安全上下文令牌
应用程序服务器中的 Web Services Trust (WS-Trust) 和 Web Services Secure Conversation (WS-SecureConversation) 支持提供了发出安全上下文令牌 (SCT) 的功能。对安全上下文令牌的请求由安全性令牌服务处理。
WebSphere® Application Server 的安全性令牌服务称为信任服务。但是,此应用程序服务器未提供全部安全性令牌服务(该服务实现该 WS-Trust 规范的所有内容)。
安全会话称为安全对话,因为所用的消息协议由 WS-SecureConversation 和 WS-Trust 定义。WebSphere Application Server 支持安全对话。
要请求安全上下文令牌,将 WS-Trust 和 WS-SecureConversation 协议定义的 RequestSecurityToken (RST) 发送至要与其建立安全对话的服务端点。这些请求将被透明地重新路由至信任服务。信任服务处理 RST 并用 RequestSecurityTokenResponse (RSTR) 进行响应。向请求者返回此响应,就好像它是由端点服务生成一样。
WebSphere Application Server 令牌提供程序支持限制为安全上下文令牌提供程序。应用程序服务器中的 WS-SecureConversation 着重于在安全对话的发起方与接收方之间建立安全上下文令牌。
WebSphere Application Server 包括在集群环境和非集群环境中以及在客户机和服务器上对安全上下文令牌的高速缓存支持。WebSphere Application Server 还对每个信任服务操作(发出、取消、验证和更新)提供信任策略集管理。可对与显式服务端点或信任服务缺省值相关的这些信任操作中的每个操作管理信任系统策略集。当没有显式连接时,将强制使用信任操作的缺省信任服务策略集。
有关受支持的 WS-Trust 功能,请参阅有关 Web Services Trust 的信息。
- 为 WS-SecureConversation 配置安全上下文令牌提供程序(包括发布、更新和取消操作)。
- 配置信任服务以发出用于访问特定端点服务(目标)的安全上下文令牌。
- 配置访问信任服务和应用程序的安全性要求。WebSphere Application Server 提供预先配置的应用程序策略集和信任服务策略集以帮助进行此配置。
- 为四个信任服务操作(发出、取消、验证和更新)中的每一个定义系统策略。将对缺省或特定端点服务配置这些策略。请注意,此处不支持修订操作。
- WS-SecureConversation 修订
- 协商以建立安全对话
- WS-Trust 密钥交换请求
- 由客户机发起的 RequestSecurityTokenResponse (RSTR) 和 RequestSecurityTokenResponseCollection (RSTRC) 请求
- WS-SecurityPolicy 信任声明
定义
为了更好地了解安全性令牌,定义了以下术语:
- 安全性令牌
- 安全性令牌表示一组声明。
- 安全上下文
- 安全上下文是一个抽象概念,指的是已建立认证状态和可具有其他与安全性相关的属性的一个或多个已协商密钥。安全上下文需要先由通信方创建和共享才能使用。安全上下文在通信会话的生存期内在通信方之间共享,并且安全上下文令牌是此抽象安全上下文的有线表示。
WebSphere Application Server 不支持由通信方之一创建且通过消息传播的安全上下文令牌
WebSphere Application Server 不支持通过协商和交换创建安全上下文令牌。 - 安全上下文令牌
- 安全上下文令牌是安全上下文抽象概念的有线表示,它允许由 URI 命名上下文并与 Web Service 安全性配合使用。在两方之间使用安全上下文令牌进行的受保护通信用 WS-Trust 和 WS-SecureConversation 实现。
- 安全性令牌服务
- 安全性令牌服务 (STS) 是发放安全性令牌的 Web Service,这意味着它根据自己信任的证据向信任它的任何人(或特定接收方)发出声明。
- 信任服务
- 信任服务就是 Websphere Application Server 提供的安全性令牌服务和支持代码。
- RequestSecurityToken (RST)
- RST 是发送给安全性令牌服务以请求安全性令牌的消息。
- RequestSecurityToken 响应 (RSTR)
- RSTR 是在接收到 RST 消息后,对来自安全性令牌服务对安全性令牌的请求向请求者作出的响应。
为使通信可信任,服务需要证明(例如签名)以证明知晓一个或一组安全性令牌。服务本身可以生成令牌,或者它可依赖独立的安全性令牌服务来用它自己的信任语句发出安全性令牌。注意,对于某些安全性令牌格式,通信信任可能只是组成信任代理基础的重新发出或共同签名。
<wsc:SecurityContextToken> 元素的语法
安全上下文在通信会话的生存期内在通信方之间共享,并且安全上下文令牌是此抽象安全上下文的有线表示。
http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct
<wsc:SecurityContextToken> 元素的语法如下所示:
<wsc:SecurityContextToken wsu:Id="..." ...>
<wsc:Identifier>...</wsc:Identifier>
<wsc:Instance>...</wsc:Instance>
...
