Security Token Service

[b]Introduction to WS-Trust[/b]
[u]Overview[/u]

The WS-Trust standard is based around a centralized security server (the [color=blue]Security Token Service[/color]), which is capable of authenticating clients and can issue tokens containing various kinds of authentication and authorization data.
[u]WS-Trust specification[/u]

The WS-Trust features of Artix are based on the WS-Trust standard from Oasis:

http://docs.oasis-open.org/ws-sx/ws-trust/v1.4/ws-trust.html

[u]Supporting specifications[/u]

Apart from the WS-Trust specification itself, several other specifications play an important role in the WS-Trust architecture, as follows:

WS-SecurityPolicy 1.2

SAML 2.0

Username Token Profile

X.509 Token Profile

SAML Token Profile

Kerberos Token Profile

[u]WS-Trust architecture[/u]

Figure 8.1 shows a general overview of the WS-Trust architecture.
[img]http://fusesource.com/docs/esb/4.4/cxf_security/images/ws_trust_01.gif[/img]

Figure 8.1. WS-Trust Architecture
WS-Trust Architecture

[u]Requestor[/u]

A requestor is an entity that tries to invoke a secure operation over a network connection. In practice, a requestor is typically a Web service client.

[u]Relying party[/u]

A relying party refers to an entity that has some services or resources that must be secured against unauthorized access. In practice, a relying party is typically a Web service.
[Note] Note

This is a term defined by the SAML specification, not by WS-Trust.
[u]Security token[/u]

A security token is a collection of security data that a requestor sends inside a request (typically embedded in the message header) in order to invoke a secure operation or to gain access to a secure resource. In the WS-Trust framework, the notion of a security token is quite general and can be used to describe any block of security data that might accompany a request.

In principle, WS-Trust can be used with the following kinds of security token:

SAML token.

UsernameToken token.

X.509 certificate token.

Kerberos token.

[u]SAML token[/u]

A SAML token is a particularly flexible kind of security token. The SAML specification defines a general-purpose XML schema that enables you to wrap almost any kind of security data and enables you to sign and encrypt part or all of the token.

SAML is a popular choice of token to use in the context of WS-Trust, because SAML has all of the necessary features to support typical WS-Trust authentication scenarios.
[u]Claims[/u]

A SAML security token is formally defined to consist of a collection of claims. Each claim typically contains a particular kind of security data.
[u]Policy[/u]

In WS-Trust scenarios, a policy can represent the security configuration of a participant in a secure application. The requestor, the relying party, and the security token service are all configured by policies. For example, a policy can be used to configure what kinds of authentication are supported and required.
[u]Security token service[/u]

The security token service (STS) lies at the heart of the WS-Trust security architecture. In the WS-Trust standard, the following bindings are defined (not all of which are supported by Apache CXF):

Issue binding—the specification defines this binding as follows: Based on the credential provided/proven in the request, a new token is issued, possibly with new proof information.

Validate binding—the specification defines this binding as follows: The validity of the specified security token is evaluated and a result is returned. The result may be a status, a new token, or both.

Renew binding—the specification defines this binding as follows: A previously issued token with expiration is presented (and possibly proven) and the same token is returned with new expiration semantics.

Cancel binding—the specification defines this binding as follows: When a previously issued token is no longer needed, the Cancel binding can be used to cancel the token, terminating its use.
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
当使用Spring Security进行身份验证和授权时,可以通过集成令牌(token)来增强安全性。以下是一个示例代码,演示了如何集成基于令牌的身份验证和授权。 首先,需要添加相关的依赖项到项目的构建文件(例如pom.xml)中: ```xml <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency> <dependency> <groupId>io.jsonwebtoken</groupId> <artifactId>jjwt</artifactId> <version>0.9.1</version> </dependency> ``` 接下来,创建一个用于生成和解析令牌的TokenProvider类: ```java import io.jsonwebtoken.Claims; import io.jsonwebtoken.Jwts; import io.jsonwebtoken.SignatureAlgorithm; import org.springframework.beans.factory.annotation.Value; import org.springframework.stereotype.Component; import java.util.Date; @Component public class TokenProvider { @Value("${app.jwtSecret}") private String jwtSecret; @Value("${app.jwtExpirationInMs}") private int jwtExpirationInMs; public String generateToken(String username) { Date now = new Date(); Date expiryDate = new Date(now.getTime() + jwtExpirationInMs); return Jwts.builder() .setSubject(username) .setIssuedAt(new Date()) .setExpiration(expiryDate) .signWith(SignatureAlgorithm.HS512, jwtSecret) .compact(); } public String getUsernameFromToken(String token) { Claims claims = Jwts.parser() .setSigningKey(jwtSecret) .parseClaimsJws(token) .getBody(); return claims.getSubject(); } public boolean validateToken(String token) { try { Jwts.parser().setSigningKey(jwtSecret).parseClaimsJws(token); return true; } catch (Exception ex) { return false; } } } ``` 在上述代码中,TokenProvider类包含了生成令牌、解析令牌和验证令牌的方法。需要注意的是,需要在配置文件(application.properties或application.yml)中配置jwtSecret和jwtExpirationInMs属性。 然后,创建一个用于处理身份验证和授权的SecurityConfig类: ```java import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.http.HttpMethod; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.crypto.password.PasswordEncoder; @Configuration @EnableWebSecurity @EnableGlobalMethodSecurity(prePostEnabled = true) public class SecurityConfig extends WebSecurityConfigurerAdapter { @Autowired private CustomUserDetailsService customUserDetailsService; @Autowired private JwtAuthenticationEntryPoint unauthorizedHandler; @Bean public JwtAuthenticationFilter jwtAuthenticationFilter() { return new JwtAuthenticationFilter(); } @Override public void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception { authenticationManagerBuilder .userDetailsService(customUserDetailsService) .passwordEncoder(passwordEncoder()); } @Override protected void configure(HttpSecurity http) throws Exception { http .cors() .and() .csrf() .disable() .exceptionHandling() .authenticationEntryPoint(unauthorizedHandler) .and() .sessionManagement() .sessionCreationPolicy(SessionCreationPolicy.STATELESS) .and() .authorizeRequests() .antMatchers("/api/auth/**").permitAll() .anyRequest().authenticated(); http.addFilterBefore(jwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class); } @Bean public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); } @Bean @Override public AuthenticationManager authenticationManagerBean() throws Exception { return super.authenticationManagerBean(); } } ``` 在上述代码中,SecurityConfig类继承了WebSecurityConfigurerAdapter,并覆盖了configure方法。通过配置HttpSecurity,我们可以定义哪些URL需要进行身份验证和授权。 最后,创建一个用于处理用户详情的CustomUserDetailsService类: ```java import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.stereotype.Service; @Service public class CustomUserDetailsService implements UserDetailsService { @Autowired private UserRepository userRepository; @Override public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { User user = userRepository.findByUsername(username) .orElseThrow(() -> new UsernameNotFoundException("User not found with username: " + username)); return UserPrincipal.create(user); } } ``` 在上述代码中,CustomUserDetailsService类实现了UserDetailsService接口,并覆盖了loadUserByUsername方法。该方法根据用户名从数据库中加载用户信息。 这样,我们就完成了Spring Security与令牌的集成。可以使用TokenProvider类生成和解析令牌,使用SecurityConfig类配置身份验证和授权规则,使用CustomUserDetailsService类加载用户信息。

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值