Actually, I have tried everything under the sun to get a token-based WS-Trust web service working, but with no success. I can get a token from the STS, but for the life of me I cannot figure out how to use that token to make the WS server secure and accessible from the outside.
So what I want to know is whether anyone has this working on JBoss 7; I'm not interested in "jboss should give you some info". Been there, didn't work. Can you get it working?
Posted on 2012-12-27 21:06:02
I looked at picketlink for securing web services with SAML, but it seems to expose the SAML authentication through the JAAS security context. So I just wrote a custom handler using the picketlink API to secure the WS. The handler does essentially the same thing as the SAMLTokenCertValidatingCommonLoginModule available in the picketlink jars (i.e. the SAML assertion expiry and digital signature validation checks), but passes the SAML attributes into the WS message context instead of exposing them as a JAAS security context.
Find the code snippet below.
For the implementation of the getX509Certificate and validateCertPath methods used in the custom handler, see the validateCertPath class in the picketlink-jbas-common source.
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Set;
import javax.security.auth.login.LoginException;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPMessage;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

// PicketLink imports are omitted: the packages of AssertionType, AssertionUtil,
// SAMLUtil, SamlCredential, JBossSAMLURIConstants, Util, ProcessingException,
// ConfigurationException and the PicketLinkLogger depend on the picketlink
// version in use (org.picketlink.identity.federation.* for the JBoss 7 era).

public abstract class CustomSAML2Handler implements SOAPHandler<SOAPMessageContext> {

    // assumed to be the PicketLink logger, which provides the *Error() factory methods used below
    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();

    // Left abstract here: implement them following SAMLTokenCertValidatingCommonLoginModule,
    // which extracts the signing certificate from the assertion and validates its cert path.
    protected abstract X509Certificate getX509Certificate(SamlCredential credential);
    protected abstract void validateCertPath(X509Certificate cert) throws LoginException;

    @Override
    public boolean handleMessage(SOAPMessageContext ctx) {
        boolean outbound = Boolean.TRUE.equals(ctx.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY));
        // only incoming requests carry an assertion that needs validating
        return outbound || handleInbound(ctx);
    }

    @Override
    public boolean handleFault(SOAPMessageContext ctx) { return true; }

    @Override
    public void close(MessageContext ctx) { }

    @Override
    public Set<QName> getHeaders() { return Collections.emptySet(); }

    protected boolean handleInbound(MessageContext msgContext) {
        logger.info("Handling Inbound Message");
        String assertionNS = JBossSAMLURIConstants.ASSERTION_NSURI.get();
        SOAPMessageContext ctx = (SOAPMessageContext) msgContext;
        SOAPMessage soapMessage = ctx.getMessage();
        if (soapMessage == null)
            throw logger.nullValueError("SOAP Message");
        // retrieve the assertion from the SOAP header
        Document document = soapMessage.getSOAPPart();
        Element soapHeader = Util.findOrCreateSoapHeader(document.getDocumentElement());
        Element assertion = Util.findElement(soapHeader, new QName(assertionNS, "Assertion"));
        if (assertion != null) {
            AssertionType assertionType = null;
            try {
                assertionType = SAMLUtil.fromElement(assertion);
                if (AssertionUtil.hasExpired(assertionType))
                    throw new RuntimeException(logger.samlAssertionExpiredError());
            } catch (Exception e) {
                logger.samlAssertionPasingFailed(e);
                // fail closed: an assertion that cannot be parsed must not reach validation
                throw new RuntimeException(e);
            }
            SamlCredential credential = new SamlCredential(assertion);
            if (logger.isTraceEnabled()) {
                logger.trace("Assertion included in SOAP payload: " + credential.getAssertionAsString());
            }
            try {
                validateSAMLCredential(credential, assertionType);
                // APPLICATION scope makes "roles" visible to the endpoint through WebServiceContext
                ctx.put("roles", AssertionUtil.getRoles(assertionType, null));
                ctx.setScope("roles", MessageContext.Scope.APPLICATION);
            } catch (Exception e) {
                logger.error("Error: " + e);
                throw new RuntimeException(e);
            }
        } else {
            // a request without an assertion is passed through; the endpoint must treat a missing "roles" property as unauthenticated
            logger.trace("We did not find any assertion");
        }
        return true;
    }

    private void validateSAMLCredential(SamlCredential credential, AssertionType assertion)
            throws LoginException, ConfigurationException, CertificateExpiredException, CertificateNotYetValidException {
        // initialize xmlsec
        org.apache.xml.security.Init.init();
        X509Certificate cert = getX509Certificate(credential);
        // public certificate validation (trust chain)
        validateCertPath(cert);
        // check time validity of the certificate
        cert.checkValidity();
        boolean sigValid = false;
        try {
            sigValid = AssertionUtil.isSignatureValid(credential.getAssertionAsElement(), cert.getPublicKey());
        } catch (ProcessingException e) {
            logger.processingError(e);
        }
        if (!sigValid) {
            throw logger.authSAMLInvalidSignatureError();
        }
        if (AssertionUtil.hasExpired(assertion)) {
            throw logger.authSAMLAssertionExpiredError();
        }
    }
}
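The handler above only validates the assertion and stores the roles in the message context; it still returns true when no assertion is present, so the endpoint itself has to enforce authorization. The following is an added example of that endpoint side, not part of the answer or of picketlink: a hypothetical OrderService that wires the handler in through a handler-chain file (the file name handlers.xml and the role name "orders" are assumptions) and reads the "roles" property the handler stored with APPLICATION scope.

```java
import java.util.List;
import javax.annotation.Resource;
import javax.jws.HandlerChain;
import javax.jws.WebMethod;
import javax.jws.WebService;
import javax.xml.ws.WebServiceContext;
import javax.xml.ws.WebServiceException;
import javax.xml.ws.handler.MessageContext;

/*
 * handlers.xml (assumed name), placed next to this class, registers the handler:
 *
 * <handler-chains xmlns="http://java.sun.com/xml/ns/javaee">
 *   <handler-chain>
 *     <handler>
 *       <handler-class>com.example.ws.MySAML2Handler</handler-class>  <!-- hypothetical subclass of CustomSAML2Handler -->
 *     </handler>
 *   </handler-chain>
 * </handler-chains>
 */
@WebService
@HandlerChain(file = "handlers.xml")
public class OrderService {

    // Injected by the JAX-WS runtime; gives access to the per-request MessageContext
    @Resource
    private WebServiceContext wsContext;

    @WebMethod
    public String placeOrder(String item) {
        requireRole("orders"); // assumed role name carried in the SAML attribute statement
        return "accepted: " + item;
    }

    // Reads the List<String> the handler stored under "roles". Because the handler set
    // MessageContext.Scope.APPLICATION, the property is visible here; HANDLER scope would hide it.
    @SuppressWarnings("unchecked")
    private void requireRole(String required) {
        MessageContext mc = wsContext.getMessageContext();
        List<String> roles = (List<String>) mc.get("roles");
        // Fail closed: a request that reached the endpoint without an assertion has no "roles"
        // property at all, and an assertion without the needed role is equally rejected.
        if (roles == null || !roles.contains(required)) {
            throw new WebServiceException("access denied: role '" + required + "' required");
        }
    }
}
```

The null check is the important part: since the handler lets assertion-less requests through, an endpoint that only tested `roles.contains(required)` would fail with a NullPointerException instead of a clean authorization fault, and an endpoint that skipped the check entirely would be open to unauthenticated callers.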
https://stackoverflow.com/questions/12013008