我使用带有自定义WebServiceTemplate的spring-ws(2.1.4)WebServiceMessageCallback来插入带有SAML的安全标头,我将收到org.w3c.dom.Element和只创造自己进行测试。
我使用webServiceTemplate.marshalSendAndReceive(request, new HeaderCallback(ctx, uri))来编组并发送我的请求。
我的问题是签名验证在服务器端失败,摘要不匹配。在发送之前和接收之后比较SAML的输出我看到在接收端我在发送之前没有一个元素的命名空间声明。
我目前在回调中做了什么:
@Override
public void doWithMessage(WebServiceMessage message) throws IOException, TransformerException {
super.doWithMessage(message);
Assert.isInstanceOf(SoapMessage.class, message);
SoapMessage soapMessage = (SoapMessage) message;
SoapHeaderElement securityHeader = soapMessage.getSoapHeader().addHeaderElement(WS_SECURITY_NAME);
try {
Transformer t = TransformerFactory.newInstance().newTransformer();
t.transform(new DOMSource(assertion), securityHeader.getResult());
} catch (org.springframework.oxm.MarshallingException ex) {
throw new IOException(ex);
}
有谁知道如何将元素插入到SOAP XML中,确保元素不会被修改?或者是否有一种不同的方法来使用Spring WebServiceTemplate来实现这一目标?
我遇到的org.apache.ws.security.saml.ext.SAMLCallback有一个方法setAssertionElement,但是我没有找到如何使用WebServiceTemplate(分别为Wss4jSecurityInterceptor),特别是考虑到我需要传入一个现有的SAML断言作为参数。
SAML XML:
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" IssueInstant="2015-09-23T09:46:14.357Z" Version="2.0">
<saml2:Issuer>iTEST</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>rVbvzGr4LI/Kd0c+kuhqkupSY44=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>TIbtFHnqURfko94eqANDX8UEhw0HSI3xL0sAQ5GbhjVn2DicckzxpoJL3RVPF6KhLOkUPm5IgnF5At6Es69D48DLE+QvWvP0F7VmcdNJHRSnzIWYaJsXfNfDt2AXXM1kanp5Gq8nj1EsT6C8SlkO1x77C3vKkn1nLSNszEkukuhEzA8V7G+l6L65bIveA36IyYqjiVDKIMOIzHMF9qK03Um7qJHWoxvxSig1UPBINlBtDqyhbGW01OnoHP8qXK7bzuP6p3zbBDhhEYMyNV2P8GT8zX1+cv+JE6ghde4K9hyf6V+x6L218L1AOjACEJUkBrxw0q1uJAVGA1UNJPJbJQ==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIC1TCCAb2gAwIBAgIENFWkEzANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBpVEVTVDpjb21tdW5pdHlBMB4XDTE1MDkxMDE0NDcyMFoXDTI1MDkwNzE0NDcyMFowGzEZMBcGA1UEAxMQaVRFU1Q6Y29tbXVuaXR5QTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMX9f6af8s8bqZSlSl7nZVmVz9sQuaxK/fYHwKcBCmeQGfx67K6Lrmg4ZkVlMxFPFAZta8i0UHVbFXD6hY4nD8skA+P1RjnHvk4KboBM2krtx7tSC8IzXmtb8sxXsfLKfu1Blqq0lX0kjPyvCIo4FLOSRE//AuKy8zeTSrKAX8tcZYo23mX8TWkp22Hd6O/x4IxuakWRB6fq8DxYWFsu9f1cnt2n3R+d/myrZ6XRVdpZhptWlZjzy90L2VOuHFC3kY8DvgSCdI3UgL+PzD7R3cKUytHlz04LO5cJue4kRaGbNOdgJoRdj4D24BsjpIZ9PCbzSw689N/hRftsUtO5PRECAwEAAaMhMB8wHQYDVR0OBBYEFBL153jJBGRArnJ5dSyHZGKC3vGcMA0GCSqGSIb3DQEBCwUAA4IBAQCWa0KtdISsQecjA3i4Kyr50oynOnas6YK9Jgb3LzJEU911JW4vX4rHmXEe64OkbIO/fpdCE30saTiBoLEFxrUx0xn+0wGvPMIBJZYncaZUUN9412XPEjYoj5DnFjFvdYqNsdNZ9cOs3sa5hRWufea+QFhSJKSG0nouwW1/5WT3/GYtKJZystL2N2q6pUqhwfP5x1JDELTcoiZZzbTkHOxFiz5iLMrZyDL8Bmb856pF7SzmD6NzLXpqiOwMjTeDWyJ3I9mZqDwoTwxC/e8wG42d486GKu3O/BbDkxEv5UDClMY2722oZKKhu3TdQLOIOLJChKgghjuEWOXb+mDdj/Qq</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID>authSigner</saml2:NameID>
