name=className value=orgapacheaxisVersion />
</service>
<transport name=http>
<requestFlow>
<handler type=URLMapper />
<!-- NOTE(review): HTTPAuthHandler appears to only copy HTTP Basic credentials into the
     message context; confirm that a later handler actually verifies them. -->
<handler
type=java:orgapacheaxishandlershttpHTTPAuthHandler />
</requestFlow>
<!-- The qs:* handlers answer query-string requests such as ?wsdl on the service URL. -->
<parameter name=qs:list
value=orgapacheaxistransporthttpQSListHandler />
<parameter name=qs:wsdl
value=orgapacheaxistransporthttpQSWSDLHandler />
<parameter name=qslist
value=orgapacheaxistransporthttpQSListHandler />
<parameter name=thod
value=orgapacheaxistransporthttpQSMethodHandler />
<parameter name=qs:method
value=orgapacheaxistransporthttpQSMethodHandler />
<parameter name=qswsdl
value=orgapacheaxistransporthttpQSWSDLHandler />
</transport>
<transport name=local>
<responseFlow>
<handler type=LocalResponder />
</responseFlow>
</transport>
<! 配置自己的服务 >
<!-- HelloService has no requestFlow of its own, so no authentication handler runs for it;
     the servlet filter's IP check is the only access control in front of it.
     allowedMethods=* publishes every public method of the implementation class; naming the
     single operation (hello) keeps later additions to the class from being exposed by accident. -->
<service name=HelloService provider=java:RPC>
<parameter name=allowedMethods value=* />
<parameter name=className
value=serverserviceHelloServiceImpl />
</service>
</deployment>
()服务端代码
HelloServiceImpl.java：webservice服务端
HelloServiceImpl.java
// Implementation class published by Axis as HelloService (referenced by className in server-config.wsdd).
package serverservice; public class HelloServiceImpl {
// Returns a fixed greeting prefix followed by s.
// s arrives straight from the SOAP request and is echoed back without any validation.
public String hello(String s) {
return hello + s;
} }
WebServiceFilter.java：Filter过滤器
WebServiceFilter.java
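package server.filter;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Servlet filter that refuses web service requests coming from a fixed list of client addresses.
 *
 * <p>The check is a deny list keyed on the address of the TCP peer. It only stops addresses that
 * are already listed, and behind a reverse proxy or NAT the peer address is that of the
 * intermediary, not of the real client. Treat it as a coarse network restriction layered in front
 * of authentication, not as a replacement for it.
 */
public class WebServiceFilter implements Filter {

    // IP addresses that are not allowed to call the web service.
    // Entries must be IP literals in the exact form the container reports for the peer.
    static final String[] deniedIPList = new String[] {};

    /**
     * Tells whether the given client address is on the deny list.
     *
     * @param ipAddr client address to look up; may be {@code null}
     * @return {@code true} if {@code ipAddr} equals one of the deny-list entries, otherwise
     *     {@code false} (always {@code false} when the list is empty)
     */
    public boolean isIPDenied(String ipAddr) {
        for (String denied : deniedIPList) {
            if (denied.equals(ipAddr)) {
                return true;
            }
        }
        return false;
    }

    /** Nothing to release. */
    public void destroy() {
    }

    /**
     * Lets the request through to the rest of the chain unless the client address is denied.
     *
     * <p>Denied clients receive HTTP 403 and the chain is not invoked.
     *
     * @param req incoming request; expected to be an HTTP request
     * @param res outgoing response; expected to be an HTTP response
     * @param chain remaining filters and the target servlet
     * @throws IOException if writing the error response or the downstream chain fails
     * @throws ServletException if the downstream chain fails
     */
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getRemoteAddr() always yields the peer's IP literal. getRemoteHost() may yield a
        // reverse-DNS host name when the container has lookups enabled; such a name never equals
        // an IP entry in the deny list, so a listed client would pass the check.
        String clientIP = request.getRemoteAddr();
        System.out.println("客户端IP:" + clientIP);
        System.out.println("开始过滤…");

        if (isIPDenied(clientIP)) {
            // Answer with 403 instead of throwing: an uncaught ServletException surfaces as a
            // 500 error page, which mislabels the refusal and can expose a stack trace.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "你没有权限调用此webservice!");
            return;
        }
        chain.doFilter(req, res);
    }

    /** No configuration is read from the filter config. */
    public void init(FilterConfig arg) throws ServletException {
    }
}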
()客户端代码
Test.java：客户端动态调用的代码
Test.java
package client;
import URL;
import javaxxmlrpcParameterMode;
import orgapacheaxisclientCall;
import orgapacheaxisencodingXMLType;
// Stand-alone Axis client that calls the hello operation of HelloService through a dynamic Call.
public class Test {
// Entry point: runs the single demo call.
public static void main(String args[]) throws Exception{
webservice_user()
}
// Builds an Axis Call for the hello operation, invokes it with one string argument and prints
// the returned string. The endpoint path is under /services/, so the request passes through
// WebServiceFilter; because it targets localhost, the filter sees a loopback client address.
public static void webservice_user() throws Exception {
// Create the service object using the class that ships with Axis
orgapacheaxisclientService service = new orgapacheaxisclientService()
// Create the URL object
String wsdlUrl = //localhost:/WebService_Security/services/HelloService?wsdl;// URL of the service to call
URL url = new URL(wsdlUrl)// Build the URL object from wsdlUrl via the URL constructor
// Create the call object that invokes the service method, then set its properties
Call call = (Call) servicecreateCall()
callsetTargetEndpointAddress(url)// Set the endpoint URL on the call
String serviceName = hello;// Name of the web service method
callsetOperationName(serviceName)// Set the operation name on the call
calladdParameter(s XMLTypeXSD_STRING ParameterModeIN)// Declare the parameter name, type and mode
// NOTE(review): the stray trailing "//" markers on the next lines suggest that the timeout and
// credential calls were commented out in the original listing; confirm before relying on them.
// If they are enabled, do not keep the password in source and send it only over an encrypted transport.
callsetReturnType(XMLTypeSOAP_STRING)// Set the return type of the invoked method //
callsetTimeout(new Integer())// Set the timeout limit
//
// The user name and password here correspond to the entries in the users.lst file under WEB-INF //
callgetMessageContext()setUsername(pantp) //
callgetMessageContext()setPassword()
//
// Call the web service through invoke
String str=new String(pantp)
Systemoutprintln(开始调用webservice服务……)
String dept = (String) callinvoke(new Object[] { str })// Invoke the service method
Systemoutprintln(结束调用webservice服务……)
// Print the returned result
Systemoutprintln(返回结果如下+dept) } }
安全测试()正常测试(本机IP地址不在受限IP之内)
浏览器中输入wsdl地址测试
运行Test客户端测试
客户端日志
服务端日志
(
)受限测试(本机IP地址在受限IP之内)
修改WebServiceFilter类中deniedIPList数组所在的一行代码，加入IP地址，然后重新发布项目。
修改后数组IP地址如下：
受限IP地址列表
// Deny list used for the restricted test.
// NOTE(review): the entries are not visible in this listing. Each entry has to be written exactly
// as the filter sees the client address; a test run from the same machine may arrive as an IPv6
// loopback literal rather than an IPv4 one, so confirm against the logged client IP.
static final String[] deniedIPList=new String[]{};
浏览器中输入wsdl地址测试
运行Test客户端测试
客户端日志
服务端日志
总结
至此，webservice的安全相关的文章就已经介绍完了。
以上都是webservice安全方面比较简单的实现措施。需要注意的是，基于IP的过滤只能作为辅助手段：经过代理或NAT之后，服务端看到的是中间设备的地址，因此实际部署时仍应配合身份认证和加密传输一起使用。
更多的欢迎各位的探讨。