In the previous article, we implemented the simplest Axis service. Now let's talk about the security of Web services.
Depending on the level of security required, there are different ways to implement it. Here are some of the most common implementations (ordered from low to high security):
1. Java EE Web application default access control (data is sent in plaintext);
2. Access control using an Axis Handler (data is sent in plaintext);
3. Access control using a Servlet filter (data is sent in plaintext);
4. Transport over SSL/HTTPS (the transport protocol encrypts the data);
5. Message encryption and identity authentication using the WS-Security specification (data is encrypted in transit).
We only discuss methods 2, 4 and 5. Before that, let's take a look at Axis's own tool, SOAPMonitor.
I. Using SOAPMonitor
Open http://localhost:8080/axis/ to reach the Axis home page, and you will see:
SOAPMonitor - [disabled by default for security reasons], which means it is not available by default. We will now activate it.
1. Go to the directory %TOMCAT_HOME%/webapps/axis, where you will find SOAPMonitorApplet.java, and compile it from the command line:
javac -classpath %AXIS_HOME%/lib/axis.jar SOAPMonitorApplet.java
After compiling, you will see several new class files in the directory, named SOAPMonitorApplet*.class.
2. In the directory %TOMCAT_HOME%/webapps/axis/WEB-INF, open the server-config.wsdd file and add the following two pieces of code directly at the appropriate locations.
The first part:
<handler name="soapmonitor" type="java:org.apache.axis.handlers.SOAPMonitorHandler">
  <parameter name="wsdlURL" value="/axis/SOAPMonitorService-impl.wsdl"/>
  <parameter name="namespace" value="http://tempuri.org/wsdl/2001/12/SOAPMonitorService-impl.wsdl"/>
  <parameter name="serviceName" value="SOAPMonitorService"/>
  <parameter name="portName" value="Demo"/>
</handler>
The second part:
<service name="SOAPMonitorService" provider="java:RPC">
  <parameter name="allowedMethods" value="publishMessage"/>
  <parameter name="className" value="org.apache.axis.monitor.SOAPMonitorService"/>
  <parameter name="scope" value="Application"/>
</service>
3. Select the service you want to monitor.
Take the HelloWorld service from the previous article as an example. In server-config.wsdd you will find this code:
<service name="HelloWorld" provider="java:RPC">
  <parameter name="allowedMethods" value="SayHello"/>
  <parameter name="className" value="HelloWorld"/>
</service>
Add the following inside this element:
<requestFlow>
  <handler type="soapmonitor"/>
</requestFlow>
<responseFlow>
  <handler type="soapmonitor"/>
</responseFlow>
The final result is:
<service name="HelloWorld" provider="java:RPC">
  <requestFlow>
    <handler type="soapmonitor"/>
  </requestFlow>
  <responseFlow>
    <handler type="soapmonitor"/>
  </responseFlow>
  <parameter name="allowedMethods" value="SayHello"/>
  <parameter name="className" value="HelloWorld"/>
</service>
The HelloWorld service is now monitored.
4. Start Tomcat and open http://localhost:8080/axis/SOAPMonitor; you will see the applet interface. In JBuilder 2005, run TestClient.java, the client program we wrote last time. In the applet interface you will now see the XML content exchanged between the client and the server. Note that it is plaintext.
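SOAPMonitor is easy to leave attached after a debugging session, so the following added example (not part of the original article or of Axis) parses a server-config.wsdd and reports whether SOAPMonitorService is deployed and which services carry the monitor handler in their request or response flow. The function names, the "(global)" label and the embedded sample are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MONITOR_HANDLER = "java:org.apache.axis.handlers.SOAPMonitorHandler"
MONITOR_SERVICE = "org.apache.axis.monitor.SOAPMonitorService"

def local(tag):
    return tag.rsplit("}", 1)[-1]  # '{ns}service' -> 'service'

def audit(wsdd_text):
    """Report where SOAPMonitor is wired into a server-config.wsdd."""
    root = ET.fromstring(wsdd_text)
    # Names under which the monitor handler class is declared (e.g. "soapmonitor").
    aliases = {h.get("name") for h in root
               if local(h.tag) == "handler" and h.get("type") == MONITOR_HANDLER}
    aliases.discard(None)
    monitored, deployed = {}, False
    for node in root:
        kind = local(node.tag)
        if kind not in ("service", "globalConfiguration"):
            continue
        # The monitor's back end is deployed if any service runs its class.
        deployed |= any(local(p.tag) == "parameter" and p.get("name") == "className"
                        and p.get("value") == MONITOR_SERVICE for p in node)
        flows = sorted(
            local(flow.tag) for flow in node
            if local(flow.tag) in ("requestFlow", "responseFlow")
            # iter() also descends into <chain> elements nested in the flow
            and any(local(h.tag) == "handler"
                    and (h.get("type") == MONITOR_HANDLER or h.get("type") in aliases)
                    for h in flow.iter()))
        if flows:
            # Handlers in <globalConfiguration> apply to every service.
            monitored[node.get("name") if kind == "service" else "(global)"] = flows
    return {"monitor_service_deployed": deployed, "monitored": monitored}

# Constructed sample mirroring the configuration from the steps above.
SAMPLE = """<deployment xmlns="http://xml.apache.org/axis/wsdd/">
  <handler name="soapmonitor" type="java:org.apache.axis.handlers.SOAPMonitorHandler"/>
  <service name="SOAPMonitorService" provider="java:RPC">
    <parameter name="className" value="org.apache.axis.monitor.SOAPMonitorService"/>
  </service>
  <service name="HelloWorld" provider="java:RPC">
    <requestFlow><handler type="soapmonitor"/></requestFlow>
    <responseFlow><handler type="soapmonitor"/></responseFlow>
    <parameter name="className" value="HelloWorld"/>
  </service>
</deployment>"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty "monitored" map together with "monitor_service_deployed" set to False means the file is back to the default state in which SOAPMonitor is disabled.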
II. Access control with the Axis Handler (recommended when security requirements are not high)
Axis provides configuration descriptors for access control of Web services, along with a simple Handler that enforces it. By default, you only need to add users to the configuration file and then list the allowed roles in the deployment descriptor of the Web service.
1. Add a user, such as "ronghao 1111", to the Axis configuration file users.lst (located in the WEB-INF directory). This means the user name is ronghao and the password is 1111.
2. Redeploy the example HelloWorld Web service (the new parts are marked):
<service name="HelloWorld" provider="java:RPC">
  <requestFlow>
    <handler type="soapmonitor"/>
    <handler type="Authenticate"/> <!-- newly added: Axis's built-in handler -->
  </requestFlow>
  <responseFlow>
    <handler type="soapmonitor"/>
  </responseFlow>
  <parameter name="allowedMethods" value="SayHello"/>
  <parameter name="allowedRoles" value="ronghao"/> <!-- note: this is newly added -->
  <parameter name="className" value="HelloWorld"/>
</service>
This deployment descriptor specifies that the HelloWorld service can only be accessed by ronghao.
3. Modify the client program TestClient.java to supply the user name and password (the new parts are marked):
TestClient.java
import org.apache.axis.client.Call;
import org.apache.axis.client.Service;
import javax.xml.rpc.ParameterMode;
public class TestClient
{
    public static void main(String[] args) throws Exception {
        String endpoint = "http://localhost:" + "8080" + "/axis/helloworld";
        Service service = new Service();
Call Call