</saml2:Subject>
</saml2:Assertion>
SAML XML:
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" IssueInstant="2015-09-23T09:46:14.357Z" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">iTEST</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:Reference URI="" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">rVbvzGr4LI/Kd0c+kuhqkupSY44=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">TIbtFHnqURfko94eqANDX8UEhw0HSI3xL0sAQ5GbhjVn2DicckzxpoJL3RVPF6KhLOkUPm5IgnF5At6Es69D48DLE+QvWvP0F7VmcdNJHRSnzIWYaJsXfNfDt2AXXM1kanp5Gq8nj1EsT6C8SlkO1x77C3vKkn1nLSNszEkukuhEzA8V7G+l6L65bIveA36IyYqjiVDKIMOIzHMF9qK03Um7qJHWoxvxSig1UPBINlBtDqyhbGW01OnoHP8qXK7bzuP6p3zbBDhhEYMyNV2P8GT8zX1+cv+JE6ghde4K9hyf6V+x6L218L1AOjACEJUkBrxw0q1uJAVGA1UNJPJbJQ==</ds:SignatureValue>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Certificate xmlns:ds="http://www.w3.org/2000/09/xmldsig#">MIIC1TCCAb2gAwIBAgIENFWkEzANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBpVEVTVDpjb21tdW5pdHlBMB4XDTE1MDkxMDE0NDcyMFoXDTI1MDkwNzE0NDcyMFowGzEZMBcGA1UEAxMQaVRFU1Q6Y29tbXVuaXR5QTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMX9f6af8s8bqZSlSl7nZVmVz9sQuaxK/fYHwKcBCmeQGfx67K6Lrmg4ZkVlMxFPFAZta8i0UHVbFXD6hY4nD8skA+P1RjnHvk4KboBM2krtx7tSC8IzXmtb8sxXsfLKfu1Blqq0lX0kjPyvCIo4FLOSRE//AuKy8zeTSrKAX8tcZYo23mX8TWkp22Hd6O/x4IxuakWRB6fq8DxYWFsu9f1cnt2n3R+d/myrZ6XRVdpZhptWlZjzy90L2VOuHFC3kY8DvgSCdI3UgL+PzD7R3cKUytHlz04LO5cJue4kRaGbNOdgJoRdj4D24BsjpIZ9PCbzSw689N/hRftsUtO5PRECAwEAAaMhMB8wHQYDVR0OBBYEFBL153jJBGRArnJ5dSyHZGKC3vGcMA0GCSqGSIb3DQEBCwUAA4IBAQCWa0KtdISsQecjA3i4Kyr50oynOnas6YK9Jgb3LzJEU911JW4vX4rHmXEe64OkbIO/fpdCE30saTiBoLEFxrUx0xn+0wGvPMIBJZYncaZUUN9412XPEjYoj5DnFjFvdYqNsdNZ9cOs3sa5hRWufea+QFhSJKSG0nouwW1/5WT3/GYtKJZystL2N2q6pUqhwfP5x1JDELTcoiZZzbTkHOxFiz5iLMrZyDL8Bmb856pF7SzmD6NzLXpqiOwMjTeDWyJ3I9mZqDwoTwxC/e8wG42d486GKu3O/BbDkxEv5UDClMY2722oZKKhu3TdQLOIOLJChKgghjuEWOXb+mDdj/Qq</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">authSigner</saml2:NameID>
</saml2:Subject>
</saml2:Assertion>
</wsse:Security>
编辑:我找到了一种不添加其他命名空间的方法。我现在正在做的是使用javax.xml.soap.SOAPMessage并导入节点:
@Override
public void doWithMessage(WebServiceMessage message) throws IOException, TransformerException {
super.doWithMessage(message);
Assert.isInstanceOf(SaajSoapMessage.class, message);
try {
SOAPMessage soapMessage = ((SaajSoapMessage) message).getSaajMessage();
SOAPPart soapPart = soapMessage.getSOAPPart();
SOAPEnvelope soapEnvelope = soapPart.getEnvelope();
if (soapEnvelope.getHeader() == null) {
soapEnvelope.addHeader();
}
SOAPHeaderElement securityElement = soapEnvelope.getHeader().addHeaderElement(WS_SECURITY_NAME);
securityElement.appendChild(soapPart.importNode(assertion, true));
} catch (SOAPException ex) {
throw new IOException(ex);
}
}
然而,即使差异显示输出之间没有差异验证仍然失败。在这一点上,我不确定我是否可以信任输出,并且这样做真的没有改变SAML ...
