【发布时间】:2017-03-08 18:36:20
【问题描述】:
我必须使用 SoapUI 进行带有证书签名和时间戳的 RequestSecurityToken 请求,以获取安全令牌以在其他请求中使用它,但我无法正确实现它。
以下是正确的请求,不同的应用程序,但具有相同的证书:
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="_0">
<u:Created>2016-10-24T14:35:54.851Z</u:Created>
<u:Expires>2016-10-24T14:40:54.851Z</u:Expires>
</u:Timestamp>
<o:BinarySecurityToken u:Id="uuid-e5fff67c-e3ce-4c63-86da-9661adfd6e0c-2" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">...MIIFgTCCBGmgAwIBAgIKOePZb(shortened)...</o:BinarySecurityToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#_0">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>tsLKDNU0lJ5SB1p75WGVjd7LMHc=</DigestValue>
</Reference>
<Reference URI="#_1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>4QwJS9rCbZb1B3DcR37qnuJgSl4=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>...gmAXzaf8hhj44/M0Q(shortened)...</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference URI="#uuid-e5fff67c-e3ce-4c63-86da-9661adfd6e0c-2"/>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
</o:Security>
在 SoapUI 中,在 WSS 配置中,我将我的证书添加为密钥库并进行了传出配置,其中生成时间图和签名。在签名中,我将其配置为二进制安全令牌,选择我的密钥库、别名和密码。我已经尝试过各种方法,但最接近纠正的结果是:
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="TS-6EB3E416E924850AA51477473502423447">
<u:Created>2016-10-26T09:18:22.423Z</u:Created>
<u:Expires>2016-10-26T09:23:22.423Z</u:Expires>
</u:Timestamp>
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" u:Id="X509-6EB3E416E924850AA51477473502407442">...CCBGmgAwIBAgIKOeP(shortened)..." xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-6EB3E416E924850AA51477473502408445">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>ylZ7mgRanKsz3pYpbSXtE3FoVcc=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>...PwHLpHxINEYUGoCM+Tsz9ucg(shortened)...</ds:SignatureValue>
<ds:KeyInfo Id="KI-6EB3E416E924850AA51477473502407443">
<wsse:SecurityTokenReference u:Id="STR-6EB3E416E924850AA51477473502407444">
<wsse:Reference URI="#X509-6EB3E416E924850AA51477473502407442" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
根据这个请求,我收到了错误消息的响应
验证消息的安全性时出错。
我看到的差异之一是,在正确的请求中,与 SoapUI 请求相比,有两个具有不同 URI 的引用,但我不知道如何在 SoapUI 中模拟正确的请求。我很高兴得到一些建议,也许有人有类似的问题。
【问题讨论】:
标签: certificate soapui keystore adfs sts-securitytokenservice