webservice的安全机制2

《webservice的安全机制2》由会员分享，可在线阅读，更多相关《webservice的安全机制2（14页珍藏版）》请在装配图网上搜索。

1、本节摘要：本节介绍使用handler的方式来实现webservice的IP地址的校验。1引言前一节介绍了使用users.lst文件来实现webservice的用户名和密码的校验，本节介绍使用webservice的handler来实现webservice的安全校验。这里，不用用户名和密码来实现安全校验，换一种方式，采用IP地址校验的方式。这里通过一个配置文件来控制是否打开IP校验开关以及允许哪些IP地址的客户端可以访 问。这里的开发还是基于上一节HelloService这个基本的webservice基础上来开发。2项目环境system : win7myeclipse : 6.5tomcat :

2、5.0 JDK:开发环境 1.5，编译环境 1.4axis : 1.4项目结构图如下：J |空 WebServiceOS.Security |酋srcT.+j client jj Testl ,j avaj 田 servertj handler0 国 IpAuthentionHandler.java 園 ip.properties* servicet- HelloServicempl.java JRE System Library jdkl.5.0_060 J2EE 1.4 LibrariesP Ek R&f&renced Librariesj 凸 WebRootp & META-1NFj 凸

3、 WEB-INF& lib,X server-config.wsdd xf wrgb.xml index.jsp3示例代码配置文件web.xml-web项目的配置文件，和基本的webservice配置没任何区别 web.xml?xml version=1.0 encoding=UTF-8?web-app version=2.4xmlns= xmlns:xsi=http:/www.w3.org/2001/XMLSchema-instance xsi:schemaLocation= http/http./wTWHw 0791iwang cnAxisServlet10servletclass11or

4、g.apache.axis.transport.http.AxisServlet12/servletclass13 14 15 servlet-nameAxisServlet/servlet-name16 /servic /*17 1819 侖server-co nfig.wsdd-axis的配置文件，这里的配置就是一个webservice+ha ndler的基本配置田日server-config.wsdd?xml version=1.0 encoding=UTF-8?deployment xmlns=http:/xml.apache.org/axis/wsdd/xmlns:java=http

5、:/xml.apache.org/axis/wsdd/providers/javaparametername=disablePrettyXML value=true /parametername=adminPassword value=admin /parametername=attachments.Directoryvalue=D:tomcat5webappsWebServiceWEB-INFattachments /10parameter name=dotNetSoapEncFix value=true /11parameter name=enableNamespacePrefixOpti

6、mization12value=false /13141517requestFlow18handler type=java:org.apache.axis.handlers.JWSHandler1920/handler21handler type=java:org.apache.axis.handlers.JWSHandler222324/handler25/requestFlow26/globalConfiguration27handler name=LocalResponder28type=java:org.apache.axistransportlocalLocalResponder /

7、29handler name=URLMapper30type=java:org.apache.axishandlershttpURLMapper /3132333435363738394041424344454 6474849505152535455565758596061626364656667686970type=7172handler name=Authenticate type=java:org.apache.axis.handlersSimpleAuthenticationHandler /parameter name=allowedMethods value=AdminServic

8、e /parameter name=enableRemoteAdmin value=false /http/:/xml.apache.org/axis/wsdd/serviceservice name=Version provider=java:RPCparameter name=allowedMethods value=getVersion /parameter name=className value=org.apache.axis.Version /servicetransport name=httprequestFlowhandler type=URLMapper /handler t

9、ype=java:org.apache.axishandlershttpHTTPAuthHandler /requestFlow /transporttransport name=localresponseFlowhandler type=LocalResponder /responseFlow/transport！-配置一个handler，用来进行IP校验-handler name=IPHandlerjava:server.handler.IpAuthentionHandler/handler75767778/798081828384!-配置自己的服务-(parameter name=cla

10、ssName value=server.service.HelloServiceImpl(handler type=IPHandler /requestFlow85 8687 /deployment服务端文件服务类:HelloServicelmpl.javaHelloServicelmpl.java package server.service;public class HelloServicelmpl public String hello(String s) System.out.println 我是服务端)System.out.println 方法的入参为： + s); return h

11、ello, + s;10han dler处理类和配置文件:IpAuthe nti onHan dler.java田日IpAuthentionHandler.java1 package server.handler;importjava.io.IOException;importjava.io.InputStream;importjava.util.Properties;importjava.util.regex.Pattern;importjavax.servlet.http.HttpServletRequest;10importorg.apache.axis.AxisFault;11impo

