webservice的安全机制3---Filter
发布时间:2020-12-17 00:20:40 所属栏目:安全 来源:网络整理
导读:1.引言 前面讲了webservice的安全机制1和2,本节继续webservice的安全之旅, 本节采用servlet的Filter的来实现对webservice的安全访问。 在调用webservice之前,过滤器会拦截匹配的请求,只有满足安全要求的客户端才能访问webservice服务。 2.项目环境 syste
|
1.引言
前面讲了webservice的安全机制1和2,本节继续webservice的安全之旅, 本节采用servlet的Filter的来实现对webservice的安全访问。 在调用webservice之前,过滤器会拦截匹配的请求,只有满足安全要求的客户端才能访问webservice服务。 2.项目环境 system:win7 myeclipse:6.5 tomcat:5.0 JDK:开发环境1.5,编译环境1.4 axis:1.4
3.示例代码 <?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4"
xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<!-- 配置webservice的处理类 -->
<servlet>
<servlet-name>AxisServlet</servlet-name>
<servlet-class>
org.apache.axis.transport.http.AxisServlet
</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>AxisServlet</servlet-name>
<url-pattern>/services/*</url-pattern>
</servlet-mapping>
<!--配置IP地址的过滤器 -->
<filter>
<filter-name>WebServiceFilter</filter-name>
<filter-class>server.filter.WebServiceFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>WebServiceFilter</filter-name>
<url-pattern>/services/*</url-pattern>
</filter-mapping>
</web-app>server-config.wsdd
<?xml version="1.0" encoding="UTF-8"?>
<deployment xmlns="http://xml.apache.org/axis/wsdd/"
xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
<globalConfiguration>
<parameter name="sendMultiRefs" value="true" />
<parameter name="disablePrettyXML" value="true" />
<parameter name="adminPassword" value="admin" />
<parameter name="attachments.Directory"
value="D:tomcat5webappsWebServiceWEB-INFattachments" />
<parameter name="dotNetSoapEncFix" value="true" />
<parameter name="enableNamespacePrefixOptimization"
value="false" />
<parameter name="sendXMLDeclaration" value="true" />
<parameter name="sendXsiTypes" value="true" />
<parameter name="attachments.implementation"
value="org.apache.axis.attachments.AttachmentsImpl" />
<requestFlow>
<handler type="java:org.apache.axis.handlers.JWSHandler">
<parameter name="scope" value="session" />
</handler>
<handler type="java:org.apache.axis.handlers.JWSHandler">
<parameter name="scope" value="request" />
<parameter name="extension" value=".jwr" />
</handler>
</requestFlow>
</globalConfiguration>
<handler name="LocalResponder"
type="java:org.apache.axis.transport.local.LocalResponder" />
<handler name="URLMapper"
type="java:org.apache.axis.handlers.http.URLMapper" />
<handler name="Authenticate"
type="java:org.apache.axis.handlers.SimpleAuthenticationHandler" />
<service name="AdminService" provider="java:MSG">
<parameter name="allowedMethods" value="AdminService" />
<parameter name="enableRemoteAdmin" value="false" />
<parameter name="className" value="org.apache.axis.utils.Admin" />
<namespace>http://xml.apache.org/axis/wsdd/</namespace>
</service>
<service name="Version" provider="java:RPC">
<parameter name="allowedMethods" value="getVersion" />
<parameter name="className" value="org.apache.axis.Version" />
</service>
<transport name="http">
<requestFlow>
<handler type="URLMapper" />
<handler
type="java:org.apache.axis.handlers.http.HTTPAuthHandler" />
</requestFlow>
<parameter name="qs:list"
value="org.apache.axis.transport.http.QSListHandler" />
<parameter name="qs:wsdl"
value="org.apache.axis.transport.http.QSWSDLHandler" />
<parameter name="qs.list"
value="org.apache.axis.transport.http.QSListHandler" />
<parameter name="qs.method"
value="org.apache.axis.transport.http.QSMethodHandler" />
<parameter name="qs:method"
value="org.apache.axis.transport.http.QSMethodHandler" />
<parameter name="qs.wsdl"
