BlogJava-流金De岁月-随笔分类-Jave/Webservice

BlogJava-流金De岁月-随笔分类-Jave/Webservicehttp://www.blogjava.net/jinn/category/33084.html Jinn's Programming Roadzh-cnFri, 18 Jul 2008 14:47:04 GMTFri, 18 Jul 2008 14:47:04 GMT60用Stax组装及解析XMLhttp://www.blogjava.net/jinn/archive/2008/07/18/215812.htmljinnjinnFri, 18 Jul 2008 07:13:00 GMThttp://www.blogjava.net/jinn/archive/2008/07/18/215812.htmlhttp://www.blogjava.net/jinn/comments/215812.htmlhttp://www.blogjava.net/jinn/archive/2008/07/18/215812.html#Feedback0http://www.blogjava.net/jinn/comments/commentRss/215812.htmlhttp://www.blogjava.net/jinn/services/trackbacks/215812.html阅读全文

jinn 2008-07-18 15:13 发表评论

]]>Axis中用户名、密码传递http://www.blogjava.net/jinn/archive/2008/07/18/215750.htmljinnjinnFri, 18 Jul 2008 05:18:00 GMThttp://www.blogjava.net/jinn/archive/2008/07/18/215750.htmlhttp://www.blogjava.net/jinn/comments/215750.htmlhttp://www.blogjava.net/jinn/archive/2008/07/18/215750.html#Feedback0http://www.blogjava.net/jinn/comments/commentRss/215750.htmlhttp://www.blogjava.net/jinn/services/trackbacks/215750.htmlWebservice交互经常需要验证用户，用户名和密码的传递采用SOAPHeader传递不失为一种好办法。在Axis1中设置很简单：
客户端：
((org.apache.axis.client.Call) call).addHeader(new SOAPHeaderElement("Authorization","username",username));
((org.apache.axis.client.Call) call).addHeader(new SOAPHeaderElement("Authorization","password",password));

经包装后传递的内容如下
<soapenv:Header>
  <ns1:username
   soapenv:actor="http://schemas.xmlsoap.org/soap/actor/next"
   soapenv:mustUnderstand="0" xsi:type="soapenc:string"
   xmlns:ns1="Authorization"
   xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
   admin
  </ns1:username>
  <ns2:password
   soapenv:actor="http://schemas.xmlsoap.org/soap/actor/next"
   soapenv:mustUnderstand="0" xsi:type="soapenc:string"
   xmlns:ns2="Authorization"
   xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
   1
  </ns2:password>
</soapenv:Header>

服务端通过Handler取得用户名和密码进行验证：
username = (String) messageContext.getRequestMessage().getSOAPEnvelope()
.getHeaderByName("Authorization","username").getValue();
password = (String) messageContext.getRequestMessage().getSOAPEnvelope()
.getHeaderByName("Authorization","password").getValue();

如果觉得这样不安全，可双方约定一种加密解密规则，将用户名和密码加密后进行传输。

我曾试过使用如下方法，
客户端：
((org.apache.axis.client.Call) call).setUsername(username);
((org.apache.axis.client.Call) call).setPassword(password);

包装后传递内容(多了最后一句：Authorization: Basic emphZG1pbjox。Axis将用户名和密码经Base64加密后传递)：
POST /web/services/GenericServer HTTP/1.0
Content-Type: text/xml; charset=utf-8
Accept: application/soap+xml, application/dime, multipart/related, text/*
User-Agent: Axis/1.4
Host: localhost:8083
Cache-Control: no-cache
Pragma: no-cache
SOAPAction: ""
Content-Length: 807
Authorization: Basic emphZG1pbjox

服务端的Handle:
username =messageContext.getUsername();
password = messageContext.getPassword();

这样是没问题，看起来更简单。可惜调用部署在weblogic上的ws时，会被weblogic拦截，必须在weblogic安全域中配置相应的用户才能通过验证，这不是我们所需要的，通常我们有自己的用户管理机制，调用WS的用户也作为系统中的一个用户纳入我们的管理，而不是跟weblogic安全域用户绑在一起。

jinn 2008-07-18 13:18 发表评论

]]>