我正在使用来自http://web-gmazza.rhcloud.com/blog/entry/cxf-sts-tutorial的示例的CXF-STS应用程序。我能够生成SAML断言但它在遇到服务提供商时失败。
我将PasswordCallback作为服务,
@Override
public void handle(Callback[] callbacks) throws IOException,
UnsupportedCallbackException {
for (int index = 0; index < callbacks.length; index++) {
WSPasswordCallback pc = (WSPasswordCallback)callbacks[index];
int usage = pc.getUsage();
if (usage == WSPasswordCallback.DECRYPT || usage == WSPasswordCallback.SIGNATURE) {
String pass = (String) passwords.get(pc.getIdentifier());
if (pass != null) {
pc.setPassword(pass);
return;
}
}
}
WSPasswordCallback类型被发现为SECRETKEY或not WSPasswordCallback.DECRYPT or WSPasswordCallback.SIGNATURE
上面代码中调试的标识符显示为_0bfaf221-9588-4033-b3fa-db9ecbd478fe或一些随机文本。在服务提供者上,我使用Keytype绑定绑定 - SymmetricKey为
<sp:SymmetricBinding>
<wsp:Policy>
<sp:ProtectionToken>
<wsp:Policy>
<sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<sp:RequestSecurityTokenTemplate>
<t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</t:TokenType>
<t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</t:KeyType>
<t:KeySize>256</t:KeySize>
</sp:RequestSecurityTokenTemplate>
<wsp:Policy>
<sp:RequireInternalReference/>
</wsp:Policy>
<sp:Issuer>
<wsaw:Address>http://localhost:8080/StsService/services/STS</wsaw:Address>
<wsaw:Metadata>
<wsx:Metadata>
<wsx:MetadataSection>
<wsx:MetadataReference>
<wsaw:Address>http://localhost:8080/StsService/services/STS/mex</wsaw:Address>
</wsx:MetadataReference>
</wsx:MetadataSection>
在STS端,我提供加密服务提供商的公钥
<bean id="utSTSProperties"
class="org.apache.cxf.sts.StaticSTSProperties">
<property name="signaturePropertiesFile" value="springconfig/keystore.properties"/>
<property name="signatureUsername" value="${stskeyalias}"/>
<property name="callbackHandlerClass" value="com.security.sts.security.StsPasswordCallbackHandler"/>
<property name="encryptionUsername" value="${serverkeyalias}" />
<property name="encryptionPropertiesFile" value="springconfig/keystore.properties" />
<property name="issuer" value="cieron"/>
</bean>
根据http://mail-archives.apache.org/mod_mbox/cxf-users/201112.mbox/%3CCAB8XdGABkphcJXTbtVpDfBZ3KcymtZYX-Rmv0H8QiuwYNHP5OQ@mail.gmail.com%3E和http://coheigea.blogspot.in/2011/05/ws-trust-sample-in-talend-service.html
的建议我不确定对称密钥如何可用于服务提供商,因为它是enrypted。
我检查了所有相关文件,一切似乎都完好无损。我在https://github.com/sampleref/CXFSecurity有我的例子以供参考。我在运行客户端时遇到错误,服务提供商日志显示
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:722)
Caused by: org.apache.wss4j.common.ext.WSSecurityException: No certificates were found for decryption (KeyId)
at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.getCertificatesFromEncryptedKey(EncryptedKeyProcessor.java:372)
at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:137)
at org.apache.wss4j.dom.saml.WSSSAMLKeyInfoProcessor.processSAMLKeyInfo(WSSSAMLKeyInfoProcessor.java:80)
at org.apache.wss4j.common.saml.SAMLUtil.getCredentialFromKeyInfo(SAMLUtil.java:225)
at org.apache.wss4j.common.saml.SAMLUtil.getCredentialFromSubject(SAMLUtil.java:152)
at org.apache.wss4j.common.saml.SamlAssertionWrapper.parseSubject(SamlAssertionWrapper.java:672)
at org.apache.wss4j.dom.processor.SAMLTokenProcessor.handleSAMLToken(SAMLTokenProcessor.java:193)
at org.apache.wss4j.dom.processor.SAMLTokenProcessor.handleToken(SAMLTokenProcessor.java:79)
at org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:427)
at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:257)
未找到证书。请提供一些建议
由于
答案 0 :(得分:0)
您的STS +服务密钥库似乎包含不同的密钥......
STS:
serverkeyalias,2014年7月13日,trustedCertEntry, 证书指纹(SHA1):45:4E:EB:4C:35:89:17:E6:A4:0E:94:FB:61:9B:81:83:FB:A0:82:B1
服务器:
serverkeyalias,2014年7月12日,PrivateKeyEntry, 证书指纹(SHA1):B8:E6:BA:A5:07:24:69:B3:5E:08:2F:A3:CE:97:D8:2E:E2:E1:31:F8
科尔姆。