Writing a standalone Java client to access a protected WCF web service using a SAML2 token

Time: 2012-10-25 09:52:51

Tags: jax-ws wcf-client wsit

I am trying to access a secured Windows Communication Foundation (WCF) web service, written on the .NET platform, from a plain Java client using the Metro web services API (webservices-rt-2.2.0-1).

Using the WSDL of the WCF web service and an ant target, I was able to generate the web service artifacts.

To access the WCF web service I need to insert a SAML2 token into the SOAP request. This SAML2 token is retrieved by calling a REST service whose response contains the SAML2 assertion. At the moment I hold the token as a String object (the whole assertion XML).

My client code looks something like this:

    import java.net.URL;
    import javax.xml.namespace.QName;

    MyService service = new MyService(new URL(wsdlLocation),
            new QName("http://tempuri.org/", "MyService"));

    IMyService port = service.getCustomBindingIMyService();

    port.callMyServiceApi();

This code throws the following error: WST0029: Could not get STS location from IssuedToken or from the client

Because of this, I changed my code to the following:

    import java.net.URL;
    import javax.xml.namespace.QName;
    import javax.xml.ws.WebServiceFeature;
    import com.sun.xml.ws.api.security.trust.client.STSIssuedTokenFeature;
    import com.sun.xml.ws.security.trust.impl.client.DefaultSTSIssuedTokenConfiguration;

    MyService service = new MyService(new URL(wsdlLocation),
            new QName("http://tempuri.org/", "MyService"));

    // Point Metro's trust plugin at the STS explicitly instead of relying on the WSDL's IssuedToken policy.
    DefaultSTSIssuedTokenConfiguration config = new DefaultSTSIssuedTokenConfiguration(
            stsEndpointAddress, wsdl, "MyService", "CustomBinding_IMyService", "http://tempuri.org/");

    STSIssuedTokenFeature feature = new STSIssuedTokenFeature(config);
    IMyService port = service.getCustomBindingIMyService(new WebServiceFeature[]{feature});

    port.getApiVersion();

With the above, the STS location error goes away, but the following error appears:

    Exception in thread "main" javax.xml.ws.WebServiceException: java.lang.NullPointerException
        at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processRequest(SecurityClientTube.java:250)
        at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:961)
        at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:910)
        at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:873)
        at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:775)
        at com.sun.xml.ws.client.Stub.process(Stub.java:429)
        at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:168)
        at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:119)
        at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:102)
        at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:151)
        at $Proxy44.getApiVersion(Unknown Source)
        at TnTActionsClient.callTnT(TnTActionsClient.java:426)
        at TnTActionsClient.main(TnTActionsClient.java:447)
    Caused by: java.lang.NullPointerException
        at com.sun.xml.ws.security.trust.impl.WSTrustClientContractImpl.setLifetime(WSTrustClientContractImpl.java:215)
        at com.sun.xml.ws.security.trust.impl.WSTrustClientContractImpl.handleRSTR(WSTrustClientContractImpl.java:145)
        at com.sun.xml.ws.security.trust.impl.TrustPluginImpl.process(TrustPluginImpl.java:177)
        at com.sun.xml.ws.security.trust.impl.client.STSIssuedTokenProviderImpl.getIssuedTokenContext(STSIssuedTokenProviderImpl.java:144)
        at com.sun.xml.ws.security.trust.impl.client.STSIssuedTokenProviderImpl.issue(STSIssuedTokenProviderImpl.java:74)
        at com.sun.xml.ws.api.security.trust.client.IssuedTokenManager.getIssuedToken(IssuedTokenManager.java:83)
        at com.sun.xml.wss.jaxws.impl.SecurityClientTube.invokeTrustPlugin(SecurityClientTube.java:685)
        at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processClientRequestPacket(SecurityClientTube.java:281)
        at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processRequest(SecurityClientTube.java:247)
        ... 12 more

I have turned on logging of the SOAP messages, and on inspecting the request I found that no security-related information is going into the request. The web service endpoint returns a failure response indicating that the security in the request is invalid.