value="org.apache.axis.transport.http.QSWSDLHandler" />
</transport>
<transport name="local">
<responseFlow>
<handler type="LocalResponder" />
</responseFlow>
</transport>
<!-- 配置自己的服务 -->
<service name="HelloService" provider="java:RPC">
<parameter name="allowedMethods" value="*" />
<parameter name="className"
value="server.service.HelloServiceImpl" />
</service>
</deployment>(2)服务端代码
HelloServiceImpl.java---webservice服务端 package server.service;
public class HelloServiceImpl {
public String hello(String s) {
return "hello," + s;
}
}WebServiceFilter.java---Filter过滤器
package server.filter;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
public class WebServiceFilter implements Filter {
//不允许访问webservice服务的IP地址
static final String[] deniedIPList=new String[]{"192.168.1.12"};
public boolean isIPDenied(String ipAddr){
if(deniedIPList.length==0)
return false;
for(int i=0;i<deniedIPList.length;i++){
if(deniedIPList[i].equals(ipAddr)){
return true;
}
}
return false;
}
public void destroy() {
}
public void doFilter(ServletRequest req,ServletResponse res,FilterChain chain) throws IOException,ServletException {
HttpServletRequest request=(HttpServletRequest) req;
String clientIP=request.getRemoteHost();
System.out.println("客户端IP:"+clientIP);
System.out.println("开始过滤...");
if(isIPDenied(clientIP)){
throw new ServletException("你没有权限调用此webservice!");
}else{
chain.doFilter(req,res);
}
}
public void init(FilterConfig arg0) throws ServletException {
}
}(3)客户端代码
Test.java---客户端动态调用的代码 package client;
import java.net.URL;
import javax.xml.rpc.ParameterMode;
import org.apache.axis.client.Call;
import org.apache.axis.encoding.XMLType;
public class Test {
public static void main(String args[]) throws Exception{
webservice_user();
}
public static void webservice_user() throws Exception {
// 1.创建service对象,通过axis自带的类创建
org.apache.axis.client.Service service = new org.apache.axis.client.Service();
// 2.创建url对象
String wsdlUrl = "http://localhost:8080/WebService08_Security/services/HelloService?wsdl";// 请求服务的URL
URL url = new URL(wsdlUrl);// 通过URL类的构造方法传入wsdlUrl地址创建URL对象
// 2.创建服务方法的调用者对象call,设置call对象的属性
Call call = (Call) service.createCall();
call.setTargetEndpointAddress(url);// 给call对象设置请求的URL属性
String serviceName = "hello";// webservice的方法名
call.setOperationName(serviceName);// 给call对象设置调用方法名属性
call.addParameter("s",XMLType.XSD_STRING,ParameterMode.IN);// 给call对象设置方法的参数名、参数类型、参数模式
call.setReturnType(XMLType.SOAP_STRING);// 设置调用方法的返回值类型
// call.setTimeout(new Integer(200));//设置超时限制
//---------------------------------------------------------------------------------------
//此处的用户名和密码对应WEB-INF目录下users.lst文件中的用户名和密码
// call.getMessageContext().setUsername("pantp");
// call.getMessageContext().setPassword("123456");
//---------------------------------------------------------------------------------------
// 4.通过invoke方法调用webservice
String str=new String("pantp");
System.out.println("开始调用webservice服务.....");
String dept = (String) call.invoke(new Object[] { str });// 调用服务方法
System.out.println("结束调用webservice服务.....");
// 5.打印返回结果
System.out.println("返回结果如下:"+dept);
}
}4.安全测试
(1)正常测试(本机IP地址不在受限IP之内) 浏览器中输入wsdl地址测试:
运行Test客户端测试: 客户端日志:
服务端日志:
(2)受限测试(本机IP地址在受限IP之内)? ? ?修改WebServiceFilter类中deniedIPList数组所在的一行代码,加入IP地址127.0.0.1,然后重新发布项目; ? ? ?修改后数组IP地址如下: static final String[] deniedIPList=new String[]{"192.168.1.12","127.0.0.1"};
浏览器中输入wsdl地址测试:
运行Test客户端测试: 客户端日志:
服务端日志:
? 5.总结至此,webservice的安全相关的文章就已经介绍完了; 以上都是webservice安全方面比较简单的实现措施。 更多的欢迎各位的探讨。 (编辑:李大同) 【声明】本站内容均来自网络,其相关言论仅代表作者个人观点,不代表本站立场。若无意侵犯到您的权利,请及时与联系站长删除相关内容! |
