?一: Web Service security UserNameToken 概念

原理：用戶在發送請求的時候，在Soap head中加入自己的用戶名以及密碼，接受請求的Service通過之前與Client建立的共享密碼來驗證密碼的合法性從而實現鑒別用戶的功能。

<wsse:UsernameToken>??

????<wsse:Username>NNK</wsse:Username>??

????<wsse:Password?Type="...#PasswordDigest">??

?????????weYI3nXd8LjMNVksCKFV8t3rgHh3Rw==??

????</wsse:Password>??

????<wsse:Nonce>WScqanjCEAC4mQoBE07sAQ==</wsse:Nonce>??

????<wsu:Created>2003-07-16T01:24:32Z</wsu:Created>??

</wsse:UsernameToken>?

Password_Digest = Base64 ( SHA-1 ( nonce + created + password ) )
wsse:Nonce和wsu:Created這兩個元素的作用：是為了避免重放(Replay)***。

只要對密碼做一些處理就可以從中派生出密鑰。當然為了安全起見我們希望每次派生出來的密鑰都不一樣，這樣就可以避免多次使用同一密鑰而導致密鑰被破解。下面就是WS-Security對密鑰派生的元素定義：

<wsse:UsernameToken?wsse:Id=”…”>??

????<wsse:Username>…</wsse:Username>??

????<wsse11:Salt>…</wsse11:Salt>??

????<wsse11:Iteration>…</wsse11:Iteration>??

</wsse:UsernameToken>?

其中Salt是導致密鑰變化的因子，Iteration是密鑰派生時Hash的次數。
密碼的派生公式如下：
K1 = SHA1( password + Salt)??K2 = SHA1( K1 )??…?Kn = SHA1 ( Kn-1)

二:代碼示例

xml文件：

Request?xml：?

<soapenv:Envelope?xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"?xmlns:web="http://www.webserviceX.NET/">?

???<soapenv:Header/>?

???<soapenv:Body>?

??????<web:ConversionRate>?

?????????<web:FromCurrency>1</web:FromCurrency>?

?????????<web:ToCurrency>2</web:ToCurrency>?

??????</web:ConversionRate>?

???</soapenv:Body>?

</soapenv:Envelope>?

?

Response?xml：?

<soapenv:Envelope?xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"?xmlns:web="http://www.webserviceX.NET/">?

???<soapenv:Header/>?

???<soapenv:Body>?

??????<web:ConversionRateResponse>?

?????????<web:ConversionRateResult>88</web:ConversionRateResult>?

??????</web:ConversionRateResponse>?

???</soapenv:Body>?

</soapenv:Envelope>?

?

1 直接使用httpclient調用service

?

??public?static?String?soapSpecialConnection(String?url)?throws?Exception?

????{?

????//拼裝soap請求報文?

????????StringBuilder?sb?=?new?StringBuilder();?

????????StringBuilder?soapHeader?=?new?StringBuilder();?

????????soapHeader.append("<SOAP-ENV:Envelope?xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\"?xmlns:web=\"http://www.webserviceX.NET/\">");?

????????soapHeader.append("<SOAP-ENV:Header/>");?

????????soapHeader.append("<SOAP-ENV:Body>");?

????????soapHeader.append("<web:ConversionRate>");?

????????soapHeader.append("<web:FromCurrency>123</web:FromCurrency>");?

????????soapHeader.append("<web:ToCurrency>123</web:ToCurrency>");?

????????soapHeader.append("</web:ConversionRate>");?

????????soapHeader.append("</SOAP-ENV:Body>");?

????????soapHeader.append("</SOAP-ENV:Envelope>");?

?????????

????????//設置soap請求報文的相關屬性?

????????URL?u?=?new?URL(url);?

????????HttpURLConnection?conn?=?(HttpURLConnection)?u.openConnection();?

????????conn.setDoInput(true);?

????????conn.setDoOutput(true);?

????????conn.setUseCaches(false);?

????????conn.setDefaultUseCaches(false);?

????????conn.setRequestProperty("Host",?"localhost:8080");?

????????conn.setRequestProperty("Content-Type",?"text/xml;?charset=utf-8");?

????????conn.setRequestProperty("Content-Length",?String.valueOf(soapHeader.length()));?

????????conn.setRequestProperty("SOAPAction",?"");?

????????conn.setRequestMethod("POST");?

????????//定義輸出流?

????????OutputStream?output?=?conn.getOutputStream();?

????????if?(null?!=?soapHeader)?{?

????????????byte[]?b?=?soapHeader.toString().getBytes("utf-8");?

????????????//發送soap請求報文?

????????????output.write(b,?0,?b.length);?

????????}?

????????output.flush();?

????????output.close();?

????????//定義輸入流，獲取soap響應報文?

????????InputStream?input?=?conn.getInputStream();?

????????int?c?=?-1;?