I would like to know:

1. Am I on the right track with my client so far?
2. What is the best way to call the REST service and parse the SAML2 token response?
3. How do I set the SAML2 token from step 2 on all my web service calls?

According to the implementers of the WCF web service, they are using WS-Security rather than federated security. The SAML2 token received looks like this:

<wsse:Security soap:mustUnderstand="true"
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
        <Assertion ID="_909088b3-d972-4b6f-84b1-26301c1c3b69"
                IssueInstant="2012-10-16T12:32:44.293Z" Version="2.0"
                xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
                <Issuer>xyz:appl:identity</Issuer>
                <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                        <ds:SignedInfo>
                                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                                <ds:Reference URI="#_909088b3-d972-4b6f-84b1-26301c1c3b69">
                                        <ds:Transforms>
                                                <ds:Transform
                                                        Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                                                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                                        </ds:Transforms>
                                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                                        <ds:DigestValue>some_value_here</ds:DigestValue>
                                </ds:Reference>
                        </ds:SignedInfo>
                        <ds:SignatureValue>sig_here</ds:SignatureValue>
                        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                                <X509Data>
                                        <X509Certificate>certHere</X509Certificate>
                                </X509Data>
                        </KeyInfo>
                </ds:Signature>
                <Subject>
                        <NameID
                                Format="http://schemas.xyz.com/2009/09/Identity/Format/Idm/InsightUserName">user222</NameID>
                        <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" />
                </Subject>
                <Conditions NotBefore="2012-10-16T12:32:44.293Z"
                        NotOnOrAfter="2022-01-01T12:00:00.000Z">
                        <AudienceRestriction>
                                <Audience>uri:samlclient.xyzbadal.com</Audience>
                        </AudienceRestriction>
                </Conditions>
                <AttributeStatement>
                        <Attribute
                                Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
                                <AttributeValue>user222</AttributeValue>
                        </Attribute>
                        <Attribute
                                Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
                                <AttributeValue>user222</AttributeValue>
                        </Attribute>
                        <Attribute
                                Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
                                <AttributeValue>support@abc.com</AttributeValue>
                        </Attribute>
                        <Attribute
                                Name="http://schemas.xyz.com/2009/09/Identity/Claims/CustomerId">
                                <AttributeValue>11209</AttributeValue>
                        </Attribute>
                        <Attribute
                                Name="http://schemas.xyz.com/2009/09/Identity/Claims/InsightUserId">
                                <AttributeValue>1</AttributeValue>
                        </Attribute>
                        <Attribute
                                Name="http://schemas.xyz.com/2009/09/Identity/Claims/NameIdFormat">
                                <AttributeValue>http://schemas.xyz.com/2009/09/Identity/Format/Idm/InsightUserName</AttributeValue>
                        </Attribute>
                        <Attribute
                                Name="http://schemas.xyz.com/2009/09/Identity/Claims/HasProfile">
                                <AttributeValue>True</AttributeValue>
                        </Attribute>
                        <Attribute
                                Name="http://schemas.xyz.com/2009/09/Identity/Claims/Password">
                                <AttributeValue>test1</AttributeValue>
                        </Attribute>
                        <Attribute
                                Name="http://schemas.xyz.com/2009/09/Identity/Claims/HasPassword">
                                <AttributeValue>True</AttributeValue>
                        </Attribute>
                        <Attribute
                                Name="http://schemas.xyz.com/2009/09/Identity/Claims/LocaleName">
                                <AttributeValue>en-US</AttributeValue>
                        </Attribute>
                        <Attribute
                                Name="http://schemas.xyz.com/2009/09/Identity/Claims/HasCredential">
                                <AttributeValue>false</AttributeValue>
                        </Attribute>
                        <Attribute
                                Name="http://schemas.xyz.com/2009/09/Identity/Claims/InternalReferenceId">
                                <AttributeValue>user222</AttributeValue>
                        </Attribute>
                        <Attribute
                                Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
                                <AttributeValue>CustomiseUI</AttributeValue>
                                <AttributeValue>EditConfiguration</AttributeValue>
                                ...
                        </Attribute>
                        <Attribute
                                Name="http://schemas.xyz.com/2009/09/Identity/Claims/ProfileUrl">
                                <AttributeValue>https://identity.com/able/</AttributeValue>
                        </Attribute>
                </AttributeStatement>
                <AuthnStatement AuthnInstant="2012-10-16T12:32:44.000Z"
                        SessionNotOnOrAfter="2022-01-01T12:00:00.000Z">
                        <AuthnContext>
                                <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
                        </AuthnContext>
                </AuthnStatement>
        </Assertion>
</wsse:Security>

