如何在 Spring Boot 中将 SAML 令牌添加到 CXF 客户端请求

Question

我们正在 Spring Boot 中构建一个 CXF 客户端。用于针对 SOAP 服务器 进行身份验证/授权的 SAML 令牌在每个请求的外部身份验证代理的自定义 HTTP 标头中提供给我们的应用程序。因此，我需要一种将提供的令牌添加到每个传出 CXF 请求的方法。

我知道我可以为此注册一个自定义的 CXF 输出拦截器。不过，

• 如何在 Spring Boot 中注册该拦截器？
• 如果不使用拦截器，还有哪些替代方案？

目前，Spring 配置如下所示：

@Configuration
public class MyConfig {

  @Bean
  public PartnerServicePortType partnerServicePortType() {
    PartnerServicePortType partnerServicePortType = new PartnerServiceV0().getPartnerService();

（PartnerServiceV0 是使用 Maven 从服务的 WSDL 生成的。）

在上述配置类中，我们目前没有声明/配置 CXF 总线 bean。

Answer 1

一种可能的解决方案是：

@Configuration
public class MyConfig {

  @Bean
  public PartnerServicePortType partnerServicePortType() {
    PartnerServicePortType service = new PartnerServiceV0().getPartnerService();
    configure(service, path, baseUrl);
    return service;
  }

  private void configureService(BindingProvider bindingProvider, String path, String baseUrl) {
    // maybe try the approach outlined at https://github
    // .com/kprasad99/kp-soap-ws-client/blob/master/src/main/java/com/kp/swasthik/soap/CxfConfig.java#L24
    // as an alternative
    bindingProvider.getRequestContext().put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, baseUrl + path);

    Endpoint cxfEndpoint = ClientProxy.getClient(bindingProvider).getEndpoint();
    cxfEndpoint.getInInterceptors().add(cxfLoggingInInterceptor);
    cxfEndpoint.getInFaultInterceptors().add(cxfLoggingInInterceptor);
    cxfEndpoint.getOutInterceptors().add(addSamlAssertionInterceptor);
  }
}

还有拦截器

import lombok.SneakyThrows;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang3.StringUtils;
import org.apache.cxf.binding.soap.SoapHeader;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.interceptor.AbstractSoapInterceptor;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.phase.Phase;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.XMLObjectBuilder;
import org.opensaml.core.xml.XMLObjectBuilderFactory;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.core.xml.io.Marshaller;
import org.opensaml.core.xml.io.MarshallingException;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.soap.wssecurity.Created;
import org.opensaml.soap.wssecurity.Expires;
import org.opensaml.soap.wssecurity.Security;
import org.opensaml.soap.wssecurity.Timestamp;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import org.w3c.dom.Element;

import javax.xml.namespace.QName;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.time.format.DateTimeFormatter;


/**
 * Adding SOAP header with SAML assertion to request.
 */
@Slf4j
@Component
public class AddSamlAssertionInterceptor extends AbstractSoapInterceptor {

  private final SamlAssertionExtractor samlAssertionExtractor;

  @Autowired
  public AddSamlAssertionInterceptor(SamlAssertionExtractor samlAssertionExtractor) {
    super(Phase.POST_LOGICAL);
    this.samlAssertionExtractor = samlAssertionExtractor;
  }

  @Override
  public void handleMessage(SoapMessage message) throws Fault {
    String decodedToken = SamlTokenHolder.getDecodedToken();
    if (StringUtils.isBlank(decodedToken)) {
      log.trace("Not adding SOAP header with SAML assertion because SAML token is blank.");
    } else {
      log.trace("Got decoded SAML token: {}", decodedToken);
      log.trace("Adding SOAP header with SAML assertion to request.");
      SoapHeader header = createSoapHeaderWithSamlAssertionFrom(decodedToken);
      message.getHeaders().add(header);
    }
  }

  private SoapHeader createSoapHeaderWithSamlAssertionFrom(String decodedToken) {
    Assertion assertion = samlAssertionExtractor.extractAssertion(decodedToken);

    Security security = createNewSecurityObject();
    security.getUnknownXMLObjects().add(createTimestampElementFrom(assertion));
    security.getUnknownXMLObjects().add(assertion);

    log.trace("Creating new SOAP header with WS-Security element for '{}'.",
      assertion.getSubject().getNameID().getValue());
    SoapHeader header = new SoapHeader(security.getElementQName(), marshallToDom(security));
    header.setMustUnderstand(config.isMustUnderstandHeader());
    return header;
  }

  @SneakyThrows(MarshallingException.class)
  private Element marshallToDom(Security security) {
    Marshaller marshaller = XMLObjectProviderRegistrySupport.getMarshallerFactory().getMarshaller(security);
    return marshaller.marshall(security);
  }

  /*
   * SAML requirements documented at https://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-errata-os-SOAPMessageSecurity
   * .htm#_Toc118717167. Both timestamps must be in UTC and formatted to comply with xsd:dateTime.
   */
  private Timestamp createTimestampElementFrom(Assertion assertion) {
    Timestamp timestamp = (Timestamp) createOpenSamlXmlObject(Timestamp.ELEMENT_NAME);
    Created created = (Created) createOpenSamlXmlObject(Created.ELEMENT_NAME);
    Expires expires = (Expires) createOpenSamlXmlObject(Expires.ELEMENT_NAME);
    // alternative would be to use timestamp from assertion like so assertion.getConditions().getNotBefore()
    created.setValue(ZonedDateTime.now(ZoneOffset.UTC).format(DateTimeFormatter.ISO_INSTANT));
    // security semantics should ensure that the expiry date here is the same as the expiry of the SAML assertion
    expires.setValue(assertion.getConditions().getNotOnOrAfter().toString());
    timestamp.setCreated(created);
    timestamp.setExpires(expires);
    return timestamp;
  }

  private Security createNewSecurityObject() {
    return (Security) createOpenSamlXmlObject(Security.ELEMENT_NAME);
  }

  private XMLObject createOpenSamlXmlObject(QName elementName) {
    XMLObjectBuilderFactory builderFactory = XMLObjectProviderRegistrySupport.getBuilderFactory();
    XMLObjectBuilder<Security> builder = (XMLObjectBuilder<Security>) builderFactory.getBuilder(elementName);
    return builder.buildObject(elementName);
  }
}