Adding attributes to and re-signing an existing SAML token by using the API
The SAML library API can be used to add attributes to, or delete attributes from, an unencrypted SAML token and then sign or re-sign the token. Whenever an operation modifies a SAMLToken object, any digital signature that already exists on that object is removed.
About this task
The following procedure describes how to modify an existing SAMLToken object and then apply a new digital signature to the token. This task does not show how to obtain the existing SAMLToken object. An existing SAMLToken object can come from inbound SOAP (through the LoginModule shared state), SAML Web SSO (through the security subject), the STS (by using the trust client), or a self-issued token (created by using the SAML API).
When the SAML API initializes configuration objects, it reads the configuration from SamlIssuerConfig.properties. You can either use the settings in SamlIssuerConfig.properties or override them. The following procedure shows how to override all of the settings in this file.
Procedure
- Clone the existing SAML token
    import java.util.ArrayList;
    import org.apache.axiom.om.OMElement;
    import com.ibm.websphere.wssecurity.wssapi.token.SAMLToken;
    import com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory;
    import com.ibm.wsspi.wssecurity.saml.config.ProviderConfig;
    import com.ibm.wsspi.wssecurity.saml.config.RequesterConfig;
    import com.ibm.wsspi.wssecurity.saml.data.SAMLAttribute;
    import com.ibm.wsspi.wssecurity.wssapi.OMStructure;
    // KeyStoreConfig and KeyInformationConfig are used in the re-signing step; their
    // package is assumed here, confirm it against the WebSphere Javadoc
    import com.ibm.wsspi.wssecurity.core.config.KeyInformationConfig;
    import com.ibm.wsspi.wssecurity.core.config.KeyStoreConfig;
    ....
    // someSamlToken is the existing SAMLToken object
    SAMLTokenFactory samlFactory = null;
    // initialize the desired SAML token factory
    // samlFactory = SAMLTokenFactory.getInstance(SAMLTokenFactory.WssSamlV11Token11);
    samlFactory = SAMLTokenFactory.getInstance(SAMLTokenFactory.WssSamlV20Token11);
    // clone the existing SAMLToken object if desired
    SAMLToken mySamlToken = samlFactory.newSAMLToken(someSamlToken);
- Add attributes to, or delete attributes from, the token
    // add a single attribute
    SAMLAttribute sattribute1 = new SAMLAttribute("Purchases", new String[] {"TooMany"}, null, null, null, null);
    mySamlToken.addAttribute(sattribute1);
    // after this first addAttribute, there is no longer a digital signature in the
    // token's XML: modifying the token invalidated the signature
    // add a list of attributes
    SAMLAttribute sattribute2 = new SAMLAttribute("Address", new String[] {"Austin, Texas"}, null, null, "IBM NameFormat", "IBM FriendlyName");
    SAMLAttribute sattribute3 = new SAMLAttribute("Membership", new String[] {"Blue team", "Green Team"}, null, null, null, null);
    ArrayList<SAMLAttribute> al = new ArrayList<SAMLAttribute>();
    al.add(sattribute2);
    al.add(sattribute3);
    mySamlToken.addAttribute(al);
    // delete an attribute
    mySamlToken.deleteAttribute(sattribute3);
    ....
- Re-sign the SAML token
    RequesterConfig reqData = null;
    // initialize the desired requester config
    // reqData = samlFactory.newSenderVouchesTokenGenerateConfig();
    reqData = samlFactory.newBearerTokenGenerateConfig();
    // initialize the provider config object with an issuer name
    ProviderConfig samlIssuerCfg = samlFactory.newDefaultProviderConfig("myIssuer");
    // or preserve the existing issuer by setting the issuer URI to null
    // samlIssuerCfg.setIssuerURI(null);
    // set the keystore information for use with the digital signature in the provider config object
    KeyStoreConfig ksc = samlFactory.newKeyStoreConfig("jks", "/myx509.ks", "myx509");
    samlIssuerCfg.setKeyStoreConfig(ksc);
    // set the key information for use with the digital signature in the provider config object
    KeyInformationConfig kic = samlFactory.newKeyInformationConfig("mySignAlias", "password", "CN=ME");
    samlIssuerCfg.setKeyInformationConfig(kic);
    // create a new SAMLToken object that is a signed clone of the input token
    SAMLToken myNewSamlToken = samlFactory.newSAMLToken(mySamlToken, reqData, samlIssuerCfg);
- Inspect the SAML token XML to see the modifications
    // get the SAML Assertion element
    OMElement samlElement = ((OMStructure) myNewSamlToken.getXML()).getNode();
    // convert the element to a String
    String xmlString = samlElement.toString();
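The whole procedure gathered into one method, as an added example that is not part of the original topic: it clones the token, adds the attributes, re-signs the clone, and then inspects the Assertion XML to confirm that a ds:Signature element is present and that every added attribute appears before the token is handed back. The class name, the placeholder issuer name, the key store parameters and the SAMLAttribute.getName() accessor are assumptions.

```java
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import javax.xml.namespace.QName;
import org.apache.axiom.om.OMElement;
import com.ibm.websphere.wssecurity.wssapi.token.SAMLToken;
import com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory;
import com.ibm.wsspi.wssecurity.saml.config.ProviderConfig;
import com.ibm.wsspi.wssecurity.saml.config.RequesterConfig;
import com.ibm.wsspi.wssecurity.saml.data.SAMLAttribute;
import com.ibm.wsspi.wssecurity.wssapi.OMStructure;
public class SamlResigner { // class name is an assumption
    private static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    private static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    // True when the Assertion element carries a ds:Signature child.
    static boolean isSigned(SAMLToken token) {
        OMElement assertion = ((OMStructure) token.getXML()).getNode();
        return assertion.getFirstChildWithName(new QName(DSIG_NS, "Signature")) != null;
    }
    // True when an AttributeStatement of the Assertion holds an Attribute with the given Name.
    static boolean hasAttribute(SAMLToken token, String name) {
        OMElement assertion = ((OMStructure) token.getXML()).getNode();
        Iterator<?> stmts = assertion.getChildrenWithName(new QName(SAML2_NS, "AttributeStatement"));
        while (stmts.hasNext()) {
            Iterator<?> attrs = ((OMElement) stmts.next()).getChildrenWithName(new QName(SAML2_NS, "Attribute"));
            while (attrs.hasNext()) {
                if (name.equals(((OMElement) attrs.next()).getAttributeValue(new QName("Name")))) return true;
            }
        }
        return false;
    }
    // Clones 'original', adds 'attrs', re-signs the clone as a bearer token and checks the result
    // before returning it, so that an unsigned or incomplete token never leaves this method.
    static SAMLToken addAttributesAndResign(SAMLToken original, List<SAMLAttribute> attrs,
            String keyStorePath, String keyStorePassword, String signAlias, String keyPassword) {
        SAMLTokenFactory factory = SAMLTokenFactory.getInstance(SAMLTokenFactory.WssSamlV20Token11);
        SAMLToken work = factory.newSAMLToken(original);
        work.addAttribute(new ArrayList<SAMLAttribute>(attrs)); // any existing signature is dropped here
        ProviderConfig issuerCfg = factory.newDefaultProviderConfig("myIssuer"); // "myIssuer" is a placeholder
        issuerCfg.setKeyStoreConfig(factory.newKeyStoreConfig("jks", keyStorePath, keyStorePassword));
        issuerCfg.setKeyInformationConfig(factory.newKeyInformationConfig(signAlias, keyPassword, "CN=ME"));
        RequesterConfig reqData = factory.newBearerTokenGenerateConfig();
        SAMLToken signed = factory.newSAMLToken(work, reqData, issuerCfg);
        if (!isSigned(signed)) throw new IllegalStateException("re-signed token carries no signature");
        for (SAMLAttribute a : attrs) { // getName() on SAMLAttribute is assumed
            if (!hasAttribute(signed, a.getName())) throw new IllegalStateException("attribute missing: " + a.getName());
        }
        return signed;
    }
}
```

The two checks at the end are the point: a caller that forgets the re-signing step, or passes a key store that cannot be opened, gets an exception instead of an unsigned assertion that a downstream consumer might still accept.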


http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-nd-mp&topic=twbs_addingattributesandresigningexistingSAMLtokens
File name: twbs_addingattributesandresigningexistingSAMLtokens.html