WebService如果涉及到安全保密或者使用权限的时候,WS-Security通常是最优选择。WS-Security (Web服务安全)
包含了关于如何在WebService消息上保证完整性和机密性的规约,如何将签名和加密头加入SOAP消息。
不过WS-Security也有一些性能上的损耗,在信息保密要求不是很高的情况下,可以通过在SOAPHeader中添加简单的校验信息实现。
具体思路是客户端调用需要认证的服务时,在SOAPHeader中添加授权信息(如用户名、密码或者序列号等)。
服务端收到请求,在SOAPHeader中校验授权信息,校验通过则执行请求,校验不通过则返回错误提示。
客户端发起请求在SOAPHeader中添加的授权数据格式如下
<auth xmlns="http://schemas.xmlsoap.org/soap/actor/next">
<username>admin</username>
<password>admin</password>
</auth>
服务端授权校验 Handler
import java.util.Iterator;
import java.util.Set;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPBody;
import javax.xml.soap.SOAPConstants;
import javax.xml.soap.SOAPElement;
import javax.xml.soap.SOAPEnvelope;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPFault;
import javax.xml.soap.SOAPHeader;
import javax.xml.soap.SOAPMessage;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;
import org.apache.cxf.interceptor.Fault;
import org.w3c.dom.NodeList;
* @author
public class JaxServerAuthValidateHeader implements SOAPHandler<SOAPMessageContext> {
@Override
public void close(MessageContext context) {
@Override
public boolean handleFault(SOAPMessageContext context) {
return true;
@Override
public boolean handleMessage(SOAPMessageContext context) {
// 判断消息是输入还是输出
boolean isRequest = (Boolean) context.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY);
SOAPMessage soapMessage = context.getMessage();
if (!isRequest) {
SOAPHeader soapHeader = null;
try {
SOAPEnvelope soapEnv = soapMessage.getSOAPPart().getEnvelope();
soapHeader = soapEnv.getHeader();
} catch (SOAPException e) {
throw new Fault(new Exception("服务器异常!"));
if (soapHeader == null) {
validateFail(soapMessage, "无 Soap Header 头信息!");
return false;
// add an node named "auth"
QName qname = new QName(SOAPConstants.URI_SOAP_ACTOR_NEXT, "auth");
Iterator<?> iterator = soapHeader.getChildElements(qname);
SOAPElement auth = null;
if (iterator.hasNext()) {
// 获取auth
auth = (SOAPElement) iterator.next();
// 如果授权信息元素不存在,提示错误
if (auth == null) {
validateFail(soapMessage, "无授权信息!");
return false;
NodeList nameList = auth.getElementsByTagName("username");
NodeList pwdList = auth.getElementsByTagName("password");
if (nameList == null || nameList.getLength() <= 0 || pwdList == null || pwdList.getLength() <= 0) {
validateFail(soapMessage, "授权信息格式错误!");
return false;
String username = nameList.item(0).getTextContent();
String password = pwdList.item(0).getTextContent();
if (!"admin".equals(username) || !"admin".equals(password)) {
validateFail(soapMessage, "授权信息格式错误!");
return false;
System.out.println(isRequest ? "服务端响应:" : "服务端接收:");
System.out.println("\r\n");
return true;
@Override
public Set<QName> getHeaders() {
return null;
* 授权校验失败,在SOAPBody中添加SOAPFault
* @param message
private void validateFail(SOAPMessage soapMessage, String faultString) {
try {
SOAPEnvelope envelop = soapMessage.getSOAPPart().getEnvelope();
envelop.getHeader().detachNode();
envelop.addHeader();
envelop.getBody().detachNode();
SOAPBody body = envelop.addBody();
SOAPFault fault = body.getFault();
if (fault == null) {
fault = body.addFault();
fault.setFaultString(faultString);
soapMessage.saveChanges();
} catch (SOAPException e) {
e.printStackTrace();
服务端Handler配置文件handler-chain.xml
<?xml version="1.0" encoding="UTF-8"?>
<javaee:handler-chains xmlns:javaee="http://java.sun.com/xml/ns/javaee"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<javaee:handler-chain>
<javaee:handler>
<javaee:handler-class>com.server.handler.JaxServerAuthValidateHeader</javaee:handler-class>
</javaee:handler>
</javaee:handler-chain>
</javaee:handler-chains>
服务端的Service中添加Handler配置文件
import javax.jws.WebMethod;
import javax.jws.WebParam;
import javax.jws.WebResult;
import javax.jws.WebService;
import javax.xml.bind.annotation.XmlSeeAlso;
import javax.xml.ws.RequestWrapper;
import javax.xml.ws.ResponseWrapper;
* This class was generated by Apache CXF 3.2.1
* 2017-12-01T14:12:00.085+08:00
* Generated source version: 3.2.1
@WebService(targetNamespace = "http://tempuri.org/", name = "AExampleDemoWebService")
@HandlerChain(file="handler-chain.xml")
public interface AExampleDemoWebService {
@WebMethod
@WebResult(name = "single", targetNamespace = "")
public java.lang.String querySingle(
@WebParam(name = "single", targetNamespace = "http://tempuri.org/")
java.lang.String single
服务端的Service 实现类
import java.util.ArrayList;
import java.util.List;
import cn.evun.iwm.receive.soap.service.AExampleDemoWebService;
