将XAML实施SAML

于 2020-04-16 06:38:05 发布
阅读量196 收藏 1
点赞数
文章标签: java http 安全 web 区块链
实施SAML之前



这就是XACML请求到达要评估的PDP(策略决策点)时的样子。 

<Request xmlns='urn:oasis:names:tc:xacml:2.0:context:schema:os'>
<Subject>
    <Attribute AttributeId='urn:oasis:names:tc:xacml:1.0:subject:subject-id'
    DataType='http://www.w3.org/2001/XMLSchema#string'>
    <AttributeValue>admin</AttributeValue>
    </Attribute>
</Subject>
<Resource>
    <Attribute AttributeId='urn:oasis:names:tc:xacml:1.0:resource:resource-id'
    DataType='http://www.w3.org/2001/XMLSchema#string'>
    <AttributeValue>http://localhost:8280/services/echo/echoString</AttributeValue>
    </Attribute>
</Resource>
<Action>
    <Attribute AttributeId='urn:oasis:names:tc:xacml:1.0:action:action-id'
    DataType='http://www.w3.org/2001/XMLSchema#string'><AttributeValue>read</AttributeValue>
    </Attribute>
</Action>
<Environment/>
</Request>

基本上,它指出谁(主题)想要访问哪个资源以及它想要对该资源执行什么操作。 PDP相信发出的请求在发送和接收时不会被更改,根据现有的已启用策略评估该请求,并作出如下决定的答复。 

<Response>
<Result ResourceId='http://localhost:8280/services/echo/echoString'>
<Decision>Permit</Decision>
<Status>
    <StatusCode Value='urn:oasis:names:tc:xacml:1.0:status:ok'/>
</Status>
</Result>
</Response>

同样,对于使用此响应的一方,也不能保证自从PDP发送到收到此决定,就不会更改此决定。 为了实现服务器对服务器之间XACML请求和响应的安全通信,OASIS定义了XACML的SAML概要文件,通过允许使用XACML提供的细粒度授权来将系统安全性提高到更高的水平。


实施SAML之后

以下是包装到XACMLAuthzDecisionQueryType中的上一个XACML请求的样子,该XACMLAuthzDecisionQueryType使用OpenSAML 2.0.0库生成,该库支持2004年声明的XACML的SAML概要文件 。 该图显示了XACMLAuthzDecisionQueryType的基本结构。

