【Question title】: Request Token from ADFS STS - DirectReference, disable Renewing
【Posted】: 2016-03-21 15:41:03
【Question description】:

I am trying to use Apache CXF with policy-based WS-Security. The WSDL file tells the client to first obtain a token from a Security Token Service. This request needs to be signed with a certificate that I received from the service provider. The STS is implemented with ADFS.

My current code looks like this:

import java.io.IOException;
import java.util.Map;
import java.util.Properties;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.ws.BindingProvider;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.wss4j.common.crypto.Merlin;
import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.common.util.Loader;

// "port" is the JAX-WS proxy generated from the service WSDL;
// KEYSTORE_KEY and KEYSTORE_ALIAS are constants defined elsewhere in the client.
BindingProvider bindingProvider = (BindingProvider) port;
Map<String, Object> requestContext = bindingProvider.getRequestContext();

// signing configuration: PKCS#12 keystore holding the certificate issued by the service provider
Properties cryptoProperties = new Properties();
cryptoProperties.put(Merlin.PREFIX + Merlin.KEYSTORE_TYPE, "pkcs12");
cryptoProperties.put(Merlin.PREFIX + Merlin.KEYSTORE_FILE, "C:\\[...]\\keystore.p12");
cryptoProperties.put(Merlin.PREFIX + Merlin.KEYSTORE_PASSWORD, KEYSTORE_KEY);
cryptoProperties.put(Merlin.PREFIX + Merlin.KEYSTORE_ALIAS, KEYSTORE_ALIAS);
requestContext.put(SecurityConstants.SIGNATURE_CRYPTO, new Merlin(cryptoProperties, Loader.getClassLoader(Merlin.class), null));
requestContext.put(SecurityConstants.SIGNATURE_USERNAME, KEYSTORE_ALIAS);
// password callback that hands the private-key password to WSS4J
requestContext.put(SecurityConstants.CALLBACK_HANDLER,
    new CallbackHandler() {
        @Override
        public void handle(Callback[] callbacks)
                throws IOException, UnsupportedCallbackException {
            WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
            pc.setPassword(KEYSTORE_KEY);
        }
    });

// additional configuration: talk to the STS over SOAP 1.2
requestContext.put(SecurityConstants.STS_CLIENT_SOAP12_BINDING, "true");

At the moment I get the error ID3035: The request was not valid or malformed.

The policy looks like this:

<wsp:Policy wsu:Id="[...]">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:TransportToken>
                        <wsp:Policy>
                            <sp:HttpsToken RequireClientCertificate="false"/>
                        </wsp:Policy>
                    </sp:TransportToken>
                    <sp:AlgorithmSuite>
                        <wsp:Policy>
                            <sp:Basic256/>
                        </wsp:Policy>
                    </sp:AlgorithmSuite>
                    <sp:Layout>
                        <wsp:Policy>
                            <sp:Strict/>
                        </wsp:Policy>
                    </sp:Layout>
                    <sp:IncludeTimestamp/>
                </wsp:Policy>
            </sp:TransportBinding>
            <sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                        <wsp:Policy>
                            <sp:RequireThumbprintReference/>
                            <sp:WssX509V3Token10/>
                        </wsp:Policy>
                    </sp:X509Token>
                    <mssp:RsaToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never" wsp:Optional="true" xmlns:mssp="http://schemas.microsoft.com/ws/2005/07/securitypolicy"/>
                    <sp:SignedParts>
                        <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
                    </sp:SignedParts>
                </wsp:Policy>
            </sp:EndorsingSupportingTokens>
            <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:MustSupportRefThumbprint/>
                </wsp:Policy>
            </sp:Wss11>
            <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:MustSupportIssuedTokens/>
                    <sp:RequireClientEntropy/>
                    <sp:RequireServerEntropy/>
                </wsp:Policy>
            </sp:Trust10>
            <wsaw:UsingAddressing/>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>

The service provider's example tells me to sign the request in this way:

<Security>
    <BinarySecurityToken Id="uuid-something">[...]</BinarySecurityToken>
    <Signature>
        [...]
        <KeyInfo>
            <SecurityTokenReference>
                <Reference URI="#uuid-something"></Reference>
            </SecurityTokenReference>
        </KeyInfo>
    </Signature>
</Security>

My request looks like this:

<Security>
    <BinarySecurityToken>[...]</BinarySecurityToken>
    <Signature>
        [...]
        <KeyInfo>
            <SecurityTokenReference>
                <KeyIdentifier>[...]</KeyIdentifier>
            </SecurityTokenReference>
        </KeyInfo>
    </Signature>
</Security>

How can I get a Reference instead of a KeyIdentifier?

Searching the internet, I think I have to somehow set WSHandlerConstants.SIG_KEY_ID to DirectReference, as described in a blog post. The problem is that I don't know how to do that with the policy-based approach...

Another difference from the working example is that my request contains <wst:Renewing/>, which does not work with ADFS, as stated in this answer.

<wst:RequestSecurityToken>
    [...]
    <wst:Renewing/>
</wst:RequestSecurityToken>

【Question discussion】:

    Tags: cxf ws-security


    【Solution 1】:

    What does the policy look like? It should tell CXF how to reference the signing key without any configuration changes.

    The policy explicitly tells CXF to reference the signing key via a thumbprint reference, so CXF is doing the right thing according to the policy. If you want to use a direct reference, remove the "RequireThumbprintReference" policy.

    You can avoid sending the Renewing element by setting "sendRenewing" to "false" on the STSClient.

    【Discussion】:
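The following is an added example, not code from the question or the answer, showing how the answer's "sendRenewing" advice can be applied in Java by building the STSClient explicitly instead of letting CXF create it from the request context alone. The STS WSDL URL, service name and endpoint name are placeholders; the keystore path, password and alias are assumed to come from environment variables rather than being hard-coded. The thumbprint-versus-direct-reference choice is driven by the policy, as the answer says, and is not changed in code here.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.ws.BindingProvider;
import org.apache.cxf.Bus;
import org.apache.cxf.BusFactory;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.trust.STSClient;
import org.apache.wss4j.common.crypto.Merlin;
import org.apache.wss4j.common.ext.WSPasswordCallback;

/** Wires an explicitly configured STSClient (sendRenewing=false) into a JAX-WS port. */
public final class AdfsStsClientConfig {

    // Placeholders (assumptions, not values from the question): replace with the real STS metadata.
    static final String STS_WSDL = "https://sts.example.invalid/adfs/services/trust/mex";
    static final String STS_SERVICE = "{http://sts.example.invalid/ns}SecurityTokenService";
    static final String STS_ENDPOINT = "{http://sts.example.invalid/ns}CertificateEndpoint";

    private AdfsStsClientConfig() { }

    /** Builds the Merlin signing crypto from the PKCS#12 keystore (same keys the question uses). */
    static Merlin signingCrypto(String keystorePath, String keystorePassword, String alias) throws Exception {
        Properties p = new Properties();
        p.put(Merlin.PREFIX + Merlin.KEYSTORE_TYPE, "pkcs12");
        p.put(Merlin.PREFIX + Merlin.KEYSTORE_FILE, keystorePath);
        p.put(Merlin.PREFIX + Merlin.KEYSTORE_PASSWORD, keystorePassword);
        p.put(Merlin.PREFIX + Merlin.KEYSTORE_ALIAS, alias);
        return new Merlin(p, Merlin.class.getClassLoader(), null);
    }

    /** Releases the private-key password only for signature callbacks that name the signing alias. */
    static CallbackHandler keyPasswordHandler(final String alias, final String keyPassword) {
        return new CallbackHandler() {
            @Override
            public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (!(cb instanceof WSPasswordCallback)) {
                        throw new UnsupportedCallbackException(cb);
                    }
                    WSPasswordCallback pc = (WSPasswordCallback) cb;
                    if (pc.getUsage() == WSPasswordCallback.SIGNATURE && alias.equals(pc.getIdentifier())) {
                        pc.setPassword(keyPassword);
                    }
                }
            }
        };
    }

    /**
     * Creates the STSClient, disables the Renewing element, attaches the signing
     * configuration, and registers the client on the port's request context so
     * CXF's issued-token interceptor uses it instead of building its own.
     */
    public static STSClient configureStsClient(BindingProvider port) throws Exception {
        // Secrets are read from the environment (assumed variable names) instead of constants in code.
        String keystorePath = System.getenv("STS_KEYSTORE_PATH");
        String keystorePassword = System.getenv("STS_KEYSTORE_PASSWORD");
        String alias = System.getenv("STS_KEYSTORE_ALIAS");

        Bus bus = BusFactory.getThreadDefaultBus();
        STSClient sts = new STSClient(bus);
        sts.setWsdlLocation(STS_WSDL);
        sts.setServiceName(STS_SERVICE);
        sts.setEndpointName(STS_ENDPOINT);
        sts.setSoap12();             // equivalent of STS_CLIENT_SOAP12_BINDING=true in the question
        sts.setSendRenewing(false);  // the answer's fix: no <wst:Renewing/> in the RST sent to ADFS

        Map<String, Object> stsProps = new HashMap<>();
        stsProps.put(SecurityConstants.SIGNATURE_CRYPTO, signingCrypto(keystorePath, keystorePassword, alias));
        stsProps.put(SecurityConstants.SIGNATURE_USERNAME, alias);
        stsProps.put(SecurityConstants.CALLBACK_HANDLER, keyPasswordHandler(alias, keystorePassword));
        sts.setProperties(stsProps);

        port.getRequestContext().put(SecurityConstants.STS_CLIENT, sts);
        return sts;
    }
}
```

Call `AdfsStsClientConfig.configureStsClient((BindingProvider) port)` once, before the first invocation on the port. Because the STSClient is supplied under `SecurityConstants.STS_CLIENT`, the signing properties live on the STSClient itself rather than on the application port's request context, which keeps the STS credentials scoped to the token request. Verifying the fix means capturing the outgoing RequestSecurityToken (for example with CXF's logging feature) and confirming that the `<wst:Renewing/>` element is absent.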