</wsc:SecurityContextToken>
安全上下文令牌不支持通过使用密钥标识或密钥名称进行引用。所有引用都必须在安全上下文令牌中使用标识(属于 wsu:Id 属性)或使用对 <wsc:Identifier> 元素的 URI 引用 (<wsse:Reference>)。
发出安全性令牌的 RST 和 RSTR 示例
以下示例显示发出安全性令牌的 RST 请求。在此示例中使用的 URI http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct 表示令牌类型:
<wsc:SecurityContextToken>
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsa:To xmlns:wsa="http://www.w3.org/2005/08/addressing"
soapenv:mustUnderstand="0">
http://localhost:80/WSSampleSei/EchoService
</wsa:To>
<wsa:MessageID xmlns:wsa="http://www.w3.org/2005/08/addressing"
soapenv:mustUnderstand="0">
fc0632828e1252b4:487cee53:11cbfa7916e:-7fb6
</wsa:MessageID>
<wsa:Action xmlns:wsa="http://www.w3.org/2005/08/addressing"
soapenv:mustUnderstand="0">
http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT
</wsa:Action>
</soapenv:Header>
<soapenv:Body>
<wst:RequestSecurityToken
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
Context="http://www.ibm.com/login/">
<wst:TokenType>
http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct
</wst:TokenType>
<wst:RequestType>
http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue
</wst:RequestType>
<wsp:AppliesTo
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
-
<wsa:EndpointReference
xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Address>
http://localhost:80/WSSampleSei/EchoService
</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<wst:Entropy>
<wst:BinarySecret
Type="http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce">
zb//KsawV6DmfC8kB6vNOQ==
</wst:BinarySecret>
</wst:Entropy>
<wst:KeySize>128</wst:KeySize>
</wst:RequestSecurityToken>
</soapenv:Body>
</soapenv:Envelope>
此示例显示发布安全性令牌的 RSTR 请求:
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Action>
http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/SCT
</wsa:Action>
<wsa:RelatesTo>
fc0632828e1252b4:487cee53:11cbfa7916e:-7fb6
</wsa:RelatesTo>
</soapenv:Header>
<soapenv:Body>
<wst:RequestSecurityTokenResponseCollection
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<wst:RequestSecurityTokenResponse
Context="http://www.ibm.com/login/">
<wst:RequestedSecurityToken>
<wsc:SecurityContextToken
xmlns:wsc="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="uuid:FFA51A32EB818FB6EA1222986227363">
<wsc:Identifier>
uuid:FFA51A32EB818FB6EA1222986227346
</wsc:Identifier>
<wsc:Instance>
uuid:FFA51A32EB818FB6EA1222986227345
</wsc:Instance>
</wsc:SecurityContextToken>
</wst:RequestedSecurityToken>
<wsp:AppliesTo
xmlns:wsp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsa:EndpointReference
xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Address>
http://localhost:80/WSSampleSei/EchoService
</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<wst:RequestedProofToken>
<wst:ComputedKey>
http://docs.oasis-open.org/ws-sx/ws-trust/200512/CK/PSHA1
</wst:ComputedKey>
</wst:RequestedProofToken>
<wst:Entropy>
<wst:BinarySecret
Type="http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce">
rF1Yp5zhRhamLQNPAOm4TA==
</wst:BinarySecret>
</wst:Entropy>
<wst:Lifetime>
<wsu:Created
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
2008-10-02T22:23:44.765Z
</wsu:Created>
<wsu:Expires
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
2008-10-02T22:35:44.765Z
</wsu:Expires>
</wst:Lifetime>
<wst:RequestedAttachedReference>
<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:Reference
URI="#uuid:FFA51A32EB818FB6EA1222986227363"
ValueType="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct" />
</wsse:SecurityTokenReference>
</wst:RequestedAttachedReference>
<wst:RequestedUnattachedReference>
<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:Reference
URI="uuid:FFA51A32EB818FB6EA1222986227346"
ValueType="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct" />
</wsse:SecurityTokenReference>
</wst:RequestedUnattachedReference>
<wst:Renewing Allow="true" OK="false" />
