使用CXF生成的WSDL，如何才能带ws-security5

如题。



由于项目需求，服务端使用CXF建一个WebService，但客户端是C#与PHP的。



由于C#或者PHP都通过WSDL文件，来反射生成调用代码，因此要求在生成的WSDL中带WS-SECURITY的信息。但CXF默认生成的都没带该部分信息。



google一天了，都没有看到怎么做的例子。



请问这里有人知道吗？



我希望生成的WDSL如：http://lists.w3.org/Archives/Public/www-ws-desc/2005Jan/att-0094/soap-header-blocks.html

<?xml version="1.0"?>
<wsdl:description name="StockQuote" 
  xmlns:wsdl="http://www.w3.org/@@@@/@@/wsdl"
  targetNamespace="http://example.com/stockquote"
  xmlns:tns="http://example.com/stockquote"
  xmlns:wsoap="http://www.w3.org/@@@@/@@/wsdl/soap"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
     
  <wsdl:types>
    <xs:schema targetNamespace="http://example.com/stockquote"
      xmlns:xs="http://www.w3.org/2001/XMLSchema" 
      elementFormDefault="qualified">
      <xs:import
        namespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        schemaLocation="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"/>
      <xs:element name="TradePriceRequest">
        <xs:complexType>
          <xs:all>
            <xs:element name="tickerSymbol" type="xs:string"/>
          </xs:all>
        </xs:complexType>
      </xs:element>
      <xs:element name="TradePrice">
        <xs:complexType>
          <xs:all>
            <xs:element name="price" type="xs:float"/>
          </xs:all>
        </xs:complexType>
      </xs:element>
      <xs:complexType name="myHeaders">
        <xs:sequence>
         <xs:element ref="wsse:Security" 
               wsoap:mustUnderstand="true"/>
         <xs:element name="isGoldClubMember" 
               type="xs:boolean" wsoap:mustUnderstand="true"/>
         <xs:element name="promotionalCode" 
               type="xs:string" minOccurs="0"/>
        </xs:sequence>
      </xs:complexType>
    </xs:schema>
  </wsdl:types>
  
  <wsdl:interface name="StockQuoteInterface">
    <wsdl:operation name="GetLastTradePrice" 
      pattern="http://www.w3.org/@@@@/@@/wsdl/in-out">
      <wsdl:input element="tns:GetLastTradePriceInput"/>
      <wsdl:output element="tns:GetLastTradePriceOutput"/>
    </wsdl:operation>
  </wsdl:interface>
  
  <wsdl:binding name="StockQuoteSoapBinding" interface="tns:StockQuoteInterface"
    type="http://www.w3.org/@@@@/@@/wsdl/soap" 
    wsoap:protocol="http://www.w3.org/2003/05/soap/bindings/HTTP/">
    <wsdl:operation ref="tns:GetLastTradePrice" 
      wsoap:action="http://example.com/GetLastTradePrice">
        <wsdl:input wsoap:headerDescription="tns:myHeaders"/>
        <wsdl:output wsoap:headerDescription="tns:myHeaders"/>
    </wsdl:operation>
  </wsdl:binding>
  
  <wsdl:service name="StockQuoteService" interface="tns:StockQuoteInterface">
    <wsdl:documentation>My first service</wsdl:documentation>
    <wsdl:endpoint name="StockQuoteEndPoint" binding="tns:StockQuoteBinding" 
    address="http://example.com/endpoint/stockquote"/>
  </wsdl:service>
  
</wsdl:description>

楼主可以参照http://lylhelin.iteye.com/blog/773221 这份博客，希望对你有帮助。

谢谢。

这个博客的内容我看过了，但该博客中wsdl文件是由自己编译完发布出来的。

而我希望的是cxf自动生成的wsdl文件中，就包含ws-security的内容。

哦，这样的话，楼主可以去cxf官方网站上看看，有没有这方面的资料。

还在研读之中。
有人说这样可以，继续测试。

   @WebParam(partName = "credentialSoapHeader", mode =
WebParam.Mode.INOUT, name = "CredentialSoapHeader", targetNamespace =
"http://service.ztc.dw.com/", header = true)

CXF官方的解释：
好像很复杂（本人英文不太好），没有现成的例子，郁闷。

There are several ways to do this depending on how your project is written (code first or wsdl first) and requirements such as portability.

• The "JAX-WS" standard way to do this is to write a SOAP Handler that will add the headers to the SOAP message and register the handler on the client/server. This is completely portable from jax-ws vendor to vendor, but is also more difficult and can have performance implications. You have to handle the conversion of the JAXB objects to XML yourself. It involves having the entire soap message in a DOM which breaks streaming. Requires more memory. etc... However, it doesn't require any changes to wsdl or SEI interfaces.
• JAX-WS standard "java first" way: if doing java first development, you can just add an extra parameter to the method and annotate it with @WebParam(header = true). If it's a response header, make it a Holder and add the mode = Mode.OUT to @WebParam.
• wsdl first way: you can add elements to the message in the wsdl and then mark them as soap:headers in the soap:binding section of the wsdl. The wsdl2java tool will generate the @WebParam(header = true) annotations as above. With CXF, you can also put the headers in their own message (not the same message as the request/response) and mark them as headers in the soap:binding, but you will need to pass the -exsh true flag to wsdl2java to get the paramters generated. This is not portable to other jax-ws providers. Processing headers from other messages it optional in the jaxws spec.
• CXF proprietary way: In the context (BindingProvider.getRequestContext() on client, WebServiceContext on server), you can add a List<org.apache.cxf.headers.Header> with the key Header.HEADER_LIST. The headers in the list are streamed at the appropriate time to the wire according to the databinding object found in the Header object. Like option 1, this doesn't require changes to wsdl or method signatures. However, it's much faster as it doesn't break streaming and the memory overhead is less.

List<Header> headers = new ArrayList<Header>();
Header dummyHeader = new Header(new QName("uri:org.apache.cxf", "dummy"), "decapitated",
                                new JAXBDataBinding(String.class));
headers.add(dummyHeader);

//server side:
context.getMessageContext().put(Header.HEADER_LIST, headers);

//client side:
((BindingProvider)proxy).getRequestContext().put(Header.HEADER_LIST, headers);

 

Soap开发WS貌似有两种方法，一般情况下如CXF以及axis之类的应该是有发布添加WS-secirity的方式的，官网上应该有，PS 本人CXF下只做过基础项目，没有玩过有添加安全选项的部分。另外，cxf发布有两种方式，一种Object first，也就是普通的方式，还有一种是WSDLfirst，就是你自己编写WSDL文档然后发布，如果万一不行，你可以自己编写wsdl文档，然后发布。

通过java first(就您说的object first)的方式，还是没有找到相关的解决方法。
我现在通过wsdl first的方法，来解决这个问题。

谢谢啦。

楼主不的问题解决了没。

目前soap服务端使用签名作为参数传过做校验。
WS-SECURITY做好还真不容易