A.8. Advanced WS-Trust Scenarios
A.8.1. Scenario: SAML Holder-Of-Key Assertion Scheme
WS-Trust helps manage software security tokens. A SAML assertion is one type of security token. In the Holder-Of-Key method, the STS creates a SAML token that contains the client's public key and signs the SAML token with its own private key. The client includes the SAML token and signs the outgoing SOAP envelope to the web service with its private key. The web service verifies both the SOAP message and the SAML token.
Implementing this scenario requires the following:
- A SAML token with the Holder-Of-Key subject confirmation method must be protected so that the token cannot be intercepted. In most cases, combining a Holder-Of-Key token with HTTPS is sufficient to prevent the token from being captured. This means the security policy uses sp:TransportBinding and sp:HttpsToken.
- A Holder-Of-Key token has no encryption or signing key associated with it, so an sp:IssuedToken of SymmetricKey or PublicKey keyType should be used with sp:SignedEndorsingSupportingTokens.
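The two checks the web service performs on a Holder-Of-Key token, reduced to plain java.security calls, as an added illustration that is not JBossWS, CXF or WSS4J code. It follows the description above (the STS binds the client's public key into the token and signs it), so it models the PublicKey flavour; the WSDL later in this scenario requests the SymmetricKey flavour, where the bound key is a session key rather than an RSA key. The token layout "subject|base64(key)" is invented for this demo; a real STS issues a SAML 2.0 assertion whose SubjectConfirmation carries the holder's key.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

/** Holder-Of-Key trust relationship with java.security primitives (illustration only). */
public class HolderOfKeyDemo {

    static final String SIG_ALG = "SHA256withRSA";

    /** Stand-in for the SAML assertion; the layout is invented for this example. */
    static final class Token {
        final String subject;
        final byte[] holderKey;     // the client's public key, bound in by the STS
        final byte[] stsSignature;  // STS signature over subject + holderKey

        Token(String subject, byte[] holderKey, byte[] stsSignature) {
            this.subject = subject;
            this.holderKey = holderKey;
            this.stsSignature = stsSignature;
        }

        /** Bytes covered by the STS signature. */
        byte[] toBeSigned() {
            return (subject + "|" + Base64.getEncoder().encodeToString(holderKey))
                    .getBytes(StandardCharsets.UTF_8);
        }
    }

    static KeyPair newKeyPair() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        return kpg.generateKeyPair();
    }

    static byte[] sign(PrivateKey key, byte[] data) throws Exception {
        Signature s = Signature.getInstance(SIG_ALG);
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    static boolean verify(PublicKey key, byte[] data, byte[] sig) throws Exception {
        Signature s = Signature.getInstance(SIG_ALG);
        s.initVerify(key);
        s.update(data);
        return s.verify(sig);
    }

    /** STS side: embed the requester's public key in the token and sign the token. */
    static Token issue(KeyPair stsKeys, String subject, PublicKey holder) throws Exception {
        Token unsigned = new Token(subject, holder.getEncoded(), new byte[0]);
        return new Token(subject, holder.getEncoded(), sign(stsKeys.getPrivate(), unsigned.toBeSigned()));
    }

    /**
     * Service side. Both checks are required: the first proves the trusted STS vouched
     * for the key, the second proves the sender actually controls that key.
     */
    static boolean accept(PublicKey trustedSts, Token token, byte[] envelope, byte[] envelopeSig)
            throws Exception {
        if (!verify(trustedSts, token.toBeSigned(), token.stsSignature)) {
            return false; // not issued by the STS we trust
        }
        PublicKey holder = KeyFactory.getInstance("RSA")
                .generatePublic(new X509EncodedKeySpec(token.holderKey));
        return verify(holder, envelope, envelopeSig); // proof of possession of the bound key
    }

    public static void main(String[] args) throws Exception {
        KeyPair sts = newKeyPair();
        KeyPair client = newKeyPair();
        KeyPair other = newKeyPair(); // a party that does not hold the client's private key

        Token token = issue(sts, "alice", client.getPublic());
        byte[] envelope = "<soap:Envelope>sayHello</soap:Envelope>".getBytes(StandardCharsets.UTF_8);

        // Genuine holder: STS-issued token plus an envelope signed with the bound key -> true
        System.out.println("holder accepted:  "
                + accept(sts.getPublic(), token, envelope, sign(client.getPrivate(), envelope)));
        // A copied token presented without the bound private key -> false. This is why
        // Holder-Of-Key tolerates token exposure better than a Bearer token would.
        System.out.println("copied token:     "
                + accept(sts.getPublic(), token, envelope, sign(other.getPrivate(), envelope)));
        // A token signed by a key other than the trusted STS key -> false
        Token untrusted = issue(other, "alice", other.getPublic());
        System.out.println("untrusted issuer: "
                + accept(sts.getPublic(), untrusted, envelope, sign(other.getPrivate(), envelope)));
    }
}
```

The order of the checks matters for the reasoning, not for security: the key inside the token is only meaningful once the STS signature over the token has been verified, which is why HTTPS in this scenario protects confidentiality of the token but the possession proof is what stops a copied token from being accepted.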
A.8.1.1. Web Service Provider
This section lists the web service elements for the SAML Holder-Of-Key scenario. These components include:
A.8.1.1.1. Web Service Provider WSDL
The web service provider is a contract-first endpoint. All WS-Trust and security policies are declared in the HolderOfKeyService.wsdl WSDL. In this scenario, a ws-requester is required to provide a SAML 2.0 token of SymmetricKey keyType, issued by the designated STS. The STS address is provided in the WSDL. A transport binding policy is used. The token is declared as signed and endorsing, SignedEndorsingSupportingTokens.
A detailed explanation of the security settings is provided in the comments in the following listing:
```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<definitions targetNamespace="http://www.jboss.org/jbossws/ws-extensions/holderofkeywssecuritypolicy"
    name="HolderOfKeyService"
    xmlns:tns="http://www.jboss.org/jbossws/ws-extensions/holderofkeywssecuritypolicy"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:wsp="http://www.w3.org/ns/ws-policy"
    xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsaws="http://www.w3.org/2005/08/addressing"
    xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
    xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
  <types>
    <xsd:schema>
      <xsd:import namespace="http://www.jboss.org/jbossws/ws-extensions/holderofkeywssecuritypolicy"
                  schemaLocation="HolderOfKeyService_schema1.xsd"/>
    </xsd:schema>
  </types>
  <message name="sayHello">
    <part name="parameters" element="tns:sayHello"/>
  </message>
  <message name="sayHelloResponse">
    <part name="parameters" element="tns:sayHelloResponse"/>
  </message>
  <portType name="HolderOfKeyIface">
    <operation name="sayHello">
      <input message="tns:sayHello"/>
      <output message="tns:sayHelloResponse"/>
    </operation>
  </portType>
  <!--
    The wsp:PolicyReference binds the security requirements on all the endpoints.
    The wsp:Policy wsu:Id="#TransportSAML2HolderOfKeyPolicy" element is defined later in this file.
  -->
  <binding name="HolderOfKeyServicePortBinding" type="tns:HolderOfKeyIface">
    <wsp:PolicyReference URI="#TransportSAML2HolderOfKeyPolicy" />
    <soap:binding transport="http://schemas.xmlsoap.org/soap/http" style="document"/>
    <operation name="sayHello">
      <soap:operation soapAction=""/>
      <input>
        <soap:body use="literal"/>
      </input>
      <output>
        <soap:body use="literal"/>
      </output>
    </operation>
  </binding>
  <!--
    The soap:address has been defined to use JBoss's https port, 8443.
    This is set in conjunction with the sp:TransportBinding policy for https.
  -->
  <service name="HolderOfKeyService">
    <port name="HolderOfKeyServicePort" binding="tns:HolderOfKeyServicePortBinding">
      <soap:address location="https://@jboss.bind.address@:8443/jaxws-samples-wsse-policy-trust-holderofkey/HolderOfKeyService"/>
    </port>
  </service>
  <wsp:Policy wsu:Id="TransportSAML2HolderOfKeyPolicy">
    <wsp:ExactlyOne>
      <wsp:All>
        <!--
          The wsam:Addressing element indicates that the endpoints of this web service
          MUST conform to the WS-Addressing specification. The attribute
          wsp:Optional="false" enforces this assertion.
        -->
        <wsam:Addressing wsp:Optional="false">
          <wsp:Policy />
        </wsam:Addressing>
        <!--
          The sp:TransportBinding element indicates that security is provided by the
          message exchange transport medium, https. The WS-Security policy
          specification defines the sp:HttpsToken for use in exchanging messages
          transmitted over HTTPS.
        -->
        <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
          <wsp:Policy>
            <sp:TransportToken>
              <wsp:Policy>
                <sp:HttpsToken>
                  <wsp:Policy/>
                </sp:HttpsToken>
              </wsp:Policy>
            </sp:TransportToken>
            <!--
              The sp:AlgorithmSuite element requires the TripleDes algorithm suite
              be used in performing cryptographic operations.
            -->
            <sp:AlgorithmSuite>
              <wsp:Policy>
                <sp:TripleDes />
              </wsp:Policy>
            </sp:AlgorithmSuite>
            <!--
              The sp:Layout element indicates the layout rules to apply when adding
              items to the security header. The sp:Lax sub-element indicates items
              are added to the security header in any order that conforms to
              WSS: SOAP Message Security.
            -->
            <sp:Layout>
              <wsp:Policy>
                <sp:Lax />
              </wsp:Policy>
            </sp:Layout>
            <sp:IncludeTimestamp />
          </wsp:Policy>
        </sp:TransportBinding>
        <!--
          The sp:SignedEndorsingSupportingTokens: when transport level security is
          used there will be no message signature, and the signature generated by
          the supporting token will sign the Timestamp.
        -->
        <sp:SignedEndorsingSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
          <wsp:Policy>
            <!--
              The sp:IssuedToken element asserts that a SAML 2.0 security token is
              expected from the STS; the SymmetricKey KeyType requested below makes it
              a Holder-Of-Key token rather than a Bearer token. The
              sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"
              attribute instructs the runtime to include the initiator's public key
              with every message sent to the recipient. The
              sp:RequestSecurityTokenTemplate element directs that all of the children
              of this element will be copied directly into the body of the
              RequestSecurityToken (RST) message that is sent to the STS when the
              initiator asks the STS to issue a token.
            -->
            <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
              <sp:RequestSecurityTokenTemplate>
                <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType>
                <!--
                  KeyType of "SymmetricKey": the client must prove to the WS service
                  that it possesses a particular symmetric session key.
                -->
                <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</t:KeyType>
              </sp:RequestSecurityTokenTemplate>
              <wsp:Policy>
                <sp:RequireInternalReference />
              </wsp:Policy>
              <!--
                The sp:Issuer element defines the STS's address and endpoint information.
                This information is used by the STSClient.
              -->
              <sp:Issuer>
                <wsaws:Address>http://@jboss.bind.address@:8080/jaxws-samples-wsse-policy-trust-sts-holderofkey/SecurityTokenService</wsaws:Address>
                <wsaws:Metadata xmlns:wsdli="http://www.w3.org/2006/01/wsdl-instance"
                                wsdli:wsdlLocation="http://@jboss.bind.address@:8080/jaxws-samples-wsse-policy-trust-sts-holderofkey/SecurityTokenService?wsdl">
                  <wsaw:ServiceName xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
                                    xmlns:stsns="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
                                    EndpointName="UT_Port">stsns:SecurityTokenService</wsaw:ServiceName>
                </wsaws:Metadata>
              </sp:Issuer>
            </sp:IssuedToken>
          </wsp:Policy>
        </sp:SignedEndorsingSupportingTokens>
        <!--
          The sp:Wss11 element declares WSS: SOAP Message Security 1.1 options to be
          supported by the STS. These particular elements generally refer to how keys
          are referenced within the SOAP envelope. These are normally handled by
          Apache CXF.
        -->
        <sp:Wss11>
          <wsp:Policy>
            <sp:MustSupportRefIssuerSerial />
            <sp:MustSupportRefThumbprint />
            <sp:MustSupportRefEncryptedKey />
          </wsp:Policy>
        </sp:Wss11>
        <!--
          The sp:Trust13 element declares controls for WS-Trust 1.3 options. They are
          policy assertions related to exchanges specifically with client and server
          challenges and entropy behaviors. Again these are normally handled by
          Apache CXF.
        -->
        <sp:Trust13>
          <wsp:Policy>
            <sp:MustSupportIssuedTokens />
            <sp:RequireClientEntropy />
            <sp:RequireServerEntropy />
          </wsp:Policy>
        </sp:Trust13>
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>
</definitions>
```
A.8.1.1.2. SSL Configuration
This web service uses HTTPS, so the JBoss EAP server must be configured to provide SSL/TLS support in the undertow subsystem.
For details on how to configure HTTPS for web applications, see Configure One-way and Two-way SSL/TLS for Applications in How to Configure Server Security.
A.8.1.1.3. Web Service Provider Interface
The web service provider interface, the HolderOfKeyIface class, is a simple web service definition.
```java
package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.holderofkey;

import javax.jws.WebMethod;
import javax.jws.WebService;

@WebService
(
   targetNamespace = "http://www.jboss.org/jbossws/ws-extensions/holderofkeywssecuritypolicy"
)
public interface HolderOfKeyIface
{
   @WebMethod
   String sayHello();
}
```
A.8.1.1.4. Web Service Provider Implementation
The web service provider implementation, the HolderOfKeyImpl class, is a simple POJO. It uses the standard WebService annotation to define the service endpoint. In addition, two Apache CXF annotations, EndpointProperties and EndpointProperty, are used to configure the endpoint for the Apache CXF runtime. These annotations come from the Apache WSS4J project, which provides a Java implementation of the primary WS-Security standards for web services. They add properties to the endpoint programmatically. With plain Apache CXF, these properties are usually set using the <jaxws:properties> element in the Spring configuration; the annotations allow the properties to be configured in code instead.
WSS4J uses the Crypto interface to obtain the keys and certificates used for signature creation and verification, as the WSDL requires for this service. The WSS4J configuration information provided by HolderOfKeyImpl is for the Merlin implementation of Crypto.
The first EndpointProperty statement in the listing disables compliance with Basic Security Profile 1.1. The next EndpointProperty statement declares the Java properties file that contains the (Merlin) Crypto configuration information. The final EndpointProperty statement declares the STSHolderOfKeyCallbackHandler implementation class. It is used to obtain the password for the certificate in the keystore file.
```java
package org.jboss.test.ws.jaxws.samples.wsse.policy.trust.holderofkey;

import org.apache.cxf.annotations.EndpointProperties;
import org.apache.cxf.annotations.EndpointProperty;

import javax.jws.WebService;

@WebService
(
   portName = "HolderOfKeyServicePort",
   serviceName = "HolderOfKeyService",
   wsdlLocation = "WEB-INF/wsdl/HolderOfKeyService.wsdl",
   targetNamespace = "http://www.jboss.org/jbossws/ws-extensions/holderofkeywssecuritypolicy",
   endpointInterface = "org.jboss.test.ws.jaxws.samples.wsse.policy.trust.holderofkey.HolderOfKeyIface"
)
@EndpointProperties(value = {
   @EndpointProperty(key = "ws-security.is-bsp-compliant", value = "false"),
   @EndpointProperty(key = "ws-security.signature.properties", value = "serviceKeystore.properties"),
   @EndpointProperty(key = "ws-security.callback-handler", value = "org.jboss.test.ws.jaxws.samples.wsse.policy.trust.holderofkey.HolderOfKeyCallbackHandler")
})
public class HolderOfKeyImpl implements HolderOfKeyIface
{
   public String sayHello()
   {
      return "Holder-Of-Key WS-Trust Hello World!";
   }
}
```
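An added example of the callback handler role described above, which supplies WSS4J with the password for the private key under the signing alias. It is not the sample project's own HolderOfKeyCallbackHandler; it assumes the WSS4J 2.x package org.apache.wss4j.common.ext (the one JBossWS-CXF ships) and reads the key password from an environment variable whose name, MYSERVICEKEY_PASSWORD, is a placeholder chosen for this example. The class name and package are likewise illustrative; whatever class is used must be the one named in the ws-security.callback-handler property.

```java
package org.example.wsse; // illustrative package, not the sample's

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.wss4j.common.ext.WSPasswordCallback; // WSS4J 2.x (assumed)

/**
 * Supplies the private-key password for the alias WSS4J asks about.
 * Referenced from the endpoint via ws-security.callback-handler.
 */
public class ExampleKeyPasswordCallbackHandler implements CallbackHandler {

    /** alias -> private-key password. Kept in memory only; never written to logs. */
    private final Map<String, String> passwords = new HashMap<>();

    public ExampleKeyPasswordCallbackHandler() {
        // The key password is taken from the environment so it is not compiled into
        // the class. MYSERVICEKEY_PASSWORD is a placeholder name for this example.
        String keyPassword = System.getenv("MYSERVICEKEY_PASSWORD");
        if (keyPassword != null) {
            passwords.put("myservicekey", keyPassword); // alias from serviceKeystore.properties
        }
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "only WSPasswordCallback is supported");
            }
            WSPasswordCallback pc = (WSPasswordCallback) cb;

            // WSS4J requests the private-key password when it signs (SIGNATURE) or
            // decrypts (DECRYPT). Any other usage is refused rather than answered,
            // so the handler cannot be turned into a general password oracle.
            int usage = pc.getUsage();
            if (usage != WSPasswordCallback.SIGNATURE && usage != WSPasswordCallback.DECRYPT) {
                throw new UnsupportedCallbackException(cb, "unexpected password usage " + usage);
            }

            String password = passwords.get(pc.getIdentifier());
            if (password == null) {
                // Unknown alias or missing environment variable: fail closed. Leaving the
                // callback unanswered would make WSS4J try an empty password and fail
                // later with a less useful error.
                throw new IOException("no key password configured for alias '" + pc.getIdentifier() + "'");
            }
            pc.setPassword(password);
        }
    }
}
```

The handler deliberately distinguishes the alias it is asked about from the keystore password in serviceKeystore.properties: the properties file unlocks the keystore, the callback unlocks the key entry, and the two can (and usually should) differ.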
A.8.1.1.5. Crypto Properties and Keystore Files
WSS4J's Crypto implementation is loaded and configured through a Java properties file that contains the Crypto configuration data. The file holds implementation-specific properties such as the keystore location, password, default alias and so on. This application uses the Merlin implementation. The serviceKeystore.properties file contains this information.
The servicestore.jks file is a Java KeyStore (JKS) repository. It contains the self-signed certificates for myservicekey and mystskey.
```properties
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=sspass
org.apache.ws.security.crypto.merlin.keystore.alias=myservicekey
org.apache.ws.security.crypto.merlin.keystore.file=servicestore.jks
```
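A pre-deployment check, added here and not part of WSS4J or the sample, that reads the same Merlin properties file the endpoint uses and confirms the keystore it names can be opened with the configured password, that the default alias exists and holds a private key, and that its certificate is not expired. These are the conditions under which signing at this endpoint can work at all. It assumes the keystore path is resolved relative to the properties file's directory; at runtime Merlin loads it from the classpath, so adjust the path if your layout differs.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.Properties;

/** Sanity-checks a Merlin properties file and the keystore it points at. */
public class MerlinKeystoreCheck {

    static final String PREFIX = "org.apache.ws.security.crypto.merlin.";

    public static void main(String[] args) throws Exception {
        // Usage: java MerlinKeystoreCheck [path/to/serviceKeystore.properties]
        Path propsFile = Paths.get(args.length > 0 ? args[0] : "serviceKeystore.properties");
        Properties p = new Properties();
        try (InputStream in = Files.newInputStream(propsFile)) {
            p.load(in);
        }

        String type = p.getProperty(PREFIX + "keystore.type", "jks");
        String password = p.getProperty(PREFIX + "keystore.password");
        String alias = p.getProperty(PREFIX + "keystore.alias");
        String file = p.getProperty(PREFIX + "keystore.file");
        if (password == null || alias == null || file == null) {
            fail("keystore.password, keystore.alias and keystore.file must all be set");
        }

        // Assumption for this check: the keystore sits next to the properties file.
        Path ksPath = propsFile.toAbsolutePath().getParent().resolve(file);
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(ksPath)) {
            ks.load(in, password.toCharArray()); // wrong keystore password -> IOException
        }

        if (!ks.containsAlias(alias)) {
            fail("alias '" + alias + "' not found in " + ksPath);
        }
        if (!ks.isKeyEntry(alias)) {
            fail("alias '" + alias + "' has no private key; the endpoint could not sign");
        }
        Certificate cert = ks.getCertificate(alias);
        if (!(cert instanceof X509Certificate)) {
            fail("alias '" + alias + "' does not hold an X.509 certificate");
        }
        X509Certificate x509 = (X509Certificate) cert;
        x509.checkValidity(); // throws CertificateExpiredException / CertificateNotYetValidException

        boolean selfSigned = x509.getSubjectX500Principal().equals(x509.getIssuerX500Principal());
        System.out.println("OK: " + alias + " subject=" + x509.getSubjectX500Principal()
                + " notAfter=" + x509.getNotAfter() + (selfSigned ? " (self-signed)" : ""));

        // The remaining entries are what this service will trust as signers, e.g. the STS key.
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String a = e.nextElement();
            if (!a.equals(alias)) {
                System.out.println("trusted entry: " + a + (ks.isKeyEntry(a) ? " (has private key)" : ""));
            }
        }
    }

    static void fail(String message) {
        System.err.println("FAIL: " + message);
        System.exit(1);
    }
}
```

Running it against the listing above would report myservicekey as the signing entry and mystskey as a trusted entry; the self-signed flag is a reminder that trust here rests entirely on the keystore contents, since no CA chain is involved.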
A.8.1.1.6. Default MANIFEST.MF
This application requires access to the JBossWS and Apache CXF APIs provided in the org.jboss.ws.cxf.jbossws-cxf-client module. The Dependencies statement instructs the server to provide them at deployment time.
```
Manifest-Version: 1.0
Dependencies: org.jboss.ws.cxf.jbossws-cxf-client
```