java - Spring WS : How to apply Interceptor to a specific endpoint

Question

我在 Spring 应用程序上有多个工作的 SOAP Web 服务，使用 httpBasic 身份验证，我需要在其中一个上使用 WS-Security 以允许使用以下 Soap Header 进行身份验证。

<soap:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
  <wsse:UsernameToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-1">
    <wsse:Username>username</wsse:Username>
    <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
  </wsse:UsernameToken>
</wsse:Security></soap:Header>

当前的 WSConfiguration 是根据 https://github.com/spring-projects/spring-boot/blob/master/spring-boot-samples/spring-boot-sample-ws/ 完成的给类似的东西

@EnableWs
@Configuration
public class WebServiceConfig extends WsConfigurerAdapter {

    @Bean
    public ServletRegistrationBean dispatcherServlet(ApplicationContext applicationContext) {
        MessageDispatcherServlet servlet = new MessageDispatcherServlet();
        servlet.setApplicationContext(applicationContext);
        return new ServletRegistrationBean(servlet, "/services/*");
    }

    @Bean(name = "SOAP1")
    public DefaultWsdl11Definition defaultWsdl11Definition(XsdSchema soap1) {
        DefaultWsdl11Definition wsdl11Definition = new DefaultWsdl11Definition();
        wsdl11Definition.setPortTypeName("Soap1");
        wsdl11Definition.setLocationUri("/soap1/");
        wsdl11Definition.setTargetNamespace("http://mycompany.com/hr/definitions");
        wsdl11Definition.setSchema(soap1);
        return wsdl11Definition;
    }

    @Bean
    public XsdSchema soap1() {
        return new SimpleXsdSchema(new ClassPathResource("META-INF/schemas/hr.xsd"));
    }

}

和网络安全根据 http://spring.io/blog/2013/07/03/spring-security-java-config-preview-web-security/看起来像这样

@EnableWebSecurity
@Configuration
public class CustomWebSecurityConfigurerAdapter extends
   WebSecurityConfigurerAdapter {
  @Autowired
  public void configureGlobal(AuthenticationManagerBuilder auth) {
    auth
      .inMemoryAuthentication()
        .withUser("user1")  
          .password("password")
          .roles("SOAP1")
          .and()
        .withUser("user2") 
          .password("password")
          .roles("SOAP2");
  }

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http
      .authorizeUrls()
        .antMatchers("/soap/soap1").hasRole("SOAP1") 
        .antMatchers("/soap/soap2").hasRole("SOAP2") 
        .anyRequest().authenticated() 
        .and().httpBasic();
  }
}

经过一番搜索，我发现Wss4J提供了一个UsernameToken认证，但是不知道怎么用。我想做的是以下 https://sites.google.com/site/ddmwsst/ws-security-impl/ws-security-with-usernametoken但没有带有 bean 定义的 XML 文件。

我打算做什么:

• 创建回调处理程序。
• 创建一个 Wss4jSecurityInterceptor，将“setValidationActions”设置为“UsernameToken”，将“setValidationCallbackHandler”设置为我的回调处理程序，然后通过覆盖添加它> addInterceptors 在我的 WebServiceConfig 上。

(我尝试过类似的方法，但我才意识到我的回调使用的是已弃用的方法)

问题:即使它有效，它也会应用于我在“WebServiceConfig”上的所有网络服务。

更新:

该实现确实有效，但正如预期的那样，它应用于我的所有 Web 服务。如何将我的拦截器仅添加到 1 个 Web 服务？

下面是我在WebServiceConfig中添加的代码

 @Bean
    public Wss4jSecurityInterceptor wss4jSecurityInterceptor() throws IOException, Exception{
        Wss4jSecurityInterceptor interceptor = new Wss4jSecurityInterceptor();
        interceptor.setValidationActions("UsernameToken");
        interceptor.setValidationCallbackHandler(new Wss4jSecurityCallbackImpl());

    return interceptor;
}

@Override
public void addInterceptors(List<EndpointInterceptor> interceptors)  {
    try {
        interceptors.add(wss4jSecurityInterceptor());
    } catch (Exception e) {
        e.printStackTrace();
    }
}

Answer 1

抱歉，我完全忘了回答这个问题，但万一它对某人有帮助:

我们通过创建一个新的 SmartEndpointInterceptor 并将其仅应用于我们的端点来让它工作:

public class CustomSmartEndpointInterceptor extends Wss4jSecurityInterceptor implements SmartEndpointInterceptor {

    //CustomEndpoint is your @Endpoint class
    @Override
    public boolean shouldIntercept(MessageContext messageContext, Object endpoint) {
        if (endpoint instanceof MethodEndpoint) {
            MethodEndpoint methodEndpoint = (MethodEndpoint)endpoint;
            return methodEndpoint.getMethod().getDeclaringClass() == CustomEndpoint.class; 
        }
        return false;
    }
}

我们没有向 WebServiceConfig 添加 wss4j bean，而是添加了 SmartEndpointInterceptor:

@Configuration
public class SoapWebServiceConfig extends WsConfigurationSupport {

    //Wss4jSecurityCallbackImpl refers to an implementation of https://sites.google.com/site/ddmwsst/ws-security-impl/ws-security-with-usernametoken
    @Bean
    public CustomSmartEndpointInterceptor customSmartEndpointInterceptor() {
        CustomSmartEndpointInterceptor customSmartEndpointInterceptor = new CustomSmartEndpointInterceptor();
        customSmartEndpointInterceptor.setValidationActions("UsernameToken");
        customSmartEndpointInterceptor.setValidationCallbackHandler(new Wss4jSecurityCallbackImpl(login, pwd)); 
        return customSmartEndpointInterceptor;
    }

  [...]
}

希望这已经够清楚了:)