按代码为STS / WS-Trust配置CXF

时间:2014-07-25 10:38:39

标签: java cxf ws-trust

我喜欢使用CXF访问受STS / WS-Trust保护的SOAP服务。由于我被迫减少依赖性,我使用CXFBusFactory而不是spring配置。这意味着我被迫通过代码进行配置,这在网络上的文档化和流行度很低。

任何人都可以指出哪些配置设置缺失以及如何通过代码设置它们?

我得到了:

private static void testSo(String endpointUrl, String username, String password) {
    String busFactory = System.getProperty(BusFactory.BUS_FACTORY_PROPERTY_NAME);
    try {
        // Setup the system properties to use the CXFBusFactory not the SpringBusFactory
        System.setProperty(BusFactory.BUS_FACTORY_PROPERTY_NAME, "org.apache.cxf.bus.CXFBusFactory");

        CXFBusFactory bf = new CXFBusFactory();         
        Bus bus = bf.createBus();
        bus.getFeatures().add(new org.apache.cxf.feature.LoggingFeature());

        STSClient stsClient = new STSClient(bus);
        stsClient.setWsdlLocation("https://example.com/adfs/services/trust/mex");
        stsClient.setServiceName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService");
        stsClient.setEndpointName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}CustomBinding_IWSTrustFeb2005Async");

        bus.setProperty("ws-security.callback-handler", "com.example.ClientCallbackHandler");
        bus.setProperty("ws-security.username", username);
        bus.setProperty("ws-security.password", password);
        bus.setProperty("ws-security.sts.client", stsClient);

        BusFactory.setDefaultBus(bus);
        BusFactory.setThreadDefaultBus(bus);

        URL wsdlUrl = new URL(endpointUrl + "?singleWsdl");
        Service ss = OrganizationService.create(wsdlUrl, SERVICE_NAME);         
        IOrganizationService port = ss.getPort(IOrganizationService.class);

        ColumnSet cs = new ColumnSet();
        cs.setAllColumns(true);
        Entity e = port.retrieve("account", "323223", cs);          
    } catch (Exception ex) {
        ex.printStackTrace();
    } finally {
        // clean up the system properties
        if (busFactory != null) {
            System.setProperty(BusFactory.BUS_FACTORY_PROPERTY_NAME, busFactory);
        } else {
            System.clearProperty(BusFactory.BUS_FACTORY_PROPERTY_NAME);
        }
    }
}

如果重要,目标服务是MS CRM 2013.

到目前为止,我从CXF日志记录中获取:

Jul 25, 2014 12:24:55 PM org.apache.cxf.ws.policy.AssertionBuilderRegistryImpl handleNoRegisteredBuilder
WARNUNG: No assertion builder for type {http://schemas.microsoft.com/xrm/2011/Contracts/Services}AuthenticationPolicy registered.
Jul 25, 2014 12:24:55 PM org.apache.cxf.ws.security.policy.builders.HttpsTokenBuilder build
WARNUNG: sp:HttpsToken/wsp:Policy should have a value!

然后是这个例外:

javax.xml.ws.soap.SOAPFaultException: None of the policy alternatives can be satisfied.
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:158)
    at com.sun.proxy.$Proxy46.retrieve(Unknown Source)

更新1 :我认为主要问题是按代码设置sp:HttpsToken/wsp:Policy。通常,网络向我展示了这个示例弹簧配置,但我没有看到如何使用代码进行复制(Client client = ClientProxy.getClient(port);让我成为客户端)。例如:

  <sp:TransportBinding>
    <wsp:Policy>
        <sp:TransportToken>
            <wsp:Policy>
                <sp:HttpsToken/>
            </wsp:Policy>
        </sp:TransportToken>
        <sp:AlgorithmSuite>
            <wsp:Policy>
                <sp:Basic256/>
            </wsp:Policy>
        </sp:AlgorithmSuite>
        <sp:Layout>
            <wsp:Policy>
                <sp:Lax/>
            </wsp:Policy>
        </sp:Layout>
        <sp:IncludeTimestamp/>
    </wsp:Policy>
  </sp:TransportBinding>

更新2 :这是服务服务器的WSDL策略:

<wsp:Policy wsu:Id="CustomBinding_IOrganizationService_policy">
<wsp:ExactlyOne>
<wsp:All>
<ms-xrm:AuthenticationPolicy xmlns:ms-xrm="http://schemas.microsoft.com/xrm/2011/Contracts/Services">
<ms-xrm:Authentication>Federation</ms-xrm:Authentication>
<ms-xrm:SecureTokenService>
<ms-xrm:Identifier>http://sts1.example.com/adfs/services/trust</ms-xrm:Identifier>
</ms-xrm:SecureTokenService>
</ms-xrm:AuthenticationPolicy>
<sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken/>
</wsp:Policy>
</sp:TransportToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
</wsp:Policy>
</sp:TransportBinding>
<sp:EndorsingSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<Issuer xmlns="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<Address xmlns="http://www.w3.org/2005/08/addressing">http://www.w3.org/2005/08/addressing/anonymous</Address>
<Metadata xmlns="http://www.w3.org/2005/08/addressing">
<Metadata xmlns="http://schemas.xmlsoap.org/ws/2004/09/mex" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<wsx:MetadataSection xmlns="">
<wsx:MetadataReference>
<Address xmlns="http://www.w3.org/2005/08/addressing">https://sts1.edrcrm.com/adfs/services/trust/mex</Address>
</wsx:MetadataReference>
</wsx:MetadataSection>
</Metadata>
</Metadata>
</Issuer>
<sp:RequestSecurityTokenTemplate>
<trust:KeyType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey
</trust:KeyType>
<trust:KeySize xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">256</trust:KeySize>
<trust:Claims xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512" Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity">
<wsid:ClaimType xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"/>
</trust:Claims>
<trust:KeyWrapAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p</trust:KeyWrapAlgorithm>
<trust:EncryptWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptWith>
<trust:SignWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2000/09/xmldsig#hmac-sha1</trust:SignWith>
<trust:CanonicalizationAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/10/xml-exc-c14n#</trust:CanonicalizationAlgorithm>
<trust:EncryptionAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptionAlgorithm>
</sp:RequestSecurityTokenTemplate>
<wsp:Policy>
<sp:RequireInternalReference/>
</wsp:Policy>
</sp:IssuedToken>
</wsp:Policy>
</sp:EndorsingSupportingTokens>
<sp:Wss11 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy/>
</sp:Wss11>
<sp:Trust13 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<sp:MustSupportIssuedTokens/>
<sp:RequireClientEntropy/>
<sp:RequireServerEntropy/>
</wsp:Policy>
</sp:Trust13>
<wsaw:UsingAddressing/>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>

1 个答案:

答案 0 :(得分:1)

请求+响应消息是什么样的? STS的安全策略是什么? HttpsToken是一个红色的鲱鱼,这只是一个警告,在这种情况下STS的安全策略并不严格符合规范。

科尔姆。

相关问题
最新问题