<wst:KeySize>128</wst:KeySize>
</wst:RequestSecurityTokenResponse>
</wst:RequestSecurityTokenResponseCollection>
</soapenv:Body>
</soapenv:Envelope>
取消安全性令牌的 RST 和 RSTR 示例
以下示例显示取消安全性令牌的 RST 请求。
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsa:To xmlns:wsa="http://www.w3.org/2005/08/addressing"
soapenv:mustUnderstand="0">
http://localhost:80/WSSampleSei/EchoService
</wsa:To>
<wsa:MessageID xmlns:wsa="http://www.w3.org/2005/08/addressing"
soapenv:mustUnderstand="0">
fc0632828e1252b4:-270287b7:11cc22c16ed:-7fa8
</wsa:MessageID>
<wsa:Action xmlns:wsa="http://www.w3.org/2005/08/addressing"
soapenv:mustUnderstand="0">
http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Cancel
</wsa:Action>
</soapenv:Header>
<soapenv:Body>
<wst:RequestSecurityToken
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
Context="http://www.ibm.com/login/">
<wst:TokenType>
http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct
</wst:TokenType>
<wst:RequestType>
http://docs.oasis-open.org/ws-sx/ws-trust/200512/Cancel
</wst:RequestType>
<wsp:AppliesTo
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsa:EndpointReference
xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Address>
http://localhost:80/WSSampleSei/EchoService
</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<wst:CancelTarget>
<wsc:SecurityContextToken
xmlns:wsc="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="uuid:AC4764EB4BE91011501223028453769">
<wsc:Identifier>
uuid:AC4764EB4BE91011501223028453768
</wsc:Identifier>
<wsc:Instance>
uuid:AC4764EB4BE91011501223028453751
</wsc:Instance>
</wsc:SecurityContextToken>
</wst:CancelTarget>
</wst:RequestSecurityToken>
</soapenv:Body>
</soapenv:Envelope>
以下示例显示取消安全性令牌的 RSTR 请求:
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:wsa="http://www.w3.org/2005/08/addressing">
<soapenv:Header>
<wsa:Action>
http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Cancel
</wsa:Action>
<wsa:RelatesTo>
fc0632828e1252b4:-270287b7:11cc22c16ed:-7fa8
</wsa:RelatesTo>
</soapenv:Header>
<soapenv:Body>
<wst:RequestSecurityTokenResponse
Context="http://www.ibm.com/login/"
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<wst:RequestedTokenCancelled>
</wst:RequestSecurityTokenResponse>
</soapenv:Body>
</soapenv:Envelope>
更新安全性令牌的 RST 和 RSTR 示例
以下示例显示更新安全性令牌的 RST 请求。
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsa:To xmlns:wsa="http://www.w3.org/2005/08/addressing"
soapenv:mustUnderstand="0">
http://localhost:80/WSSampleSei/EchoService
</wsa:To>
<wsa:MessageID xmlns:wsa="http://www.w3.org/2005/08/addressing"
soapenv:mustUnderstand="0">
fc0632828e1252b4:487cee53:11cbfa7916e:-7f8e
</wsa:MessageID>
<wsa:Action xmlns:wsa="http://www.w3.org/2005/08/addressing"
soapenv:mustUnderstand="0">
http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Renew
</wsa:Action>
</soapenv:Header>
<soapenv:Body>
<wst:RequestSecurityToken
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
Context="http://www.ibm.com/login/">
<wst:TokenType>
http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct
</wst:TokenType>
<wst:RequestType>
http://docs.oasis-open.org/ws-sx/ws-trust/200512/Renew
</wst:RequestType>
<wst:RenewTarget>
<wsc:SecurityContextToken
xmlns:wsc="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="uuid:FFA51A32EB818FB6EA1223026418869">
<wsc:Identifier>
uuid:FFA51A32EB818FB6EA1223026418868
</wsc:Identifier>
<wsc:Instance>
uuid:FFA51A32EB818FB6EA1223026418867
</wsc:Instance>
</wsc:SecurityContextToken>
</wst:RenewTarget>
<wsp:AppliesTo
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsa:EndpointReference
xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Address>
http://localhost:80/WSSampleSei/EchoService
</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<wst:Entropy>
<wst:BinarySecret
Type="http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce">
U8rH9l/wLV1gpsBf/yCooA==
</wst:BinarySecret>