以下是样本XACMLAuthzDecisionQuery。 

<xacml-samlp:XACMLAuthzDecisionQueryType InputContextOnly='true' IssueInstant='2011-10-31T06:44:57.766Z' ReturnContext='false' Version='2.0' xmlns:xacml-samlp='urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:protocol'>
<saml:Issuer SPProvidedID='SPPProvierId' xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'> https://identity.carbon.wso2.org</saml:Issuer>
<ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
   <ds:SignedInfo>
   <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'/>
   <ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>
   <ds:Reference URI=''>
      <ds:Transforms>
      <ds:Transform Algorithm='http://www.w3.org/2000/09/xmldsig#enveloped-signature'/>
      <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'>
      <ec:InclusiveNamespaces PrefixList='ds saml xacml-context xacml-samlp'       xmlns:ec='http://www.w3.org/2001/10/xml-exc-c14n#'/>
      </ds:Transform>
      </ds:Transforms>
      <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>
      <ds:DigestValue>7T1ScatC2Xg7pSpjB2X9HB3EH8M=</ds:DigestValue>
   </ds:Reference>
   </ds:SignedInfo>
   <ds:SignatureValue>XQBUVH3j16HVm3aTFSFh5EYFyiYjn0IU4PJfXelzK6BfXp
GGTBGouVJEe2Kk26sa3Yj0nEgh51pKsNWxk8xQFWdXg6/UlMkq+CaKrYj7laYlM9yGuIlEBT6t
yzjIQBa8wskHeITL6tHE+G0aMa5YnTqtb+9IaJKGPIrl/K5Zn2A=</ds:SignatureValue>
   <ds:KeyInfo>
   <ds:X509Data>
   <ds:X509Certificate>MIICNTCCAZ6gAwIBAgIES343gjANBgkqhkiG9w0BA
QUFADBVMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDU1vdW50YWluIFZ
pZXcxDTALBgNVBAoMBFdTTzIxEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0xMDAyMTkwNzAyM
jZaFw0zNTAyMTMwNzAyMjZaMFUxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1U
EBwwNTW91bnRhaW4gVmlldzENMAsGA1UECgwEV1NPMjESMBAGA1UEAwwJbG9jYWxob3N0M
IGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCUp/oV1vWc8/TkQSiAvTousMzOM4asB2i
ltr2QKozni5aVFu818MpOLZIr8LMnTzWllJvvaA5RAAdpbECb+48FjbBe0hseUdN5Hpwvn
H/DW8ZccGvk53I6Orq7hLCv1ZHtuOCokghz/ATrhyPq+QktMfXnRS4HrKGJTzxaCcU7OQI
DAQABoxIwEDAOBgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcNAQEFBQADgYEAW5wPR7cr1LAdq
+IrR44iQlRG5ITCZXY9hI0PygLP2rHANh+PYfTmxbuOnykNGyhM6FjFLbW2uZHQTY1jMrP
prjOrmyK5sjJRO4d1DeGHT/YnIjs9JogRKv4XHECwLtIVdAbIdWHEtVZJyMSktcyysFcvu
hPQK8Qc/E/Wq8uHSCo=</ds:X509Certificate>
   </ds:X509Data>
   </ds:KeyInfo>
</ds:Signature>
<xacml-context:Request xmlns:xacml-context='urn:oasis:names:tc:xacml:2.0:context:schema:os'><xacml-context:Subject SubjectCategory='urn:oasis:names:tc:xacml:1.0:subject-category:access-subject' xmlns:xacml-context='urn:oasis:names:tc:xacml:2.0:context:schema:os'><xacml-context:Attribute AttributeId='urn:oasis:names:tc:xacml:1.0:subject:subject-id' DataType='http://www.w3.org/2001/XMLSchema#string'><xacml-context:AttributeValue>admin</xacml-context:AttributeValue></xacml-context:Attribute></xacml-context:Subject><xacml-context:Resource xmlns:xacml-context='urn:oasis:names:tc:xacml:2.0:context:schema:os'><xacml-context:Attribute AttributeId='urn:oasis:names:tc:xacml:1.0:resource:resource-id' DataType='http://www.w3.org/2001/XMLSchema#string'><xacml-context:AttributeValue>http://localhost:8280/services/echo/echoString</xacml-context:AttributeValue></xacml-context:Attribute></xacml-context:Resource><xacml-context:Action xmlns:xacml-context='urn:oasis:names:tc:xacml:2.0:context:schema:os'><xacml-context:Attribute AttributeId='urn:oasis:names:tc:xacml:1.0:action:action-id' DataType='http://www.w3.org/2001/XMLSchema#string'><xacml-context:AttributeValue>read</xacml-context:AttributeValue></xacml-context:Attribute></xacml-context:Action><xacml-context:Environment xmlns:xacml-context='urn:oasis:names:tc:xacml:2.0:context:schema:os'/>
</xacml-context:Request>
</xacml-samlp:XACMLAuthzDecisionQueryType>

如您所见,它携带了与请求内容相关的大量信息,例如由谁发出请求,何时使用X509Certificate和XACML请求签名。 可以通过这种方式保持数据完整性。
执行完请求并从PDP获得响应后,还将发送带有签名的安全请求。 该图显示了基本SAML响应的结构。

