我使用日内瓦框架拥有自己的STS。有一个MutualCertificateBinding的端点,如下所示
我已将其wsdl的一部分复制如下,以供参考
<sp:AsymmetricBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
<wsp:Policy>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
...
</sp:AsymmetricBinding>
我已经使用非对称密钥从mySTS协商安全令牌的C#客户端应用程序,UseKey是X509Certificate。它运作得很好。
我还直接向mySTS发出Java serlet调用以发出令牌,它使用PublicKey类型,将UseKey手动设置为RST作为X509证书。它也可以正常工作,包含以下代码片段
SecurityTokenService sts = new SecurityTokenService(new URL(Constant.StsMexEndpointAddress));
IWSTrust13Sync stsService = sts.getMutualCertificateWithMessageSecurityBindingIWSTrust13Sync();
RequestSecurityTokenType rst = new RequestSecurityTokenType();
rst.getAny().add(getRequestTypeElement());
rst.getAny().add(getTokenTypeElement());
rst.getAny().add(getKeyTypeElement());
rst.getAny().add(getApplyToElement());
rst.getAny().add(getUseKeyElement());
return message;
token = stsService.trust13Issue(rst);
public static Element getUseKeyElement(){
//code to generate UseKey element manually, it is a BinarySecurityToken
}
我们的客户端使用另一个Java servlet调用mySTS保护的java服务。 Metro会自动处理STS呼叫,下面是java服务的配置方式(使用STS颁发的背书令牌)
- TokenType:2.0
- KeyType:public
- 密钥大小:256
以下是调用java服务的代码片段
STSIssuedTokenConfiguration config = new MySTSIssuesTokenConfiguration();
STSIssuedTokenFeature feature = new STSIssuedTokenFeature(config);
//Initialize UserContext service with STS configuration above
Service_Service service = new Service_Service();
Service stub = service.getServicePort(new WebServiceFeature[]{feature});
stub.ping();
尝试解析UseKey元素时STS抛出异常。它看起来像下面
Handling an exception. Exception details: System.IdentityModel.Protocols.WSTrust.InvalidRequestException: ID3092: The specified UseKey 'SecurityKeyIdentifier
(
IsReadOnly = False,
Count = 1,
Clause[0] = RsaKeyIdentifierClause(Modulus = sH/OHZwDUBExFgbLTslliY4xH3jP63vQ1F3yKxwjcK3jfYeiM3IC6ag6RARLMdX3emhjMu2djCt+/eTB9nq2yMs51kesev23yfywjIkcpZI5c1yb3wL7I+Fh+aa+bDqo0VNjoCeHlevjTVxc82l+q5iPkTZJ7rfe+jZUfZNl+D8=, Exponent = AQAB)
)
' cannot be resolved to a token that would prove the client's possession of the private key.
at System.IdentityModel.Protocols.WSTrust.WSTrustSerializationHelper.ReadRSTXml(XmlReader reader, RequestSecurityToken rst, WSTrustSerializationContext context, WSTrustConstantsAdapter trustConstants)
at System.IdentityModel.Protocols.WSTrust.WSTrust13RequestSerializer.ReadXmlElement(XmlReader reader, RequestSecurityToken rst, WSTrustSerializationContext context)
at System....
我试图比较从2个Java servlet发送的2条消息。一个是由我的servlet以编程方式生成的,另一个是由我的客户端servlet发送的Metro生成的,唯一不同的是我能看到的关于UseKey元素的东西 我的一个运作良好
<UseKey>
<BinarySecurityToken:BinarySecurityToken
xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:BinarySecurityToken="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:d5p1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">MIIDCTCCAfGgAw.....25C057w==
</BinarySecurityToken:BinarySecurityToken>
</UseKey>
我的客户端之一无效(由Metro框架生成)
<trust:UseKey>
<ns10:KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyValue>
<RSAKeyValue>
<Modulus>sH/OHZwDUBExFgbLTsll...rfe+jZUfZNl+D8=</Modulus>
<Exponent>AQAB</Exponent>
</RSAKeyValue>
</KeyValue>
</ns10:KeyInfo>
</trust:UseKey>
AFAI可以看到,它失败了,因为STS无法解析作为RSA KeyValue的UseKey元素,而其UseKeyResolver只有一个由请求的InitiatorToken启动的X509SecurityTokenResolver。
所以我的问题是
- 在调用java服务时,还是以编程方式设置UseKey吗?
- 无论如何让STS解析UseKey元素?
醇>