您好!请问一下,WSS4JInInterceptor为什么不验证HTTP GET的请求?这种做法导致我直接访问:http://10.1.1.51:9090/ws/onlineuserservice/queryOnlineUsers时,跳过了安全认证。我查了相关WS-Security的文档,没有说明使用HTTP-GET或者HTTP-POST方法来访问的内容呀。WSS4JInInterceptor中代码是这么写的:public final boolean isGET(SoapMessage message) {String method = (String)message.get(SoapMessage.HTTP_REQUEST_METHOD);return "GET".equals(method) && message.getContent(XMLStreamReader.class) == null;}public void handleMessage(SoapMessage msg) throws Fault {if (msg.containsKey(SECURITY_PROCESSED) || isGET(msg)) {return;}//...以下省略}--
您收到此信息是由于您订阅了 Google 论坛“cxf-zh”论坛。
要在此论坛发帖,请发电子邮件到 cxf...@googlegroups.com
要退订此论坛,请发邮件至 cxf-zh-un...@googlegroups.com
更多选项,请通过 http://groups.google.com/group/cxf-zh?hl=zh-CN 访问该论坛
----
Apache CXF 首页 http://cwiki.apache.org/confluence/display/CXF/Index