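I know it is hard to express this in simple words, but it really confuses me. I am going to code an authentication class in PHP. PHP SAML authentication WSSE JAX-WS
The technical points here:
1. saml2p:AuthnRequest XML (in PHP we have to convert it into an object, but how?)
2. simplexml array to object and object to array.
3. WSSE header for JAX-WS
4. AuthnRequestType
My code and problem: This should be the AuthnRequest XML, but I don't know how to turn it into a parameter for a method in SoapClient.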
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest AssertionConsumerServiceURL="http://http://localhost/SAML/objectoarray.php"
ID="551e5cd8-7f50-4dcd-bc85-eb625bb12da7" IssueInstant="2013-01-14T06:17:05.138Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Version="2.0"
xmlns:ns4="http://www.w3.org/2000/09/xmldsig#" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<saml2:Issuer>applpf.pioneer.jp</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#551e5cd8-7f50-4dcd-bc85-eb625bb12da7">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>4RzD9oGu0D+pWD1ZZfrb83WsWL8=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>dxZE/60oe3+rlIbVUcCa1isgfOGM0pi5XRaKPsvFtyJ3RAw9AoLzN0nYngTD9Dj/TbWdu1wCW+gekrBUtbhKkBU7xBuBWtQvLxHCB7mHxiOZZqMSYR4kjzzmHEWqSbsG3oYoWhDBXyfHWnlztk8onI9sysiBMboJe7yybmne0PilZkLmkpZcTUefUKyrCQF1l49BIF5J5R+QC7Uh6dHCNXx1zFesVKBqmaWumlKCXssycEUFfNqoTD9rtlMnQ5U6aQEEfYpRClMS8SYdsY+K9daM0lEEncjfZrpUaZR5jQJo+M1CHSmfrv7qU36Hqi+vNWBK8YIH1raMkg17ZMYBhA==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>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</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
</saml2p:AuthnRequest>
I just saved it as plain XML and converted it to an array.
Like:
$xml = new SimpleXMLElement('<?xml version="1.0" encoding="UTF-8"?><saml2p:AuthnRequest AssertionConsumerServiceURL="http://applpf.pioneer.co.jp/" ID="0011e577-5e4a-46b5-9703-888294c0bd66" IssueInstant="2013-01-14T06:19:51.626Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Version="2.0" xmlns:ns4="http://www.w3.org/2000/09/xmldsig#" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><saml2:Issuer>applpf.pioneer.jp</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#0011e577-5e4a-46b5-9703-888294c0bd66"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>PWG+OxqzVzA0piHjtvsjh/MlChA=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>gcoF7BZAJ0W85PK9tbSvJT0aTATQTysFmi+FxyLfZvhA7nHtmYqqXfy9r2r73Jai1qCruPUGmOx3IpjP9wjBPnCCCx/gHW8UjPdAJlLhNBK17svKEmx4uMranN5M/MLrFnqkQduuzmMXl/xio3+iJs4Tldo/5wL4L99Go58l+BMGurEdgmh744E7v+yvniS1thPjc2E07Dlb0o5rdlqkEYYPL2CR0r8er3IXdT2+939iaoD8h+B3v9zu6M6qNcOTfVz9HmV54/sIB15u9cl7efDIsHj4/uAlnqZTg66EgrD44Cj0J2b7z8mo1Qdd+8b59vRA6DtRXw3DnIE3hKeMRw==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature></saml2p:AuthnRequest>');
$xml_object = simplexml_load_string($xml->asXML());
Finally, I pass this as a parameter to the method in the CustomerLoginService class:
$authnSample->loginByCustomer($xml_object,"\$00astest","password");
We did:
class WsseAuthHeader extends SoapHeader {
    // WS-Security 1.0 "secext" namespace used for the Security header and its children
    private $wss_ns = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd';

    function __construct($user, $pass, $ns = null) {
        if ($ns) {
            $this->wss_ns = $ns;
        }
        // Username and Password elements, both in the WSSE namespace
        $auth = new stdClass();
        $auth->Username = new SoapVar($user, XSD_STRING, NULL, $this->wss_ns, NULL, $this->wss_ns);
        $auth->Password = new SoapVar($pass, XSD_STRING, NULL, $this->wss_ns, NULL, $this->wss_ns);
        // Wrap them in a UsernameToken element
        $username_token = new stdClass();
        $username_token->UsernameToken = new SoapVar($auth, SOAP_ENC_OBJECT, NULL, $this->wss_ns, 'UsernameToken', $this->wss_ns);
        // Wrap the token in the Security element
        $security_sv = new SoapVar(
            new SoapVar($username_token, SOAP_ENC_OBJECT, NULL, $this->wss_ns, 'UsernameToken', $this->wss_ns),
            SOAP_ENC_OBJECT, NULL, $this->wss_ns, 'Security', $this->wss_ns);
        // Fourth argument true sets mustUnderstand on the header
        parent::__construct($this->wss_ns, 'Security', $security_sv, true);
    }
}
Then:
$wsse_header = new WsseAuthHeader($this->userid, $this->password);
$this->soapClient = new SoapClient($url, array("trace" => 1, "exception" => 0));
$this->soapClient->__setSoapHeaders(array($wsse_header));
But in the end I still got an error like this:
Exception: SoapFault exception: [HTTP] Internal Server Error in C:\php5\www\PINE_FW_AS_PHPProject\com\pioneer\pine\fw\as\object\CustomerLoginService.php:137
Stack trace:
#0 [internal function]: SoapClient->__doRequest(' __call('login', Array)
#2 C:\php5\www\PINE_FW_AS_PHPProject\com\pioneer\pine\fw\as\object\CustomerLoginService.php(137): SoapClient->login(Array)
#3 C:\php5\www\PINE_FW_AS_PHPProject\com\pioneer\pine\fw\as\Authentication.php(76): CustomerLoginService->login(Array)
#4 C:\php5\www\SAML\test_authreq01.php(48): Authentication->loginByCustomer(Array, '$00astest', 'password')
#5 {main}
Can anyone tell me how I can access the Auth server correctly, in the right way or in a simple way?
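Let me comment a little on my question: The first problem I ran into is how to convert XML with namespaces into an object, and then convert the object back into XML with namespaces. The second problem is how to create these two points for the AuthnRequest XML with PHP: $signature->KeyInfo, $X509Data->X509Certificate. The third problem is how to pass the parameters userid and password to the WSSE header with PHP. – KEN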
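On the first problem in the comment above (namespaced XML and object/array conversion), an added example that is not part of the original post: it reads a namespaced AuthnRequest by namespace URI, shows what an array round trip keeps, and wraps the root element unchanged so the enveloped signature is not rebuilt from a lossy object. The request is a constructed, shortened sample; the function names are hypothetical, and whether the target service accepts a raw XML parameter is an assumption.

```php
<?php
// Added example, not the poster's code. $raw is a constructed, shortened
// request: placeholder ID and issuer, signature contents left out.
const NS = [
    'saml2p' => 'urn:oasis:names:tc:SAML:2.0:protocol',
    'saml2'  => 'urn:oasis:names:tc:SAML:2.0:assertion',
    'ds'     => 'http://www.w3.org/2000/09/xmldsig#',
];
$raw = '<?xml version="1.0" encoding="UTF-8"?>'
     . '<saml2p:AuthnRequest ID="_constructed-id-1" Version="2.0"'
     . ' xmlns:saml2p="' . NS['saml2p'] . '" xmlns:saml2="' . NS['saml2'] . '">'
     . '<saml2:Issuer>sp.example.test</saml2:Issuer>'
     . '<ds:Signature xmlns:ds="' . NS['ds'] . '"><ds:SignedInfo>'
     . '<ds:Reference URI="#_constructed-id-1"/>'
     . '</ds:SignedInfo></ds:Signature></saml2p:AuthnRequest>';

/** Read fields by namespace URI; the document itself is left untouched. */
function describeAuthnRequest(string $xml): array
{
    $doc = new DOMDocument();
    $doc->loadXML($xml, LIBXML_NONET);   // no network fetches while parsing
    $xp = new DOMXPath($doc);
    foreach (NS as $prefix => $uri) {
        $xp->registerNamespace($prefix, $uri);
    }
    $id  = $xp->evaluate('string(/saml2p:AuthnRequest/@ID)');
    $ref = $xp->evaluate('string(//ds:SignedInfo/ds:Reference/@URI)');
    return [
        'id'     => $id,
        'issuer' => $xp->evaluate('string(/saml2p:AuthnRequest/saml2:Issuer)'),
        // The enveloped signature must point at the request it sits in.
        'signatureCoversRequest' => $ref === '#' . $id,
    ];
}

/** Top-level keys left after a SimpleXML -> JSON -> array round trip. */
function flattenedKeys(string $xml): array
{
    return array_keys((array) json_decode(json_encode(new SimpleXMLElement($xml)), true));
}

/** Wrap the root element unchanged for SoapClient (needs ext-soap). */
function asSoapParam(string $xml): SoapVar
{
    $doc = new DOMDocument();
    $doc->loadXML($xml, LIBXML_NONET);
    return new SoapVar($doc->saveXML($doc->documentElement), XSD_ANYXML);
}

print_r(describeAuthnRequest($raw));
print_r(flattenedKeys($raw));
```

Comparing the keys from flattenedKeys with the fields from describeAuthnRequest shows which parts of the request survive conversion to an array; a request rebuilt from that array no longer matches the digest in ds:SignedInfo.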