????????//sb為返回的soap響應報文字符串?

????????while?(-1?!=?(c?=?input.read()))?{?

????????????sb.append((char)c);?

????????}?

????????input.close();?

????????return?sb.toString();??????

}?

?

2 使用apache的axis 來調用service

private?void?callRequest()?throws?SOAPException?{?

????????String????NAMESPACE_URI?=?"http://www.webserviceX.NET/";?

????????String????PREFIX????????=?"web";?

????????String?url?=?"http://localhost:28080/MockService";?

?????????

?????????SOAPConnectionFactory?connectionFactory=SOAPConnectionFactory.newInstance();?

?????????MessageFactory????????messageFactory=MessageFactory.newInstance();?

?????????SOAPFactory???????????soapFactory?=?SOAPFactory.newInstance();?

?????????

????????SOAPMessage?message?=?messageFactory.createMessage();?

????????SOAPEnvelope?envelope?=?message.getSOAPPart().getEnvelope();?

????????envelope.addNamespaceDeclaration(PREFIX,?NAMESPACE_URI);?

????????Name?requestName?=?soapFactory.createName("ConversionRate",?PREFIX,?NAMESPACE_URI);?

????????SOAPBodyElement?trackRequestElement?=?message.getSOAPBody().addBodyElement(requestName);?

????????SOAPElement?element1,?element2;?

?

????????element1?=?trackRequestElement.addChildElement(soapFactory.createName("FromCurrency",?PREFIX,?NAMESPACE_URI));?

????????element2?=?trackRequestElement.addChildElement(soapFactory.createName("ToCurrency",?PREFIX,?NAMESPACE_URI));?

????????element1.addTextNode("123");?

????????element2.addTextNode("123");?

?

????????MimeHeaders?hd?=?message.getMimeHeaders();?

????????hd.setHeader("SOAPAction",?"");?

????????hd.setHeader("Content-Type",?"text/xml;?charset=utf-8");?

?

????????SOAPConnection?connection?=?connectionFactory.createConnection();?

????????SOAPMessage?response?=?connection.call(message,?url);??????

????}?

?

3 輸出為xml，便于調試

public?void?wirteToxml(String?fileName,?SOAPMessage?request)?throws?Exception?{?

??????FileWriter?fw?=?new?FileWriter(fileName,?true);?//?outputFile為要寫入的.xml文件，如result.xml?

??????BufferedWriter?bw?=?new?BufferedWriter(fw);?

??????Source?source?=?request.getSOAPPart().getContent();?

??????Transformer?transformer?=?TransformerFactory.newInstance().newTransformer();?

??????ByteArrayOutputStream?myOutStr?=?new?ByteArrayOutputStream();?

??????StreamResult?res?=?new?StreamResult();?

??????res.setOutputStream(myOutStr);?

??????transformer.transform(source,?res);?

??????String?temp?=?myOutStr.toString().trim();?

?

??????bw.write(temp);?

??????bw.newLine();?

??????bw.flush();?

??????bw.close();?

??}?

?

4 設置 web service security

?

??protected?void?buildHeader(SOAPMessage?message)?throws?SOAPException?{?

????????String?username?=?"1234";?

????????String?password?=?"1234";?

????????final?String?SECURITY_PREFIX?=?"wsse";?

????????SOAPEnvelope?envelope?=?message.getSOAPPart().getEnvelope();?

????????SOAPHeader?soapHead?=?message.getSOAPHeader();?

????????SOAPHeaderElement?security?=?soapHead.addHeaderElement(envelope.createName("Security",?SECURITY_PREFIX,?

???????????????????????????????????????????????????????????????????????????????????"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"));?

????????security.setMustUnderstand(true);?//?服務方必須能夠識別校驗，否則失敗?

?

????????SOAPElement?usernameToken?=?security.addChildElement("UsernameToken",?SECURITY_PREFIX);?

????????usernameToken.addNamespaceDeclaration("wsu",?

??????????????????????????????????????????????"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd");?

?

????????SOAPElement?usernameNode?=?usernameToken.addChildElement("Username",?SECURITY_PREFIX);?

????????usernameNode.setValue(username);?

?

????????SOAPElement?passwordNode?=?usernameToken.addChildElement("Password",?SECURITY_PREFIX);?

????????passwordNode.setAttribute("Type",?

??????????????????????????????????"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText");?

????????passwordNode.setValue(password);?

}??

mustUnderstand：用于標注security header是否必須被service端解析處理

三:測試工具

TCPMon :?? http://ws.apache.org/commons/tcpmon/tcpmontutorial.html 可視化發送請求的信息，以及返回結果的信息，便于調試

?

?

?

?

轉載于:https://blog.51cto.com/drizzlewalk/1149515

總結

以上是生活随笔為你收集整理的Web Service security UserNameToken 使用的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。