Java: my custom STS cannot resolve the UseKey token in the RST generated by the Metro framework
I have my own STS built on the Geneva framework. It has an endpoint with a MutualCertificateBinding, set up as follows:
- uses an AsymmetricSecurityBindingElement
- protection level is Sign
- over HTTPS
I copied the relevant part of its WSDL below for reference:
<sp:AsymmetricBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
<wsp:Policy>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
...
</sp:AsymmetricBinding>
Our client uses another Java servlet to call a Java service that is protected by my STS. Metro handles the STS call automatically; below is how the Java service is configured (using the endorsing token issued by the STS):
- Token type: 2.0
- Key type: public
- Key size: 256
STSIssuedTokenConfiguration config = new MySTSIssuesTokenConfiguration();
STSIssuedTokenFeature feature = new STSIssuedTokenFeature(config);
//Initialize UserContext service with STS configuration above
Service_Service service = new Service_Service();
Service stub = service.getServicePort(new WebServiceFeature[]{feature});
stub.ping();
The STS throws an exception when it tries to parse the UseKey element. It looks like the following:
Handling an exception. Exception details: System.IdentityModel.Protocols.WSTrust.InvalidRequestException: ID3092: The specified UseKey 'SecurityKeyIdentifier
(
IsReadOnly = False,
Count = 1,
Clause[0] = RsaKeyIdentifierClause(Modulus = sH/OHZwDUBExFgbLTslliY4xH3jP63vQ1F3yKxwjcK3jfYeiM3IC6ag6RARLMdX3emhjMu2djCt+/eTB9nq2yMs51kesev23yfywjIkcpZI5c1yb3wL7I+Fh+aa+bDqo0VNjoCeHlevjTVxc82l+q5iPkTZJ7rfe+jZUfZNl+D8=, Exponent = AQAB)
)
' cannot be resolved to a token that would prove the client's possession of the private key.
at System.IdentityModel.Protocols.WSTrust.WSTrustSerializationHelper.ReadRSTXml(XmlReader reader, RequestSecurityToken rst, WSTrustSerializationContext context, WSTrustConstantsAdapter trustConstants)
at System.IdentityModel.Protocols.WSTrust.WSTrust13RequestSerializer.ReadXmlElement(XmlReader reader, RequestSecurityToken rst, WSTrustSerializationContext context)
at System....
I tried comparing the two messages sent by the two Java servlets: one generated programmatically by my servlet, the other generated by Metro from my client's servlet. The only difference I can see is in the UseKey element.
Mine, which works fine:
<UseKey>
<BinarySecurityToken:BinarySecurityToken
xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:BinarySecurityToken="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:d5p1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">MIIDCTCCAfGgAw.....25C057w==
</BinarySecurityToken:BinarySecurityToken>
</UseKey>
My client's, which does not work (generated by the Metro framework):
<trust:UseKey>
<ns10:KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyValue>
<RSAKeyValue>
<Modulus>sH/OHZwDUBExFgbLTsll…rfe+jZUfZNl+D8=</Modulus>
<Exponent>AQAB</Exponent>
</RSAKeyValue>
</KeyValue>
</ns10:KeyInfo>
</trust:UseKey>
As far as I can see, it fails because the STS cannot resolve the UseKey element: it is an RSA key value, while the STS's UseKeyResolver only contains an X509SecurityTokenResolver initialised from the request's Initiator Token.
So my question is
Hi, you have tried UseKey with both the BinarySecurityToken approach and the KeyInfo approach. The exception "The specified UseKey cannot be resolved to a token that would prove the client's possession of the private key" should only appear with the KeyInfo approach, not with the BinarySecurityToken approach. However, I get the same exception with both approaches. Could you tell me what needs to be set in the BinarySecurityToken element? Is it the certificate text or something else? Also, did you sign the request sent to the STS in some way? How did you get the BinarySecurityToken approach working?
<UseKey>
<BinarySecurityToken:BinarySecurityToken
xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:BinarySecurityToken="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:d5p1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">MIIDCTCCAfGgAw.....25C057w==
</BinarySecurityToken:BinarySecurityToken>
</UseKey>
<trust:UseKey>
<ns10:KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyValue>
<RSAKeyValue>
<Modulus>sH/OHZwDUBExFgbLTsll...rfe+jZUfZNl+D8=</Modulus>
<Exponent>AQAB</Exponent>
</RSAKeyValue>
</KeyValue>
</ns10:KeyInfo>
</trust:UseKey>
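As an added illustration (not code from the question, the comment, WIF or Metro), the check below shows what resolving UseKey against the initiator token means for both shapes quoted above: the BinarySecurityToken form is accepted when it carries the initiator certificate itself, and the Metro KeyInfo/RSAKeyValue form when its modulus and exponent equal the public key of the certificate that signed the request. It is standalone Python rather than a WIF SecurityTokenResolver, and the InitiatorToken class, certificate bytes and modulus are constructed assumptions.

```python
import base64
import xml.etree.ElementTree as ET
from dataclasses import dataclass

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
DSIG = "http://www.w3.org/2000/09/xmldsig#"

@dataclass(frozen=True)
class InitiatorToken:
    """Hypothetical view of the X509 initiator token after its signature was verified."""
    der: bytes       # certificate bytes
    modulus: int     # RSA public key carried by that certificate
    exponent: int

def _b64_to_int(text: str) -> int:
    # XML-DSig encodes Modulus/Exponent as base64 big-endian unsigned integers
    return int.from_bytes(base64.b64decode(text.strip()), "big")

def resolve_use_key(use_key_xml: str, initiator: InitiatorToken) -> bool:
    """True only if UseKey names the key whose possession the initiator token proves."""
    root = ET.fromstring(use_key_xml)
    bst = root.find(f".//{{{WSSE}}}BinarySecurityToken")
    if bst is not None:
        # BinarySecurityToken form: the embedded certificate must be the initiator token itself
        return base64.b64decode(bst.text.strip()) == initiator.der
    rsa = root.find(f".//{{{DSIG}}}RSAKeyValue")
    if rsa is not None:
        # KeyInfo/RSAKeyValue form (what Metro sends): compare the bare key to the signing cert's key
        modulus = _b64_to_int(rsa.find(f"{{{DSIG}}}Modulus").text)
        exponent = _b64_to_int(rsa.find(f"{{{DSIG}}}Exponent").text)
        return (modulus, exponent) == (initiator.modulus, initiator.exponent)
    return False  # any other UseKey shape is rejected rather than silently trusted

# Constructed sample data (not a real certificate or key); "AQAB" is base64 for 65537
SAMPLE_DER = b"constructed-certificate-bytes"
SAMPLE_MODULUS = 0xB07FCE1D9C035011311606CB4ECB65898E311F78CFEB7BD0D45DF22B1C2370AD
SAMPLE_TOKEN = InitiatorToken(SAMPLE_DER, SAMPLE_MODULUS, 65537)

def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()

BST_USE_KEY = f'<UseKey><BinarySecurityToken xmlns="{WSSE}">{_b64(SAMPLE_DER)}</BinarySecurityToken></UseKey>'
KEYINFO_USE_KEY = (
    f'<UseKey><KeyInfo xmlns="{DSIG}"><KeyValue><RSAKeyValue>'
    f"<Modulus>{_b64(SAMPLE_MODULUS.to_bytes(32, 'big'))}</Modulus><Exponent>AQAB</Exponent>"
    "</RSAKeyValue></KeyValue></KeyInfo></UseKey>"
)
```

A real STS would obtain the InitiatorToken from the verified message signature, never from the RST body, since the point of the check is that the requester already proved possession of that key.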