CXF自己定义拦截器实现权限控制

一. 拦截器

在我们学习Java的征途中碰到了非常多拦截器: Servlet中的Filter就是一个拦截器, Struts2中也有拦截器,.

CXF中的拦截器其基本原理还是使用动态代理, 我们能够在不正确核心模块进行改动的情况下, 动态加入一些功能, 从而减少代码的耦合性.

二. CXF拦截器

CXF通过在Interceptor中对消息进行特殊处理, 实现了非常多重要功能模块, 比如: 日志记录, soap消息处理, 消息的压缩处理.

以下我们使用一个样例介绍CXF Log拦截器: 

1. 服务端加入日志拦截器:

public class MyServer {
	public static void main(String[] args) {
		HelloService helloService = new HelloServiceImpl();
		EndpointImpl epi = (EndpointImpl)Endpoint.publish("http://localhost/sayHello", helloService);
		epi.getInInterceptors().add(new LoggingInInterceptor()); // 加入server端in log拦截器
		epi.getOutInterceptors().add(new LoggingOutInterceptor()); // 加入server端out log拦截器
		System.out.println("Web Service 暴露成功");
	}
}

2. client加入日志拦截器

public class MyClient {
	public static void main(String[] args) {
		HelloServiceImplService factory = new HelloServiceImplService();
		HelloService helloService = factory.getHelloServiceImplPort();

		Client client = ClientProxy.getClient(helloService);
		client.getInInterceptors().add(new LoggingInInterceptor()); // 加入客户端in log拦截器
		client.getOutInterceptors().add(new LoggingOutInterceptor()); // 加入客户端out log拦截器

		System.out.println(helloService.sayHello("zhangsan"));
	}
}

其它程序代码请參考上一篇博客: http://blog.csdn.net/zdp072/article/details/27829831

client须要引入下面jar包: cxf-2.2.10.jar  wsdl4j-1.6.2.jar  XmlSchema-1.4.5.jar

3. 日志例如以下:

- - 服务端

2014-6-7 23:04:28 org.apache.cxf.service.factory.ReflectionServiceFactoryBean buildServiceFromClass
信息: Creating Service {http://impl.service.zdp.com/}HelloServiceImplService from class com.zdp.service.HelloService
2014-6-7 23:04:28 org.apache.cxf.endpoint.ServerImpl initDestination
信息: Setting the server's publish address to be http://localhost:80/sayHello
2014-06-07 23:04:28.718::INFO:  Logging to STDERR via org.mortbay.log.StdErrLog
2014-06-07 23:04:28.726::INFO:  jetty-6.1.21
2014-06-07 23:04:28.799::INFO:  Started SelectChannelConnector@localhost:80
Web Service 暴露成功

- - client

2014-6-7 23:05:26 org.apache.cxf.service.factory.ReflectionServiceFactoryBean buildServiceFromWSDL
信息: Creating Service {http://impl.service.zdp.com/}HelloServiceImplService from WSDL: http://localhost/sayHello?wsdl
2014-6-7 23:05:26 org.apache.cxf.interceptor.LoggingOutInterceptor$LoggingCallback onClose
信息: Outbound Message
---------------------------
ID: 1
Address: http://localhost/sayHello
Encoding: UTF-8
Content-Type: text/xml
Headers: {SOAPAction=[""], Accept=[*/*]}
Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><ns2:sayHello xmlns:ns2="http://service.zdp.com/"><arg0>zhangsan</arg0></ns2:sayHello></soap:Body></soap:Envelope>
--------------------------------------
2014-6-7 23:05:26 org.apache.cxf.interceptor.LoggingInInterceptor logging
信息: Inbound Message
----------------------------
ID: 1
Response-Code: 200
Encoding: UTF-8
Content-Type: text/xml; charset=utf-8
Headers: {content-type=[text/xml; charset=utf-8], Content-Length=[275], Server=[Jetty(6.1.21)]}
Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><ns1:sayHelloResponse xmlns:ns1="http://service.zdp.com/"><return>zhangsan, 您好！ 如今的时间是: Sat Jun 07 23:05:26 CST 2014</return></ns1:sayHelloResponse></soap:Body></soap:Envelope>
--------------------------------------
zhangsan, 您好！ 如今的时间是: Sat Jun 07 23:05:26 CST 2014

三. CXF自己定义拦截器

怎样使用CXF进行权限控制呢?

