WS-Trust not authenticating with PHP

It's doing my head in... What am I missing here? It must be something with the timestamp, because when I play with those I get different errors...

I've got the following envelope (which is how the provider gave it to me to use), but it keeps giving me:

    <s:Body>
        <s:Fault>
            <s:Code>
                <s:Value>s:Sender</s:Value>
                <s:Subcode>
                    <s:Value xmlns:a="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">a:InvalidSecurity</s:Value>
                </s:Subcode>
            </s:Code>
            <s:Reason>
                <s:Text xml:lang="en-US">An error occurred when verifying security for the message.</s:Text>
            </s:Reason>
        </s:Fault>
    </s:Body>

This is my code:

    // Timestamp values for the WS-Security Timestamp header
    $c = $this->getTimestamp();
    $e = $this->getTimestamp(300);

    // RST/Issue envelope as supplied by the provider
    $envelope = '
    <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <s:Header>
            <a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</a:Action>
            <a:MessageID>urn:uuid:4137dbed-db9f-40d9-ba9c-6fc82eb8aa46</a:MessageID>
            <a:ReplyTo>
                <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
            </a:ReplyTo>
            <a:To s:mustUnderstand="1">https://sts.service.net/adfs/services/trust/13/usernamemixed</a:To>
            <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                <u:Timestamp u:Id="_0">
                    <u:Created>'.$c.'</u:Created>
                    <u:Expires>'.$e.'</u:Expires>
                </u:Timestamp>
                <o:UsernameToken u:Id="uuid-4137dbed-db9f-40d9-ba9c-6fc82eb8aa46">
                    <o:Username>'.$username.'</o:Username>
                    <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">'.$password.'</o:Password>
                </o:UsernameToken>
            </o:Security>
        </s:Header>
        <s:Body>
            <trust:RequestSecurityToken xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
                <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
                    <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
                        <wsa:Address>'.$appliesTo.'</wsa:Address>
                    </wsa:EndpointReference>
                </wsp:AppliesTo>
                <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
                <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
            </trust:RequestSecurityToken>
        </s:Body>
    </s:Envelope>
    ';

    // POST the envelope to the ADFS usernamemixed endpoint
    $soap_do = curl_init();
    curl_setopt($soap_do, CURLOPT_URL, "https://sts.service.net/adfs/services/trust/13/usernamemixed");
    curl_setopt($soap_do, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($soap_do, CURLOPT_HEADER, 0);
    curl_setopt($soap_do, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($soap_do, CURLOPT_CONNECTTIMEOUT, 20);
    curl_setopt($soap_do, CURLOPT_TIMEOUT, 20);
    curl_setopt($soap_do, CURLOPT_SSL_VERIFYPEER, 0);
    curl_setopt($soap_do, CURLOPT_SSL_VERIFYHOST, 0);
    curl_setopt($soap_do, CURLOPT_POST, true);
    curl_setopt($soap_do, CURLOPT_POSTFIELDS, $envelope);
    curl_setopt($soap_do, CURLOPT_HTTPHEADER, array('Content-Type: application/soap+xml; charset=utf-8'));

    $this->payload = curl_exec($soap_do);

You are putting the current timestamp in both the Created element and the Expires element. That means that when the receiver receives the RST, the message will have expired and the receiver will be forced to reject it. Use e.g.:

gmdate("Y-m-d\TH:i:s\Z", time() + 300);

for the Expires element.

Also check for clock drift: the time on the client as well as the server should be synchronized.

Last but not least: by default ADFS 2.0 will try and encrypt the token in the response, so it requires the configuration of an encryption certificate for the Relying Party. Make sure that you've configured one for the entity associated with appliesTo. The ADFS error logs should give you a hint about that error.
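As an added example (not the asker's code and not anything shipped by ADFS), the following PHP 7.4+ script builds the same RST/Issue envelope with a Created/Expires window around the send time, as the answer above recommends, XML-escapes the credentials before interpolating them, checks the window locally before anything is sent, recognises the a:InvalidSecurity fault from the question so it can be logged apart from transport errors, and posts with certificate verification left on. The STS URL, realm, username and password are placeholders, and the fault sample at the bottom is a constructed copy of the one in the question.

```php
<?php
// Added example, not the asker's or ADFS's code. Endpoint, realm and credentials
// are placeholders; nothing touches the network unless sendRst() is called.

// Build a WS-Trust 1.3 RST/Issue (Bearer) envelope. Created is backdated by
// $clockSkew seconds so a slightly fast client clock is tolerated; Expires lies
// $ttl seconds ahead, so the STS never sees an already-expired message.
function buildRstEnvelope(string $sts, string $appliesTo, string $username,
                          string $password, int $now,
                          int $clockSkew = 300, int $ttl = 300): string
{
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_XML1 | ENT_QUOTES, 'UTF-8');
    // WS-Security Utility timestamps are UTC xsd:dateTime values with a 'Z' suffix.
    $created = gmdate("Y-m-d\TH:i:s\Z", $now - $clockSkew);
    $expires = gmdate("Y-m-d\TH:i:s\Z", $now + $ttl);
    // Fresh identifiers per request instead of a hard-coded UUID.
    $uuid = vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex(random_bytes(16)), 4));
    // XML-escape every interpolated value so a '<' or '"' in a password cannot break out of its element.
    [$sts, $appliesTo, $u, $p] = array_map($esc, [$sts, $appliesTo, $username, $password]);
    return <<<XML
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing"
    xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <s:Header>
    <a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</a:Action>
    <a:MessageID>urn:uuid:{$uuid}</a:MessageID>
    <a:ReplyTo><a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address></a:ReplyTo>
    <a:To s:mustUnderstand="1">{$sts}</a:To>
    <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <u:Timestamp u:Id="_0"><u:Created>{$created}</u:Created><u:Expires>{$expires}</u:Expires></u:Timestamp>
      <o:UsernameToken u:Id="uuid-{$uuid}">
        <o:Username>{$u}</o:Username>
        <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">{$p}</o:Password>
      </o:UsernameToken>
    </o:Security>
  </s:Header>
  <s:Body>
    <trust:RequestSecurityToken xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
      <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
        <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsa:Address>{$appliesTo}</wsa:Address></wsa:EndpointReference>
      </wsp:AppliesTo>
      <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
      <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
    </trust:RequestSecurityToken>
  </s:Body>
</s:Envelope>
XML;
}

// Pre-flight check: the Timestamp window must contain the send time, otherwise
// the STS answers with the a:InvalidSecurity fault from the question.
function timestampWindowOk(string $envelope, int $now): bool
{
    $doc = new DOMDocument();
    $doc->loadXML($envelope);
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('u', 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd');
    $created = strtotime($xp->evaluate('string(//u:Timestamp/u:Created)'));
    $expires = strtotime($xp->evaluate('string(//u:Timestamp/u:Expires)'));
    return $created !== false && $expires !== false && $created <= $now && $now < $expires;
}

// Recognise the WS-Security fault; the QName prefix is resolved, not string-matched.
function isInvalidSecurityFault(string $response): bool
{
    $doc = new DOMDocument();
    if (!@$doc->loadXML($response)) { return false; }
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('s', 'http://www.w3.org/2003/05/soap-envelope');
    $node = $xp->query('//s:Fault/s:Code/s:Subcode/s:Value')->item(0);
    if ($node === null) { return false; }
    [$prefix, $local] = array_pad(explode(':', trim($node->textContent), 2), 2, '');
    return $local === 'InvalidSecurity' && $node->lookupNamespaceURI($prefix)
        === 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd';
}

// Post with certificate verification left on: PasswordText carries the password
// in clear, so the TLS peer must be checked.
function sendRst(string $sts, string $envelope): string
{
    $ch = curl_init($sts);
    curl_setopt_array($ch, [CURLOPT_POST => true, CURLOPT_POSTFIELDS => $envelope,
        CURLOPT_HTTPHEADER => ['Content-Type: application/soap+xml; charset=utf-8'],
        CURLOPT_RETURNTRANSFER => true, CURLOPT_TIMEOUT => 20,
        CURLOPT_SSL_VERIFYPEER => true, CURLOPT_SSL_VERIFYHOST => 2]);
    $body = curl_exec($ch);
    if ($body === false) { throw new RuntimeException(curl_error($ch)); }
    return $body;
}

$now = time();  // placeholder STS, realm and credentials below
$env = buildRstEnvelope('https://sts.example.invalid/adfs/services/trust/13/usernamemixed',
                        'urn:example:relying-party', 'alice', 'p<ss"word', $now);
var_dump(timestampWindowOk($env, $now), timestampWindowOk($env, $now + 600));
// Constructed copy of the fault Code block from the question:
$fault = '<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Body><s:Fault><s:Code>'
    . '<s:Value>s:Sender</s:Value><s:Subcode><s:Value xmlns:a="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">'
    . 'a:InvalidSecurity</s:Value></s:Subcode></s:Code></s:Fault></s:Body></s:Envelope>';
var_dump(isInvalidSecurityFault($fault));
```

The `$clockSkew` and `$ttl` parameters are what the clock-drift advice comes down to in practice: a Created a few minutes in the past and an Expires a few minutes ahead keeps the request valid even when the two clocks disagree slightly, while still bounding how long a captured envelope stays replayable. `timestampWindowOk()` only validates the client-side window; the STS applies its own tolerance on top of that.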

I did the following to resolve the issue. I changed it to current_time - 300 seconds and current_time + 3600 seconds.

It works.

Notice: the technical posts on this site follow the CC BY-SA 4.0 license; if you need to reproduce them, please cite this site's URL or the original source. For any questions, contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM