Mule ESB 学习笔记（16）CXF SOAP基于SAML的验证的配置

mule的配置

<mule xmlns:core="http://www.mulesoft.org/schema/mule/core" xmlns="http://www.mulesoft.org/schema/mule/core"    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"    xmlns:spring="http://www.springframework.org/schema/beans"    xmlns:cxf="http://www.mulesoft.org/schema/mule/cxf"    xmlns:doc="http://www.mulesoft.org/schema/mule/documentation"    xmlns:http="http://www.mulesoft.org/schema/mule/http"    xsi:schemaLocation="http://www.mulesoft.org/schema/mule/http http://www.mulesoft.org/schema/mule/http/current/mule-http.xsd http://www.mulesoft.org/schema/mule/cxf http://www.mulesoft.org/schema/mule/cxf/current/mule-cxf.xsd http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-current.xsd http://www.mulesoft.org/schema/mule/core http://www.mulesoft.org/schema/mule/core/current/mule.xsd " version="EE-3.3.0">    <spring:beans>        <spring:bean id="Bean" name="samlCustomValidator" doc:name="SamlTokenServiceFlow">        <http:inbound-endpoint address="http://localhost:63084/services/saml" exchange-pattern="request-response" doc:name="HTTP Inbound Endpoint"/>        <cxf:jaxws-service servicedoc:name="Secure SAMLToken service">            <cxf:ws-security>                <cxf:ws-config>                    <cxf:property key="action" value="SAMLTokenUnsigned Timestamp"/>                </cxf:ws-config>                <cxf:ws-custom-validator>                    <cxf:saml2-token-validator ref="samlCustomValidator"/>                </cxf:ws-custom-validator>            </cxf:ws-security>        </cxf:jaxws-service>        <component doc:name="Greeter Service"/>    </flow>    <flow name="SignedSamlTokenServiceFlow" doc:name="SignedSamlTokenServiceFlow">        <http:inbound-endpoint address="http://localhost:63084/services/signedsaml" exchange-pattern="request-response" doc:name="HTTP Inbound Endpoint"/>        <cxf:jaxws-service servicedoc:name="Secure SAMLToken Signed service">            <cxf:ws-security>                <cxf:ws-config>                    <cxf:property key="action" value="SAMLTokenUnsigned Signature"/>                    <cxf:property key="signaturePropFile" value="wssecurity.properties" />                </cxf:ws-config>                <cxf:ws-custom-validator>                    <cxf:saml2-token-validator ref="samlCustomValidator"/>                </cxf:ws-custom-validator>            </cxf:ws-security>        </cxf:jaxws-service>        <component doc:name="Greeter Service"/>    </flow></mule>

?

?

package com.mulesoft.mule.soap.security;import java.io.IOException;import java.util.Collections;import javax.security.auth.callback.Callback;import javax.security.auth.callback.CallbackHandler;import javax.security.auth.callback.UnsupportedCallbackException;import org.apache.ws.security.saml.ext.SAMLCallback;import org.apache.ws.security.saml.ext.bean.AuthenticationStatementBean;import org.apache.ws.security.saml.ext.bean.SubjectBean;import org.apache.ws.security.saml.ext.builder.SAML2Constants;import org.opensaml.common.SAMLVersion;/** *  Callback handler that populates a SAML 2.0 assertion based on the SAML properties file */public class SAMLCallbackHandler implements CallbackHandler {    private String subjectName;    private String subjectQualifier;    private String confirmationMethod;    public SAMLCallbackHandler()    {        subjectName = "AllowGreetingServices";        subjectQualifier = "www.example.com";        confirmationMethod = SAML2Constants.CONF_SENDER_VOUCHES;    }    public void handle(Callback[] callbacks)            throws IOException, UnsupportedCallbackException    {        for (int i = 0; i < callbacks.length; i++) {            if (callbacks[i] instanceof SAMLCallback) {                SAMLCallback callback = (SAMLCallback) callbacks[i];                callback.setSamlVersion(SAMLVersion.VERSION_20);                SubjectBean subjectBean =                        new SubjectBean(                                subjectName, subjectQualifier, confirmationMethod                        );                callback.setSubject(subjectBean);                createAndSetStatement(null, callback);            } else {                throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");            }        }    }    private void createAndSetStatement(SubjectBean subjectBean, SAMLCallback callback) {        AuthenticationStatementBean authBean = new AuthenticationStatementBean();        if (subjectBean != null) {            authBean.setSubject(subjectBean);        }        authBean.setAuthenticationMethod("Password");        callback.setAuthenticationStatementData(Collections.singletonList(authBean));    }}

?

