2016-02-29 137 views
0

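Web service SOAP UsernameToken with CXF: not sending the username/password on every request

I am using a UsernameToken security policy to secure a SOAP web service. I don't want the client to send the username/password on every request. Is it possible to make the web service stateful? Currently ServerPasswordCallback is invoked for every request.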

Here is my code:

ComputeWS.java

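import javax.jws.WebMethod;
import javax.jws.WebService;

import org.apache.cxf.annotations.EndpointProperties;
import org.apache.cxf.annotations.EndpointProperty;
import org.apache.cxf.annotations.Policy;

@WebService(
    serviceName = "ComputeWS",
    targetNamespace = "http://org.test/compute",
    name = "ComputeWS")
// Registers the callback handler that supplies passwords for UsernameToken validation
@EndpointProperties(
    value = { @EndpointProperty(key = "ws-security.callback-handler", value = "org.test.ServerPasswordCallback") })
// Attaches the WS-SecurityPolicy document to the binding
@Policy(placement = Policy.Placement.BINDING, uri = "WSPolicy.xml")
public class ComputeWS {

    @WebMethod
    public int add(int x, int y) {
        return x + y;
    }

}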

WSPolicy.xml

<?xml version="1.0" encoding="UTF-8" ?>
<wsp:Policy wsu:Id="WSPolicy" xmlns:wsp="http://www.w3.org/ns/ws-policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:SupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                        <wsp:Policy>
                            <sp:WssUsernameToken11/>
                        </wsp:Policy>
                    </sp:UsernameToken>
                </wsp:Policy>
            </sp:SupportingTokens>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>

ServerPasswordCallback.java

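package org.test;

import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

// Assumes WSS4J 2.x (CXF 3.x); with WSS4J 1.6 the class is org.apache.ws.security.WSPasswordCallback
import org.apache.wss4j.common.ext.WSPasswordCallback;

public class ServerPasswordCallback implements CallbackHandler {

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];

        // Supply the expected password for the user named in the incoming token;
        // WSS4J compares it with the password the client sent
        if ("joe".equals(pc.getIdentifier())) {
            pc.setPassword("joespassword");
        }
    }

}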

Answers

0

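There is no "out of the box" way to do this, as far as I know. You could change the UsernameToken's "IncludeToken" policy from "AlwaysToRecipient" to "Once". Then, on the server side, you would have to implement some way of tracking the client, via something like Spring Security or Apache Shiro, etc.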

+0

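Do you have an example of SecurityPolicy's IncludeToken Once? I am surprised not to find any sample project using this mechanism; this is a common requirement when validating users against a database.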