12、rtorg.apache.axis.MessageContext;12importorg.apache.axis.handlers.BasicHandler;13importorg.apache.axis.transport.http.HTTPConstants;14importorg.apache.axis.utils.Messages;1516/利用handler进行客户端IP校验17public class IpAuthentionHandler extends BasicHandler 1819private static final long serialVersionUID = 1

13、L;2021private static Properties p = new Properties();2223static 24InputStream in =null;try /注意这里的文件的存放位置和文件路径的书写方式；path不以/开头时默认是从 此类所在的包下取资源2526/这里如果我们把ip.properties放在src根目录下，然后采用 src/ip.properties的形式是没法取到此文件的；/此时需要使用2728in=IpAuthentionHandler.class.getClassLoader().getResourceAsStream(ip.properties

14、);29inIpAuthentionHandler.class.getResourceAsStream(ip.properties);30p.load(in);3132catch (IOException e) System.out.println(ip.propertie配置文件加载失败！);e.printStackTrace();34finally 35if (null != in)3637try 38catch (IOException e) in.close();4142434445474849String uri = messageContext.getSOAPActionURI()

15、;50String targetService = messageContext.getTargetService();51System .out. println(webservic 开始 IP 认证： service + uri + / + targetService);5253String name = HTTPConstants MC_HTTP_SERVLETREQUEST;5455HttpServletRequest request = (HttpServletRequest) messageContext56.getProperty(name);5758String remoteA

16、ddr = request.getRemoteAddr();System .out. println 客 户端 IP： + remoteAddr);596061String switcher = p.getProperty(ip_switcher);System .out. println(I 校验开关： + switcher);626364if (on.equalsIgnoreCase(switcher) System.out.println服务端IP校验开关处于【打开】状态，需要校验IP);6566String regx = p.getProperty(ip_allow);67System

17、.out.println允许调用服务的IP地址有：+ regx);6869if (null != regx & regx.length() 0)7071String regxArray = regx.split(,)72boolean ip_check = false;73for (int i = 0; i regxArray.length; i+)Pattern p = Ppile(regxArrayi);75boolean flag = p.matcher(remoteAddr).find();76if(flag) public void invoke(MessageContext mes

18、sagecontext) throws AxisFault String status=(Strinthis .getOption(status);System.out.println(IpAuthentionHandlers status is :+status);7778ip_chectrue;82if (ip.check) break;8384System.out.println(I验通过！)；else 85 throw new AxisFault(,Messages.getMessage(wrong ip： + remoteAddr),null, null);86 87 else 88

19、 System.out.printl请指定校验的客户端IP!);89 throw new AxisFault();90 91 else if (off.equalsIgnoreCase(switcher) 92 System.out.println服务端IP校验开关处于【关闭】状态，不需要校验IP);93 94 95 96 ip.properties田日ip.properties#2 #IP校验开关只能填写on或者off,不区分大小写3 ip_switcher=on44 #允许调用对应的webservice服务的客户端IP地址 多个IP地址之间用逗号隔开5 #当ip校验开关打开的时候，必须配置

20、IP地址6 ip_allow=10.10.147.124,10.10.147.123,127.0.0.189校验配置#客户端文件TestljavaHE ,Test1.java1 package client;23 import .URL;456import javax.xml.rpc.ParameterMode;67import org.apache.axis.client.Call;89import org.apache.axis.encoding.XMLType;91011public class Test1 12public static void main(String args) t

21、hrows Exception 13webservice user();14151617public static void webservice user() throws Exception 18/ 1创建service对象，通过axis自带的类创建19org.apache.axis.client.Service service neworg.apache.axis.client.Service();2021/ 2 创建url对象22String wsdlUrl =http:/localhost:8080/WebService05_Security/services/HelloServic

22、e?wsdl;/ 请求服务的URL23URUrl = new URL(wsdlUrl);/通过URL类的构造方法传入wsdlUrl地址创建URL对象2425/ 2 创建服务方法的调用者对象call，设置call对象的属性26Call call = (Call) service.createCall();27call.setTargetEndpointAddress(url / 给 call 对象设置请求的 URL 属性28String serviceName = hello / webservice 的方法名29call.setOperationName(serviceName / 给 cal

23、l 对象设置调用方法名属性30call.addParameter(s, XMLType.XSD STRING, ParameterMode.IN)/;/ 给call对象设置方法的参数名、参数类型、参数模式31call.setReturnType(XMLType.SOAP STRING)/;/ 设置调用方法的返回值类型3233/ call.setTimeout(new Integer(200);/设置超时限制34/ 4 .通过 invoke 方法调用 webservice35String str new String(pantp);36法String dept = (String) call.i