I received several WSDL files. Fragments are pasted below.

WSDL 1:

<?xml version="1.0" encoding="UTF-8"?>
<wsdl:definitions targetNamespace="http://schemas.xyz.com/TrackMe/2010/06/" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex" xmlns:wsa10="http://www.w3.org/2005/08/addressing" xmlns:tns="http://schemas.xyz.com/TrackMe/2010/06/" xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsap="http://schemas.xmlsoap.org/ws/2004/08/addressing/policy" xmlns:msc="http://schemas.microsoft.com/ws/2005/12/wsdl/contract" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata" xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
  <wsdl:types>
    <xsd:schema targetNamespace="http://schemas.xyz.com/TrackMe/2010/06/Imports">
      <xsd:import schemaLocation="TrackMe.xsd" namespace="http://schemas.xyz.com/TrackMe/2010/06/"/>
      <xsd:import schemaLocation="TrackMe_1_2_3_4.xsd" namespace="http://schemas.xyz.com/shs/api"/>
      <xsd:import schemaLocation="TrackMe_1_2.xsd" namespace="http://schemas.microsoft.com/2003/10/Serialization/"/>
      <xsd:import schemaLocation="TrackMe_1.xsd" namespace="http://schemas.xyz.com/TrackMe/2010/06/Data"/>
      <xsd:import schemaLocation="TrackMe_1_2_3_4_5.xsd" namespace="http://schemas.datacontract.org/2004/07/xyz.Validation"/>
      <xsd:import schemaLocation="TrackMe_1_2_3.xsd" namespace="http://schemas.datacontract.org/2004/07/xyz.TrackMe.PublicApiService.Contract"/>
    </xsd:schema>
  </wsdl:types>
  <wsdl:message name="IMyService_GetApiVersion_InputMessage">
    <wsdl:part name="parameters" element="tns:GetApiVersion"/>
  </wsdl:message>
  <wsdl:message name="IMyService_GetApiVersion_OutputMessage">
    <wsdl:part name="parameters" element="tns:GetApiVersionResponse"/>
  </wsdl:message>
  <wsdl:message name="IMyService_GetApiVersion_FaultDetailFault_FaultMessage">
    <wsdl:part name="detail" element="q2:Fault" xmlns:q2="http://schemas.xyz.com/shs/api"/>
  </wsdl:message>
  ....
 <wsdl:operation name="GetApiVersion">
      <wsdl:input wsaw:Action="http://schemas.xyz.com/TrackMe/2010/06/IMyService/GetApiVersion" message="tns:IMyService_GetApiVersion_InputMessage"/>
      <wsdl:output wsaw:Action="http://schemas.xyz.com/TrackMe/2010/06/IMyService/GetApiVersionResponse" message="tns:IMyService_GetApiVersion_OutputMessage"/>
      <wsdl:fault wsaw:Action="http://schemas.xyz.com/TrackMe/2010/06/IMyService/GetApiVersionFaultDetailFault" name="FaultDetailFault" message="tns:IMyService_GetApiVersion_FaultDetailFault_FaultMessage"/>
    </wsdl:operation>
    ...
  </wsdl:portType>
</wsdl:definitions>