还有什么想法会导致摘要不匹配?
答案 0 :(得分:0)
以下方法(我已将其作为编辑记录在我的问题中)阻止了添加其他命名空间。
@Override
public void doWithMessage(WebServiceMessage message) throws IOException, TransformerException {
super.doWithMessage(message);
Assert.isInstanceOf(SaajSoapMessage.class, message);
try {
SOAPMessage soapMessage = ((SaajSoapMessage) message).getSaajMessage();
SOAPPart soapPart = soapMessage.getSOAPPart();
SOAPEnvelope soapEnvelope = soapPart.getEnvelope();
if (soapEnvelope.getHeader() == null) {
soapEnvelope.addHeader();
}
SOAPHeaderElement securityElement = soapEnvelope.getHeader().addHeaderElement(WS_SECURITY_NAME);
securityElement.appendChild(soapPart.importNode(assertion, true));
} catch (SOAPException ex) {
throw new IOException(ex);
}
}
我也获得了SAML验证。它与SAML添加到SOAP消息的方式无关(也是我使用Transformer的原始方法 - 即使它添加了额外的命名空间 - 现在验证)。缺少的是断言的ID。
以下是我的SAML现在的样子:
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_63ecd7ce7163507e56270edcd644494b" IssueInstant="2015-09-24T18:23:15.118Z" Version="2.0">
<saml2:Issuer>iTEST</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_63ecd7ce7163507e56270edcd644494b">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>yjlkSOIJC3qNYzEYfipGIwoAD9A=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>fIEp5aYFVesexZWAfMM+e8kcwe52nl54xMr92wtz2BZ3TIVkY6u5vfh8hA0q6hkzEEaHV5vM0cEXholekn4og41jhMn7XwmScggrbr/neYBMdE95GRz6Nv2Sc6PzqPTYeFp+Dylho7sy1yZtWAb3jiGm8zdHJIQuk6NNUZhnMPkZqjXpM68U9cRGojAmnczbRVl2couxDp5fErivKJgJuffN3FVBfCFrFOjGpVf00ukZxqJJ3RP+n7wXWl251W0i0KvWCZPCD5gzl69EzNFc78o8khzd26aLIeDFLBQr0BPnrC454dZZ/SSNeH52HtDstNJ6SBrWFAA8c8vnLSJ0fg==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIC1TCCAb2gAwIBAgIENFWkEzANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBpVEVTVDpjb21tdW5pdHlBMB4XDTE1MDkxMDE0NDcyMFoXDTI1MDkwNzE0NDcyMFowGzEZMBcGA1UEAxMQaVRFU1Q6Y29tbXVuaXR5QTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMX9f6af8s8bqZSlSl7nZVmVz9sQuaxK/fYHwKcBCmeQGfx67K6Lrmg4ZkVlMxFPFAZta8i0UHVbFXD6hY4nD8skA+P1RjnHvk4KboBM2krtx7tSC8IzXmtb8sxXsfLKfu1Blqq0lX0kjPyvCIo4FLOSRE//AuKy8zeTSrKAX8tcZYo23mX8TWkp22Hd6O/x4IxuakWRB6fq8DxYWFsu9f1cnt2n3R+d/myrZ6XRVdpZhptWlZjzy90L2VOuHFC3kY8DvgSCdI3UgL+PzD7R3cKUytHlz04LO5cJue4kRaGbNOdgJoRdj4D24BsjpIZ9PCbzSw689N/hRftsUtO5PRECAwEAAaMhMB8wHQYDVR0OBBYEFBL153jJBGRArnJ5dSyHZGKC3vGcMA0GCSqGSIb3DQEBCwUAA4IBAQCWa0KtdISsQecjA3i4Kyr50oynOnas6YK9Jgb3LzJEU911JW4vX4rHmXEe64OkbIO/fpdCE30saTiBoLEFxrUx0xn+0wGvPMIBJZYncaZUUN9412XPEjYoj5DnFjFvdYqNsdNZ9cOs3sa5hRWufea+QFhSJKSG0nouwW1/5WT3/GYtKJZystL2N2q6pUqhwfP5x1JDELTcoiZZzbTkHOxFiz5iLMrZyDL8Bmb856pF7SzmD6NzLXpqiOwMjTeDWyJ3I9mZqDwoTwxC/e8wG42d486GKu3O/BbDkxEv5UDClMY2722oZKKhu3TdQLOIOLJChKgghjuEWOXb+mDdj/Qq</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID>authSigner</saml2:NameID>
</saml2:Subject>
</saml2:Assertion>