A.8.2. Scenario: SAML Bearer Assertion
WS-Trust manages the security tokens used by software. A SAML assertion is one type of security token. In the SAML Bearer scenario, the service provider automatically trusts that an incoming SOAP request came from the subject defined in the SAML token once the service has verified the token's signature.
Implementing this scenario requires the following:
- A SAML token with a Bearer subject confirmation method must be protected so that the token cannot be sniffed. In most cases a bearer token combined with HTTPS is sufficient to prevent a "man-in-the-middle" from obtaining the token. This means a security policy that uses sp:TransportBinding and sp:HttpsToken.
- A bearer token has no encryption or signing key associated with it, so an sp:IssuedToken of bearer keyType should be used with sp:SupportingToken or sp:SignedSupportingTokens.
A.8.2.1. Web Service Provider
This section examines the web service elements of the SAML Bearer scenario; these components are described in the subsections that follow.
A.8.2.1.1. Bearer Web Service Provider WSDL
The web service provider is a contract-first endpoint. All of its WS-Trust and security policies are declared in the BearerService.wsdl WSDL. In this scenario the ws-requester is required to present a SAML 2.0 Bearer token issued by the designated STS. The address of the STS is provided in the WSDL. HTTPS, a transport binding and an HttpsToken policy are used to protect the SOAP body of messages sent between the ws-requester and the ws-provider. Details of the security settings are provided as comments in the following listing.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<definitions targetNamespace="http://www.jboss.org/jbossws/ws-extensions/bearerwssecuritypolicy"
    name="BearerService"
    xmlns:tns="http://www.jboss.org/jbossws/ws-extensions/bearerwssecuritypolicy"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:wsp="http://www.w3.org/ns/ws-policy"
    xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsaws="http://www.w3.org/2005/08/addressing"
    xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
    xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
  <types>
    <xsd:schema>
      <xsd:import namespace="http://www.jboss.org/jbossws/ws-extensions/bearerwssecuritypolicy"
          schemaLocation="BearerService_schema1.xsd"/>
    </xsd:schema>
  </types>
  <message name="sayHello">
    <part name="parameters" element="tns:sayHello"/>
  </message>
  <message name="sayHelloResponse">
    <part name="parameters" element="tns:sayHelloResponse"/>
  </message>
  <portType name="BearerIface">
    <operation name="sayHello">
      <input message="tns:sayHello"/>
      <output message="tns:sayHelloResponse"/>
    </operation>
  </portType>
  <!-- The wsp:PolicyReference binds the security requirements on all the endpoints.
       The wsp:Policy wsu:Id="TransportSAML2BearerPolicy" element is defined later in this file. -->
  <binding name="BearerServicePortBinding" type="tns:BearerIface">
    <wsp:PolicyReference URI="#TransportSAML2BearerPolicy"/>
    <soap:binding transport="http://schemas.xmlsoap.org/soap/http" style="document"/>
    <operation name="sayHello">
      <soap:operation soapAction=""/>
      <input>
        <soap:body use="literal"/>
      </input>
      <output>
        <soap:body use="literal"/>
      </output>
    </operation>
  </binding>
  <!-- The soap:address has been defined to use JBoss's https port, 8443.
       This is set in conjunction with the sp:TransportBinding policy for https. -->
  <service name="BearerService">
    <port name="BearerServicePort" binding="tns:BearerServicePortBinding">
      <soap:address location="https://@jboss.bind.address@:8443/jaxws-samples-wsse-policy-trust-bearer/BearerService"/>
    </port>
  </service>
  <wsp:Policy wsu:Id="TransportSAML2BearerPolicy">
    <wsp:ExactlyOne>
      <wsp:All>
        <!-- The wsam:Addressing element indicates that the endpoints of this web service
             MUST conform to the WS-Addressing specification. The attribute
             wsp:Optional="false" enforces this assertion. -->
        <wsam:Addressing wsp:Optional="false">
          <wsp:Policy/>
        </wsam:Addressing>
        <!-- The sp:TransportBinding element indicates that security is provided by the
             message exchange transport medium, https. The WS-SecurityPolicy specification
             defines the sp:HttpsToken for use in exchanging messages transmitted over HTTPS. -->
        <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
          <wsp:Policy>
            <sp:TransportToken>
              <wsp:Policy>
                <sp:HttpsToken>
                  <wsp:Policy/>
                </sp:HttpsToken>
              </wsp:Policy>
            </sp:TransportToken>
            <!-- The sp:AlgorithmSuite element requires the TripleDes algorithm suite be used
                 in performing cryptographic operations. -->
            <sp:AlgorithmSuite>
              <wsp:Policy>
                <sp:TripleDes/>
              </wsp:Policy>
            </sp:AlgorithmSuite>
            <!-- The sp:Layout element indicates the layout rules to apply when adding items
                 to the security header. The sp:Lax sub-element indicates items are added to
                 the security header in any order that conforms to WSS: SOAP Message Security. -->
            <sp:Layout>
              <wsp:Policy>
                <sp:Lax/>
              </wsp:Policy>
            </sp:Layout>
            <sp:IncludeTimestamp/>
          </wsp:Policy>
        </sp:TransportBinding>
        <!-- The sp:SignedSupportingTokens element causes the supporting tokens to be signed
             using the primary token that is used to sign the message. -->
        <sp:SignedSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
          <wsp:Policy>
            <!-- The sp:IssuedToken element asserts that a SAML 2.0 security token of type
                 Bearer is expected from the STS. The
                 sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"
                 attribute instructs the runtime to include the initiator's public key with
                 every message sent to the recipient. The sp:RequestSecurityTokenTemplate
                 element directs that all of the children of this element will be copied
                 directly into the body of the RequestSecurityToken (RST) message that is
                 sent to the STS when the initiator asks the STS to issue a token. -->
            <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
              <sp:RequestSecurityTokenTemplate>
                <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType>
                <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</t:KeyType>
              </sp:RequestSecurityTokenTemplate>
              <wsp:Policy>
                <sp:RequireInternalReference/>
              </wsp:Policy>
              <!-- The sp:Issuer element defines the STS's address and endpoint information.
                   This information is used by the STSClient. -->
              <sp:Issuer>
                <wsaws:Address>http://@jboss.bind.address@:8080/jaxws-samples-wsse-policy-trust-sts-bearer/SecurityTokenService</wsaws:Address>
                <wsaws:Metadata xmlns:wsdli="http://www.w3.org/2006/01/wsdl-instance"
                    wsdli:wsdlLocation="http://@jboss.bind.address@:8080/jaxws-samples-wsse-policy-trust-sts-bearer/SecurityTokenService?wsdl">
                  <wsaw:ServiceName xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
                      xmlns:stsns="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
                      EndpointName="UT_Port">stsns:SecurityTokenService</wsaw:ServiceName>
                </wsaws:Metadata>
              </sp:Issuer>
            </sp:IssuedToken>
          </wsp:Policy>
        </sp:SignedSupportingTokens>
        <!-- The sp:Wss11 element declares WSS: SOAP Message Security 1.1 options to be
             supported by the STS. These particular elements generally refer to how keys are
             referenced within the SOAP envelope. These are normally handled by Apache CXF. -->
        <sp:Wss11>
          <wsp:Policy>
            <sp:MustSupportRefIssuerSerial/>
            <sp:MustSupportRefThumbprint/>
            <sp:MustSupportRefEncryptedKey/>
          </wsp:Policy>
        </sp:Wss11>
        <!-- The sp:Trust13 element declares controls for WS-Trust 1.3 options. They are
             policy assertions related to exchanges specifically with client and server
             challenges and entropy behaviors. Again these are normally handled by Apache CXF. -->
        <sp:Trust13>
          <wsp:Policy>
            <sp:MustSupportIssuedTokens/>
            <sp:RequireClientEntropy/>
            <sp:RequireServerEntropy/>
          </wsp:Policy>
        </sp:Trust13>
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>
</definitions>
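The policy above has to satisfy the two requirements stated at the start of this scenario: an sp:TransportBinding with sp:HttpsToken, and a Bearer sp:IssuedToken that is only a (signed) supporting token. The following Python script is an added example, not part of this page or of the JBossWS sample: it lints a wsp:Policy for those two conditions and exercises itself on a constructed, trimmed-down policy in the shape of BearerService.wsdl, once with and once without the HTTPS transport binding.

```python
import xml.etree.ElementTree as ET

# Namespace URIs as declared in the BearerService.wsdl listing above.
SP = "{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}"
T = "{http://docs.oasis-open.org/ws-sx/ws-trust/200512}"
BEARER = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer"
SUPPORTING = {SP + "SignedSupportingTokens", SP + "SupportingTokens"}

def check_bearer_policy(policy_xml):
    """Lint a wsp:Policy against the two bearer requirements; returns a list of problems."""
    root = ET.fromstring(policy_xml)
    problems = []
    # Requirement 1: the bearer token may only travel over HTTPS, otherwise it can be sniffed.
    if root.find(f".//{SP}TransportBinding//{SP}HttpsToken") is None:
        problems.append("missing sp:TransportBinding with sp:HttpsToken")
    # Requirement 2: a Bearer IssuedToken carries no key, so it must be a (signed) supporting
    # token and never the primary token of a symmetric/asymmetric binding.
    parent = {child: node for node in root.iter() for child in node}
    bearer = [tok for tok in root.iter(SP + "IssuedToken")
              if tok.findtext(f".//{T}KeyType") == BEARER]
    if not bearer:
        problems.append("no sp:IssuedToken requesting a Bearer KeyType")
    for tok in bearer:
        node = parent.get(tok)  # climb until a supporting-tokens or binding assertion
        while node is not None and node.tag not in SUPPORTING and not node.tag.endswith("Binding"):
            node = parent.get(node)
        if node is None or node.tag not in SUPPORTING:
            problems.append("Bearer sp:IssuedToken is not under a (Signed)SupportingTokens assertion")
    return problems

# Constructed, trimmed-down policy fragments in the shape of the WSDL above (not the
# page's full listing), used to exercise the check.
HEAD = ('<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy" '
        'xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702" '
        'xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512"><wsp:All>')
HTTPS = ('<sp:TransportBinding><wsp:Policy><sp:TransportToken><wsp:Policy><sp:HttpsToken/>'
         '</wsp:Policy></sp:TransportToken></wsp:Policy></sp:TransportBinding>')
BEARER_TOKEN = ('<sp:SignedSupportingTokens><wsp:Policy><sp:IssuedToken>'
                '<sp:RequestSecurityTokenTemplate><t:KeyType>' + BEARER + '</t:KeyType>'
                '</sp:RequestSecurityTokenTemplate></sp:IssuedToken></wsp:Policy>'
                '</sp:SignedSupportingTokens>')

def sample_policy(with_https):
    """Bearer policy as on the page when with_https is True; a plain-HTTP variant otherwise."""
    return HEAD + (HTTPS if with_https else "") + BEARER_TOKEN + "</wsp:All></wsp:Policy>"

if __name__ == "__main__":
    print(check_bearer_policy(sample_policy(True)))   # expected: []
    print(check_bearer_policy(sample_policy(False)))  # expected: the missing-HTTPS problem
```

To lint the real file, parse the wsp:Policy element out of BearerService.wsdl and pass its serialized XML to check_bearer_policy.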
A.8.2.1.2. SSL Configuration
This web service uses HTTPS, so the JBoss EAP server must be configured to provide SSL support in the undertow subsystem.
For details on how to configure HTTPS for web applications, see Configure One-way and Two-way SSL/TLS for Applications in How to Configure Server Security.
A.8.2.1.3. Bearer Web Service Provider Interface
The Bearer web service provider interface class, BearerIface, is a simple web service definition.
package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.bearer;

import javax.jws.WebMethod;
import javax.jws.WebService;

@WebService
(
   targetNamespace = "http://www.jboss.org/jbossws/ws-extensions/bearerwssecuritypolicy"
)
public interface BearerIface
{
   @WebMethod
   String sayHello();
}
A.8.2.1.4. Bearer Web Service Provider Implementation
The web service provider implementation class, BearerImpl, is a simple POJO. It uses the standard WebService annotation to define the service endpoint. In addition, two Apache CXF annotations, EndpointProperties and EndpointProperty, are used to configure the endpoint for the Apache CXF runtime. These annotations come from the Apache WSS4J project, which provides a Java implementation of the primary WS-Security standards for web services. They add properties to the endpoint programmatically. With plain Apache CXF, these properties are typically set using the <jaxws:properties> element in the Spring configuration; the annotations allow the same properties to be configured in code.
WSS4J uses the Crypto interface to obtain the keys and certificates used for signature creation and verification, as the WSDL requires for this service. The WSS4J configuration information provided by BearerImpl is for the Merlin implementation of Crypto.
Because the web service provider automatically trusts the incoming SOAP request from the subject defined in the SAML token, unlike in the previous examples, neither a Crypto CallbackHandler class nor a signature username is required for this request. However, a Java properties file containing the (Merlin) Crypto configuration information is still required in order to verify the message signature.
package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.bearer;

import org.apache.cxf.annotations.EndpointProperties;
import org.apache.cxf.annotations.EndpointProperty;

import javax.jws.WebService;

@WebService
(
   portName = "BearerServicePort",
   serviceName = "BearerService",
   wsdlLocation = "WEB-INF/wsdl/BearerService.wsdl",
   targetNamespace = "http://www.jboss.org/jbossws/ws-extensions/bearerwssecuritypolicy",
   endpointInterface = "org.jboss.test.ws.jaxws.samples.wsse.policy.trust.bearer.BearerIface"
)
// Only the Merlin signature properties are needed: no CallbackHandler or signature
// username, because the bearer subject is trusted once the token signature verifies.
@EndpointProperties(value = {
   @EndpointProperty(key = "ws-security.signature.properties", value = "serviceKeystore.properties")
})
public class BearerImpl implements BearerIface
{
   public String sayHello()
   {
      return "Bearer WS-Trust Hello World!";
   }
}
A.8.2.1.5. Crypto Properties and Keystore Files
WSS4J's Crypto implementation is loaded and configured through a Java properties file that contains the Crypto configuration data. The file contains implementation-specific properties such as the keystore location, password, default alias and the like. This application uses the Merlin implementation. The serviceKeystore.properties file contains this information.
The servicestore.jks file is a Java KeyStore (JKS) repository. It contains self-signed certificates for myservicekey and mystskey.
Self-signed certificates are not appropriate for use in a production environment.
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=sspass
org.apache.ws.security.crypto.merlin.keystore.alias=myservicekey
org.apache.ws.security.crypto.merlin.keystore.file=servicestore.jks
A.8.2.1.6. Default MANIFEST.MF
When deployed, this application requires access to the JBossWS and Apache CXF APIs provided by the org.jboss.ws.cxf.jbossws-cxf-client module. The Dependencies statement directs the server to provide them at deployment time.
Manifest-Version: 1.0
Dependencies: org.jboss.ws.cxf.jbossws-cxf-client