import cn.evun.iwm.receive.soap.struc.sample.InputParam;
import cn.evun.iwm.receive.soap.struc.sample.OutputParam;
@javax.jws.WebService(serviceName = "aexampleDemoWebService", portName = "Sample",
targetNamespace = "http://tempuri.org/", endpointInterface = "cn.soap.service.AExampleDemoWebService")
public class AExampleDemoWebServiceImpl implements AExampleDemoWebService {
@Override
public String querySingle(String input) {
return "success";
客户端添加授权Handler
import java.io.IOException;
import java.util.Set;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPConstants;
import javax.xml.soap.SOAPElement;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPHeader;
import javax.xml.soap.SOAPMessage;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;
public class JaxWsClientHandler implements SOAPHandler<SOAPMessageContext> {
@Override
public boolean handleMessage(SOAPMessageContext context) {
// 判断消息是请求还是响应
Boolean isRequest = (Boolean) context.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY);
SOAPMessage soapMessage = context.getMessage();
if (isRequest) {
try {
SOAPHeader soapHeader = soapMessage.getSOAPHeader();
if (soapHeader == null) {
soapHeader = soapMessage.getSOAPPart().getEnvelope().addHeader();
// add an node named "auth"
QName qname = new QName(SOAPConstants.URI_SOAP_ACTOR_NEXT, "auth");
SOAPElement auth = soapHeader.addChildElement(qname);
SOAPElement name = auth.addChildElement("username");
name.addTextNode("admin");
SOAPElement password = auth.addChildElement("password");
password.addTextNode("admin");
soapMessage.saveChanges();
// tracking
soapMessage.writeTo(System.out);
} catch (SOAPException e) {
System.err.println(e);
} catch (IOException e) {
System.err.println(e);
return true;
@Override
public boolean handleFault(SOAPMessageContext context) {
return false;
@Override
public void close(MessageContext context) {
@Override
public Set<QName> getHeaders() {
return null;
客户端Handler配置文件handler-chain.xml
<?xml version="1.0" encoding="UTF-8"?>
<javaee:handler-chains xmlns:javaee="http://java.sun.com/xml/ns/javaee"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<javaee:handler-chain>
<javaee:handler>
<javaee:handler-class>com.client.handler.JaxWsClientHandler</javaee:handler-class>
</javaee:handler>
</javaee:handler-chain>
</javaee:handler-chains>
客户端的Service中添加Handler配置文件
import java.net.MalformedURLException;
import java.net.URL;
import javax.xml.namespace.QName;
import javax.xml.ws.WebEndpoint;
import javax.xml.ws.WebServiceClient;
import javax.xml.ws.WebServiceFeature;
import javax.xml.ws.Service;
* This class was generated by Apache CXF 3.2.1
* 2017-12-01T14:12:00.117+08:00
* Generated source version: 3.2.1
@WebServiceClient(name = "aexampleDemoWebService",
wsdlLocation = "http://localhost:8090/service/Sample?wsdl",
targetNamespace = "http://tempuri.org/")
@HandlerChain(file="handler-chain.xml")
public class AexampleDemoWebServiceSoap extends Service {
public final static URL WSDL_LOCATION;
public final static QName SERVICE = new QName("http://tempuri.org/", "aexampleDemoWebService");
public final static QName Sample = new QName("http://tempuri.org/", "Sample");
static {
URL url = null;
try {
url = new URL("http://localhost:8090/service/Sample?wsdl");
} catch (MalformedURLException e) {
java.util.logging.Logger.getLogger(AexampleDemoWebServiceSoap.class.getName())
.log(java.util.logging.Level.INFO,
"Can not initialize the default wsdl from {0}", "http://localhost:8090/service/Sample?wsdl");
WSDL_LOCATION = url;
public AexampleDemoWebServiceSoap(URL wsdlLocation) {
super(wsdlLocation, SERVICE);
public AexampleDemoWebServiceSoap(URL wsdlLocation, QName serviceName) {
super(wsdlLocation, serviceName);
public AexampleDemoWebServiceSoap() {
super(WSDL_LOCATION, SERVICE);
public AexampleDemoWebServiceSoap(WebServiceFeature ... features) {
super(WSDL_LOCATION, SERVICE, features);
public AexampleDemoWebServiceSoap(URL wsdlLocation, WebServiceFeature ... features) {
super(wsdlLocation, SERVICE, features);
public AexampleDemoWebServiceSoap(URL wsdlLocation, QName serviceName, WebServiceFeature ... features) {
super(wsdlLocation, serviceName, features);
* @return
* returns AExampleDemoWebService
@WebEndpoint(name = "Sample")
public AExampleDemoWebService getSample() {
return super.getPort(Sample, AExampleDemoWebService.class);
* @param features
* A list of {@link javax.xml.ws.WebServiceFeature} to configure on the proxy.
