WS-Trust不使用PHP进行身份验证
发布时间:2020-12-13 14:02:03 所属栏目:PHP教程 来源:网络整理
导读:这是我的头…. 我在这里缺少什么…必须是时间戳的东西,因为当我玩这些时我收到不同的错误… 我有以下信封(这是供应商如何使用它) 但它keepis给我 s:Body s:Fault s:Code s:Value s:Sender/s:Value s:Subcode s:Value xmlns:a="http://docs.oasis-open.org/ws
|
这是我的头….
我在这里缺少什么…必须是时间戳的东西,因为当我玩这些时我收到不同的错误… 我有以下信封(这是供应商如何使用它) <s:Body> <s:Fault> <s:Code> <s:Value> s:Sender</s:Value> <s:Subcode> <s:Value xmlns:a="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> a:InvalidSecurity</s:Value> </s:Subcode> </s:Code> <s:Reason> <s:Text xml:lang="en-US"> An error occurred when verifying security for the message.</s:Text> </s:Reason> </s:Fault> </s:Body> 这是我的代码: $c = $this->getTimestamp();
$e = $this->getTimestamp(300);
$envelope = '
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</a:Action>
<a:MessageID>urn:uuid:4137dbed-db9f-40d9-ba9c-6fc82eb8aa46</a:MessageID>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">https://sts.service.net/adfs/services/trust/13/usernamemixed</a:To>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="_0">
<u:Created>'.$c.'</u:Created>
<u:Expires>'.$e.'</u:Expires>
</u:Timestamp>
<o:UsernameToken u:Id="uuid-4137dbed-db9f-40d9-ba9c-6fc82eb8aa46">
<o:Username>'.$username.'</o:Username>
<o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">'.$password.'</o:Password>
</o:UsernameToken>
</o:Security>
</s:Header>
<s:Body>
<trust:RequestSecurityToken xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Address>'.$appliesTo.'</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
<trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
</trust:RequestSecurityToken>
</s:Body>
</s:Envelope>
';
$soap_do = curl_init();
curl_setopt($soap_do,CURLOPT_URL,"https://sts.service.net/adfs/services/trust/13/usernamemixed");
curl_setopt($soap_do,CURLOPT_FOLLOWLOCATION,1);
curl_setopt($soap_do,CURLOPT_HEADER,0);
curl_setopt($soap_do,CURLOPT_RETURNTRANSFER,CURLOPT_CONNECTTIMEOUT,20);
curl_setopt($soap_do,CURLOPT_TIMEOUT,CURLOPT_SSL_VERIFYPEER,CURLOPT_SSL_VERIFYHOST,CURLOPT_POST,true );
curl_setopt($soap_do,CURLOPT_POSTFIELDS,$envelope);
curl_setopt($soap_do,CURLOPT_HTTPHEADER,array('Content-Type: application/soap+xml; charset=utf-8'));
$this->payload = curl_exec($soap_do);
您将当前时间戳放在“创建”元素和“过期元素”中.这意味着当接收器接收到RST时,消息将会过期,并且接收器将被强制拒绝.使用例如:
gmdate("Y-m-dTH:i:sZ",time() + 300);
对于Expires元素. 还要检查时钟漂移:客户端以及服务器上的时间应该同步. 最后但并非最不重要的:默认情况下,ADFS 2.0将尝试加密响应中的令牌,因此需要为依赖方配置加密证书.确保已经为applyTo关联的实体配置了一个. ADFS错误日志应该提供关于该错误的提示. (编辑:李大同) 【声明】本站内容均来自网络,其相关言论仅代表作者个人观点,不代表本站立场。若无意侵犯到您的权利,请及时与联系站长删除相关内容! |