以下是带有XACML响应的示例SAML响应。 

<samlp:Response IssueInstant='2011-10-31T06:49:51.013Z' Version='2.0' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'>
<saml:Issuer SPProvidedID='SPPProvierId' xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>
https://identity.carbon.wso2.org</saml:Issuer>
<ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
   <ds:SignedInfo>
   <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'/>
   <ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>
   <ds:Reference URI=''>
   <ds:Transforms>
   <ds:Transform Algorithm='http://www.w3.org/2000/09/xmldsig#enveloped-signature'/>
   <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'>
   <ec:InclusiveNamespaces PrefixList='ds saml samlp xacml-context xacml-saml' 
xmlns:ec='http://www.w3.org/2001/10/xml-exc-c14n#'/>
   </ds:Transform>
   </ds:Transforms>
   <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>
   <ds:DigestValue>uct4nBcdqAV4FIO50WMmFjSy9sE=</ds:DigestValue>
   </ds:Reference>
   </ds:SignedInfo>
   <ds:SignatureValue>dLaXFl6+HHqtaQoE8l22bCCM8byxblyBOYUTdUdG/LeYIR+
NUTn6nTRe9MJqWqrXT4qLtQ2Jvb3Cjrw66YZTdVrBXNjD1t6oWAg3YFXtZcO4s1+z5y4BeN6Mq
spLLKIUnovCADNbHvhhVDwtMkCOcUs0x35R0zENiU1PYVMLQMM=</ds:SignatureValue>
   <ds:KeyInfo>
   <ds:X509Data>
   <ds:X509Certificate>
MIICNTCCAZ6gAwIBAgIES343gjANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzELMAkGA1
UECAwCQ0ExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxDTALBgNVBAoMBFdTTzIxEjAQBgNVBAMM
CWxvY2FsaG9zdDAeFw0xMDAyMTkwNzAyMjZaFw0zNTAyMTMwNzAyMjZaMFUxCzAJBgNVBAYTAl
VTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzENMAsGA1UECgwEV1NPMjES
MBAGA1UEAwwJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCUp/oV1vWc8/
TkQSiAvTousMzOM4asB2iltr2QKozni5aVFu818MpOLZIr8LMnTzWllJvvaA5RAAdpbECb+48F
jbBe0hseUdN5HpwvnH/DW8ZccGvk53I6Orq7hLCv1ZHtuOCokghz/ATrhyPq+QktMfXnRS4HrK
GJTzxaCcU7OQIDAQABoxIwEDAOBgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcNAQEFBQADgYEAW5wP
R7cr1LAdq+IrR44iQlRG5ITCZXY9hI0PygLP2rHANh+PYfTmxbuOnykNGyhM6FjFLbW2uZHQTY
1jMrPprjOrmyK5sjJRO4d1DeGHT/YnIjs9JogRKv4XHECwLtIVdAbIdWHEtVZJyMSktcyysFcv
uhPQK8Qc/E/Wq8uHSCo=
   </ds:X509Certificate>
   </ds:X509Data>
   </ds:KeyInfo>
</ds:Signature>
<saml:Assertion IssueInstant='2011-10-31T06:49:51.008Z' Version='2.0' xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>
<saml:Issuer SPProvidedID='SPPProvierId'>https://identity.carbon.wso2.org</saml:Issuer>
<saml:Statement xmlns:xacml-saml='urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:assertion' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xsi:type='xacml-saml:XACMLAuthzDecisionStatementType'>
<xacml-context:Response xmlns:xacml-context='urn:oasis:names:tc:xacml:2.0:context:schema:os'>
<xacml-context:Result ResourceId='http://localhost:8280/services/echo/echoString'
xmlns:xacml-context='urn:oasis:names:tc:xacml:2.0:context:schema:os'>
<xacml-context:Decision>Permit</xacml-context:Decision>
<xacml-context:Status><xacml-context:StatusCode Value='urn:oasis:names:tc:xacml:1.0:status:ok'/>
</xacml-context:Status>
</xacml-context:Result>
</xacml-context:Response>
</saml:Statement>
</saml:Assertion>
</samlp:Response>

XACML响应被包装到SAML声明中,该声明包含在SAML声明中,该声明又被SAML响应包装。我仅根据上下文对响应进行签名,并且仅包含一个声明。 我们可以根据规范分别对断言和响应进行签名,并在一个响应中包含更多断言。 也可以在响应中发送相关的XACML请求,并且根据规范,还有更多选项。 借助OpenSAML,我们可以将其中的大多数付诸实践。

参考: Pushpalanka博客博客上的JCG合作伙伴 Pushpalanka 向XACML实现SAML


翻译自: https://www.javacodegeeks.com/2012/07/implementing-saml-to-xacml.html

danpu0978
关注
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值