?

import org.apache.ws.security.WSSecurityException;import org.apache.ws.security.handler.RequestData;import org.apache.ws.security.saml.ext.AssertionWrapper;import org.apache.ws.security.saml.ext.OpenSAMLUtil;import org.apache.ws.security.validate.Credential;import org.apache.ws.security.validate.SamlAssertionValidator;public class SAMLCustomValidator extends SamlAssertionValidator{    @Override    public Credential validate(Credential credential, RequestData data) throws WSSecurityException    {        Credential returnedCredential = super.validate(credential, data);        //        // Do some custom validation on the assertion        //        AssertionWrapper assertion = credential.getAssertion();        if (!"self".equals(assertion.getIssuerString()))        {            throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");        }        if (assertion.getSaml2() == null)        {            throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");        }        String confirmationMethod = assertion.getConfirmationMethods().get(0);        if (confirmationMethod == null)        {            throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");        }        if (!OpenSAMLUtil.isMethodSenderVouches(confirmationMethod))        {            throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");        }        if(!"AllowGreetingServices".equals(assertion.getSaml2().getSubject().getNameID().getValue()))        {            throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");        }        return returnedCredential;    }}

?

?

服务端:

import org.mule.api.MuleContext;import org.mule.api.MuleException;import org.mule.api.context.MuleContextFactory;import org.mule.config.spring.SpringXmlConfigurationBuilder;import org.mule.context.DefaultMuleContextFactory;public class MuleServerApp {  public static void main(String[] args) throws MuleException {  String configFile = "mule-config.xml";      System.setProperty("mule.verbose.exceptions","true");      String[] configFileArr = new String[] {configFile };      MuleContextFactory muleContextFactory = new DefaultMuleContextFactory();      MuleContext muleContext = muleContextFactory              .createMuleContext(new SpringXmlConfigurationBuilder(configFileArr));      muleContext.start();  }}

?

客户端测试:

public class MuleSecureClient{    public static void main(String[] args) throws Exception    {        Greeter service = createService("http://localhost:63084/services/saml?wsdl",            getSamlTokenProps("SAMLTokenUnsigned Timestamp", "saml.properties"));        System.out.println(service.greet("Mule"));                        service = createService("http://localhost:63084/services/signedsaml?wsdl",                                        getSignedSamlTokenProps("SAMLTokenSigned", "saml.properties"));        System.out.println(service.greet("Mule"));    }        protected static Map<String, Object> getSamlTokenProps(String action, String propertiesFile)    {        Map<String, Object> wss4jProps = new HashMap<String, Object>();        wss4jProps.put("action", action);        wss4jProps.put("samlPropFile", propertiesFile);        SAMLCallbackHandler samlCallbackHandler = new SAMLCallbackHandler();        wss4jProps.put(WSHandlerConstants.SAML_CALLBACK_REF, samlCallbackHandler);        return wss4jProps;    }    protected static Map<String, Object> getSignedSamlTokenProps(String action, String propertiesFile)    {        Map<String, Object> wss4jProps = new HashMap<String, Object>();        wss4jProps.put("action", action);        wss4jProps.put("samlPropFile", propertiesFile);        wss4jProps.put("signatureKeyIdentifier", "DirectReference");        wss4jProps.put("user", "joe");        wss4jProps.put("passwordCallbackClass", PasswordCallback.class.getName());        wss4jProps.put(WSHandlerConstants.SAML_CALLBACK_REF, new SAMLCallbackHandler());        return wss4jProps;    }        public static Greeter createService(String url, Map<String, Object> wss4jProps)    {        URL wsdlDocumentLocation;        try        {            wsdlDocumentLocation = new URL(url);        }        catch (MalformedURLException e)        {            throw new RuntimeException("Invalid test definition", e);        }        QName serviceName = new QName("http://security.soap.mule.mulesoft.com/", "GreeterService");        Service dynService = Service.create(wsdlDocumentLocation, serviceName);        Greeter service = dynService.getPort(Greeter.class);        Client client = ClientProxy.getClient(service);        if (wss4jProps != null)        {            client.getOutInterceptors().add(new WSS4JOutInterceptor(wss4jProps));        }        return service;    }    }

?