
Web service security mechanisms 3: Filter

2013-05-08 15:15  429 views

1. Introduction

The previous two posts covered web service security mechanisms 1 and 2; this post continues the tour and uses a servlet Filter to control access to the web service.

Before the web service is invoked, the filter intercepts every request that matches its URL pattern, and only clients that satisfy the security requirement are allowed through to the service.

2. Project environment

System: Windows 7; MyEclipse: 6.5; Tomcat: 5.0

JDK: development environment 1.5, compile target 1.4

Axis: 1.4

3. Sample code

(1) Configuration files

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4"
    xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
    <!-- The servlet that handles web service requests -->
    <servlet>
        <servlet-name>AxisServlet</servlet-name>
        <servlet-class>
            org.apache.axis.transport.http.AxisServlet
        </servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>AxisServlet</servlet-name>
        <url-pattern>/services/*</url-pattern>
    </servlet-mapping>

    <!-- The IP address filter; it is mapped to the same URL pattern as AxisServlet,
         so every web service request passes through it first -->
    <filter>
        <filter-name>WebServiceFilter</filter-name>
        <filter-class>server.filter.WebServiceFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>WebServiceFilter</filter-name>
        <url-pattern>/services/*</url-pattern>
    </filter-mapping>

</web-app>

server-config.wsdd

<?xml version="1.0" encoding="UTF-8"?>
<deployment xmlns="http://xml.apache.org/axis/wsdd/"
    xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
    <globalConfiguration>
        <parameter name="sendMultiRefs" value="true" />
        <parameter name="disablePrettyXML" value="true" />
        <parameter name="adminPassword" value="admin" />
        <parameter name="attachments.Directory"
            value="D:\tomcat5\webapps\WebService\WEB-INF\attachments" />
        <parameter name="dotNetSoapEncFix" value="true" />
        <parameter name="enableNamespacePrefixOptimization"
            value="false" />
        <parameter name="sendXMLDeclaration" value="true" />
        <parameter name="sendXsiTypes" value="true" />
        <parameter name="attachments.implementation"
            value="org.apache.axis.attachments.AttachmentsImpl" />
        <requestFlow>
            <handler type="java:org.apache.axis.handlers.JWSHandler">
                <parameter name="scope" value="session" />
            </handler>
            <handler type="java:org.apache.axis.handlers.JWSHandler">
                <parameter name="scope" value="request" />
                <parameter name="extension" value=".jwr" />
            </handler>
        </requestFlow>
    </globalConfiguration>
    <handler name="LocalResponder"
        type="java:org.apache.axis.transport.local.LocalResponder" />
    <handler name="URLMapper"
        type="java:org.apache.axis.handlers.http.URLMapper" />
    <handler name="Authenticate"
        type="java:org.apache.axis.handlers.SimpleAuthenticationHandler" />
    <service name="AdminService" provider="java:MSG">
        <parameter name="allowedMethods" value="AdminService" />
        <parameter name="enableRemoteAdmin" value="false" />
        <parameter name="className" value="org.apache.axis.utils.Admin" />
        <namespace>http://xml.apache.org/axis/wsdd/</namespace>
    </service>
    <service name="Version" provider="java:RPC">
        <parameter name="allowedMethods" value="getVersion" />
        <parameter name="className" value="org.apache.axis.Version" />
    </service>

    <transport name="http">
        <requestFlow>
            <handler type="URLMapper" />
            <handler
                type="java:org.apache.axis.handlers.http.HTTPAuthHandler" />
        </requestFlow>
        <parameter name="qs:list"
            value="org.apache.axis.transport.http.QSListHandler" />
        <parameter name="qs:wsdl"
            value="org.apache.axis.transport.http.QSWSDLHandler" />
        <parameter name="qs.list"
            value="org.apache.axis.transport.http.QSListHandler" />
        <parameter name="qs.method"
            value="org.apache.axis.transport.http.QSMethodHandler" />
        <parameter name="qs:method"
            value="org.apache.axis.transport.http.QSMethodHandler" />
        <parameter name="qs.wsdl"
            value="org.apache.axis.transport.http.QSWSDLHandler" />
    </transport>
    <transport name="local">
        <responseFlow>
            <handler type="LocalResponder" />
        </responseFlow>
    </transport>

    <!-- Our own service -->
    <service name="HelloService" provider="java:RPC">
        <parameter name="allowedMethods" value="*" />
        <parameter name="className"
            value="server.service.HelloServiceImpl" />

    </service>

</deployment>

(2) Server-side code

HelloServiceImpl.java (the web service implementation)

package server.service;

public class HelloServiceImpl {

    public String hello(String s) {
        return "hello," + s;
    }
}

WebServiceFilter.java (the Filter)

package server.filter;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

public class WebServiceFilter implements Filter {

    // IP addresses that are not allowed to call the web service
    static final String[] deniedIPList = new String[] { "192.168.1.12" };

    // true if ipAddr is one of the denied addresses
    public boolean isIPDenied(String ipAddr) {
        if (deniedIPList.length == 0)
            return false;
        for (int i = 0; i < deniedIPList.length; i++) {
            if (deniedIPList[i].equals(ipAddr)) {
                return true;
            }
        }
        return false;
    }

    public void destroy() {

    }

    public void doFilter(ServletRequest req, ServletResponse res,
            FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;

        // getRemoteAddr() always returns the peer's IP address; getRemoteHost()
        // may return a resolved host name, which would never match the list
        String clientIP = request.getRemoteAddr();
        System.out.println("客户端IP:" + clientIP);

        System.out.println("开始过滤...");

        // a listed address is rejected before the request reaches AxisServlet;
        // any other address is passed on down the filter chain
        if (isIPDenied(clientIP)) {
            throw new ServletException("你没有权限调用此webservice!");
        } else {
            chain.doFilter(req, res);
        }

    }

    public void init(FilterConfig config) throws ServletException {

    }

}

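
The web.xml mapping and the filter above together give a working deny list, but as written the list is compiled into the class, a denied client receives a 500 error page (the ServletException) rather than a 403, and a single address cannot express a whole subnet. The following class, written for this post as an added example (it is not the post's code), shows one hardened variant in Java 1.4 syntax to match the post's compile target: the list comes from an init-param named deniedIPs (an assumed name), entries may be plain addresses or IPv4 CIDR ranges, the peer is identified with getRemoteAddr(), and a denied client gets HTTP 403. The class name IpDenyFilter is also an assumption; the main() method exercises the matching logic offline with the post's test addresses and one constructed range.

```java
package server.filter;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical hardened variant of the post's WebServiceFilter (added example, Java 1.4 syntax).
public class IpDenyFilter implements Filter {

    // One deny-list entry: an IPv4 network number plus its netmask.
    static final class Cidr {
        final int network;
        final int mask;
        Cidr(String spec) {
            String[] parts = spec.trim().split("/");
            int prefix = (parts.length == 2) ? Integer.parseInt(parts[1]) : 32;
            if (parts.length > 2 || prefix < 0 || prefix > 32) throw new IllegalArgumentException("bad entry: " + spec);
            // "x << 32" is a no-op in Java, so a /0 mask has to be special-cased
            mask = (prefix == 0) ? 0 : (0xFFFFFFFF << (32 - prefix));
            network = parseIPv4(parts[0]) & mask;
        }
        boolean contains(int ip) { return (ip & mask) == network; }
    }

    // Dotted-quad parser; unlike InetAddress.getByName() it never performs a DNS lookup.
    static int parseIPv4(String s) {
        String[] q = s.trim().split("\\.");
        if (q.length != 4) throw new IllegalArgumentException("not an IPv4 address: " + s);
        int v = 0;
        for (int i = 0; i < 4; i++) {
            int octet = Integer.parseInt(q[i]);
            if (octet < 0 || octet > 255) throw new IllegalArgumentException("octet out of range: " + s);
            v = (v << 8) | octet;
        }
        return v;
    }

    private Cidr[] denied = new Cidr[0];

    // Parses a comma-separated list such as "192.168.1.12, 10.0.0.0/8".
    void loadDenyList(String spec) {
        if (spec == null || spec.trim().length() == 0) { denied = new Cidr[0]; return; }
        String[] entries = spec.split(",");
        Cidr[] list = new Cidr[entries.length];
        for (int i = 0; i < entries.length; i++) list[i] = new Cidr(entries[i]);
        denied = list;
    }

    boolean isIPDenied(String ipAddr) {
        int ip;
        try {
            ip = parseIPv4(ipAddr);
        } catch (IllegalArgumentException e) {
            return false; // e.g. an IPv6 peer: a deny list cannot match it, so it is let through
        }
        for (int i = 0; i < denied.length; i++) if (denied[i].contains(ip)) return true;
        return false;
    }

    public void init(FilterConfig config) throws ServletException {
        try {
            loadDenyList(config.getInitParameter("deniedIPs")); // "deniedIPs" is an assumed param name
        } catch (IllegalArgumentException e) {
            throw new ServletException("invalid deniedIPs init-param", e);
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // The TCP peer address. Behind a reverse proxy this is the proxy's address, and
        // the X-Forwarded-For header is client-supplied, so it is deliberately not consulted.
        String clientIP = request.getRemoteAddr();
        if (isIPDenied(clientIP)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "access to this web service is denied");
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() {}

    // Offline check of the matching logic; the list below is constructed for this example.
    public static void main(String[] args) {
        IpDenyFilter f = new IpDenyFilter();
        f.loadDenyList("192.168.1.12, 127.0.0.1, 10.0.0.0/8");
        System.out.println("192.168.1.12 denied: " + f.isIPDenied("192.168.1.12")); // listed exactly
        System.out.println("10.42.7.1 denied: " + f.isIPDenied("10.42.7.1"));       // inside 10.0.0.0/8
        System.out.println("192.168.1.13 denied: " + f.isIPDenied("192.168.1.13")); // not listed
    }
}
```

To wire it in, point the filter-class in web.xml at server.filter.IpDenyFilter and add an init-param element inside the filter element, with param-name deniedIPs and a param-value such as 192.168.1.12,127.0.0.1; changing the list then needs only a redeploy of the descriptor, not a rebuild. Two caveats apply to any deny list of this kind: it fails open, so an address it cannot parse (an IPv6 peer) or the address of a reverse proxy standing in front of Tomcat is let through, which is why an allow list is the safer shape for anything beyond a demo; and Tomcat already ships an equivalent control, the RemoteAddrValve, which can enforce the same policy at the container level without any application code.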
(3) Client code

Test.java (a client that invokes the service dynamically)

package client;

import java.net.URL;

import javax.xml.rpc.ParameterMode;

import org.apache.axis.client.Call;
import org.apache.axis.encoding.XMLType;

public class Test {

    public static void main(String args[]) throws Exception {
        webservice_user();
    }

    public static void webservice_user() throws Exception {

        // 1. Create the Service object using Axis' own client class
        org.apache.axis.client.Service service = new org.apache.axis.client.Service();

        // 2. Create the URL object
        String wsdlUrl = "http://localhost:8080/WebService08_Security/services/HelloService?wsdl";// URL of the requested service
        URL url = new URL(wsdlUrl);// build the URL object from the WSDL address

        // 3. Create the Call object that invokes the service method, and set its properties
        Call call = (Call) service.createCall();
        call.setTargetEndpointAddress(url);// the endpoint URL the call is sent to
        String serviceName = "hello";// name of the web service method
        call.setOperationName(serviceName);// the operation to invoke
        call.addParameter("s", XMLType.XSD_STRING, ParameterMode.IN);// parameter name, type and mode
        call.setReturnType(XMLType.SOAP_STRING);// return type of the method
        // call.setTimeout(new Integer(200));// optional call timeout

        // ---------------------------------------------------------------------------------------
        // The username and password here correspond to an entry in the users.lst file under WEB-INF
        // call.getMessageContext().setUsername("pantp");
        // call.getMessageContext().setPassword("123456");
        // ---------------------------------------------------------------------------------------

        // 4. Invoke the web service through invoke()
        String str = new String("pantp");
        System.out.println("开始调用webservice服务.....");
        String dept = (String) call.invoke(new Object[] { str });// call the service method
        System.out.println("结束调用webservice服务.....");

        // 5. Print the returned result
        System.out.println("返回结果如下:" + dept);
    }

}

4. Security tests

(1) Normal test (the local IP address is not in the denied list)

Open the WSDL address in a browser:

[screenshot]

Run the Test client:

Client log:

[screenshot]

Server log:

[screenshot]

(2) Denied test (the local IP address is in the denied list)

Change the line in WebServiceFilter that defines the deniedIPList array so that it also contains 127.0.0.1, then redeploy the project;

the modified array is:

static final String[] deniedIPList=new String[]{"192.168.1.12","127.0.0.1"};

Open the WSDL address in a browser:

[screenshot]

Run the Test client:

Client log:

[screenshot]

Server log:

[screenshot]

5. Summary

This concludes the series of posts on web service security;

the measures shown in it are all fairly simple ways of securing a web service.

Further discussion is welcome.