Ale*_*ira 6 java ws-security cxf wss4j
我正在使用Apache CXF来构建Web服务.它使用Apache WSS4J来提供WS-Security功能.我需要发出SOAP请求,必须签名.
这是我传递给WSS4J的属性文件的内容:
org.apache.ws.security.crypto.provider = org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type = PKCS12
org.apache.ws.security.crypto.merlin.keystore.provider = BC
org.apache.ws.security.crypto.merlin.keystore.password = 12345678
org.apache.ws.security.crypto.merlin.keystore.alias = my-alias
org.apache.ws.security.crypto.merlin.keystore.file = my_certificate.p12
我希望摆脱那条线,我的密码写成纯文本.我删除了那一行并为我的WSS4JOutInterceptor提供了一个密码回调处理程序,就像上面的代码一样:
public SoapInterceptor newSignerInterceptor() {
Map<String, Object> outProps = new HashMap<String, Object>();
outProps.put(WSHandlerConstants.ACTION, "Signature");
outProps.put(WSHandlerConstants.USER, config.getKeyAlias());
outProps.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
outProps.put(WSHandlerConstants.USE_REQ_SIG_CERT, WSHandlerConstants.SIGNATURE_USER);
outProps.put(WSHandlerConstants.USE_SINGLE_CERTIFICATE, "false");
outProps.put(WSHandlerConstants.PW_CALLBACK_CLASS, this.getClass().getName());
outProps.put(WSHandlerConstants.SIG_PROP_FILE, config.getPropertiesFileName());
return new WSS4JOutInterceptor(outProps);
}
@Override
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
for (int i = 0; i < callbacks.length; i++) {
if (callbacks[i] instanceof WSPasswordCallback) {
((WSPasswordCallback) callbacks[i]).setPassword(password);
}
}
}
但那没用.它在属性文件中找不到密码,并使用默认密码"security".
如何让它使用回调来获取密码?
您可以实现CallbackHandler:
public class PasswordCallbackHandler implements CallbackHandler {
@Override
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
for(Callback callBack:callbacks){
if(callBack instanceof WSPasswordCallback){
((WSPasswordCallback)callBack).setPassword("password");
}
}
}
}
然后将处理程序添加到属性:
outProps.put(WSHandlerConstants.PW_CALLBACK_CLASS, PasswordCallbackHandler.class);
您还可以使用PW_CALLBACK_REF来设置处理程序的引用.