24、nvoknew Object str );/ 调用服务方3738/ 5打印返回结果39System.out.println 我是客户端);40System.out.println(dept);4142 43 验证结果发布工程，启动tomcat服务器：1.看webservice在浏览器中是否可以正常显示在浏览器中输入wsd I地址：http:/localhost:8080/WebService05 Security/services/HelloService?wsdl匚网贡LUTH肆 口肢止i!辱丸localhoC localhcst:8080/WebService05_Security/ser

25、vices/HelloService?wsdl口 study 口This XML file does not appear to have any style information associated with it. Thet wsdl: def init ions smlns: apachesoap=f http:/sml. apache. org/.xml-soap Kmlns: imp 1- httpi./localh( Kmlns:mtf= ht t pi /loc alho st:8080/WebServiceG5_Securit7/services/HelloService

26、Kinins:suapenc Kmlns:wsdlsoap= http:/schemas, zmlsoap, org/wsdl/soap/ smlns:ssd= http:/ww.w-3. org/2001 /KMLSfWSDL created by Apache Axis version: 1.4 Built on Apr 22 2006 (0655:48 PDT7t iwsdl: message name=helloReque t.:rt v ：wsdl: input rne.S3.ge impl:helloRequest name=helloRequemt/3ws dl rout put

27、 messag e= imp l:hell uRe sp ons e najne= hell oRe sp ons :；wsdlsoap;operat ion suapAct ion= /t ntsdlsoap:body encodingStyle http:/schemas. Kmlsoap, org/spapAencoding;/17 namespace- ht v -ws dlsoap:body enc o ding St yl e- http ?/ chemab Kml soap, or g/s o ap/enc o ding;/ name sp ac e- ht /wsdl! ope

28、ratiori/-wsdl: bindingt wsdlc service name=HelloServic已ImplSer寸iuet .2运行webservice客户端，看是否可以正常的访问目前IP配置文件中开关是打开的，并且127.0.0.1是允许访问此webservice服务的运行后客户端和服务端日志分别如下：terminated T&stl Java Applicatic*, Problems 匡 Tasks / Web Browser 貝 匚onsole 蘆槪 Servers 芝 Progresstomcat5&erv&r Remote Java Application D:Prog

29、ram Fi 1 esjdkl.4.2binjavaw.(Sep 10, 201；hellorpantpIpAuthentionHandlers status is :successWEb5Ervke开始I卩认证：serviceAVebService05_Security/HeiloService 客户端IP 127.0.0.1IP校验开关:on服务端【打开】 舷r 校验IP允许调用服务的IP地址有:10.10.147.124r10.10.147.123r127.0.0.1!3模拟不能正常访问的IP地址的调用情况把ip.properties文件中的ip_allow=10.10.147.124,

30、10.10.147.123,127.0.0.1改为：ip_allow=10.10.147.124,10.10.147.123然后，重新发布项目，启动tomcat :此时客户端和服务端的日志如下（此时需要时间稍微长一点，客户端才会出现以下异常）:m vonsoie 堂沪 Javaheri pi cripis inspecEor 旨 nisiory 旦5 ns Qi已0旦 Console Testi (2) Java Application D:Program FiIesJavajdkl.5.0_06binjavaw.exe (Sep IX 2012 12:15:2Exception in thr

31、ead mainn AxisFault faultcode: http:/xml.apache.org/axis/JServer faultsubcode:faultString: Server ErrorfaultActor:faultNode:faultDetail:http:/xml.apache.org/axis/Jst日匸灯旧匸出职前 Errorat og.日p日che.日xish日nclleg.so日p.SOAPServke.irh/ciicEdOAPServicE.i日廿日:474)at og.日pmche.日xi55ErvE.Axi&SErve.im/olce(AxiSErvE

32、iiBHB：2ljat org.apache.axis.transport.http.Axi5SmrvlEtclo卩05t(AxisSErvlet.iBVB：69g)dt j 日 v白兀舵用1吐打 ttp.HttpSEwlEt昶 rviy(HttpSgrvlEtjBV3：709)at og日pchm日xim.t日门5porthttp.AjJ JavaScript Scripts Inspector Histotomcat5Server Remote Java Application D:ProgramFiIesjdkl.4.2binjavaw.exe Sep 11, 2012 12:17:1IpAuthentionHandlers status is :successweb&erviceJfiniPiAffi : &erviceAVebService05_Secufity/HelloService 客户端I卩：127.0.0.1【卩校斷关：on 服务端IP校验开关处于【打开】状态r需要校验IP允许调用眼务的IP地址有：10.10.147.124,10.10.147.123