Request Token from ADFS STS - DirectReference, disable Renewing
I am trying to use Apache CXF with policy-based WS-Security.
The WSDL file tells the client to first obtain a token from a Security Token Service.
That request has to be signed with a certificate I received from the service provider. The STS is ADFS.
Implementation
My current code looks like this:
import java.io.IOException;
import java.util.Map;
import java.util.Properties;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.ws.BindingProvider;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.wss4j.common.crypto.Merlin;
import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.common.util.Loader;

BindingProvider bindingProvider = (BindingProvider) port;
Map<String, Object> requestContext = bindingProvider.getRequestContext();
// signing configuration: Merlin loads the client certificate and private key from a PKCS#12 keystore
Properties cryptoProperties = new Properties();
cryptoProperties.put(Merlin.PREFIX + Merlin.KEYSTORE_TYPE, "pkcs12");
// backslashes must be doubled inside a Java string literal
cryptoProperties.put(Merlin.PREFIX + Merlin.KEYSTORE_FILE, "C:\\[...]\\keystore.p12");
cryptoProperties.put(Merlin.PREFIX + Merlin.KEYSTORE_PASSWORD, KEYSTORE_KEY);
cryptoProperties.put(Merlin.PREFIX + Merlin.KEYSTORE_ALIAS, KEYSTORE_ALIAS);
requestContext.put(SecurityConstants.SIGNATURE_CRYPTO,
    new Merlin(cryptoProperties, Loader.getClassLoader(Merlin.class), null));
// alias of the private key used to sign the RequestSecurityToken
requestContext.put(SecurityConstants.SIGNATURE_USERNAME, KEYSTORE_ALIAS);
// WSS4J asks this handler for the private-key password when it signs
requestContext.put(SecurityConstants.CALLBACK_HANDLER,
    new CallbackHandler() {
        @Override
        public void handle(Callback[] callbacks)
                throws IOException, UnsupportedCallbackException {
            WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
            pc.setPassword(KEYSTORE_KEY);
        }
    });
// additional configuration: talk SOAP 1.2 to the STS
requestContext.put(SecurityConstants.STS_CLIENT_SOAP12_BINDING, "true");
Currently I get the error ID3035: The request was not valid or malformed.
The policy looks like this:
<wsp:Policy wsu:Id="[...]">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:TransportToken>
            <wsp:Policy>
              <sp:HttpsToken RequireClientCertificate="false"/>
            </wsp:Policy>
          </sp:TransportToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic256/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Strict/>
            </wsp:Policy>
          </sp:Layout>
          <sp:IncludeTimestamp/>
        </wsp:Policy>
      </sp:TransportBinding>
      <sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
              <sp:RequireThumbprintReference/>
              <sp:WssX509V3Token10/>
            </wsp:Policy>
          </sp:X509Token>
          <mssp:RsaToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never" wsp:Optional="true" xmlns:mssp="http://schemas.microsoft.com/ws/2005/07/securitypolicy"/>
          <sp:SignedParts>
            <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
          </sp:SignedParts>
        </wsp:Policy>
      </sp:EndorsingSupportingTokens>
      <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:MustSupportRefThumbprint/>
        </wsp:Policy>
      </sp:Wss11>
      <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:MustSupportIssuedTokens/>
          <sp:RequireClientEntropy/>
          <sp:RequireServerEntropy/>
        </wsp:Policy>
      </sp:Trust10>
      <wsaw:UsingAddressing/>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
The service provider's example tells me to sign the request like this:
<Security>
  <BinarySecurityToken Id="uuid-something">[...]</BinarySecurityToken>
  <Signature>
    [...]
    <KeyInfo>
      <SecurityTokenReference>
        <Reference URI="#uuid-something"></Reference>
      </SecurityTokenReference>
    </KeyInfo>
  </Signature>
</Security>
My request looks like this:
<Security>
  <BinarySecurityToken>[...]</BinarySecurityToken>
  <Signature>
    [...]
    <KeyInfo>
      <SecurityTokenReference>
        <KeyIdentifier>[...]</KeyIdentifier>
      </SecurityTokenReference>
    </KeyInfo>
  </Signature>
</Security>
How can I get a Reference instead of a KeyIdentifier?
Searching the internet, I think I have to somehow set WSHandlerConstants.SIG_KEY_ID to DirectReference, as stated in this blog post.
The problem is that I don't know how to do that with the policy-based approach...
Another difference from the working example is that my request contains <wst:Renewing/>, which does not work with ADFS, as stated in this answer.
<wst:RequestSecurityToken>
  [...]
  <wst:Renewing/>
</wst:RequestSecurityToken>
What does the policy look like? It should tell CXF how to reference the signing key without any configuration changes.
The policy explicitly tells CXF to reference the signing key with a thumbprint reference, so CXF is doing the right thing according to the policy. If you want to use a direct reference, remove the "RequireThumbprintReference" policy.
You can avoid sending the Renewing element by setting "sendRenewing" to "false" on the STSClient.
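Putting the answer into code, as an added example that is neither the asker's code nor CXF project code: the STSClient is built programmatically, given a local copy of the STS policy with the RequireThumbprintReference assertion removed (so the X509Token, which is included AlwaysToRecipient, is referenced directly by its BinarySecurityToken), has sendRenewing switched off, and is registered on the application port under SecurityConstants.STS_CLIENT so the IssuedToken interceptor uses it instead of building its own client from the WSDL. The STS address, keystore path, password and alias are assumed placeholders, and the policy is parsed from a Java 15+ text block with DOCTYPE processing disabled.

```java
import java.io.StringReader;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import javax.security.auth.callback.CallbackHandler;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.ws.BindingProvider;
import org.apache.cxf.Bus;
import org.apache.cxf.BusFactory;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.trust.STSClient;
import org.apache.wss4j.common.crypto.Merlin;
import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.common.util.Loader;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

public class AdfsStsClientConfig {

    // Assumed placeholders: replace with the real ADFS endpoint and keystore details.
    static final String STS_LOCATION = "https://adfs.example.com/adfs/services/trust/2005/certificate";
    static final String KEYSTORE_FILE = "/path/to/keystore.p12";
    static final String KEYSTORE_PASSWORD = "changeit";
    static final String KEYSTORE_ALIAS = "client";

    // The STS policy from the question with <sp:RequireThumbprintReference/> removed.
    // With the token included AlwaysToRecipient and no reference type required,
    // CXF references the signing key with a direct <wsse:Reference URI="#..."/>.
    static final String STS_POLICY = """
        <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
                    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
                    xmlns:mssp="http://schemas.microsoft.com/ws/2005/07/securitypolicy"
                    xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl">
          <wsp:ExactlyOne>
            <wsp:All>
              <sp:TransportBinding>
                <wsp:Policy>
                  <sp:TransportToken><wsp:Policy><sp:HttpsToken RequireClientCertificate="false"/></wsp:Policy></sp:TransportToken>
                  <sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>
                  <sp:Layout><wsp:Policy><sp:Strict/></wsp:Policy></sp:Layout>
                  <sp:IncludeTimestamp/>
                </wsp:Policy>
              </sp:TransportBinding>
              <sp:EndorsingSupportingTokens>
                <wsp:Policy>
                  <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                    <wsp:Policy><sp:WssX509V3Token10/></wsp:Policy>
                  </sp:X509Token>
                  <mssp:RsaToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never" wsp:Optional="true"/>
                  <sp:SignedParts><sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/></sp:SignedParts>
                </wsp:Policy>
              </sp:EndorsingSupportingTokens>
              <sp:Wss11><wsp:Policy><sp:MustSupportRefThumbprint/></wsp:Policy></sp:Wss11>
              <sp:Trust10>
                <wsp:Policy><sp:MustSupportIssuedTokens/><sp:RequireClientEntropy/><sp:RequireServerEntropy/></wsp:Policy>
              </sp:Trust10>
              <wsaw:UsingAddressing/>
            </wsp:All>
          </wsp:ExactlyOne>
        </wsp:Policy>
        """;

    // Parse the policy with a hardened DOM parser (no DOCTYPE, secure processing on).
    static Element parsePolicy(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml))).getDocumentElement();
    }

    // Signature crypto, signing alias and password callback, as in the question but as a reusable map.
    static Map<String, Object> signatureProperties() throws Exception {
        Properties cryptoProperties = new Properties();
        cryptoProperties.put(Merlin.PREFIX + Merlin.KEYSTORE_TYPE, "pkcs12");
        cryptoProperties.put(Merlin.PREFIX + Merlin.KEYSTORE_FILE, KEYSTORE_FILE);
        cryptoProperties.put(Merlin.PREFIX + Merlin.KEYSTORE_PASSWORD, KEYSTORE_PASSWORD);
        cryptoProperties.put(Merlin.PREFIX + Merlin.KEYSTORE_ALIAS, KEYSTORE_ALIAS);
        Map<String, Object> props = new HashMap<>();
        props.put(SecurityConstants.SIGNATURE_CRYPTO,
            new Merlin(cryptoProperties, Loader.getClassLoader(Merlin.class), null));
        props.put(SecurityConstants.SIGNATURE_USERNAME, KEYSTORE_ALIAS);
        CallbackHandler passwordHandler =
            callbacks -> ((WSPasswordCallback) callbacks[0]).setPassword(KEYSTORE_PASSWORD);
        props.put(SecurityConstants.CALLBACK_HANDLER, passwordHandler);
        return props;
    }

    static STSClient buildStsClient(Bus bus, Map<String, Object> signatureProps) throws Exception {
        STSClient stsClient = new STSClient(bus);
        stsClient.setLocation(STS_LOCATION);           // STS address; no WSDL needed when the policy is supplied
        stsClient.setSoap12();                         // same effect as STS_CLIENT_SOAP12_BINDING=true
        stsClient.setPolicy(parsePolicy(STS_POLICY));  // overrides the WSDL policy for the RST call
        stsClient.setSendRenewing(false);              // omit <wst:Renewing/>, which ADFS rejects
        stsClient.setProperties(signatureProps);       // crypto + alias + password callback for the RST signature
        return stsClient;
    }

    // Usage: call once on the JAX-WS port before the first invocation.
    static void attach(BindingProvider port) throws Exception {
        Map<String, Object> sigProps = signatureProperties();
        STSClient stsClient = buildStsClient(BusFactory.getThreadDefaultBus(), sigProps);
        Map<String, Object> ctx = port.getRequestContext();
        ctx.putAll(sigProps);                              // the application binding may sign with the same key
        ctx.put(SecurityConstants.STS_CLIENT, stsClient);  // IssuedToken interceptor picks this client up
    }
}
```

To confirm the change took effect, enable CXF message logging on the STS call and check that the outgoing Security header carries a `<wsse:Reference URI="#...">` pointing at the BinarySecurityToken and that the RequestSecurityToken no longer contains a Renewing element.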