
WebService security mechanisms: Filter


Published: 21 November 2020
 

Introduction

The previous post covered WebService security mechanisms; this post continues the WebService security journey.

This post uses a servlet Filter to implement access control for the WebService.

Before the WebService is invoked, the filter intercepts every request matching its URL pattern; only clients that satisfy the security requirement can reach the WebService.

Project environment

System: win; MyEclipse: ; Tomcat:

JDK: development environment / compile environment

Axis:

Sample code: configuration files

web.xml

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- The web-app version and schemaLocation values were stripped in the source; Servlet 2.5 values assumed -->
<web-app version="2.5"
    xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
        http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">

    <!-- Servlet that handles WebService requests -->
    <servlet>
        <servlet-name>AxisServlet</servlet-name>
        <servlet-class>org.apache.axis.transport.http.AxisServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>AxisServlet</servlet-name>
        <url-pattern>/services/*</url-pattern>
    </servlet-mapping>

    <!-- IP address filter; same URL pattern as the servlet, so it runs before AxisServlet -->
    <filter>
        <filter-name>WebServiceFilter</filter-name>
        <filter-class>server.filter.WebServiceFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>WebServiceFilter</filter-name>
        <url-pattern>/services/*</url-pattern>
    </filter-mapping>
</web-app>
```

server-config.wsdd

```xml
<?xml version="1.0" encoding="UTF-8"?>
<deployment xmlns="http://xml.apache.org/axis/wsdd/"
    xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
  <globalConfiguration>
    <parameter name="sendMultiRefs" value="true"/>
    <parameter name="disablePrettyXML" value="true"/>
    <parameter name="adminPassword" value="admin"/>
    <parameter name="attachments.Directory"
        value="D:\tomcat\webapps\WebService\WEB-INF\attachments"/>
    <parameter name="dotNetSoapEncFix" value="true"/>
    <parameter name="enableNamespacePrefixOptimization" value="false"/>
    <parameter name="sendXMLDeclaration" value="true"/>
    <parameter name="sendXsiTypes" value="true"/>
    <parameter name="attachments.implementation"
        value="org.apache.axis.attachments.AttachmentsImpl"/>
    <requestFlow>
      <handler type="java:org.apache.axis.handlers.JWSHandler">
        <parameter name="scope" value="session"/>
      </handler>
      <handler type="java:org.apache.axis.handlers.JWSHandler">
        <parameter name="scope" value="request"/>
        <parameter name="extension" value=".jwr"/>
      </handler>
    </requestFlow>
  </globalConfiguration>

  <handler name="LocalResponder"
      type="java:org.apache.axis.transport.local.LocalResponder"/>
  <handler name="URLMapper"
      type="java:org.apache.axis.handlers.http.URLMapper"/>
  <handler name="Authenticate"
      type="java:org.apache.axis.handlers.SimpleAuthenticationHandler"/>

  <service name="AdminService" provider="java:MSG">
    <parameter name="allowedMethods" value="AdminService"/>
    <parameter name="enableRemoteAdmin" value="false"/>
    <parameter name="className" value="org.apache.axis.utils.Admin"/>
    <namespace>http://xml.apache.org/axis/wsdd/</namespace>
  </service>
  <service name="Version" provider="java:RPC">
    <parameter name="allowedMethods" value="getVersion"/>
    <parameter name="className" value="org.apache.axis.Version"/>
  </service>

  <transport name="http">
    <requestFlow>
      <handler type="URLMapper"/>
      <handler type="java:org.apache.axis.handlers.http.HTTPAuthHandler"/>
    </requestFlow>
    <parameter name="qs:list"
        value="org.apache.axis.transport.http.QSListHandler"/>
    <parameter name="qs:wsdl"
        value="org.apache.axis.transport.http.QSWSDLHandler"/>
    <parameter name="qs.list"
        value="org.apache.axis.transport.http.QSListHandler"/>
    <parameter name="qs.method"
        value="org.apache.axis.transport.http.QSMethodHandler"/>
    <parameter name="qs:method"
        value="org.apache.axis.transport.http.QSMethodHandler"/>
    <parameter name="qs.wsdl"
        value="org.apache.axis.transport.http.QSWSDLHandler"/>
  </transport>
  <transport name="local">
    <responseFlow>
      <handler type="LocalResponder"/>
    </responseFlow>
  </transport>

  <!-- Our own service -->
  <service name="HelloService" provider="java:RPC">
    <parameter name="allowedMethods" value="*"/>
    <parameter name="className" value="server.service.HelloServiceImpl"/>
  </service>
</deployment>
```

Server-side code

HelloServiceImpl.java (the WebService implementation)

```java
package server.service;

public class HelloServiceImpl {

    public String hello(String s) {
        return "hello " + s;
    }
}
```

WebServiceFilter.java (the Filter)

```java
package server.filter;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

public class WebServiceFilter implements Filter {

    // IP addresses that are not allowed to access the WebService
    static final String[] deniedIPList = new String[]{};

    public boolean isIPDenied(String ipAddr) {
        if (deniedIPList.length == 0)
            return false;
        for (int i = 0; i < deniedIPList.length; i++) {
            if (deniedIPList[i].equals(ipAddr)) {
                return true;
            }
        }
        return false;
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res,
            FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // getRemoteHost() yields the IP string only while Tomcat's enableLookups is off
        // (the default); getRemoteAddr() always returns the peer address
        String clientIP = request.getRemoteHost();
        System.out.println("客户端IP:" + clientIP);
        System.out.println("开始过滤…");
        if (isIPDenied(clientIP)) {
            // a ServletException is rendered by Tomcat as an HTTP 500 error page
            throw new ServletException("你没有权限调用此webservice!");
        } else {
            chain.doFilter(req, res);
        }
    }

    public void init(FilterConfig arg0) throws ServletException {
    }
}
```
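As an added example that is not part of the article, a hardened variant of the filter above: it default-denies with an allowlist of IPv4 CIDR ranges instead of a denylist of single addresses, reads getRemoteAddr() rather than getRemoteHost(), and answers HTTP 403 instead of throwing a ServletException (which Tomcat turns into a 500 page with a stack trace). The class name, the sample ranges and the lack of external configuration are assumptions.

```java
package server.filter;

import java.io.IOException;
import java.net.InetAddress;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Allowlist filter: only peers inside one of the configured IPv4 CIDR ranges
 *  may reach /services/*; every other request is rejected with 403. */
public class AllowlistWebServiceFilter implements Filter {

    // Hypothetical sample ranges; in practice load them from an init-param or a config file.
    static final String[] ALLOWED_CIDRS = { "127.0.0.1/32", "10.0.0.0/8" };

    /** True when ipAddr (dotted IPv4 literal) lies inside network/prefix. */
    public static boolean inCidr(String ipAddr, String cidr) throws IOException {
        String[] parts = cidr.split("/");
        int prefix = Integer.parseInt(parts[1]);
        byte[] a = InetAddress.getByName(ipAddr).getAddress();
        if (a.length != 4) return false; // an IPv6 peer never matches an IPv4 range
        int ip = toInt(a);
        int net = toInt(InetAddress.getByName(parts[0]).getAddress());
        int mask = prefix == 0 ? 0 : -1 << (32 - prefix); // prefix 0 would shift by 32 (a no-op in Java)
        return (ip & mask) == (net & mask);
    }

    private static int toInt(byte[] b) {
        return ((b[0] & 0xff) << 24) | ((b[1] & 0xff) << 16) | ((b[2] & 0xff) << 8) | (b[3] & 0xff);
    }

    public static boolean isAllowed(String ipAddr) throws IOException {
        for (String cidr : ALLOWED_CIDRS) {
            if (inCidr(ipAddr, cidr)) return true;
        }
        return false; // default deny
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // getRemoteAddr() is the TCP peer; behind a reverse proxy that is the proxy itself,
        // so only consult X-Forwarded-For when the proxy is trusted and the header is set by it.
        String clientIP = ((HttpServletRequest) req).getRemoteAddr();
        if (!isAllowed(clientIP)) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return; // chain.doFilter is skipped, so the request never reaches AxisServlet
        }
        chain.doFilter(req, res);
    }

    public void init(FilterConfig cfg) throws ServletException { }
    public void destroy() { }
}
```

Map it in web.xml exactly like WebServiceFilter; an address check only identifies a network location, so it complements rather than replaces the user authentication from the previous post.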

Client code

Test.java (client that calls the service via dynamic invocation)

```java
package client;

import java.net.URL;
import javax.xml.rpc.ParameterMode;
import org.apache.axis.client.Call;
import org.apache.axis.encoding.XMLType;

public class Test {

    public static void main(String args[]) throws Exception {
        webservice_user();
    }

    public static void webservice_user() throws Exception {
        // create the Service object using the class shipped with Axis
        org.apache.axis.client.Service service = new org.apache.axis.client.Service();
        // create the URL object
        // the port number was stripped in the source; Tomcat's default 8080 is assumed
        String wsdlUrl = "http://localhost:8080/WebService_Security/services/HelloService?wsdl"; // URL of the service
        URL url = new URL(wsdlUrl); // build the URL object from the wsdlUrl string
        // create the Call object that invokes the service method, then set its properties
        Call call = (Call) service.createCall();
        call.setTargetEndpointAddress(url); // request URL
        String serviceName = "hello"; // name of the WebService method
        call.setOperationName(serviceName); // name of the operation to invoke
        call.addParameter("s", XMLType.XSD_STRING, ParameterMode.IN); // parameter name, type and mode
        call.setReturnType(XMLType.SOAP_STRING); // return type of the invoked method
        call.setTimeout(new Integer(5000)); // timeout in ms; the value was stripped in the source, 5000 assumed
        //
        // the username and password here correspond to the entries in the users.lst file under WEB-INF
        // (the authentication mechanism of the previous post); not needed for the IP filter
        // call.getMessageContext().setUsername("pantp");
        // call.getMessageContext().setPassword("…");
        //
        // invoke the WebService through the invoke method
        String str = new String("pantp");
        System.out.println("开始调用webservice服务……");
        String dept = (String) call.invoke(new Object[] { str }); // call the service method
        System.out.println("结束调用webservice服务……");
        // print the returned result
        System.out.println("返回结果如下:" + dept);
    }
}
```

Security test: normal case (the local IP address is not in the denied list)

Test by entering the WSDL address in a browser.

Run the Test client.

Client log:

Server log:

Denied case (the local IP address is in the denied list)

Edit the line in the WebServiceFilter class that declares the deniedIPList array, add the IP address, and redeploy the project.

After the change the array contains the following IP address (the address itself was stripped in the source):

Denied IP address list:

```java
static final String[] deniedIPList = new String[]{};
```

Test by entering the WSDL address in a browser.

Run the Test client.

Client log:

Server log:

Summary

This concludes the series of posts on WebService security.

All of the above are fairly simple measures for securing a WebService.

Further discussion is welcome.

               