</wst:Entropy>
<wst:KeySize>128</wst:KeySize>
</wst:RequestSecurityToken>
</soapenv:Body>
</soapenv:Envelope>
以下示例显示更新安全性令牌的 RSTR 请求:
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Action>
http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/RenewFinal
</wsa:Action>
<wsa:RelatesTo>
fc0632828e1252b4:487cee53:11cbfa7916e:-7f8e
</wsa:RelatesTo>
</soapenv:Header>
<soapenv:Body>
<wst:RequestSecurityTokenResponse
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
Context="http://www.ibm.com/login/">
<wst:RequestedSecurityToken>
<wsc:SecurityContextToken
xmlns:wsc="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="uuid:FFA51A32EB818FB6EA1223026990448">
<wsc:Identifier>
uuid:FFA51A32EB818FB6EA1223026418868
</wsc:Identifier>
<wsc:Instance>
uuid:FFA51A32EB818FB6EA1223026990447
</wsc:Instance>
</wsc:SecurityContextToken>
</wst:RequestedSecurityToken>
<wst:Entropy>
<wst:BinarySecret
Type="http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce">
lFkKSI/pajtTZzRpQalNMA==
</wst:BinarySecret>
</wst:Entropy>
<wst:Lifetime>
<wsu:Created
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
2008-10-03T09:43:07.421Z
</wsu:Created>
<wsu:Expires
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
2008-10-03T09:55:07.421Z
</wsu:Expires>
</wst:Lifetime>
<wst:RequestedAttachedReference>
<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:Reference
URI="#uuid:FFA51A32EB818FB6EA1223026990448"
ValueType="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct">
</wsse:Reference>
</wsse:SecurityTokenReference>
</wst:RequestedAttachedReference>
<wst:Renewing Allow="true" OK="false"></wst:Renewing>
</wst:RequestSecurityTokenResponse>
</soapenv:Body>
</soapenv:Envelope>
验证安全性令牌的 RST 和 RSTR 示例
以下示例显示验证安全性令牌的 RST 请求。
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsa:To xmlns:wsa="http://www.w3.org/2005/08/addressing"
soapenv:mustUnderstand="0">
http://localhost:80/WSSampleSei/EchoService
</wsa:To>
<wsa:MessageID xmlns:wsa="http://www.w3.org/2005/08/addressing"
soapenv:mustUnderstand="0">
fc0632828e1252b4:-673f2c18:11cc328886a:-7fa7
</wsa:MessageID>
<wsa:Action xmlns:wsa="http://www.w3.org/2005/08/addressing"
soapenv:mustUnderstand="0">
http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Validate
</wsa:Action>
</soapenv:Header>
<soapenv:Body>
<wst:RequestSecurityToken
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
Context="http://www.ibm.com/login/">
<wst:TokenType>
http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct
</wst:TokenType>
<wst:RequestType>
http://docs.oasis-open.org/ws-sx/ws-trust/200512/Validate
</wst:RequestType>
<wst:ValidateTarget>
<wsc:SecurityContextToken
xmlns:wsc="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="uuid:6B77A2DA28C1E523BD1223045150688">
<wsc:Identifier>
uuid:6B77A2DA28C1E523BD1223045150687
</wsc:Identifier>
<wsc:Instance>
uuid:6B77A2DA28C1E523BD1223045150670
</wsc:Instance>
</wsc:SecurityContextToken>
</wst:ValidateTarget>
<wsp:AppliesTo
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsa:EndpointReference
xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Address>
http://localhost:80/WSSampleSei/EchoService
</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
</wst:RequestSecurityToken>
</soapenv:Body>
</soapenv:Envelope>
以下示例显示验证安全性令牌的 RSTR 请求:
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Action>
http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/ValidateFinal
</wsa:Action>
<wsa:RelatesTo>
fc0632828e1252b4:-673f2c18:11cc328886a:-7fa7
</wsa:RelatesTo>
</soapenv:Header>
<soapenv:Body>
<wst:RequestSecurityTokenResponse
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
Context="http://www.ibm.com/login/">
<wst:Status>
<wst:Code>
http://docs.oasis-open.org/ws-sx/ws-trust/200512/status/valid
</wst:Code>
</wst:Status>
</wst:RequestSecurityTokenResponse>
</soapenv:Body>
</soapenv:Envelope>
有关其他信息,请查看讨论建立安全上下文令牌的两个示例方案主题。