WSDL 2:

<?xml version="1.0" encoding="UTF-8"?>
<wsdl:definitions name="MyService" targetNamespace="http://tempuri.org/" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex" xmlns:wsa10="http://www.w3.org/2005/08/addressing" xmlns:tns="http://tempuri.org/" xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsap="http://schemas.xmlsoap.org/ws/2004/08/addressing/policy" xmlns:msc="http://schemas.microsoft.com/ws/2005/12/wsdl/contract" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata" xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:i0="http://schemas.xyz.com/TrackMe/2010/06/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
  <wsp:Policy wsu:Id="CustomBinding_IMyService_policy">
    <wsp:ExactlyOne>
      <wsp:All>
        <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
          <wsp:Policy>
            <sp:TransportToken>
              <wsp:Policy>
                <sp:HttpsToken/>
              </wsp:Policy>
            </sp:TransportToken>
            <sp:AlgorithmSuite>
              <wsp:Policy>
                <sp:Basic256/>
              </wsp:Policy>
            </sp:AlgorithmSuite>
            <sp:Layout>
              <wsp:Policy>
                <sp:Strict/>
              </wsp:Policy>
            </sp:Layout>
            <sp:IncludeTimestamp/>
          </wsp:Policy>
        </sp:TransportBinding>
        <sp:SignedSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
          <wsp:Policy>
            <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
              <sp:RequestSecurityTokenTemplate>
                <trust:TokenType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</trust:TokenType>
                <trust:KeyType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
              </sp:RequestSecurityTokenTemplate>
              <wsp:Policy>
                <sp:RequireInternalReference/>
              </wsp:Policy>
            </sp:IssuedToken>
          </wsp:Policy>
        </sp:SignedSupportingTokens>
        <sp:Wss11 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
          <wsp:Policy/>
        </sp:Wss11>
        <sp:Trust13 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
          <wsp:Policy>
            <sp:MustSupportIssuedTokens/>
            <sp:RequireClientEntropy/>
            <sp:RequireServerEntropy/>
          </wsp:Policy>
        </sp:Trust13>
        <wsaw:UsingAddressing/>
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>
  <wsdl:import namespace="http://schemas.xyz.com/TrackMe/2010/06/" location="TrackMe.wsdl"/>
  <wsdl:types/>
  <wsdl:binding name="CustomBinding_IMyService" type="i0:IMyService">
    <wsp:PolicyReference URI="#CustomBinding_IMyService_policy"/>
    <soap12:binding transport="http://schemas.xmlsoap.org/soap/http"/>
    ...
     <wsdl:operation name="GetApiVersion">
      <soap12:operation soapAction="http://schemas.xyz.com/TrackMe/2010/06/IMyService/GetApiVersion" style="document"/>
      <wsdl:input>
        <soap12:body use="literal"/>
      </wsdl:input>
      <wsdl:output>
        <soap12:body use="literal"/>
      </wsdl:output>
      <wsdl:fault name="FaultDetailFault">
        <soap12:fault name="FaultDetailFault" use="literal"/>
      </wsdl:fault>
    </wsdl:operation>
    ....
     </wsdl:binding>
  <wsdl:service name="MyService">
    <wsdl:port name="CustomBinding_IMyService" binding="tns:CustomBinding_IMyService">
      <soap12:address location="https://apidev2.devel.abc.com/tnt/public_api/TrackMe.svc"/>
      <wsa10:EndpointReference>
        <wsa10:Address>https://apidev2.devel.abc.com/tnt/public_api/TrackMe.svc</wsa10:Address>
      </wsa10:EndpointReference>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>

Let me know if you need more information. Any help is greatly appreciated. Thanks in advance! Carl.

0 answers:

No answers