我正在尝试将Apache CXF与基于策略的WS-Security一起使用。 WSDL文件告诉客户端首先从安全令牌服务获取令牌。 此请求需要使用我从服务提供商处获得的证书进行签名。 STS使用ADFS实现。
我目前的代码如下:
BindingProvider bindingProvider = (BindingProvider) port;
Map<String, Object> requestContext = bindingProvider.getRequestContext();
// signing configuration
Properties cryptoProperties = new Properties();
cryptoProperties.put(Merlin.PREFIX + Merlin.KEYSTORE_TYPE, "pkcs12");
cryptoProperties.put(Merlin.PREFIX + Merlin.KEYSTORE_FILE, "C:\\[...]\\keystore.p12");
cryptoProperties.put(Merlin.PREFIX + Merlin.KEYSTORE_PASSWORD, KEYSTORE_KEY);
cryptoProperties.put(Merlin.PREFIX + Merlin.KEYSTORE_ALIAS, KEYSTORE_ALIAS);
requestContext.put(SecurityConstants.SIGNATURE_CRYPTO, new Merlin(cryptoProperties, Loader.getClassLoader(Merlin.class), null));
requestContext.put(SecurityConstants.SIGNATURE_USERNAME, KEYSTORE_ALIAS);
requestContext.put(SecurityConstants.CALLBACK_HANDLER,
new CallbackHandler() {
@Override
public void handle(Callback[] callbacks)
throws IOException, UnsupportedCallbackException {
WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
pc.setPassword(KEYSTORE_KEY);
}
});
// additional configuration
requestContext.put(SecurityConstants.STS_CLIENT_SOAP12_BINDING, "true");
目前我收到错误 ID3035:请求无效或格式错误。
政策看起来像这样
<wsp:Policy wsu:Id="[...]">
<wsp:ExactlyOne>
<wsp:All>
<sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken RequireClientCertificate="false"/>
</wsp:Policy>
</sp:TransportToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
</wsp:Policy>
</sp:TransportBinding>
<sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:RequireThumbprintReference/>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
<mssp:RsaToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never" wsp:Optional="true" xmlns:mssp="http://schemas.microsoft.com/ws/2005/07/securitypolicy"/>
<sp:SignedParts>
<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
</sp:SignedParts>
</wsp:Policy>
</sp:EndorsingSupportingTokens>
<sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportRefThumbprint/>
</wsp:Policy>
</sp:Wss11>
<sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportIssuedTokens/>
<sp:RequireClientEntropy/>
<sp:RequireServerEntropy/>
</wsp:Policy>
</sp:Trust10>
<wsaw:UsingAddressing/>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
服务提供商的示例告诉我以这种方式签署请求:
<Security>
<BinarySecurityToken Id="uuid-something">[...]</BinarySecurityToken>
<Signature>
[...]
<KeyInfo>
<SecurityTokenReference>
<Reference URI="#uuid-something"></Reference>
</SecurityTokenReference>
</KeyInfo>
</Signature>
</Security>
我的请求如下:
<Security>
<BinarySecurityToken>[...]</BinarySecurityToken>
<Signature>
[...]
<KeyInfo>
<SecurityTokenReference>
<KeyIdentifier>[...]</KeyIdentifier>
</SecurityTokenReference>
</KeyInfo>
</Signature>
</Security>
如何设法获取参考而不是 KeyIdentifier ?
在互联网上搜索我认为我必须将WSHandlerConstants.SIG_KEY_ID设置为 DirectReference ,如此blog-post中所述。 问题是我不知道如何用基于政策的方法做到这一点......
与工作示例的另一个不同之处在于,我的请求包含&lt; Renewing /&gt; ,它不适用于像stated in this answer这样的ADFS。
<wst:RequestSecurityToken>
[...]
<wst:Renewing/>
</wst:RequestSecurityToken>
答案 0 :(得分:2)
政策是什么样的?它应该告诉CXF如何引用签名密钥,而不进行任何配置更改。
该政策明确告诉CXF使用指纹参考来引用签名密钥,因此CXF根据策略做了正确的事情。如果要使用直接引用,请删除&#34; RequireThumbprintReference&#34;政策。
您可以通过设置&#34; sendRenewing&#34;来避免发送续订元素。 STSClient到&#34; false&#34;。