思路: server端要求input消息总是携带实username, password信息, 假设没实username和password信息, 直接拒绝调用.

代码实现:

1. server端拦截器:

/**  
 * 服务端权限拦截器
 */
public class AuthInterceptor extends AbstractPhaseInterceptor<SoapMessage> {

	public AuthInterceptor() {
		super(Phase.PRE_INVOKE); //拦截器在调用方法之前拦截SOAP消息
	}
    
	// 拦截器操作
	@Override
	public void handleMessage(SoapMessage msg) throws Fault {
		System.out.println("come to auth interceptor...");
		//获取SOAP消息的全部Header
		List<Header> headers = msg.getHeaders();
		
		if(headers == null || headers.size() < 1) {
			throw new Fault(new IllegalArgumentException("没有Header,拦截器实施拦截"));
		}
		//获取Header携带是用户和密码信息
		Header firstHeader = headers.get(0);
		Element element = (Element) firstHeader.getObject();
		
		NodeList userNameElement = element.getElementsByTagName("userName");
		NodeList passwordElement = element.getElementsByTagName("password");
		
		if (userNameElement.getLength() != 1) {
			throw new Fault(new IllegalArgumentException("username格式不正确"));
		}
			
		if (passwordElement.getLength() != 1) {
			throw new Fault(new IllegalArgumentException("用户密码格式不正确"));
		}
		
		//获取元素的文本内容
		String userName = userNameElement.item(0).getTextContent();
		String password = passwordElement.item(0).getTextContent();
		
		// 实际项目中, 应该去查询数据库, 该username,密码是否被授权调用该webservice
		if (!userName.equals("zhangsan") || !password.equals("123456")) {
			throw new Fault(new IllegalArgumentException("username或密码不正确"));
		}
	}
}

2. client拦截器

/**
 * client拦截器(在xml片段中加头部)
 */
public class AddHeaderInterceptor extends AbstractPhaseInterceptor<SoapMessage>{
    
	private String userName;
	private String password;
	
	public AddHeaderInterceptor(String userName, String password) {
		super(Phase.PREPARE_SEND);
		this.userName = userName;
		this.password = password; 
	}

	@Override
	public void handleMessage(SoapMessage msg) throws Fault {
		
		List<Header> headers = msg.getHeaders();
		
		//创建Document对象
		Document document = DOMUtils.createDocument();
		Element element = document.createElement("authHeader"); 
		
		//配置server端Head信息的用户密码
		Element userNameElement= document.createElement("userName"); 
		userNameElement.setTextContent(userName);
		Element passwordElement = document.createElement("password"); 
		passwordElement.setTextContent(password);
		
		element.appendChild(userNameElement);
		element.appendChild(passwordElement);
		headers.add(new Header(new QName(""), element));
		/**
		 * 生成的XML文档
		 * <authHeader>
		 * 	    <userName>zhangsan</userName>
		 * 	    <password>123456</password>
		 * </authHeader>
		 */
	}
}

3. 服务端

public class MyServer {
	public static void main(String[] args) {
		HelloService helloService = new HelloServiceImpl();
		EndpointImpl epi = (EndpointImpl)Endpoint.publish("http://localhost/sayHello", helloService);

		// 加入server端in 权限拦截器, 该AuthInterceptor就会负责检查username, password是否正确
		epi.getInInterceptors().add(new AuthInterceptor()); 
		System.out.println("Web Service 暴露成功");
	}
}

4. client

public class MyClient {
	public static void main(String[] args) {
		HelloServiceImplService factory = new HelloServiceImplService();
		
		// 此处返回的仅仅是webservice的代理
		HelloService helloService = factory.getHelloServiceImplPort();
		Client client = ClientProxy.getClient(helloService);
		client.getOutInterceptors().add(new AddHeaderInterceptor("zhangsan", "123456")); 
		System.out.println(helloService.sayHello("zhangsan"));
	}
}