* Supported features not in the <code>features</code> parameter will have their default values.
* @return
* returns AExampleDemoWebService
@WebEndpoint(name = "Sample")
public AExampleDemoWebService getSample(WebServiceFeature... features) {
return super.getPort(Sample, AExampleDemoWebService.class, features);
客户端发起请求
QName SERVICE_NAME = new QName("http://tempuri.org/", "aexampleDemoWebService");
URL url = new URL("http://localhost:8090/service/Sample?wsdl");
AexampleDemoWebServiceSoap ss = new AexampleDemoWebServiceSoap(wsdlURL, SERVICE_NAME);
AExampleDemoWebService port = ss.getSample();
port.querySingle("1111");
@HandlerChain 注解 替代方式
客户端 通过 HandlerReolver 代替 @HandlerChain 注解 导入 Handler 配置文件
handler-chain配置文件对所有的请求都添加授权验证信息,有些时候不是所有的请求都需要添加授权验证,HandlerResolver提供了在编程时添加Handler的方法,可以用HandlerResolver给需要授权的接口添加Handler。
QName SERVICE_NAME = new QName("http://tempuri.org/", "aexampleDemoWebService");
URL url = new URL("http://localhost:8090/service/Sample?wsdl");
AexampleDemoWebServiceSoap ss = new AexampleDemoWebServiceSoap(wsdlURL, SERVICE_NAME);
//通过HandlerResolver添加Handler
ss.setHandlerResolver(new HandlerResolver(){
@Override
@SuppressWarnings("rawtypes")
public List<Handler> getHandlerChain(PortInfo portInfo) {
List<Handler> handlerChain = new ArrayList<Handler>();
handlerChain.add(new JaxWsClientHandler());
return handlerChain;
AExampleDemoWebService port = ss.getSample();
port.querySingle("2222");
服务端 @HandlerChain 注解替代
服务发布时服务端通过继承至 Endpoint 实现类 EndpointImpl 的 setHandlers 方法添加头部信息 代替 @HandlerChain 注解 导入 Handler 配置文件
import java.util.ArrayList;
import java.util.List;
import javax.xml.ws.Endpoint;
import javax.xml.ws.handler.Handler;
import org.apache.cxf.Bus;
import org.apache.cxf.bus.spring.SpringBus;
import org.apache.cxf.interceptor.Interceptor;
import org.apache.cxf.jaxws.EndpointImpl;
import org.apache.cxf.message.Message;
import org.apache.cxf.transport.servlet.CXFServlet;
import org.springframework.boot.context.embedded.ServletRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
@Configuration
public class CXFConfig {
@Bean
public ServletRegistrationBean dispatcherServlet() {
return new ServletRegistrationBean(new CXFServlet(), "/service/*");
@Bean(name = Bus.DEFAULT_BUS_ID)
public SpringBus springBus() {
return new SpringBus();
@Bean
public AExampleDemoWebServiceImpl aExampleDemoWebServiceImpl() {
return new AExampleDemoWebServiceImpl();
@Bean
public Endpoint endpointWebServiceSampleImpl() {
EndpointImpl endpoint = new EndpointImpl(springBus(), aExampleDemoWebServiceImpl());
// SOAPHandler 方式
@SuppressWarnings("rawtypes")
List<Handler> handlers = new ArrayList<>();
handlers.add(new JaxServerAuthValidateHeader());
endpoint.setHandlers(handlers);
endpoint.publish("/Sample");
return endpoint;
当使用替代方式添加头部信息的时候就不需要使用 @HandlerChain 注解
